Ethereal-users: RE: [Ethereal-users] Capturing net traffic from an alternate host

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Richard Urwin <RUrwin@xxxxxxxxxxxxxxx>
Date: Fri, 11 Jan 2002 11:36:16 -0000
> ...I am using a Linksys FastEthernet DSL Router/Switch...
> ...There doesn't seem to be a way to mirror data on one
> switch port to the other...

The best way to do this is to get yourself a non-switching hub and connect
all three machines to it. 10M hubs are dirt cheap, if you really need 100M
then it gets a bit more expensive, but not too much so.

> ...is there a way to run the Ethereal capture on the second machine
> from the first machine?...

If the second machine was running Unix/Linux then running the capture on it
and viewing the results on the first would be a no-brainer. Unfortunately
Win98 doesn't have the same facilities. There are a few commercial programs
out there that let you take control of one machine from another, but this
doesn't answer your problem.

> ...is there a way to run the capture
> remotely, is there a way to run the data capture as a "background" process
> on the second machine?...

You could probably run a tethereal capture on startup, just put a shortcut
to it into your start-up group on the programs menu, then edit the shortcut
to add the relevant command line parameters. But this might result in huge
capture files, and you would have to have access to the second machine to
stop the capture.

Ethereal 0.9.0 has a ring buffer feature that allows continuous captures
into a set of files. This might get around the size problem. You can copy
capture files while a capture is ongoing (at least with ethereal and WinNT
you can) and ethereal can open the copy of the file, (probably complaining
about the last packet being truncated, but that's to be expected.)

So one solution would be to share the folder on the second machine that
holds the capture files and copy one of them, by hand, to the first machine
and open it with Ethereal. That is messy but it should work. It might even
be possible to open the active capture file across the network, but it also
might not. You would still have to check the file times to determine which
one to open, and you don't get real-time packet display, just a snap-shot at
the moment you copied/opened the file.

This is, of course, a messy hack rather than standard usage. Don't be
surprised if ethereal/tethereal crashes when you try it and don't expect such
crashes to be viewed as bugs by the authors.

Good luck.

-- 
Richard Urwin, Software Design Engineer
Schenck Test Automation
Braemar Court, 1311b Melton Road, Syston, UK.
rurwin@xxxxxxxxxxxxxxx
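
The copy-and-open workflow described in the message above can be scripted. This is an added example, not part of the original post and not Ethereal code: it picks the newest file in the shared capture folder by modification time and parses it while tolerating a final packet that was cut off mid-write. It assumes the files are in the classic libpcap format; the file names and sample packets are constructed for illustration.

```python
import os
import struct
import tempfile

def newest_capture(directory):
    """Pick the ring-buffer file with the latest modification time."""
    files = [e.path for e in os.scandir(directory) if e.is_file()]
    return max(files, key=os.path.getmtime) if files else None

def read_snapshot(path):
    """Parse a copied classic pcap file; return (packets, leftover_bytes)."""
    with open(path, "rb") as fh:
        data = fh.read()
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None or len(data) < 24:
        raise ValueError("not a classic pcap file")
    snaplen = struct.unpack(endian + "I", data[16:20])[0]
    packets, pos = [], 24                      # 24-byte global header
    while pos + 16 <= len(data):               # 16-byte per-record header
        sec, usec, incl_len, _orig = struct.unpack(endian + "4I", data[pos:pos + 16])
        if incl_len > snaplen:                 # sanity bound before trusting the length
            raise ValueError(f"corrupt record at offset {pos}")
        end = pos + 16 + incl_len
        if end > len(data):                    # record still being written when copied
            break
        packets.append((sec + usec / 1e6, data[pos + 16:end]))
        pos = end
    return packets, len(data) - pos            # leftover > 0 means a truncated tail

def build_sample(directory):
    """Constructed data: two capture files, the newer one cut mid-packet."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    def rec(sec, payload):
        return struct.pack("<4I", sec, 0, len(payload), len(payload)) + payload
    samples = (("ring_00001.cap", hdr + rec(100, b"A" * 60), 1000),
               ("ring_00002.cap", hdr + rec(200, b"B" * 60) + rec(201, b"C" * 60)[:40], 2000))
    for name, blob, mtime in samples:
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(blob)
        os.utime(path, (mtime, mtime))         # fixed mtimes so ordering is deterministic

def demo():
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        newest = newest_capture(d)
        packets, leftover = read_snapshot(newest)
        return os.path.basename(newest), len(packets), leftover

if __name__ == "__main__":
    print(demo())
```

A non-zero leftover count is the "last packet truncated" condition the message mentions; the complete packets before it are still usable.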