Wireshark · Ethereal-users: [Ethereal-users] [Q-OT] Size of a trace and hub functions

Ethereal-users: [Ethereal-users] [Q-OT] Size of a trace and hub functions

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date: Fri, 9 Feb 2001 07:38:11 -0600

	I have been happily using ethereal on a Linux box for a couple 
of months now, and I have just recently noticed a couple of issues 
which I would need an idea on how to approach them:
	
	1. I needed to "catch" a file transfer error (FTP process) 
resulting in incomplete file transfer (as you know, file transfer are 
reported as "success" 226 regardless of whether the file made it 
completely or not!) . Unfortunately this doesn't happen on a regular 
basis, so I had no other choice than getting a large disk capable 
Linux box, and run and save each day the ethereal trace. After 
having re-visited a couple of traces, I was very surprised to see that 
some of them didn't contain the whole day worth of data but only a 
couple of hours, , while other days it worked just fine! So - my 
question is: is there any problem in ethereal which would keep it 
from recording continuously, other than disk space or memory 
(which I have plentiful of both)? Any idea on how to figure out why 
ethereal doesn't "keep" all the data?

	2.Not really ethereal -> tcpdump (perhaps libcap) involved here: 
having to leave in a switched only environment, I had to place 
another machine I was supposed to "watch" on a Netgear 10/100 
hub, so that I place my ethereal box on another hub port. When 
running either ethereal (or tcpdump) I could "see" only ARP and 
UDP packets, and the only TCP packets showing up would be if I 
would initiate TCP communication from the ethereal box to the one 
I want to capture - all other TCP traffic from/to this "captured" box 
doesn't show up. Thinking I have a problem with port speed, 
autonegotiation, the fact that the watched box had only 10 Mbps 
card, my laptop with Linux had 10/100 Mbps "autonegotiatable" 
only (those PCMCIA cards do not come with capability of fixing the 
speed any more), I changed the Netgear 10/100 with a Cabletron 
10 Mbps only hub - and guess what? I started "seeing" all the 
traffic!!! Anybody having an explanation for this (as I didn't think that 
port speed would have anything to do with hub (in regards to all 
ports seeing each one's traffic) functionality, right?)

TIA,
Stef

P.S. I apologize for the lengthy message ... couldn't say it in fewer 
words :-(

Follow-Ups:
- Re: [Ethereal-users] [Q-OT] Size of a trace and hub functions
  - From: Guy Harris
- Re: [Ethereal-users] [Q-OT] Size of a trace and hub functions
  - From: Guy Harris

Prev by Date: [Ethereal-users] Still Problems with libsnmp
Next by Date: Re: [Ethereal-users] [Q-OT] Size of a trace and hub functions
Previous by thread: RE: [Ethereal-users] Still Problems with libsnmp
Next by thread: Re: [Ethereal-users] [Q-OT] Size of a trace and hub functions
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$