On Fri, Apr 9, 2010 at 6:40 PM, Oldcommguy - Tim
<oldcommguy@xxxxxxxxxxxxx> wrote:
If you are serious about network monitoring and analysis – Get a TAP…..
Otherwise every packet you see has been modified in time, all bad packets have been dropped as well as short or long ones, so baseline studies and timing studies are not available with a switch.
One pays thousands if not millions for a network…even in your home – use a TAP or it is just not real!
Saw 2 or 3 on eBay…just do not waste the money on a switch unless you understand what it is doing to the data/packets.
Yeah, it's a good point, but even with a tap you still have the NIC and the kernel in play before the packets hit your Wireshark capture.
For instance, at one point we had a problem with a device emitting Ethernet flow control packets. We suspected this was what was happening but we couldn't see them in Wireshark. Of course, this was because the NIC was acting on the flow control instructions on its own and they weren't even passed to the kernel and thus weren't visible in the capture.
We had to use a "professional" network monitor to show that the issue was, in fact, a device sending PAUSE frames.
Incidentally, if anyone knows a NIC that wouldn't behave this way, I'd be interested. ;-)
--
-jp
When the age of the Vikings came to a close, they must have sensed it.
Probably, they gathered together one evening, slapped each other on the back
and said, "Hey, good job."
deepthoughtsbyjackhandey.com
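
Added example, not part of the original thread: a Python decoder for the IEEE 802.3x PAUSE frames discussed in the reply above, totalling the pause time each source MAC requests. It assumes the raw frames come from a capture point that actually delivers MAC control frames (an ordinary NIC consumes them, as the reply describes); the sample frames, MAC addresses and the 1 Gb/s link speed are constructed for illustration.

```python
import struct

MAC_CONTROL_ETHERTYPE = 0x8808            # IEEE 802.3 MAC Control
PAUSE_OPCODE = 0x0001                     # 802.3x PAUSE
PAUSE_DST = bytes.fromhex("0180c2000001") # reserved multicast for PAUSE
QUANTUM_BITS = 512                        # one pause quantum = 512 bit times


def parse_pause(frame, link_bps=1_000_000_000):
    """Return a dict describing a PAUSE frame, or None if it is not one.

    `frame` is a raw Ethernet frame without preamble; padding/FCS is ignored.
    """
    if len(frame) < 18:  # 14-byte header + opcode + pause_time
        return None
    dst, src = frame[0:6], frame[6:12]
    ethertype, opcode, quanta = struct.unpack("!HHH", frame[12:18])
    if ethertype != MAC_CONTROL_ETHERTYPE or opcode != PAUSE_OPCODE:
        return None
    return {
        "src": src.hex(":"),
        "dst_is_reserved_multicast": dst == PAUSE_DST,
        "quanta": quanta,
        "resume": quanta == 0,  # pause_time 0 cancels an earlier pause
        "pause_seconds": quanta * QUANTUM_BITS / link_bps,
    }


def summarize(frames, link_bps=1_000_000_000):
    """Count PAUSE frames and total requested pause time per source MAC."""
    stats = {}
    for frame in frames:
        p = parse_pause(frame, link_bps)
        if p is None:
            continue
        s = stats.setdefault(p["src"], {"frames": 0, "pause_seconds": 0.0})
        s["frames"] += 1
        s["pause_seconds"] += p["pause_seconds"]
    return stats


def _frame(dst, src, ethertype, payload):
    """Build a constructed test frame, zero-padded to the 60-byte minimum."""
    hdr = bytes.fromhex(dst) + bytes.fromhex(src) + struct.pack("!H", ethertype)
    return (hdr + payload).ljust(60, b"\x00")


# Constructed sample input: max-length pause, resume, and an unrelated ARP frame.
SAMPLE_FRAMES = [
    _frame("0180c2000001", "0200000000aa", 0x8808, struct.pack("!HH", 1, 0xFFFF)),
    _frame("0180c2000001", "0200000000aa", 0x8808, struct.pack("!HH", 1, 0x0000)),
    _frame("ffffffffffff", "0200000000bb", 0x0806, b"\x00\x01\x08\x00"),
]
```
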