Ethereal-users: Re: [ethereal-users] Packets not found

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Philip Long <plong@xxxxxxxxx>
Date: Mon, 30 Aug 1999 07:04:24 -0400
Guy Harris wrote:

> > > Your sniffing machine (computer A) is on the ethernet segment.
> > > Your other computer (computer B) is on the ethernet segment.
> >
> > Yes.  Both on the same 100Base-TX; incidentally, I've noticed that
> > computer A (lyta, always running linux) can serve up ftp to computer B (fang)
> > at a sustained rate of 3500 KB/sec under linux, but when fang has to be a
> > win32 box, the transfer rate (both with Netscape 4.61 BTW) is only 1800
> > KB/sec.
>
> So "lyta", not "fang", is the machine running Ethereal, K-Arp-Ski, and
> "tcpdump" in this situation (as it's computer A, and Laurent used
> "computer A" to refer to the sniffing machine)?

I've done it both ways with the same results.  Mostly I just see ARP packets and
the occasional AppleTalk, IPX, etc.

>
>
> > > Who is computer B talking to? A third computer on the ethernet segment?
> > > Or perhaps with a computer on the Internet, off of your LAN.
> >
> > Three cases:  fang talks to lyta (http or ftp or ping etc.), the sniffer on
> > lyta works.
> > fang talks to another computer on same subnet as itself and lyta, sniffer
> > detects nothing
> > fang talks to something outside our firewall (i.e. http://slashdot.org),
> > sniffer detects nothing
> >
> > This holds for ethereal, karpski, and tcpdump.  When fang was running win32,
> > the generic NAI lan analyzer seemed to be detecting the traffic (reporting
> > fang talking to other things with a certain volume), but I was not able to
> > inspect individual packets (because of my inexperience with the software or
> > its inability to function that way).
>
> So, in that situation, was the NAI analyzer program running on "fang",
> or on some third machine?

fang.

>
>
> If it was running on "fang", then the inability of "lyta" to see all
> traffic going to and from "fang", and the ability of "fang" to see all
> traffic going to and from "fang", isn't entirely surprising.
>
> If, say, "fang", "lyta", and the other machines were plugged into a
> switch (rather than, say, a "dumb" hub), it might be that the traffic
> between "fang" and the third machine (which could be the Cisco router
> used to route traffic between the subnet "lyta" and "fang" are on and
> the Internet) might not get onto the switch port "lyta" is on.  As
> "lyta" isn't involved in a conversation between "fang" and another
> machine on that subnet, it may or may not be able to see the packets in
> that conversation, as if the packets are going through a switch, the
> switch might not send copies of them to "lyta"s port.

I'm thinking this must be it. In that case, the solution is probably to have lyta
act as a router via IP masq for fang.

Thanks for the help


>
> > > Also, could you explain in more detail how all the computers
> > > are connected on the network. Are all on the same ethernet hub?
> >
> > As far as I know, they are on the same hub.
>
> Hub, or switch?

It's either a switch or a router. Something running IOS 11.2 according to nmap.


PS -- I'd like to request an Ethereal feature: I'd like to be able to click on the
column labels (No., Time, Source, Destination, Protocol, Info) and have the list
sorted according to that field.
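The diagnosis above (a switch only delivers broadcast, multicast and frames addressed to the sniffer's own port, so a third-party conversation never reaches lyta) can be checked directly from a capture. The following is an added example, not code from the thread or from Ethereal: it classifies each frame by destination relative to the sniffing host's own MAC and reports whether the capture looks switched or hub-like. The MAC addresses and frame list are constructed sample data.

```python
# Added example: does this capture look like a switched or a shared segment?
from collections import Counter

BROADCAST = "ff:ff:ff:ff:ff:ff"

def dst_class(dst_mac, src_mac, own_mac):
    """Classify one Ethernet frame relative to the sniffing host's own MAC."""
    d, s, own = dst_mac.lower(), src_mac.lower(), own_mac.lower()
    if d == BROADCAST:
        return "broadcast"
    if int(d.split(":")[0], 16) & 1:      # group bit set: multicast
        return "multicast"
    if d == own or s == own:              # our own conversations
        return "own"
    return "third-party unicast"          # two other hosts talking

def visibility_report(frames, own_mac):
    """frames: iterable of (src_mac, dst_mac). Returns (counts, verdict)."""
    counts = Counter(dst_class(dst, src, own_mac) for src, dst in frames)
    if counts["third-party unicast"] > 0:
        verdict = "third-party unicast seen: hub, mirrored port, or switch flooding"
    elif sum(counts.values()) > 0:
        verdict = "only broadcast/multicast and our own traffic seen: consistent with a switch"
    else:
        verdict = "no frames"
    return counts, verdict

# Constructed sample (hypothetical MACs): lyta sees ARP broadcasts and its own FTP
# session with fang, but none of fang's conversation with the router.
LYTA = "00:10:5a:aa:aa:aa"
FANG = "00:10:5a:bb:bb:bb"
ROUTER = "00:00:0c:cc:cc:cc"
SAMPLE_SWITCHED = [
    (FANG, BROADCAST),    # ARP who-has from fang
    (ROUTER, BROADCAST),  # ARP who-has from the router
    (FANG, LYTA),         # fang -> lyta ftp
    (LYTA, FANG),         # lyta -> fang ftp
]
# Same capture on a hub: fang's traffic to the router is visible too.
SAMPLE_HUB = SAMPLE_SWITCHED + [(FANG, ROUTER), (ROUTER, FANG)]

if __name__ == "__main__":
    for name, frames in (("switched", SAMPLE_SWITCHED), ("hub", SAMPLE_HUB)):
        counts, verdict = visibility_report(frames, LYTA)
        print(name, dict(counts), "->", verdict)
```

On a real capture, feed it (src, dst) pairs from the Ethernet header of each frame; a verdict of "consistent with a switch" is the symptom described in the thread, and the fix is to sniff from a port that actually carries the traffic (or, as suggested above, to route it through the sniffing host).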