Wireshark-users: [Wireshark-users] Wireshark & Port Mirroring Confusion
From: "Mario Valetti" <mariov652@xxxxxxxxx>
Date: Tue, 20 Jan 2009 17:49:56 +0100
Hi,

I was under the impression that port mirroring is supposed to assist in troubleshooting / diagnosis of traffic on one or more ports. The traffic is also supposed to be an exact image of that seen on the 'monitored' port.

I have some weird results that simply don't make sense...

Standard PC to PC ping using hrping gives me a roundtrip time of ~0.100ms (or 100us).
Running wireshark on the 'source' PC, monitoring the same interface as the ping, gives me roundtrips of ~95us. A slight difference, but nothing to write home about (perhaps due the way that wireshark or hrping measures times).

This is where it gets strange...
Using a second nic on the 'source' PC, and port mirroring the source interface on a switch to this secondary nic, shows a round trip time of ~50us - A big difference.

Maybe the secondary nic is reporting this incorrectly? I then used a separate PC to monitor the pings on the switch at the mirrored port, and this gives me the same ~50us result.


Has anyone got any ideas why I would get different results (even better results) from the port mirror than the original ports / interface?


I don't see how wireshark could be a cause for these different times, but perhaps someone with more experience will be able to explain...
(I've posted this to CISCO too, so hopefully I'll get an answer there too.


Thanks.