On Wed, Nov 05, 2003 at 09:59:17PM -0800, p p wrote:
> I am running Ethereal 0.9.15 on two computers sitting on the same LAN.
> The difference is that one PC is installed with windows XP, the other is
> Linux. The summary data reported from the two computers was different.
> Say, one gives me TCP 80, while the other gives me TCP 158. Other
> protocol statistics seem the same.
>
> Have you ever met this phenomenon? Are they supposed to give me the
> same result, right?
No. They're supposed to give results based on the packets that were
captured, and there's no guarantee that, at least on a switched LAN, two
machines on the same LAN will see the same traffic - in fact, there's no
guarantee that a packet capture program running on a machine on a
switched LAN will see any traffic other than;
traffic sent by the machine;
traffic sent to the MAC address of the machine's interface on
that LAN;
broadcast traffic;
multicast traffic.
In particular, there's no guarantee that it'll see unicast traffic sent
by another machine on the LAN to another machine on the LAN - and TCP
traffic is unicast traffic.
Similar problems can occur with a dual-speed hub.
See
http://www.ethereal.com/faq.html#q5.1