Firewall Wizards mailing list archives

RE: RE: Sniffing out a firewall problem


From: "Chiman" <chiman () hawaiian net>
Date: Mon, 5 Nov 2001 12:58:13 -1000


Just a few points to consider in this, some will be obvious to a lot of
folks.

1.) In a switched environment, remember that a device on a single port won't
see broadcast packets on another port.

2.) Someone mentioned looking at the switch for colls; routers can also collect
logs on the "backbone", but be careful not to turn on too much logging and
kill the performance of the router.

3.) Lastly, remember that when snooping from a unix box you won't see errs or
outflowing traffic that *that* device (the one doing the snooping) is
creating.  snoop(1M), at least, looks outward.


-----Original Message-----
From: firewall-wizards-admin () nfr com
[mailto:firewall-wizards-admin () nfr com]On Behalf Of Robert McMahon
Sent: Sunday, November 04, 2001 8:09 AM
To: Ryan Russell; Peter Lukas
Cc: ayoung () veros com; firewall-wizards () nfr com
Subject: RE: [fw-wiz] RE: Sniffing out a firewall problem


Related to this is that hubs (which by their nature share a collision
domain) operate at only half-duplex.  I agree with Ryan, in that you have
to compare with total traffic.  I used to raise a flag (and look at
segmenting) when the collision rate was > 3-5 % in the days I used to run a hub
architecture.  I recall an O'Reilly book on "performance tuning" (has a
swordfish on the cover), which is a great book that addresses these concerns.

Switches are not subject to having "polite" conversations, therefore they can
listen and receive at the same time - full duplex.

/rm

-----Original Message-----
From: firewall-wizards-admin () nfr com
[mailto:firewall-wizards-admin () nfr com]On Behalf Of Ryan Russell
Sent: Saturday, November 03, 2001 8:39 PM
To: Peter Lukas
Cc: ayoung () veros com; firewall-wizards () nfr com
Subject: Re: [fw-wiz] RE: Sniffing out a firewall problem


On Sat, 3 Nov 2001, Peter Lukas wrote:

> You'll get some pretty useful stats. Typically, any system with Ierrs,
> Oerrs or Collis will be experiencing a problem. Check cables, duplex
> settings and of course, the card/switch port itself.

Please be careful about making blanket statements about collisions
automatically meaning problems.  On any connection that is supposed to be
half-duplex Ethernet-style, collisions are perfectly normal, and you have
to measure collisions against total traffic to even have a rudimentary
problem measurement.

Sorry, it's a pet peeve of mine.  When I used to be primarily a network
engineer, I would have systems administrators come to me and report that
the system was reporting collisions, please fix the network.  I'd reply
that it was running half-duplex.  <blank stare>

                                        Ryan

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
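The thread's rule of thumb (collisions only mean something relative to total traffic and only on a half-duplex link; any Ierrs/Oerrs point at cable, duplex or port) as an added example, not code from anyone in the thread. It parses constructed Solaris-style `netstat -i` output; the per-interface duplex setting is assumed to be known from the switch or ifconfig, since `netstat -i` does not report it.

```python
from typing import Dict, List

# Constructed sample of Solaris-style `netstat -i` output (not from the thread).
SAMPLE_NETSTAT_I = """\
Name  Mtu  Net/Dest      Address        Ipkts   Ierrs Opkts   Oerrs Collis Queue
lo0   8232 loopback      localhost      120000  0     120000  0     0      0
hme0  1500 fw-inside     fw-inside      845000  0     610000  0     24000  0
qfe0  1500 fw-outside    fw-outside     530000  412   498000  7     2100   0
"""

# Lower bound of the 3-5 % collision rate Robert used as a segmenting trigger.
HALF_DUPLEX_COLLISION_WARN = 0.03


def parse_netstat_i(text: str) -> List[dict]:
    """Turn the interface table into dicts with integer counters."""
    lines = text.strip().splitlines()
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        fields = line.split()
        if len(fields) != len(header):
            continue  # not a complete interface row
        row = dict(zip(header, fields))
        for key in ("Ipkts", "Ierrs", "Opkts", "Oerrs", "Collis"):
            row[key] = int(row[key])
        rows.append(row)
    return rows


def assess(row: dict, half_duplex: bool) -> List[str]:
    """Findings for one interface. Collisions are measured against packets
    sent; they are normal on half-duplex and should not occur on full-duplex."""
    findings = []
    rate = row["Collis"] / row["Opkts"] if row["Opkts"] else 0.0
    if half_duplex:
        if rate > HALF_DUPLEX_COLLISION_WARN:
            findings.append(f"collision rate {rate:.1%} exceeds "
                            f"{HALF_DUPLEX_COLLISION_WARN:.0%}: look at segmenting")
    elif row["Collis"]:
        findings.append("collisions on a full-duplex link: check duplex settings")
    if row["Ierrs"] or row["Oerrs"]:
        findings.append(f"Ierrs={row['Ierrs']} Oerrs={row['Oerrs']}: "
                        "check cables, duplex settings, card/switch port")
    return findings


def report(text: str, half_duplex: Dict[str, bool]) -> Dict[str, List[str]]:
    """Map interface name -> findings; unknown interfaces are assumed half-duplex."""
    return {r["Name"]: assess(r, half_duplex.get(r["Name"], True))
            for r in parse_netstat_i(text) if r["Name"] != "lo0"}
```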

