Wireshark · Ethereal-users: Re: [Ethereal-users] Sniffing in a switched network - Taps or Spans

Ethereal-users: Re: [Ethereal-users] Sniffing in a switched network - Taps or Spans

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Ronnie Sahlberg" <ronnie_sahlberg@xxxxxxxxxxxxxx>

Date: Fri, 30 Apr 2004 22:08:57 +1000

From: "Dolbow, Bill"
Sent: Friday, April 30, 2004 9:39 PM
Subject: [Ethereal-users] Sniffing in a switched network - Taps or Spans

>
> I am hoping I can get some suggestions on how best to tap/span our
network.
...
> 1. If I tap my aggregation points (firewalls, Content switches, etc)
> can ethereal on RedHat ES3.0 able to combine the transmit and receive
feeds
> into one capture?

Not with Ethereal   but the tool  MERGECAP.EXE in the ethereal distribution
will do this for you.
Take two captures and merge them afterwards.
Or on Linux,  capture on the ALL device.  (keep in mind, capturing on ALL on
linux will NOT set
the ifaces in promisc mode, you have to do that yourself using ifconfig)

MERGECAP will as its name suggests, merge two or more captures into one
single capture.
If you capture on multiple hosts for alter merging,
make sure you have a host with good timestamp resolution (==not windows)
and that all hosts are set to exactly the same time (NTP might not be good
enough here)

Follow-Ups:
- Re: [Ethereal-users] Sniffing in a switched network - Taps or Spans
  - From: Guy Harris

References:
- [Ethereal-users] Sniffing in a switched network - Taps or Spans
  - From: Dolbow, Bill

Prev by Date: [Ethereal-users] Sniffing in a switched network - Taps or Spans
Next by Date: RE: [Ethereal-users] HotSIP sip-messages crasching ethereal
Previous by thread: [Ethereal-users] Sniffing in a switched network - Taps or Spans
Next by thread: Re: [Ethereal-users] Sniffing in a switched network - Taps or Spans
Index(es):
- Date
- Thread