Colasoft Knowledge Base Installation Issues Capture Environment Setup

Capture Environment Setup

E-mail Print PDF

nChronos server program successfully installed on a server, next you should connect the server to correct devices to capture traffic. The correct devices are the networking devices with all network traffic you want to monitor and they are able to send copies of the traffic to your server’s NIC. nChronos server will automatically set the server’s NICs into promiscuous mode so that all traffic gets to the server will be captured.

Generally, the correct devices include, managed switches, hubs and Network Taps. A managed switch is the perfect choice that you can configure it to make a copy of all packets traversing through the switch, and send the copy packets to a certain monitor port. Then nChronos server receives all packets from this port. This function is named Port Mirroring (Cisco calls it SPAN). For more details about port mirroring, please visit Switch Management on our website.

Managed switch

You should set up capture environment on a managed switch as figure below:

The nChronos server should have two pieces of network cards, one for network data capture, and another for console connection. Note that the figure above mentions core switch, also you are suggested to implement nChronos server to monitor all switches with mission-critical traffic, such as web server, database server, CRM server, etc.

Hub

If there is not a managed switch in your network, you may use a hub or a network tap to get your network traffic. Note that a general hub can only process 100 Mbps of traffic, and it’s not a good choice for a modern network. But if the network traffic is small, a hub is also an economy choice.

Network Tap

Besides using a hub to capture traffic from a small network, a network tap is a more wise choice to be used to capture traffic from a duty heavy network without a managed switch. A network tap is like a network traffic duplicator, which is able to make a copy of each packet and send it to your server. For example, you can put a network tap between a switch and a router, and you can get all traffic, inbound and outbound, between the two.

The difference between a network tap and a managed switch is that network tap will NOT affect the network performance, which means almost no packet lost. While on a managed switch, if it receive a large amount of packets at peak and the switch reaches its max processing ability, it will give packet switching higher priority, at the same time, mirroring packets will be left behind, which means packet lost. The only disadvantage is that a network tap is a hardware device, which requires additional investment.

Last Updated on Thursday, 16 June 2011 03:37  

Add comment


Security code
Refresh