Sniffer Pro on Windows will catch damaged packets if you use an NAI-enhanced
driver. Since we use laptops, that driver is for Xircom cards only. Our
network is primarily switched, so we generally don't have a lot of issues
with damaged packets, or in the rare case we do, RMON generally gives us a
heads-up. In other words, that feature doesn't give us a lot in real-world
terms. It was more germane on shared networks in the past, but as we shift
to switch-per-port, it has less (note that I didn't say, "no") relevance.

I sometimes use the Sniffer graphics to end arguments from users ("It CAN'T
be my machine!" "Well, you see this graph shows you using 98% of your
available bandwidth when you download your 'cats' newsgroup." "Ohh...."). I
feel that they do indeed convey genuine information, especially if properly
filtered.

I agree that this is a major tribute to Ethereal to have the competition so
close. I have both Sniffer and Ethereal on my machine and will use either
one, depending on circumstances (example: TCPDUMP file, sometimes I prefer
the way Ethereal presents the information, etc.).

I also have found the Ethereal code to be much more responsive to new (and
sometimes esoteric) decodes and bug fixes. I truly appreciate the hard work
that goes into such updates. Thanks to all who contribute.

Richard Berry
LAN Engineer-Principal
"Si hoc legere scis nimium eruditionis habes."

>From: Jeff Parker <jparker@xxxxxxxxxxxx>
>To: "'Guy Harris'" <guy@xxxxxxxxxx>,
> Jeff Parker <jparker@xxxxxxxxxxxx>
>Cc: "'ethereal-users@xxxxxxxxxxxx'" <ethereal-users@xxxxxxxxxxxx>
>Subject: RE: [Ethereal-users] Sniffer Pro vs. Ethereal
>Date: Mon, 24 Sep 2001 18:34:53 -0400
>
>Agreed. It is something that a box dedicated to the task can
>do that freeware on standard-issue boxes cannot.
>
>It may not have sounded like it, but it was really quite
>a compliment to Ethereal that there aren't more reasons
>to shell out serious change for a sniffer or the like.
>A compliment to the people that write the software and
>the decodes, allowing Ethereal to produce new decodes
>at a rate that companies have trouble matching.
- jeff parker
> > I've been able to capture frames in the Sniffer that were
> > too damaged to be passed up by any self-respecting
> > ethernet card to Ethereal.
>
> The classic DOS Sniffer probably had its own drivers for the Ethernet
> adapter, so, if the card could be told to supply even runts, packets
> with bad CRCs, etc. to the host, they could make it do so.
>
> The Windows Sniffers might have their own drivers as well, or there
> might be a way to tell an NDIS driver to do so (I don't have NDIS
> documentation handy, so I don't know if that's the case).
>
> Ethereal depends on the OS's drivers and capture mechanism (or, on
> Windows, on the OS's drivers and the WinPcap capture mechanism), so
> there are limits on what it can do.
>