Re: sniffing HTTP traffic to load-balancer on a

[Guy Harris <guy () alum mit edu>]

On Nov 2, 2010, at 12:05 AM, Andrej van der Zee wrote:

> The idea is to sniff all incoming/outgoing traffic on the WAN side of
> the load-balancer,

Is the "WAN side" implemented as:

        some form of WAN (a T{n} or E{n} serial line, or an OC{n} or STM{n} optical link) going directly into the load 
balancer;

        an Ethernet coming out of some flavor of WAN-to-Ethernet router/switch/whatever;

        multiple Ethernets coming out of such a device;

        something else?

> I mean all external traffic of users that visit the
> web site hosted through the load-balancer. Does this change anything
> regarding the use of "port mirroring"?

If the WAN side is a WAN going directly into the load balancer, and you want to capture traffic on the WAN side, that 
wouldn't be done with "port mirroring" unless the load balancer can funnel copies of all WAN-side traffic into an 
Ethernet port; in that case, you'd need to somehow capture on the WAN side, e.g. with a DAG card from Endace:

        http://www.endace.com/endace-dag-high-speed-packet-capture-cards.html

If it's an Ethernet or multiple Ethernets coming some routing device, it might be possible to have *that* device mirror 
the WAN traffic to a port - and if it's only one Ethernet, you could try just tapping that Ethernet.-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.