Wireshark-users: Re: [Wireshark-users] Looking for a portable sniffing-friendly hub/switch

From: Jake Peavy <djstunks@xxxxxxxxx>
Date: Fri, 9 Apr 2010 18:53:33 -0600
On Fri, Apr 9, 2010 at 6:40 PM, Oldcommguy - Tim <oldcommguy@xxxxxxxxxxxxx> wrote:

If you are serious about network monitoring and analysis – Get a TAP…..

 

Otherwise every packet you see has been modified in time, all bad packets have been dropped as well as short or long ones, so baseline studies and timing studies are not available with a switch.

 

One pays thousands if not millions for a network…even in your home – use a TAP or it is just not real !

 

Saw 2 0r 3 on Ebay…just do not waste the money on a switch unless you understand what it is doing to the data/packets.


Yeah, it's a good point, but even with a tap you still have the NIC and the kernel in play before the packets hit your Wireshark capture.

For instance, at one point we had a problem with a device emitting Ethernet flow control packets.  We suspected this was what was happening but we couldn't see them in Wireshark.  Of course, this was because the NIC was acting on the flow control instructions on it's own and they weren't even passed to the kernel and thus weren't visible in the capture.

We had to use a "professional" network monitor to show that the issue was, in fact, a device sending PAUSE frames.

Incidentally, if anyone knows a NIC that wouldn't behave this way, I'd be interested.  ;-)
 
--
-jp

When the age of the Vikings came to a close, they must have sensed it. Probably, they gathered together one evening, slapped each other on the back and said, "Hey, good job."

deepthoughtsbyjackhandey.com