[CentOS] What about port mirroring? (Was: Switch to measure traffic at IP level)

Fri Oct 23 16:27:05 UTC 2009
Larry Brigman <larry.brigman at gmail.com>

On Fri, Oct 23, 2009 at 9:14 AM, Neil Aggarwal <neil at jammconsulting.com> wrote:
> Hello everyone:
>
> I was just reading an ntop guide and it mentioned
> many switches have port mirroring.
>
> According to what I am reading, the Cisco I am using
> will copy all traffic to the mirror port.  Then,
> I can monitor what is going on from there.
>
> That seems like a good way to do this.
>
> Are there any pitfalls with this approach?

Yes.  Doing all traffic, unless the switch is very lightly loaded, could
saturate the mirror port.
The other pitfall is that you would need a high network performance
NIC/host set to capture that info.

>
> Would ntop be a good tool for it?
>
> I would like to graph total bytes in and out
> as well as 95% usage on an IP address level.
> I would like daily, weekly, and monthly graphs.

SNMP monitoring of the switch could get you these details without port mirroring.
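
Added example (not part of the original post): one way to turn polled SNMP octet counters into total bytes and a 95th-percentile rate. It assumes one host per switch port, 5-minute polls of a 32-bit counter such as ifInOctets, and the nearest-rank percentile definition; the sample polls are constructed and the function names are hypothetical.

```python
COUNTER32_MOD = 2 ** 32  # 32-bit SNMP octet counters wrap back to zero


def deltas(samples):
    """Yield (seconds, octets) per interval from (unix_time, counter) polls."""
    for (t0, c0), (t1, c1) in zip(samples, samples[1:]):
        dt = t1 - t0
        if dt <= 0:
            continue  # skip duplicate or out-of-order polls
        # Modular subtraction absorbs one counter wrap between two polls.
        yield dt, (c1 - c0) % COUNTER32_MOD


def percentile95(values):
    """Nearest-rank 95th percentile: the top 5% of samples are discarded."""
    if not values:
        raise ValueError("no samples")
    ordered = sorted(values)
    rank = (95 * len(ordered) + 99) // 100  # ceil(0.95 * n) in integers
    return ordered[rank - 1]


def summarize(samples):
    """Total bytes plus 95th-percentile and peak rate in bits per second."""
    intervals = list(deltas(samples))
    rates = [octets * 8 / dt for dt, octets in intervals]
    return {
        "total_bytes": sum(octets for _, octets in intervals),
        "p95_bps": percentile95(rates),
        "peak_bps": max(rates),
    }


def constructed_samples():
    """Constructed data: 20 five-minute intervals, two bursts, one wrap."""
    per_interval = [3_000_000] * 18
    per_interval.insert(5, 300_000_000)   # short heavy burst
    per_interval.insert(12, 30_000_000)   # moderate burst
    t, counter = 1256313600, COUNTER32_MOD - 5_000_000  # start near the wrap
    samples = [(t, counter)]
    for octets in per_interval:
        t += 300
        counter = (counter + octets) % COUNTER32_MOD
        samples.append((t, counter))
    return samples


if __name__ == "__main__":
    print(summarize(constructed_samples()))
```

The single heavy burst sets the peak but falls in the discarded top 5%, so the 95th-percentile figure reflects the next-highest interval.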