Ethereal-dev: Re: [Ethereal-dev] why they give different reports?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date: Thu, 6 Nov 2003 07:15:11 -0800 (PST)
Thank you!
 
Suppose I am monitoring on the interface which is connected to the uplink port of the switch; can I have all of the traffic statistics for the local network behind the switch?
 
Best Regards
George

Guy Harris <guy@xxxxxxxxxxxx> wrote:
On Wed, Nov 05, 2003 at 09:59:17PM -0800, p p wrote:
> I am running Ethereal 0.9.15 on two computers sitting on the same LAN.
> The difference is that one PC is installed with windows XP, the other is
> Linux. The summary data reported from the two computers was different.
> Say, one gives me TCP 80, while the other gives me TCP 158. Other
> protocol statistics seem the same.
>
> Have you ever met this phenomenon? Are they supposed to give me the
> same result, right?

No. They're supposed to give results based on the packets that were
captured, and there's no guarantee that, at least on a switched LAN, two
machines on the same LAN will see the same traffic - in fact, there's no
guarantee that a packet capture program running on a machine on a
switched LAN will see any traffic other than:

traffic sent by the machine;

traffic sent to the MAC address of the machine's interface on
that LAN;

broadcast traffic;

multicast traffic.

In particular, there's no guarantee that it'll see unicast traffic sent
by another machine on the LAN to another machine on the LAN - and TCP
traffic is unicast traffic.

Similar problems can occur with a dual-speed hub.

See

http://www.ethereal.com/faq.html#q5.1
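
An illustration of the reply above, added here and not part of the original thread: a small simulation of a MAC-learning switch with no port mirroring, showing two sniffers on different ports counting different numbers of TCP frames while their broadcast counts match. The host names, MAC addresses and frame list are constructed, and the switch model (including flooding of unicast frames whose destination has not been learned yet) is a simplification assumed for the example.

```python
from collections import Counter

BROADCAST = "ff:ff:ff:ff:ff:ff"

def is_group(mac):
    """True for broadcast/multicast: low bit of the first octet is set."""
    return int(mac.split(":")[0], 16) & 1 == 1

def simulate(frames, port_of):
    """Pass frames through a MAC-learning switch with no port mirroring.

    frames:  (src_mac, dst_mac, label) tuples in transmission order
    port_of: host MAC -> switch port the host is plugged into
    Returns {port: Counter(label -> frames a sniffer on that port captures)}.
    """
    learned = {}                                  # MAC -> port, from source addresses
    seen = {port: Counter() for port in port_of.values()}
    for src, dst, label in frames:
        in_port = port_of[src]
        learned[src] = in_port
        seen[in_port][label] += 1                 # traffic sent by the machine itself
        if is_group(dst) or dst not in learned:
            out_ports = [p for p in seen if p != in_port]   # flooded to every other port
        elif learned[dst] != in_port:
            out_ports = [learned[dst]]            # unicast: only the destination's port
        else:
            out_ports = []
        for port in out_ports:
            seen[port][label] += 1
    return seen

# Constructed sample: hosts XP and LINUX both run a sniffer, SERVER is a third host.
XP, LINUX, SERVER = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b", "00:00:5e:00:53:0c"
PORTS = {XP: 1, LINUX: 2, SERVER: 3}
FRAMES = ([(XP, BROADCAST, "ARP"), (SERVER, BROADCAST, "ARP")]
          + [(XP, SERVER, "TCP"), (SERVER, XP, "TCP")] * 3
          + [(LINUX, SERVER, "TCP"), (SERVER, LINUX, "TCP")])

if __name__ == "__main__":
    for port, counts in simulate(FRAMES, PORTS).items():
        print(f"port {port}: {dict(counts)}")
```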

