Re: Looking for a portable sniffing-friendly hub/switch

[Jake Peavy <djstunks () gmail com>]

On Fri, Apr 9, 2010 at 6:40 PM, Oldcommguy - Tim
<oldcommguy () bellsouth net>wrote:

>  If you are serious about network monitoring and analysis – Get a TAP…..
>
>
>
> Otherwise every packet you see has been modified in time, all bad packets
> have been dropped as well as short or long ones, so baseline studies and
> timing studies are not available with a switch.
>
>
>
> One pays thousands if not millions for a network…even in your home – use a
> TAP or it is just not real !
>
>
>
> Saw 2 0r 3 on Ebay…just do not waste the money on a switch unless you
> understand what it is doing to the data/packets.

Yeah, it's a good point, but even with a tap you still have the NIC and the
kernel in play before the packets hit your Wireshark capture.

For instance, at one point we had a problem with a device emitting Ethernet
flow control packets.  We suspected this was what was happening but we
couldn't see them in Wireshark.  Of course, this was because the NIC was
acting on the flow control instructions on it's own and they weren't even
passed to the kernel and thus weren't visible in the capture.

We had to use a "professional" network monitor to show that the issue was,
in fact, a device sending PAUSE frames.

Incidentally, if anyone knows a NIC that wouldn't behave this way, I'd be
interested.  ;-)

-- 
-jp

When the age of the Vikings came to a close, they must have sensed it.
Probably, they gathered together one evening, slapped each other on the back
and said, "Hey, good job."

deepthoughtsbyjackhandey.com

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe