tcpdump mailing list archives

Re: sniffing HTTP traffic to load-balancer on a


From: Andrej van der Zee <andrejvanderzee () gmail com>
Date: Tue, 2 Nov 2010 16:22:37 +0900

Hi,

Thanks for pushing me in the right direction.

I will have to find out the network-layout of our client somehow, but
most likely it is not directly connected to the WAN. Thanks again, I
will get back as soon as I have more info.

Cheers,
Andrej


On Tue, Nov 2, 2010 at 4:15 PM, Guy Harris <guy () alum mit edu> wrote:

On Nov 2, 2010, at 12:05 AM, Andrej van der Zee wrote:

The idea is to sniff all incoming/outgoing traffic on the WAN side of
the load-balancer,

Is the "WAN side" implemented as:

       some form of WAN (a T{n} or E{n} serial line, or an OC{n} or STM{n} optical link) going directly into the load balancer;

       an Ethernet coming out of some flavor of WAN-to-Ethernet router/switch/whatever;

       multiple Ethernets coming out of such a device;

       something else?

I mean all external traffic of users that visit the
web site hosted through the load-balancer. Does this change anything
regarding the use of "port mirroring"?

If the WAN side is a WAN going directly into the load balancer, and you want to capture traffic on the WAN side, that wouldn't be done with "port mirroring" unless the load balancer can funnel copies of all WAN-side traffic into an Ethernet port; in that case, you'd need to somehow capture on the WAN side, e.g. with a DAG card from Endace:

       http://www.endace.com/endace-dag-high-speed-packet-capture-cards.html

If it's an Ethernet or multiple Ethernets coming out of some routing device, it might be possible to have *that* device mirror the WAN traffic to a port - and if it's only one Ethernet, you could try just tapping that Ethernet.

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.


