Breaking out single connection to many for monitoring

David Jager jager at
Thu Sep 4 17:11:08 GMT 2003

We're just wondering how others accomplish the task of breaking out a single
network connection, such as an institution's Internet connection, to multiple
connections for the purpose of attaching various monitoring devices such as
sniffers, argus boxes, ids boxes, etc. We currently use a NetOptics passive
fiber tap in our uplink, then aggregate the Rx & Tx traffic in a dedicated
switch via port mirroring, and then on to a 100 Mbps hub for distribution to our
various monitoring devices. This has served us reasonably well for our current
bandwidth which averages less than 30 Mbps (what we can afford), but the
question on our minds is how to prepare for higher bandwidths and ensure no
dropped packets or other issues for the monitors. I have read various threads on
concerns about dropped packets using port mirroring and others on the
questionable use of hubs in this type of scenario. I have looked at the
NetOptics 2x1, 4x1, 8x1 regeneration taps, but each of the multiple outputs
require that the Rx & Tx streams be aggregated in a separate device, and this
certainly increase the cost.

Also, what if you are multi-homed & have to aggregate more than one (internet)
connection into your monitoring?

How does everyone currently accomplish this very necessary task in a reliable
and cost-effective manner? Any input would be appreciated.


David Jager
IT Network Services
University of Calgary

