Datacom Systems, Inc. graciously loaned me a SINGLEstream SS-1204BT/BT-S Link Aggregation TAP to test, so I’d like to share a write-up of my review in case it’s helpful for anyone investigating or wanting to learn more about aggregating TAPs, or preparing to use this or one of Datacom Systems’ other TAP products.
The SS-1204, like the rest of the TAPs in the SINGLEstream series, is an ‘aggregating’ TAP – which in this case means that either or both of the two monitor ports (ports 3 and/or 4) can each receive copies of traffic from *both* sides of the full duplex conversations flowing through ports 1 & 2.
SINGLEstream series TAPs are available with up to 12 ports (4 ports for 2 inline connections, 8 ports that can monitor the first 4), supporting 10/100/1G copper and SX/FX fiber, and one model that supports 10G. The TAP has a sturdy aluminum chassis and comes with a mounting bracket on one side to support installation in a rack mount kit. There are two medium sized brick power supplies and two power receptacles on the TAP for redundant power. SINGLEstream TAPs can also support secure SSH connections and SNMP v3 with proper setup.
From Datacom Systems’ product literature Overview:
The SINGLEstream SS-1204BT-BT-S Link Aggregation Tap is inserted inline (ports 1 and 2) and will collect traffic from a network link and allow you to combine it into a single output. With 2 monitoring ports (3 and 4), you can have 2 copies of that aggregate data, or when link utilization is high, keep the full duplex streams separate. For additional flexibility, the monitor ports can also receive traffic from an external mirror port or another tap, providing you the ability to tap a link and add other traffic into a single output port. See more at:
The most common and useful purpose of a link aggregation feature is to allow a single monitoring device – such as a workstation with Wireshark and a single NIC installed – to see both sides (TX & RX) of the full duplex conversations flowing through ports 1 & 2 with just the one NIC. This avoids the need to use two capture devices to get both sides of the conversations, and then having to merge the two capture files together into one file to allow a normal analysis.
This works very well unless the combined load in both directions exceeds the port speed of the monitor port (called ‘over-subscription’), in which case some packets might be discarded and foul the analysis. If over-subscription is a problem, you can attach a monitor / capture device to each of the two monitor ports (i.e., two Wireshark stations) and configure the SS-1204 to send TX packets from port 1 to one of the monitor ports and TX packets from port 2 to the other monitor port; you’ll have to merge the two capture files afterwards to allow a normal analysis.
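To judge whether a link is a candidate for over-subscription, an average load figure is not enough, because a short burst in one direction can push the combined stream past the monitor port's speed. The following is an added example, not part of the original review or Datacom's software: it buckets frames from both directions into short windows and reports the windows in which the offered load exceeds what the monitor port can carry. The sample traffic, function names, and 1 ms window are assumptions made for the illustration.

```python
from collections import defaultdict

# Bytes each frame occupies on the wire beyond the frame itself:
# 7-byte preamble + 1-byte start delimiter + 12-byte inter-frame gap.
WIRE_OVERHEAD = 20

def offered_bits(frame_len):
    return (frame_len + WIRE_OVERHEAD) * 8

def oversubscribed_windows(frames, monitor_bps, window_us=1000):
    """frames: iterable of (ts_us, direction, frame_len_bytes incl. FCS).
    Returns [(window_start_us, bits_offered, bits_capacity)] for each window
    where both directions together exceed what the monitor port can carry."""
    per_window = defaultdict(int)
    for ts_us, _direction, frame_len in frames:
        per_window[ts_us // window_us] += offered_bits(frame_len)
    capacity = monitor_bps * window_us // 1_000_000
    return [(w * window_us, bits, capacity)
            for w, bits in sorted(per_window.items()) if bits > capacity]

def average_bps(frames):
    frames = list(frames)
    span_us = max(f[0] for f in frames) - min(f[0] for f in frames)
    return sum(offered_bits(f[2]) for f in frames) * 1_000_000 // span_us

def build_sample():
    """Constructed sample (not a real capture): 100 ms on a 1 Gbps link."""
    frames = []
    for w in range(100):                      # port 1 TX: steady 20 frames/ms
        frames += [(w * 1000 + i * 50, "port1", 1518) for i in range(20)]
    # port 2 TX: idle except one 70-frame burst in the 41st millisecond
    frames += [(40_000 + j * 14, "port2", 1518) for j in range(70)]
    return frames

if __name__ == "__main__":
    sample = build_sample()
    print("average offered load: %d bps" % average_bps(sample))
    for start, bits, cap in oversubscribed_windows(sample, 1_000_000_000):
        print("window @%d us: %d bits offered, %d bits capacity" % (start, bits, cap))
```

In the constructed sample the average load is about a quarter of the monitor port's speed, yet one window offers more bits than the port can send; whether those frames are buffered or discarded depends on the TAP.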
Wireshark supports merging capture files using the mergecap.exe utility located in the Wireshark program files directory (Wireshark: Help | About Wireshark | Folders | System (double-click the link to go directly to the correct directory)). Type mergecap -h from a CMD prompt for help.
My friend Jasper Bongertz (blog.packet-foo.com) has pointed out that you should avoid doing captures on two machines because of the difficulties of synchronizing the clocks, and the related inability to properly merge the two traces together. A better alternative is to use one machine with two NICs, which probably calls for a capture appliance capable of handling the peak loads of up to 2 x 1Gbps. Thanks, Jasper!
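The clock problem can be made concrete with TCP itself: an ACK can never pass the TAP before the data it acknowledges, so a merged trace in which that happens proves the two capture clocks disagree. The following is an added example, not from the original post or from Wireshark: it merges two per-direction traces by timestamp (mergecap's default ordering) and, going a step beyond the text, derives a lower bound on the clock lag. The packet records and function names are constructed for the illustration.

```python
import heapq

def pkt(ts_us, src, seq, seq_len, ack=None):
    # seq_len = sequence space consumed (payload bytes; SYN and FIN count as 1)
    return {"ts": ts_us, "src": src, "seq": seq, "len": seq_len, "ack": ack}

def merge_by_timestamp(trace_a, trace_b):
    """Order frames purely by timestamp, which is what mergecap does by default."""
    return list(heapq.merge(trace_a, trace_b, key=lambda p: p["ts"]))

def causality_violations(sender, acker):
    """(ack_number, microseconds) for every ACK stamped earlier than the
    first transmission of the data it acknowledges."""
    first_sent = {}
    for p in sender:
        first_sent.setdefault(p["seq"] + p["len"], p["ts"])
    return [(p["ack"], first_sent[p["ack"]] - p["ts"])
            for p in acker
            if p["ack"] in first_sent and p["ts"] < first_sent[p["ack"]]]

def clock_lag_lower_bound(sender, acker):
    """The acker-side capture clock is behind by at least this many microseconds."""
    return max((gap for _ack, gap in causality_violations(sender, acker)), default=0)

# Constructed sample: one TCP exchange seen at the TAP, client direction on
# one monitor port and server direction on the other.
CLIENT = [pkt(1_000_000, "client", 1000, 1),            # SYN
          pkt(1_000_800, "client", 1001, 0, 5001),      # ACK
          pkt(1_000_900, "client", 1001, 200, 5001),    # request
          pkt(1_003_300, "client", 1201, 0, 6001)]      # ACK of response
SERVER_ONE_CLOCK = [pkt(1_000_400, "server", 5000, 1, 1001),     # SYN-ACK
                    pkt(1_002_900, "server", 5001, 1000, 1201)]  # response
# Same frames captured on a second machine whose clock runs 3 ms behind.
SERVER_SKEWED = [dict(p, ts=p["ts"] - 3000) for p in SERVER_ONE_CLOCK]

if __name__ == "__main__":
    for label, server in (("one clock", SERVER_ONE_CLOCK), ("two clocks", SERVER_SKEWED)):
        order = [p["src"] for p in merge_by_timestamp(CLIENT, server)]
        print(label, order, "lag >=", clock_lag_lower_bound(CLIENT, server), "us")
```

With the skewed clock the merged trace shows the SYN-ACK and the response ahead of the SYN, and the check reports a lag of at least 2600 µs; the true 3 ms offset is larger because the bound can only see as far as the server's reply delay allows.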
I set up the SS-1204 in a fairly straightforward configuration: placing the TAP inline between a switch and a user workstation using ports 1 & 2, and attaching a Wireshark workstation to port 4. This is a configuration often used to capture user interactions with an application during troubleshooting and/or performance analysis activities.
Upon powering up the TAP, and if it isn’t already inline with a network path (nothing plugged into ports 1 and 2) the unit will periodically ‘click’, which is a relay switching back and forth from the LinkProtect feature – in case of total power failure to the TAP ports 1 and 2 remain connected together so the link isn’t broken. If the TAP detects a loss of link status on one of the inline ports the relay closes the connection on the other port so that routers and switches can detect the link failure and engage protocols to bypass the failed path. If link status is restored on both ports, the TAP will re-establish the link.
TAP Configuration – Connecting to the TAP
You must configure the TAP before using it. You can use the serial cable connection on the back of the unit (a cable is provided), or plug an Ethernet cable (2 are provided) into the front panel Management port. In either case you’ll use a Telnet capable utility such as HyperTerminal, Tera Term, or PuTTY to communicate with the TAP. I used Tera Term; the image below illustrates starting a connection to the TAP, the next image depicts changing the setup (Setup | Terminal -> change New-line Receive: and Transmit: settings from CR to CR+LF) to work better with the TAP. After making changes in Tera Term, select Setup | save setup… and click Save to record the changes in the TERATERM.INI file (default) or create a new config file.
Out of the box the SS-1204 is configured with IP address 192.168.1.1. Since I was testing on the ‘home’ side of my network which has a default router that is configured as 192.168.1.1, I connected an isolated workstation and configured its NIC for a 192.168.1.x address; after logging into the TAP using the 192.168.1.1 address I changed the TAP’s IP address to 192.168.1.10, terminated the connection (by typing ‘exit’), and reconnected using the .10 address.
TAP Configuration – Configuring the IP Address
After connecting to the TAP you’ll be prompted to log in; the default login is Administrator with password admin. To change any of the configuration options in the TAP you’ll need to be at SuperUser level; type su and enter the default password of password.
After achieving SU level, you can change the IP address using the se ip xxx.xxx.xxx.xxx command as illustrated above, then close the connection and re-connect using the new IP. If you need to change the subnet mask and default gateway as well, the commands are:
se ip xxx.xxx.xxx.xxx
se su xxx.xxx.xxx.xxx
se ga xxx.xxx.xxx.xxx
You’ll then disconnect / reconnect with the new IP configuration, and perhaps you’ve connected the TAP to the network so you can get into it remotely.
TAP Configuration – Configuring the Monitor Port(s)
Assuming you’ve put the TAP inline using ports 1 and 2, you’ll want to configure ports 3 and/or 4 for monitoring. In the example below, port 4 has been configured to monitor ports 1 and 2 so the Wireshark workstation attached to port 4 sees both sides of the full duplex conversations:
I experimented with various port monitoring settings – copying packets to port 3, both 3 and 4, and just from port 1 or 2 to one of the monitor ports, watching my Wireshark screen – everything worked as I expected it to.
Overall, the SS-1204BT-BT-S Link Aggregating TAP is a very solid product that works as expected and should survive being dragged around as an as-needed TAP for packet analysis. The larger SINGLEstream and other series of TAPs belong in data centers – there’s a growing trend towards installing configurable, aggregating, multiple monitor-port TAPs in the data centers to support on-going and ad-hoc monitoring for security, troubleshooting, and performance analysis – I hope this trend continues. Having a monitor port readily available to analyze an issue without having to schedule downtime to install a TAP or arrange for a mirrored switch port is a huge time and effort saver.
If you need more info or pricing, contact:
Robert (Bob) Perriello
+1 (315) 372 1159
Other Configuration Options
Some of the most immediately useful commands w/ examples include:
help — (shows available commands)
show — (shows product firmware and mgmt port settings)
se po sp 3 AUTO — (set port 3 speed to AUTO, 1000FULL, 100FULL)
se po mo 3 from 1,2 — (copies traffic from ports 1 and 2 to port 3)
se po mo 4 from 1,2 — (copies traffic from ports 1 and 2 to port 4)
se po mo 3 from 1 — (copies traffic from port 1 to port 3)
se po mo 3 off — (stops copying packets to port 3)
exit — (terminates the telnet connection and saves the current configuration)
A number of examples of other configuration options are provided in the SS-1204BT-BT-S FASTstart.pdf and SS-1204_1208_1210 SINGLEstream Manual.pdf documents located at:
The full set of available commands includes:
ADD USER AD US — Add User
DELETE USER DE US — Delete User
EDIT USER ED US — Change Username/Password
EXIT EX — Exit Shell
HELP HE / ? — Show Help
POWER STATUS PO ST — Show Power Supply Status
SET DATE SE DA — Set System Date
SET GATEWAY SE GA — Set Default Gateway
SET IP SE IP — Set IP [subnet mask] [default gateway]
SET LINK PROTECT SE LP — Set Link Protect parameters
SET PING SE PI — Set Ping ON or OFF
SET PORT GROUP SE PO GR — Set Group Name
SET PORT MONITOR SE PO MO — Set Monitor Configuration
SET PORT NAME SE PO NA — Set Port Name (max 32 bytes)
SET PORT SPEED SE PO SP — Set Port Speed
SET PORT VTAG SE PO VT — Set Port VTAG Stripping
SET PORT VTAP SE PO VP — Set Port VTAP
SET PROMPT SE PR — Set Command Prompt (max 32 bytes)
SET SNMPv3 SE V3 — Set SNMP ON or OFF
SET SNMPv3 SUPERUSER SE V3 SU — Set SNMP SuperUser Parameters
SET SSH SE SH — Set SSH ON or OFF
SET SSH KEY SE SH KY — Set SSH Key
SET SUBNET SE SU — Set Subnet Mask nnn.nnn.nnn.nnn
SET TCP PORT SE TC PO — Set TCP Port
SET TELNET SE TE — Set Telnet ON or OFF
SET TIME SE TI — Set System Time
SET UPGRADE SE UP — Set Upgrade ON or OFF
SHOW SH — Show All Current Configurable Values
SHOW GROUPS SH GR — Show Group Configuration
SHOW MANAGEMENT SH MA — Show Management Configuration
SHOW PORT CONFIG SH PO CO — Show Port Configuration
SHOW PORT ROUTING SH PO RO — Display Routing Summary
SHOW PRODUCT SH PR — Show Product Name and Serial Number
SHOW TIME SH TI — Show System Date and Time
SHOW USERS SH US — Display Users
SU SU — Enter Superuser Mode
SU SET PASSWORD SU SE PA — Set Superuser Password