Ethereal-users: Re: [ethereal-users] Packets not found

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxxxxx>
Date: Sun, 29 Aug 1999 14:27:06 -0700
> > Your sniffing machine (computer A) is on the ethernet segment.
> > Your other computer (computer B) is on the ethernet segment.
> 
> Yes.  Both on the same 100 base Tx;  Incidentally,  I've noticed that
> computer A (lyta, always running linux) can serve up ftp to computer B (fang)
> at a sustained rate of 3500 KB/sec under linux, but when fang has to be a
> win32 box, the transfer rate (both with Netscape 4.61 BTW) is only 1800
> KB/sec.

So "lyta", not "fang", is the machine running Ethereal, K-Arp-Ski, and
"tcpdump" in this situation (as it's computer A, and Laurent used
"computer A" to refer to the sniffing machine)?

> > Who is computer B talking to? A third computer on the ethernet segment?
> > Or perhaps with a computer on the Internet, off of your LAN.
> 
> Three cases:  fang talks to lyta (http or ftp or ping etc.), the sniffer on
> lyta works.
> fang talks to another computer on same subnet as itself and lyta, sniffer
> detects nothing
> fang talks to something outside our firewall (i.e. http://slashdot.org),
> sniffer detects nothing
> 
> This holds for ethereal, karpski, and tcpdump.  When fang was running win32,
> the generic NAI lan analyzer seemed to be detecting the traffic (reporting
> fang talking to other things with a certain volume), but I was not able to
> inspect individual packets (because of my inexperience with the software or
> its inability to function that way).

So, in that situation, was the NAI analyzer program running on "fang",
or on some third machine?

If it was running on "fang", then the inability of "lyta" to see all
traffic going to and from "fang", and the ability of "fang" to see all
traffic going to and from "fang", isn't entirely surprising.

If, say, "fang", "lyta", and the other machines were plugged into a
switch (rather than, say, a "dumb" hub), it might be that the traffic
between "fang" and the third machine (which could be the Cisco router
used to route traffic between the subnet "lyta" and "fang" are on and
the Internet) might not get onto the switch port "lyta" is on.  As
"lyta" isn't involved in a conversation between "fang" and another
machine on that subnet, it may or may not be able to see the packets in
that conversation, as if the packets are going through a switch, the
switch might not send copies of them to "lyta"s port.

However, that wouldn't be a problem if the sniffer were running on
"fang" itself, as long as the low-level networking driver code in
"fang"s OS sent copies of all packets sent by or received by "fang"s NIC
up to the sniffer program - the switch obviously has to send all packets
going to "fang" to the switch port "fang" is plugged into, and the
driver would probably have to send copies of packets sent from "fang" to
sniffer programs running on "fang" in order for sniffing to work at all
(as many, perhaps most, Ethernet interfaces appear unable to receive
traffic sent out of them).

What happens if you run Ethereal, K-Arp-Ski, or "tcpdump" on "fang",
rather than "lyta", when "fang" is talking to a machine other than
"lyta" and is running a non-Win32 OS (I infer from "when 'fang' has to
be a Win32 box" that it sometimes is running a different OS, and am
guessing that means it's some UNIX-flavored OS that is supported by
"libpcap")?

> > Also, could you explain in more detail how all the computers
> > are connected on the network. Are all on the same ethernet hub?
> 
> As far as I know, they are on the same hub.

Hub, or switch?
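The hub-versus-switch question above can be answered from the capture itself: on a shared medium (or a mirrored switch port) a sniffer in promiscuous mode sees unicast frames exchanged between two *other* hosts, whereas on a plain switch it sees only its own traffic plus broadcast/multicast, which the switch floods to every port. The following script is an added example written for this archive page, not code from the thread or from the Ethereal project. It builds two small constructed pcap files in memory (MAC addresses from the 00:00:5e:00:53:xx documentation range and IPs from 192.0.2.0/24, with the hostnames "lyta", "fang" and "router" reused only as labels), parses them with nothing but `struct`, and classifies each frame relative to the capturing host's MAC. The function names `classify` and `diagnose` are this example's own.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4          # classic libpcap file magic (little-endian writer)
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
BROADCAST_MAC = b"\xff" * 6

def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))

def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))

def ip_str(b):
    return ".".join(str(x) for x in b)

def build_frame(src_mac, dst_mac, src_ip, dst_ip, payload=b"x" * 8):
    """Ethernet II header + minimal IPv4 header (no options, protocol 1)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 1, 0,
                         ip_bytes(src_ip), ip_bytes(dst_ip))
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + payload

def build_pcap(frames):
    """Classic pcap: 24-byte global header, then (ts_sec, ts_usec, incl_len, orig_len) per record."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 0, i, len(f), len(f)) + f
    return out

def iter_frames(pcap):
    """Yield raw Ethernet frames from a classic pcap byte string (either byte order)."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype, = struct.unpack_from(endian + "I", pcap, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("example only handles LINKTYPE_ETHERNET captures")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", pcap, off)
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len

def classify(pcap, local_mac):
    """Count frames by their relation to the sniffing host and collect IPv4 conversations."""
    local = mac_bytes(local_mac)
    report = {"local": 0, "broadcast": 0, "third_party": 0, "conversations": set()}
    for frame in iter_frames(pcap):
        if len(frame) < 14:
            continue
        dst, src = frame[0:6], frame[6:12]
        ethertype, = struct.unpack_from("!H", frame, 12)
        if ethertype == ETHERTYPE_IPV4 and len(frame) >= 34:
            # IPv4 source/destination sit at offsets 12..20 of the IP header (14 + 12 = 26)
            pair = tuple(sorted((ip_str(frame[26:30]), ip_str(frame[30:34]))))
            report["conversations"].add(pair)
        if local in (src, dst):
            report["local"] += 1
        elif dst == BROADCAST_MAC or dst[0] & 1:   # group bit set: broadcast/multicast, flooded by switches
            report["broadcast"] += 1
        else:
            report["third_party"] += 1            # unicast between two other hosts
    return report

DIAGNOSES = {
    "shared-medium": "unicast between other hosts is visible: hub, mirrored port, or similar, with the NIC in promiscuous mode",
    "switched-or-not-promiscuous": "only own traffic plus broadcast/multicast: consistent with a switch port, or a NIC not in promiscuous mode",
    "no-traffic": "capture holds nothing to judge by",
}

def diagnose(report):
    if report["third_party"] > 0:
        return "shared-medium"
    if report["local"] > 0 or report["broadcast"] > 0:
        return "switched-or-not-promiscuous"
    return "no-traffic"

# Constructed sample data (documentation MAC/IP ranges; hostnames are labels only).
LYTA_MAC, FANG_MAC, ROUTER_MAC = "00:00:5e:00:53:01", "00:00:5e:00:53:02", "00:00:5e:00:53:03"
LYTA_IP, FANG_IP, ROUTER_IP = "192.0.2.1", "192.0.2.2", "192.0.2.3"

HUB_CAPTURE = build_pcap([                         # what lyta would see on a hub
    build_frame(FANG_MAC, LYTA_MAC, FANG_IP, LYTA_IP),
    build_frame(FANG_MAC, ROUTER_MAC, FANG_IP, ROUTER_IP),
    build_frame(ROUTER_MAC, FANG_MAC, ROUTER_IP, FANG_IP),
    build_frame(FANG_MAC, "ff:ff:ff:ff:ff:ff", FANG_IP, "192.0.2.255"),
])
SWITCH_CAPTURE = build_pcap([                      # what lyta would see on a switch
    build_frame(FANG_MAC, LYTA_MAC, FANG_IP, LYTA_IP),
    build_frame(LYTA_MAC, FANG_MAC, LYTA_IP, FANG_IP),
    build_frame(FANG_MAC, "ff:ff:ff:ff:ff:ff", FANG_IP, "192.0.2.255"),
])

if __name__ == "__main__":
    for name, cap in (("hub", HUB_CAPTURE), ("switch", SWITCH_CAPTURE)):
        rep = classify(cap, LYTA_MAC)
        print(name, {k: v for k, v in rep.items() if k != "conversations"}, DIAGNOSES[diagnose(rep)])
```

Against a real capture, replace the constructed byte strings with `open("capture.pcap", "rb").read()` taken from the sniffing host and pass that host's own MAC; a result of `switched-or-not-promiscuous` while a third-party conversation is known to be in progress points at exactly the situation described in the message: either the segment is switched, or the capturing interface is not in promiscuous mode.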