Ethereal-users: Re: [Ethereal-users] Full Duplex Passive Sniffing

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Ronnie Sahlberg" <ronnie_sahlberg@xxxxxxxxxxxxxx>
Date: Fri, 16 May 2003 19:14:20 +1000
To do it completely passively you can either configure the switch to set up two span/mirror ports and tell the switch to copy the traffic in each direction to these two ports. You then connect one ethernet card on your sniffer to each of the two span ports of the switch and capture from both interfaces simultaneously (using the ALL device on linux, or merging two independent captures post-capture using mergecap).

You can also do completely passive inline sniffing using special cables to drop the traffic. This can be made with special cables where you just drop the signals to RX on your network card and make sure you don't connect TX of your network card to the link.

You can also do passive sniffing using a hub you connect between one of the hosts and the switch, but in this case it is a bit more tricky if you REALLY want real passive sniffing. This would involve plugging your sniffer port into the hub in the usual manner, but you must also, in order to do it really passively, make sure that your NIC never ever sends any data frames out to the hub. The only way I know of to do this would be to get a NIC using an AUI/DIX external transceiver where you cut the TX data lines between the NIC and the transceiver (you must still keep the link TX alive so that the hub knows there is someone on the other side of the link and doesn't just disable the port). I think the only realistic way to do this is using external transceivers, since it is the only place where data and link signals are separated, so you can cut data but leave link alive.


If you want to monitor layer-1 you will need special hardware and special software. Ethereal, or any other userspace application, can never be made to monitor layer-1 since it is even hidden from the OS itself by the NIC.

=> "Also, I would like to monitor the link pulses, the Speed / Duplex autonegotiation, and the packets that were discarded by the NIC at hardware level due to various errors (runt, jabber, alignment, CRC, etc... Even when there is no "start frame delimiter" after the preamble). Basically any time any sort of carrier is detected on the wire I would like it logged with a time that I can match up with other packets in the ethereal capture. I am having difficulty locating equipment to do this, and if there is a relatively cheap way of doing this with linux then I would like to try it. Also, if there is a relatively expensive way of doing it then I would like to know about that too."
I think it is pretty much impossible to monitor layer-1 using linux.
You need hardware that can provide this info to the device driver.
You need device drivers that can provide it to the OS.
You need an API where the OS can provide this to the application.
You need an application that talks this new API.

In short, special stuff from the hardware up.

It can be done but it is a lot of work and requires quite a lot of special
new code to do so.

I think NAI have boxes with special drivers supporting a small set of standard NICs that can do this. There might be others as well, perhaps Tektronix, Fluke, Sharp etc. I have not used any of them so I can't recommend any.

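The two-span-port setup above yields one capture per direction, and the post-capture merge step is what mergecap does: interleave both files by timestamp. The following added example (not code from the thread or from the Ethereal project) implements that merge for the classic pcap format on two small constructed captures, one holding A->B frames and one holding B->A frames; the host MACs, timestamps and payloads are constructed for illustration, and the merge assumes both NICs were timestamped by the same host clock.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4          # classic little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1

def build_pcap(records):
    """Serialise (ts_sec, ts_usec, frame_bytes) tuples into a classic pcap file."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts_sec, ts_usec, payload in records:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(payload), len(payload)) + payload
    return out

def parse_pcap(data):
    """Yield (timestamp_in_microseconds, frame_bytes) for each record in a pcap file."""
    magic, = struct.unpack("<I", data[:4])
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic %#x" % magic)
    off = 24                                   # skip the 24-byte global header
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield ts_sec * 1_000_000 + ts_usec, data[off:off + incl_len]
        off += incl_len

def merge_captures(cap_a, cap_b):
    """Interleave two one-direction captures by timestamp (the mergecap step).
    Returns (merged_pcap_bytes, [(ts_us, direction), ...]) in merged order."""
    tagged = [(ts, "A->B", f) for ts, f in parse_pcap(cap_a)]
    tagged += [(ts, "B->A", f) for ts, f in parse_pcap(cap_b)]
    tagged.sort(key=lambda r: r[0])            # stable: equal timestamps keep capture order
    merged = build_pcap([(ts // 1_000_000, ts % 1_000_000, f) for ts, _, f in tagged])
    return merged, [(ts, d) for ts, d, _ in tagged]

def frame(src, dst, payload):
    """Minimal constructed Ethernet frame: dst MAC, src MAC, IPv4 ethertype, payload."""
    return dst + src + b"\x08\x00" + payload

HOST_A = b"\x02\x00\x00\x00\x00\x0a"            # constructed locally administered MACs
HOST_B = b"\x02\x00\x00\x00\x00\x0b"
# Constructed captures: span port 1 copied A->B traffic, span port 2 copied B->A traffic.
CAP_A_TO_B = build_pcap([(1053068060, 100, frame(HOST_A, HOST_B, b"SYN")),
                         (1053068060, 300, frame(HOST_A, HOST_B, b"ACK"))])
CAP_B_TO_A = build_pcap([(1053068060, 200, frame(HOST_B, HOST_A, b"SYN-ACK"))])

def demo():
    merged, order = merge_captures(CAP_A_TO_B, CAP_B_TO_A)
    return order, len(list(parse_pcap(merged)))

if __name__ == "__main__":
    print(demo())
```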

----- Original Message -----
From: Crowe, Graham GP
To: 'ethereal-users@xxxxxxxxxxxx'
Sent: Friday, May 16, 2003 5:05 PM
Subject: [Ethereal-users] Full Duplex Passive Sniffing


I am trying to passively sniff a 100Mb full duplex ethernet (without disturbing the signal in any way; setting up as a bridge is not acceptable as it dramatically alters the problem I am trying to solve (I have already tried it)). I had a look through the archives and there are some posts about this, basically using two ethernet cards and connecting one to sniff traffic going one way and the other for the other way.

I did not see any explanation on how to do this. I am guessing that if I wire the TX pair from device A into the RX pair of device B and also into the RX on the first sniffer card, and then wire the TX from B into RX of A and RX on the second sniffer card, then I will probably get errors due to signal reflections and interference where the signal is split.

I have thought of using two hubs to split the two signals, but I am not sure how that will work with things like the link pulses and the Speed / Duplex autonegotiation information, as to do this the hub would be receiving data from a port where there is no TX pair connected, and transmitting where there is no RX pair connected.

Has anyone actually done this? If so, how?
Also, I would like to monitor the link pulses, the Speed / Duplex autonegotiation, and the packets that were discarded by the NIC at hardware level due to various errors (runt, jabber, alignment, CRC, etc... Even when there is no "start frame delimiter" after the preamble). Basically any time any sort of carrier is detected on the wire I would like it logged with a time that I can match up with other packets in the ethereal capture. I am having difficulty locating equipment to do this, and if there is a relatively cheap way of doing this with linux then I would like to try it. Also, if there is a relatively expensive way of doing it then I would like to know about that too.
Thank you

Graham Crowe
Electrical Engineer
BHP Steel


EOM