I’ve been fortunate enough to be allowed the purchase of a couple of network taps.
I was in the market for something portable to pick up traffic with my laptop wherever I would be. The relationship between price and functionality led me to choose the ProfiShark 1G from ProfiTap.
I have had a few questions regarding settings (I’ll try to clear up those in this post) and their head of R&D was more than willing to answer my questions – appreciated Laurent!
A few words about the ProfiShark 1G tap:
- Fairly inexpensive (mind you no hardware like this is cheap!)
- Uses USB3.0 to capture traffic – lets you have full use of your computer’s NIC while capturing.
- Hardware timestamps accurate to 8ns
- Hardware aggregating – meaning it will give you the full bandwidth of the connected devices. Max 1Gbps in each direction at the same time gives you 2Gbps of data – no problem for the USB3.0 interface (which has a maximum bandwidth of 5Gbps)
- No need for external power – it is provided through USB3.0
(you can however buy an external power supply if you need one)
- Works 100% in pass-through mode when power fails.
When power fails the link will go down for a period from 30ms up to 2 seconds (the latter if the link needs to be renegotiated)
- Small size/light weight: 69mm x 124mm x 24mm (2.72″ x 4.88″ x 0.94″)
- Automatically sets speed at 10/100/1G according to the connected devices’ capabilities
Why use a TAP as opposed to a regular NIC?
- A TAP enables capture off a NIC as it is “booting” – that means you get absolutely everything that goes to/from that network interface card from the very start. That would not be possible capturing off a local NIC, because the operating system will need to see the NIC as active before you can capture traffic off it with Wireshark.
- A TAP will capture faulty frames (bad CRC frames are never picked up when you capture from the NIC)
- TCP Offloading means the NIC chops up a large packet and sends it across the wire in several frames of appropriate size.
Capturing traffic off the local NIC will wrongly show you this one large packet as one huge frame (a huge frame could be a Jumbo Frame, but is more likely the result of a NIC using TCP Offloading).
Using a tap you will see the actual pieces/frames that cross the wire after the NIC chopped up the original packet.
- Note that the 8ns timestamp can throw you off – frames are stamped as they arrive on the wire and a large frame going in one direction will spend an equal amount of time passing through the TAP as several small packets going in the reverse direction.
It can sometimes be mind-boggling to make sense of timestamps and the order frames are listed in Wireshark.
Let’s have a look at the tap itself:
Figure 1: ProfiShark 1G tap
I have instructions taped onto the body for quick reference.
To the left are the cables from the client/server (green/gray) that the tap will listen to and to the right is the USB cable going to my monitoring computer (which has ProfiShark Manager installed).
The difference between Live and Direct Capture modes:
Live Capture mode:
Packets are captured the same as with any other NIC, and they are passed from the tap to the capture driver of the OS before capturing software (I use Wireshark) reads it.
Note: You can choose whether or not to use 8ns hardware timestamping. Refer to the part below about timestamping to understand how this affects the way frame timestamps are displayed in Wireshark.
Direct Capture mode:
The tap dumps packets straight to disk.
There is no need for third-party packet capture software.
This mode facilitates capture of small size frames at wire speed.
Note: Packets are always stamped with the 8ns hardware timestamp of the tap.
Refer to the part below about timestamping to understand how this affects the way frame timestamps are displayed in Wireshark.
Installation of the tap is a two-stage process.
First, install the necessary software to make the tap show up as a network adapter/NIC in Wireshark.
To do this you run the Profishark_1.3.26.exe file found on the accompanying USB stick (or download from www.profishark.com).
Secondly, you need to install the ProfiShark dissector to be able to read 8ns hardware timestamps in Live capture mode.
To install the ProfiTap dissector, you must copy the correct version of the profishark.dll to ‘C:/Program Files/Wireshark/plugins/[wireshark_version]/’
32-bit Windows -> x86 version dll
64-bit Windows -> x64 version dll
8ns hardware timestamps
Without this dissector (or if it is disabled) in Wireshark you will have timestamps flying all over the place when looking at traces taken with hardware timestamping in Live capture mode!
It is extremely important that you enable/disable the dissector as you work with traces that have/have not hardware timestamps!
Use the following table to see when to enable and when to disable the ProfiShark 1G dissector in Wireshark:
Again: failure to enable/disable the dissector will result in erroneous timestamps on frames in Wireshark!
You find the dissector in Wireshark (v.2.2.2) under:
Edit – Preferences – Protocols – ProfiShark
A word about the “Keep CRC32” setting in ProfiShark Manager:
The tap sees the 4-byte frame check sequence (FCS), also called the Cyclic Redundancy Check (CRC), that makes up the tail end of the frame as it reaches the tap from the wire. When you capture from a local NIC or use Live Capture mode with ProfiShark 1G, this FCS/CRC will already have been stripped off by the NIC/TAP – meaning all frames seen in captures were originally 4 bytes longer when they were traversing the wire.
When you use ProfiShark 1G in Direct Capture mode and leave the “Keep CRC32” unchecked, all frames will be passed on without the FCS/CRC. The trace files will contain both the wire size and captured size of each frame.
There will always be a 4 byte gap between these two sizes, and Wireshark will report this as [Packet size limited during capture] for some protocols.
When you use the TAP for Live capture, the setting seems to have no influence – the TAP reports the captured frame size and seems to have no knowledge of the wire frame size.
I always leave “Keep CRC32” checked to avoid frame size mismatches between wire size and captured size.
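To see what the “Keep CRC32” setting changes in a trace file, here is an added example (my own illustration, not ProfiTap code) that walks a classic pcap, reports the wire-size/captured-size gap per frame and, where the 4-byte FCS was kept, verifies it as Wireshark does: CRC-32 over everything from the destination MAC through the payload, stored least-significant byte first. The two-frame pcap it parses is constructed inline: one frame with the FCS kept (gap 0), one with it stripped (gap 4).

```python
import struct
import zlib

PCAP_MAGIC = 0xA1B2C3D4   # classic little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def ethernet_fcs(frame_without_fcs: bytes) -> bytes:
    """IEEE 802.3 FCS: CRC-32 over dst MAC..payload, transmitted LSB first."""
    return struct.pack("<I", zlib.crc32(frame_without_fcs) & 0xFFFFFFFF)


def iter_pcap_records(data: bytes):
    """Yield (caplen, wirelen, frame) for each record of a classic pcap file."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic != PCAP_MAGIC:
        raise ValueError("only little-endian classic pcap is handled here")
    off = 24  # skip the global header
    while off + 16 <= len(data):
        _sec, _usec, caplen, wirelen = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield caplen, wirelen, data[off:off + caplen]
        off += caplen


def check_frames(data: bytes):
    """Per frame: the wire/captured gap and, if the FCS is present, whether it verifies."""
    results = []
    for caplen, wirelen, frame in iter_pcap_records(data):
        gap = wirelen - caplen            # 4 means the FCS was stripped ("Keep CRC32" off)
        fcs_ok = None                     # unknown when the FCS is not in the capture
        if gap == 0 and len(frame) > 4:   # FCS kept: last 4 bytes must match the CRC
            fcs_ok = ethernet_fcs(frame[:-4]) == frame[-4:]
        results.append({"caplen": caplen, "wirelen": wirelen, "gap": gap, "fcs_ok": fcs_ok})
    return results


def build_sample_pcap() -> bytes:
    """Constructed sample: frame 1 with FCS kept, frame 2 with FCS stripped."""
    eth_hdr = bytes.fromhex("ffffffffffff" "001122334455" "0800")  # constructed MACs
    body = eth_hdr + bytes(range(46))                               # minimum-size payload
    global_hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    with_fcs = body + ethernet_fcs(body)
    rec1 = struct.pack("<IIII", 1, 0, len(with_fcs), len(with_fcs)) + with_fcs
    rec2 = struct.pack("<IIII", 1, 8, len(body), len(body) + 4) + body  # wirelen = caplen + 4
    return global_hdr + rec1 + rec2
```

A frame whose FCS is kept but fails verification is exactly the bad-CRC frame a local NIC would have dropped before Wireshark ever saw it.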
A very nice size tap that does what it is supposed to.
The documentation leaves a lot to be desired, but hopefully this post will get you up to speed a lot faster than I was.
Do get in touch if you have questions or comments!