[CentOS] What about port mirroring? (Was: Switch to measure traffic at IP level)

Fri Oct 23 16:32:31 UTC 2009
nate <centos at linuxpowered.net>

Neil Aggarwal wrote:

> Are there any pitfalls with this approach?

Performance is the biggest one. Port mirroring often
involves the CPU, and is really not built for scaling.
If your traffic levels are very low it may work fine.
Port mirroring is often a low priority task so if the
switch is busy it will drop packets on the mirror
to try to ensure availability on the normal ports.

If you have Cisco gear they have NetFlow which is
similar to sFlow but NetFlow is often a software service
so has performance impact as well, depending on the
precise equipment you're using.

> Would ntop be a good tool for it?

Looks like ntop has nProbe which can collect data from a
mirrored port, put it in a NetFlow packet and send it to
ntop or another collector device.

So it really depends on the scale you're operating at,
if it's only 1 server with say less than 1Gbit/s of
throughput you're probably OK. If it's more, sFlow is
the only thing that can scale to very high data rates
and still be cost effective as it's implemented in the
hardware of the switches.

The Extreme X350 for example is a very budget minded
gigabit switch, not much layer 3, or stacking, online
pricing puts it in the $2000 range for 48 GbE, and has
hardware sFlow -
http://www.extremenetworks.com/products/summit-x350.aspx

Optional 10GbE (even 10GbaseT for 10GbE over CAT5/6/6a)
as well.

Can go to the high end which is roughly triple the price
though offers quite a bit more features.

nate
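
Added example, not part of the original message or of ntop/nProbe: a minimal collector-side parser that totals bytes per source IP from one NetFlow export datagram, which is the "traffic at IP level" measurement the thread is after. It assumes the exporter sends NetFlow version 5 (the message does not name a version); `bytes_per_source` and `build_sample` are hypothetical names, and the sample datagram is constructed with documentation addresses.

```python
import socket
import struct
from collections import Counter

HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte NetFlow v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte NetFlow v5 flow record

def bytes_per_source(datagram):
    """Sum the octet counters per source IP in one NetFlow v5 export datagram."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError("not NetFlow v5 (version field = %d)" % version)
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("header announces more records than the datagram holds")
    totals = Counter()
    for i in range(count):
        rec = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        totals[socket.inet_ntoa(rec[0])] += rec[6]   # rec[0]=srcaddr, rec[6]=dOctets
    return totals

def build_sample():
    """Constructed export datagram: three TCP flows, documentation addresses."""
    flows = [("192.0.2.10", "198.51.100.5", 10, 1500),
             ("192.0.2.11", "198.51.100.5", 4, 320),
             ("192.0.2.10", "198.51.100.9", 2, 500)]
    header = HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0)
    body = b"".join(
        RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\0" * 4,
                    0, 0, pkts, octets, 0, 0, 40000, 80, 0, 0, 6, 0, 0, 0, 0, 0, 0)
        for src, dst, pkts, octets in flows)
    return header + body

if __name__ == "__main__":
    for ip, octets in bytes_per_source(build_sample()).most_common():
        print(ip, octets)
```

The totals only cover traffic the exporter actually saw, so packets dropped on a busy mirror port are missing from them as well.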