Ethereal-users: RE: [ethereal-users] damn runts, how do I find 'em

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Dragos Ruiu <dr@xxxxxxx>
Date: Wed, 11 Oct 2000 18:53:09 -0700

If you muck with drivers you can pull stats on runts and such off the
chipsets. Some of it may already be grabbable out of some drivers with 
the appropriate ioctl depending on the driver/os.

The last custom ethernet chipset implementation that I'm aware of in a 
sniffer was the Mythical (but expensive ;) HP4980(4972?) ethernet analyzer 
made by their Colorado Springs group that has now moved to Agilent. It is
reputed to be the only device ever capable of *really* handling 100%
utilization on the original Ethernet.

After that unit the cost of doing special chipsets became prohibitive 
so all the analyzer guys started using off the shelf chipsets like
everyone else.  In the early days a few had some board level tricks with
some custom features in chipsets in partnership with manufacturers,
but as the tide of new technologies steamrollered all the older interfaces
I think even these practices fell into disfavor. Some HW sniffer people put a
packet filtering preprocessor in front of them to offload the CPU (that's the
only thing that differentiates a box like the HP internet Advisor from an 
ordinary laptop with some fancy I/fs), but in theory, to a clever driver 
writer all the signals that are available in any hardware tool should also be
at your disposal for software tools. The same holds for the NAI HW Sniffers... 
they are essentially nothing more than SW, a PC and an FEP/interface with the
latter hardware allowing themselves to be called HW sniffers. But as laptops
get more powerful the need for those expensive dsp's and i960s
in front of the main cpu becomes smaller and smaller in typical
100mbps environments.

We'll repeat this cycle for gigabit.....

Some of the other commercial software analyzers grabbed stats
on these runt packets and such as I recall... but I can't remember
which ones.

cheers,
--dr



On Wed, 11 Oct 2000, Visser, Martin (SNO) wrote:
> I think you will find that no software tool will allow you to find runts (or
> errored frames, giants, collisions, etc). The NIC/driver will discard these
> before any OS gets a look. You really would need a dedicated hardware tool
> like Sniffer, that actually displays these types of packets by "best effort".
> 
> BTW, a switch will not forward received runts, so if the port on the hub is
> recording them, then it is somewhere on that physical link. Try changing
> cables or ports to see if it goes away. (Also fixing port speeds and the
> like can help)




-- 
Dragos Ruiu <dr@xxxxxxxxxx>   dursec.com ltd. / kyx.net - we're from the future 
gpg/pgp key on file at wwwkeys.pgp.net