Several types of products are available to facilitate traffic capture and protocol decoding. The traditional implementation is a special-purpose hardware-based product that can capture and decode frames. Such devices are often portable PCs with high-speed expansion slots for add-in cards. Special add-in cards are used in place of conventional network cards to ensure that traffic can be captured at high throughput rates with no frame drops. Special capture/decode software is pre-loaded by the vendor, and administrators do not install any additional software. This type of device can be inserted in-line, connected to a signal splitter, or connected to an SD port on a switch produced by Cisco Systems.
A similar but less expensive solution is a software-based traffic capture and decode product. Several such products are available; some must be purchased, and some are free. The best-known free product is Ethereal. Ethereal is a GUI-based open source package that has very robust capabilities. Software-based products can be installed on any PC and use any conventional network card, but the performance characteristics of the PC hardware and network card determine the reliability of the traffic capture process. In some cases, frames are dropped during capture because the PC hardware or conventional network card is incapable of receiving frames at high speeds. For this reason, administrators are advised to install a dedicated network card for traffic capture rather than using a single network card for all purposes. This type of solution can be inserted in-line, connected to a signal splitter, or connected to an SD port on a switch produced by Cisco Systems. Because of the potential for dropped frames, administrators are advised not to use this type of solution in-line.
Another option is to separate the traffic capture function from the protocol decode function. That is the case with the Cisco Systems FC Port Analyzer Adapter (PAA). The PAA is supported with the MDS9000 family of switches. The PAA is a small special-purpose device with one FC interface and one Ethernet interface. The FC interface is attached to an MDS9000 switch port configured as an SD port. The Ethernet interface is typically connected via straight-through cable to a dedicated Ethernet NIC in a PC that has a software-based protocol decode package installed. Alternatively, the Ethernet interface can be connected to an Ethernet switch via cross-over cable, but the PC with a software-based protocol decode package must be connected in the same Ethernet broadcast domain. Currently, only Ethereal is supported. The PAA captures FC frames, encapsulates them in Ethernet frames, and then forwards the Ethernet frames to the PC. The Ethernet frames are de-encapsulated by Ethereal, and then the FC frames are decoded by Ethereal.
A fourth option is to integrate a software-based traffic capture and decode product into the control plane of a switch. That is the case with the MDS9000 family. The text-based implementation of Ethereal (called Tethereal) is built into the operating system of the MDS9000 family (called SANOS). This feature is called the Cisco Fabric Analyzer. It can be used to capture and decode control traffic such as FLOGI requests and RSCNs. Captured frames can be decoded in real time, saved to a file for future decoding, or encapsulated in TCP/IP and forwarded in real time to a PC that has Ethereal installed.
A fifth option is to integrate a hardware-based capture and decode product into a switch. That is the case with the Cisco Systems Network Analysis Module (NAM). The NAM is available for the Catalyst family of switches. The NAM can capture and decode frames from multiple ports simultaneously. The NAM provides access to the decoded frames via an integrated web server.