POE Switch w/Port Mirroring: Recommendations?

Discussion in 'Wireless Internet' started by (PeteCresswell), Jan 5, 2015.

  1. Troubleshooting a wireless link.

    Want to use WireShark to verify that packets that start out at Location
    A reach the right address at Location B.

    The hitch is that the addr at Location B is an IP cam.... so I want to
    swap out the dumb switch at Location B for one that can mirror
    everything that hit's that IP cam's addr to another outlet on the switch
    that is connected to a PC running WireShark.

    I see plenty of stuff for big bucks.... but can anybody recommend
    something for less than $200?

    Only 4 POE ports needed.
     
    (PeteCresswell), Jan 5, 2015
    #1
    1. Advertisements

  2. Before you do that, can you run one of the failing cameras on local
    power and NOT use the PoE power? If it continues to work, with the
    remaing two HikVision cameras fail, then there's something odd
    happening inside the Trendnet PoE thing.

    Running it on external power also helps for sniffing the traffic with
    Wireshark. I have an Ethertap, but in this case, it's overkill. I
    suggest you simply insert a 10/100baseT *HUB* (not an ethernet switch)
    in series between the Trendent switch and whatever you're testing.
    Hubs are "repeaters" which means the retransmit everything that goes
    in any port, to all the other ports. I carry a hub around in my
    Subaru specifically for such sniffing. Light reading:
    <http://wiki.wireshark.org/CaptureSetup/Ethernet>

    Otherwise, you get to build a passive ethernet tap:
    <http://www.instructables.com/id/Make-a-Passive-Network-Tap/>
    <http://vcabbage.com/2010/07/17/building-a-passive-network-tap/>
    <https://www.google.com/search?q=passive+ethernet+tap&tbm=isch>
     
    Jeff Liebermann, Jan 5, 2015
    #2
    1. Advertisements

  3. Jeff Liebermann, Jan 5, 2015
    #3
  4. Per Jeff Liebermann:
    I like the hub. Sounds like something I should get ASAP and add to my
    Ethernet Tools box just on GPs.

    One issue here is that I cannot provoke the problem for study purposes.
    I have to have everything in place and ready to go and then wait for the
    problem to manifest.

    Should have thought to replace the POE power on a problem cam... but I
    did swap out the POE switch (same make, similar model albeit with higher
    power.... 1.25a instead of .8a).... with no change in the problem
    cams... so I am thinking maybe that lets the POE switch off the hook.
    But the next time I go down there, I will plug one of the problem cams
    into a non-powered port and supply power separately.
     
    (PeteCresswell), Jan 5, 2015
    #4
  5. Yep. It's handy. Someone on eBay is selling old Netgear 10/100 hubs
    specifically for use with Wireshark at outrageous prices.
    Nothing every fails when you're watching. Try turning your back.

    What I do for such things is install monitoring or instrumentation. If
    the devices can handle SNMP, I install a MIB browser and MRTG grapher
    on a loaner PC. I NEVER install it on one of the customers machines
    because that might affect the failure mode. For extreme cases, I
    monitor AC line voltage, temperature, and server room lighting, all of
    which have played a part in past failures.

    However, in this case, methinks it's a bit extreme. Fire up some kind
    of uptime monitor that uses ping to track failures.
    <https://www.tools4ever.com/software/additional-software/freeping/>
    You'll get a good display and history on what parts of the network are
    failing.

    Also, look for "new" devices. For Linux, I use arpwatch. For
    Windoze, Airsnare:
    <http://home.comcast.net/~jay.deboer/airsnare/>

    In other words, bait the trap, and wait for the culprit.
    Ummm... I mentioned it twice in previous advice. PoE has been a
    rather odd problem for me. When it fails from overload or
    insufficient AC voltage, there's sometimes no indication that anything
    has gone wrong.
    Probably, especially since power cycling the Ubiquiti radio (which
    end?) recovers the connection and has nothing to do with the PoE
    system, unless the Ubiquiti radios are running on the PoE switch.
    Oh-oh.
    Yep. Just one, not all 3 of them.
     
    Jeff Liebermann, Jan 5, 2015
    #5
  6. Per Jeff Liebermann:
    No - the radios run on their own POE injectors.
     
    (PeteCresswell), Jan 5, 2015
    #6
  7. Per Jeff Liebermann:
    Why all 3?

    My reasoning was that it would be instructive if the cam on it's own
    power source stayed up while the two on POE went down on the next
    iteration of the problem.

    ??
     
    (PeteCresswell), Jan 5, 2015
    #7
  8. Just one camera on AC power. There are three HikVision cameras that
    are affected. The Trendnet camera seems immune. The idea is to
    locally power only one of the HikVision cameras, to see if it makes a
    difference. If the other two PoE powered HikVision cameras fail as
    before, but the one running on AC continues to operate, then it's like
    it has something to do with PoE.
    Yeah, that's it.
     
    Jeff Liebermann, Jan 5, 2015
    #8
  9. (PeteCresswell)

    ps56k Guest

    I think you have to look for a 10mb only - without any 100mb -
    I think once 100mb gets added, it no longer does the all-port "broadcast",
    and becomes a "switch" vs the old style repeating "hub".

    I have a couple of the little 4 or 5 port 10mb "hubs" just for that purpose.
     
    ps56k, Jan 7, 2015
    #9
  10. Next to me is a pile of Nyetgear DS104, DS106, and DS108 10/100 hubs
    which is what I use.
    <http://802.11junk.com/jeffl/pics/drivel/hubs.jpg>
    Connecting the computah at 100 and sniffing simultaneous traffic at 10
    mbits/sec on more than one port at a time, is especially useful.

    However, what you describe is a known issue:
    <http://wiki.wireshark.org/HubReference> [1]
    All that's necessary is to make sure that the sniffing PC has the IP
    address set in the same Class C IP block as the rest of the network,
    and it works normally. However, when sniffing networks that carry
    multiple IP blocks, it screws up badly and I have to fish out a 10 or
    100 mbit/sec hub, use my home made ethernet tap, or use my overpriced
    and borrowed ethertap:
    <http://www.netoptics.com/products/network-taps/101001000baset-tap>
    Ebay price is about $1,000.
    Likewise, but most of my customers networks are 100 baseT or 1000
    baseT gigabit. There's no such thing as a gigabit hub, so I have to
    either use the overpriced ethertap, or slow things down to 100baseT.

    More on taps:
    <http://wiki.wireshark.org/TapReference>
    <http://ossmann.blogspot.com/2011/02/throwing-star-lan-tap.html>
    <http://www.winsnort.com/topic/24-ho...on-detection-system-winids-companion-add-on/>

    [1] Note the comments on "fake hubs". That wasted about two full days
    of head scratching until I found the problem.
     
    Jeff Liebermann, Jan 7, 2015
    #10
  11. Per (PeteCresswell):
    I am thinking about dropping $260 on a NetGear 8-port smart switch as in
    http://www.newegg.com/Product/Product.aspx?Item=N82E16833122367

    The plan is to temporarily swap it in at the problem IP cam site so that
    I can do two things:

    - Mirror the port of one cam to a PC so I can WireShark the traffic

    - Selectively turn cameras off so I can test somebody's hypothesis
    that there is a bandwidth issue.


    And, once it's job is done there, I'll take it home and expect some
    hours of entertainment sniffing around my own LAN.

    One of my assumptions vis-a-vis all smart switches is that their setup
    is via web pages that are accessible over the WAN or, at least, over
    their LAN. i.e. no travel to the site where they live is needed.


    Comments?
     
    (PeteCresswell), Jan 7, 2015
    #11
  12. <http://support.netgear.com/product/GS110TP>

    There are a bunch of GS110TP-100NAS used switches for sale on eBay for
    about $75.
    <www.ebay.com/sch/i.html?_nkw=GS110TP>

    Note that there is also the later GS110TP-200NAS and other options. I
    don't have time to decode the differences right now.

    Review site:
    <http://www.smallnetbuilder.com/lanw...art-switch-with-2-gigabit-fiber-sfp-reviewed>

    One of my customers has one that I setup solely for MAC level traffic
    shaping. (i.e. low priority and bandwidth to "guest" traffic). I've
    never tried the port mirroring.
    It has a local LAN IP address on port 80, just like any other LAN
    device. If you want access from outside, you can either use
    Teamviewer on a local LAN PC, or setup your Comcast router for port
    forwarding, or run a VPN to access the entire LAN from your remote PC.
    Have you ever used Wireshark? You don't just sit on a network and
    continuously sniff everything. You capture a set amount of data,
    typically about 5 minutes worth, and then have Wireshark decode the
    capture file.

    You can run Wireshark continuously as a protocol analyzer, but you
    need lots of horsepower. If your monitor PC is located near the
    monitor port, that might work. If you are planning to backhaul the
    live capture data via the wireless bridge or even the wired network,
    forget it. You don't have the bandwidth.
     
    Jeff Liebermann, Jan 7, 2015
    #12
  13. Per Jeff Liebermann:
    I am currently trying to climb the learning curve. In fact, that is
    what led me to the smart switch/Ethernet hub thing: the realization
    that, if I want to sniff packets to (for instance) camera 10.0.0.145
    WireShark running on a nearby PC cannot do it unless the traffic to
    10.0.0.145 is also directed to the PC....i.e. "Port Mirroring" or a hub.

    I can see I have a loooooong way to go.... but I'm sure to come out of
    this knowing stuff:

    - That I did not know before
    - That most people never even heard of

    One more step up the curve... Thanks!.... My plan was to run WireShark
    continuously on each end of the radio link in hopes of having the cams
    go down while it was running. If I got lucky, maybe I could determine
    whether-or-not a given packet addressed to 10.0.0.145 made it across the
    radio link to the other side.

    If packets are not making it... that would seem to further support the
    radio link theory. But if they *are* making it, that's a whole new
    ball game.

    Right now, I am only doing Display filters. Could use of Capture
    filters reduce the horsepower requirements?

    FWIW, my current working hypothesis is that static electricity is
    fouling up the radio links. How that could happen in such a way as to
    be camera-specific is waaaay beyond my pay grade.... but at least 3
    Ubiquiti experts have noted that my failure to use shielded cable with a
    drain wire for serving an outdoors radio link sitting atop a 15-foot
    windsurfer mast is a major lapse in installation standards.

    Something about wind blowing dust/sand past plastic - although this wire
    is inside the windsurfer mast except for about 18" up where the radio is
    attached.

    But still, they're really adamant about the shielded/drain wire cable so
    that's been promoted to an ASAP thing.... I'll order the smart switch,
    wait for a decent day, drive down... and do it all:

    - Swap out the switch

    - Replace Cat5 unshielded w/shielded

    - Install a 24-hour switch to just reboot the whole
    mess in the shop unconditionally at, say, 0100 every day

    - *Try* to add a web-accessible switch at the server end so
    I can power everything there off/on at will.

    Right now, I have a .BAT file that continuously pings a cam and writes
    the results to a .txt file. It's kind of kludgy - not smart enough to
    kick the timestamp date up when midnight passes... and I'm not sure it
    will tell me much except what I already know: that the ping results
    change in a predictable pattern when the cams go down.
     
    (PeteCresswell), Jan 7, 2015
    #13
  14. Per Jeff Liebermann:
    Just pulled the trigger on the -200NAS.

    Saw a number of superficially-similar Netgear switches and one diff was
    4 vs 8 powered ports.

    I didn't decode the diffs either... but for another hundred bucks I
    figured "Why not?"... based on my cluelessness and the hope that more
    features will be more useful...
     
    (PeteCresswell), Jan 7, 2015
    #14
  15. Per (PeteCresswell):
    Well, the GS110TP arrived and I'm starting the learning curve.

    First question (ref http://tinyurl.com/mlvpuu7):

    10.0.0.140 is the IP cam.
    10.0.0.10 is the PC issuing Ping requests.
    10.0.0.1 is the router.
    10.0.0.8 is my NAS box.

    Why is the IP cam talking to the NAS box?
     
    (PeteCresswell), Jan 14, 2015
    #15
  16. Per (PeteCresswell):
    Wrong forum.... so I put this up on alt.comp.networking.routers.
     
    (PeteCresswell), Jan 15, 2015
    #16
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.