I've been asked to audit a client's network as the
users have been complaining of unusual slowdown. I
don't have control over any of their equipment, so I'm
going to be bringing my laptop with a hub and setting
the hub in between the edge devices and their WAN
link. I'll be using Ethereal to monitor network
activity through the laptop.
I've done some capturing with my own LAN to test the
application and its capabilities, and I have a couple
questions about the Ethereal Protocol Heirarchy
Statistics.
Because the laptop I'll be using is fairly low end,
I'm going to capture using windump and write the
output to a file, like so:
windump -i 2 -w dump.txt
Will that capture all packets going toward that
interface? I read somewhere that windump by default
ignores packets larger than a set limit. Is that true?
When I examined the dumped file from my own LAN in
Ethereal to interpret the data, I noticed the numbers
don't quite match up in Protocol Heirarchy Statistics.
For instance, I captured 129666 TCP packets. Of those,
126620 packets were NetBIOS. 129666 - 126620 = 3,046
packets. Below that, however, I can only account for
about 1,500 TCP packets. That leaves about 1,546
"mystery packets", of which I know almost nothing
about other than that they are TCP in nature.
I know the Ethereal User Manual states that there can
be some odd percentages because of packets being
tunnelled inside of other packets. Is that what is
going on here, or is it just not classifying the
packets because they are "unknown" to Ethereal other
than their being TCP? My fear is that someone might be
using a P2P application at one of these offices and
Ethereal won't classify it for me as such in the
Statistics report. Will I need to go through every
single packet in order to be sure of what's going on?
How far can I trust these statistical reports?
Regards,
Mark Davis, CCNA.
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com