

Well, analyzers are always 'out-of-band'. Taps themselves are deployed in-line with traffic but they send traffic to analyzers out-of-band.

So, for me it is more like out-of-band.

After reading my explanation above, why do you think using a TAP is out-of-band monitoring?

Additionally you can mirror (copy) packets to another port. The switch is there anyway, no matter if you want to capture traffic or not. The term "in-band" refers to something which is in the line of path of the traffic flow in question. And even in a bridge (also on a client/server), you'll have to copy the packets at some place to hand them over to the analyzer, which makes this an out-of-band operation as well (according to your definition). Both are kind of in-band (for me), because the regular packet flow is through these devices and they are only there (placed in-band) to capture the network traffic. I agree with your definition of in-band and out-of-band if we are talking about an IPS.

But the question was about Wireshark and I really don't see a substantial difference between a TAP and a bridge for a network monitoring/capturing solution. Then please post the link of the official definition of 'in-band' network monitoring in conjunction with a network sniffer -) I'm sorry Kurt, but that is not the correct understanding of those terms.

Ah well. The significance is that the receiver of the data can't interact in the packet flow at all (not desirable if this is an IPS), and on the other side it can't have any negative impact on the packet flow either (e.g. killing the memory on the server by running an unfiltered Wireshark trace of an aggressive file transfer). Repeated/mirrored traffic sent to an analyzer is out-of-band.

Wireshark installed locally on a server that is processing requests from a client in a flow you are trying to monitor is another example of in-band network monitoring, because the monitoring application is directly at the network card of the server and is in the active line of path for the data flow being monitored. One reason you might want to do that is if the analysis tool is a security appliance with IPS functionality and you want it to be able to take action based on its analysis of the packet flows. The term "in-band" refers to something which is in the line of path of the traffic flow in question - it does not have to have anything to do with the packet forwarding logic itself.

Analyzers definitely can be deployed in-band with the actual traffic being monitored. I'm sorry Kurt, but that is not the correct understanding of those terms. So if you look at it that way, there is no 'in-band' monitoring as the packets need to be 'copied' anyway to get to the analyzer -) Well, analyzers are always 'out-of-band' as they are not involved in forwarding the packets.
