Ethereal-users: Re: RE: [Ethereal-users] Capture speed

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Joe Acquisto <joea@xxxxxxxxxxxx>
Date: Wed, 09 Jul 2003 12:03:37 -0400
Different animals, no?  

Not sure what you mean by "probes".  "Probe", in this context could 
mean the entire "device" that is intended to capture packets 
[for display or analysis].  That would include the 
NIC/PC/sniffer_software/(etc?) being used.  Are there dedicated devices for 
packet capture/analysis, other than the engineering devices that may be 
known as protocol/communication analyzers?

Referring to your original post, I meant the NIC/PC (/sniffer_program) would
be the limiting factor in that setup, assuming that the action of mirroring a 
switch port did not itself cause dropped packets.   I've been told that some
switches cannot mirror 100% of a "busy" port, their "internals" not being able
to "handle the load".  I guess it depends on the design.

AFAIK, the only way to avoid that potential problem is to (1) use a single speed 
"hub", of correct speed, plugging into it the PC/Monitor, the switch port to be 
monitored and the cable originally in the switched port.  That way all the
traffic will be repeated on all ports.  (2) use a "tap".

The "tap" should have the advantage of not allowing any packets from the NIC/PC
to make their way back to the network.  This is advantageous if sniffing in a danger 
zone where worms, scanners, etc, might exist.  

joea.




7/9/03 5:17:14 AM, "Michel Vanden Bossche" <m.vdb@xxxxxxx> wrote:

>Thanks Joea,
>
>However there are probes that capture at 100 Mbps and others at 2 or 32 Gbps
>(much more expensive).
>Are NIC & PCs doing better than probes?
>
>Kind Regards
>Michel
>
>-----Original Message-----
>From: Joe Acquisto [mailto:joea@xxxxxxxxxxxx] 
>Sent: Sunday 6 July 2003 18:12
>To: Michel Vanden Bossche
>Subject: Re: [Ethereal-users] Capture speed
>
>
>7/6/03 10:10:05 AM, "Michel Vanden Bossche" <m.vdb@xxxxxxx> wrote:
>
>>
>>
>>  From:   "Michel Vanden Bossche" <m.vdb@xxxxxxx>
>>
>>  To:     <ethereal-users@xxxxxxxxxxxx>
>>  Date:   Sun, 6 Jul 2003 16:10:05 +0200
>>  Subject:[Ethereal-users] Capture speed
>>
>>
>>
>>  Hi,
>>   
>>  If we capture an enterprise traffic on a switch by mirroring all 
>> traffic on  the port where we capture.
>>   
>>  What is the maximum speed we can capture without losing packets?
>>   
>>  Does it depend on the NIC type?
>>   
>>  Does it depend on the PC processor?
>
>Same as a hub.  Assuming the switch can mirror all the traffic.  Meaning if
>the switch itself does not drop 
>packets.  
>
>The PC, OS and NIC are not the limiting or determining factors here.
>
>joea/
>
>
>
>