Ethereal-dev: [Ethereal-dev] Capturing from multiple interfaces, and why we need this.

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Ulf Lamping <ulf.lamping@xxxxxx>
Date: Sun, 01 Feb 2004 12:03:02 +0100

Hi List!

Currently, Ethereal can only capture from one interface at once.

To be able to capture on a full duplex Ethernet without interfering with the net, you have to think about how to do this. As some of my colleagues are doing network troubleshooting, they have a problem here.

The usual network troubleshooter will connect a notebook to the existing Ethernet "somehow". It's preferable to change the existing network as minimally as possible, as it will modify the network itself, and the network professionals at that place will not be pleased if you install several new hardware components to their network, so:

a) if you use a hub, this will switch back the connection to half duplex
b) if you add a manageable switch (with a monitoring port), this will change the network configuration and these devices are sometimes not easy to configure themselves (so you add another point of failure)
c) add a network tap

To c): a network tap is plugged between a switch and the device under test and will be (almost) passive to the measured network. It will hand out both directions of the full duplex connection with two Ethernet plugs. So if you want to capture now, you must do this from two Ethernet interfaces at once.

BTW: we might need a HowTo, which describes the possible ways for connecting Ethereal to an existing network, as this isn't obvious for some (network novice) users.

Now Ethereal comes into the discussion:

a) you cannot capture from multiple interfaces at once :-(((
b) you can capture using multiple instances of Ethereal and merge them together using mergecap, but that's very uncomfortable :-(
c) as far as I know, on unix (linux only?) you can use an "all" interface, which will capture from all interfaces at once. But as I (and "my users") usually use the Win32 platform, this doesn't help me very much :-(
d) use a completely different tool for capturing and doing only the analyzing in Ethereal, but that's not very comfortable, too :-(

As it's been one strong criterion against Ethereal and for some other analyzer, I'm thinking about how this could be changed.
I currently see the following solutions (most interesting first):

a) enable Ethereal to capture from multiple interfaces at once and do the merging "on the fly"
b) enable Winpcap to support the "all" interface, like in the unix versions
c) integrate a separate capture tool into the GUI, which is capable of doing multiple interface capturing


I understand this might be a lot of work, but as this is a limitation and becoming more and more a criterion for not using Ethereal at all, I think this effort should be spent.

Before doing anything on the code, I would like to hear some comments about this.

Regards, ULFL
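
The merge step the message describes for the two outputs of a network tap, as an added example that is not part of the original post and is not Ethereal or mergecap code. It assumes classic microsecond-resolution pcap files, that each per-interface capture is already in time order, and that both were timestamped by the same clock; the function names are hypothetical.

```python
import heapq
import struct

MAGIC_USEC = 0xA1B2C3D4  # classic pcap, microsecond timestamps

def read_pcap(data):
    """Return (linktype, snaplen, [(timestamp_in_usec, orig_len, payload), ...])."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    for endian in ("<", ">"):  # the magic number tells us the writer's byte order
        if struct.unpack(endian + "I", data[:4])[0] == MAGIC_USEC:
            break
    else:
        raise ValueError("not a microsecond-resolution pcap file")
    _, _, _, _, _, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    records, off = [], 24
    while off + 16 <= len(data):
        sec, usec, incl, orig = struct.unpack(endian + "IIII", data[off:off + 16])
        payload = data[off + 16:off + 16 + incl]
        if len(payload) < incl:  # capture cut off mid-packet: drop the partial record
            break
        records.append((sec * 1_000_000 + usec, orig, payload))
        off += 16 + incl
    return linktype, snaplen, records

def merge_pcaps(*captures):
    """Merge per-interface captures into one little-endian pcap, ordered by timestamp."""
    parsed = [read_pcap(c) for c in captures]
    linktypes = {p[0] for p in parsed}
    if len(linktypes) != 1:
        raise ValueError("captures use different link types: %s" % sorted(linktypes))
    snaplen = max(p[1] for p in parsed)
    out = [struct.pack("<IHHiIII", MAGIC_USEC, 2, 4, 0, 0, snaplen, linktypes.pop())]
    # Inputs are assumed time-ordered, so a k-way merge suffices; ties keep input order.
    for ts, orig, payload in heapq.merge(*(p[2] for p in parsed), key=lambda r: r[0]):
        out.append(struct.pack("<IIII", ts // 1_000_000, ts % 1_000_000, len(payload), orig))
        out.append(payload)
    return b"".join(out)

def make_pcap(endian, packets):
    """Build a constructed sample capture (Ethernet, link type 1) from (sec, usec, payload)."""
    blob = struct.pack(endian + "IHHiIII", MAGIC_USEC, 2, 4, 0, 0, 65535, 1)
    for sec, usec, payload in packets:
        blob += struct.pack(endian + "IIII", sec, usec, len(payload), len(payload)) + payload
    return blob

# Constructed sample data: the two directions of one link, as a tap would deliver them.
TAP_A = make_pcap("<", [(10, 100, b"req-1"), (10, 900, b"req-2")])
TAP_B = make_pcap(">", [(10, 500, b"resp-1"), (11, 0, b"resp-2")])
```

If the two directions are captured on different machines, clock offset between them will reorder requests and responses in the merged file, so the interleaving is only as trustworthy as the timestamps.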