Wireshark-users: [Wireshark-users] Wireshark & Port Mirroring Confusion
Hi,
I was under the impression that port mirroring is supposed to
assist in troubleshooting / diagnosis of traffic on one or more ports.
The traffic is also supposed to be an exact image of that seen on the 'monitored' port.
I have some weird results that simply don't make sense...
Standard PC to PC ping using hrping gives me a roundtrip time of ~0.100ms (or 100us).
Running Wireshark on the 'source' PC, monitoring the same interface
as the ping, gives me roundtrips of ~95us. A slight difference, but
nothing to write home about (perhaps due to the way that Wireshark or
hrping measures times).
This is where it gets strange...
Using a second NIC on the 'source' PC, and port mirroring the
source interface on a switch to this secondary NIC, shows a
round trip time of ~50us - a big difference.
Maybe the secondary NIC is reporting this incorrectly? I then used
a separate PC to monitor the pings on the switch at the mirrored port, and this gives me the
same ~50us result.
Has anyone got any ideas why I would get different results (even
better results) from the port mirror than the original ports /
interface?
I don't see how Wireshark could be a cause for these different times, but perhaps someone with more experience will be able to explain...
(I've posted this to Cisco too, so hopefully I'll get an answer there too.)
Thanks.