[CALUG] ethernet network analyser

Bryan J Smith b.j.smith at ieee.org
Thu Nov 3 09:36:44 EDT 2011


Ethereal uses libpcap.  So anything that captures with libpcap operates 
the same.  You don't have to use Ethereal on the same system as the 
capture.  And yes, layer-2 frames are caught with the higher data, as 
long as you are sniffing everything on the interface (and not using 
another option that does not).

However, if you need to capture all Ethernet traffic on your network, then you'll need to plug the interface into a "monitor" or other port in your switch fabric which receives all port traffic.  Otherwise you will only see broadcasts, or multicasts/unicasts where your interface is a party to the communication.

In your case of software, I don't see how any network capture is going to help you.  Unless your storage is iSCSI (SCSI over IP), it's not going to go out the network interface.

And a logic analyzer is going to flood you with information.  You're not going to be able to decode the whole stack (let alone you'll need to tap several areas).

What you're most likely seeking is System Tap (stap) [1], a capability developed by Red Hat and actively supported and contributed to by a number of IHVs and ISVs.  Although some try to associate it as the Linux equivalent of Solaris DTrace, it's different.  It's more flexible in some ways, and more dangerous in others (and that's an over-simplification).

[1] http://sourceware.org/systemtap/
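To illustrate the point above that a libpcap capture hands the decoder the whole frame, layer-2 header included, here is an added example (not code from this thread, from libpcap or from Ethereal) that decodes one Ethernet II frame down through IPv4 to the TCP flags, i.e. the SYN/ACK handshake steps Walt asks about. The frame bytes are constructed for the example; only the Python standard library is assumed.

```python
import struct

# Constructed sample (not from the thread): one Ethernet II frame carrying an
# IPv4/TCP SYN-ACK, laid out exactly as libpcap delivers it, layer-2 header
# first. Addresses and ports are made-up values.
SAMPLE_FRAME = bytes.fromhex(
    "001122334455"                     # destination MAC
    "66778899aabb"                     # source MAC
    "0800"                             # EtherType 0x0800 = IPv4
    "4500002c00010000"                 # IPv4: ver 4, IHL 5, TOS, total length 44, id, flags/frag
    "40060000"                         # TTL 64, protocol 6 (TCP), header checksum (not checked here)
    "c0a80001" "c0a80002"              # 192.168.0.1 -> 192.168.0.2
    "0050c350" "00000001" "00000002"   # TCP: sport 80, dport 50000, seq 1, ack 2
    "6012ffff00000000"                 # data offset 6 (24 bytes), flags SYN|ACK, window, csum, urg
    "020405b4"                         # TCP option: MSS 1460
)

TCP_FLAG_BITS = [(0x02, "SYN"), (0x10, "ACK"), (0x01, "FIN"), (0x04, "RST"), (0x08, "PSH")]

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def ipv4(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def decode_frame(frame: bytes) -> dict:
    """Decode Ethernet II -> IPv4 -> TCP; raise ValueError on a truncated header."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    out = {"dst_mac": mac(dst), "src_mac": mac(src), "ethertype": ethertype}
    if ethertype != 0x0800:
        return out                      # not IPv4: layer 2 is all we can show
    ihl = (frame[14] & 0x0F) * 4        # IPv4 header length in bytes
    if ihl < 20 or len(frame) < 14 + ihl:
        raise ValueError("truncated or invalid IPv4 header")
    total_len = struct.unpack("!H", frame[16:18])[0]
    proto = frame[23]
    out.update(src_ip=ipv4(frame[26:30]), dst_ip=ipv4(frame[30:34]), protocol=proto)
    if proto != 6:
        return out                      # not TCP: stop at layer 3
    tcp = frame[14 + ihl:14 + total_len]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    out.update(src_port=sport, dst_port=dport, seq=seq, ack=ack,
               flags=[name for bit, name in TCP_FLAG_BITS if off_flags & 0x1FF & bit])
    return out
```

Any frame bytes handed back by a libpcap-based capture can be passed to decode_frame the same way; the SYN/ACK decoded here is the "ack -> grant" step of the exchange the original question describes.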




----- Original Message -----
From: Walt Smith <waltechmail at yahoo.com>
Sent: Wednesday, November 2, 2011 6:41 PM


Q:
A demo of a network session should show the protocols in 
action at the ethernet level; i.e. some screen showing
request --> ack -> grant   payloads included embedded TCP/IP
type of data.

What should be used for this?  Does ethereal software get down to the
grit level?

Background:
I believe that several software packages will sniff an ethernet card
and be able to symbolically display REQ, ACK for protocols at
the TCP/IP Level.  If so confirmation by a reader would be good.

I don't know ( and maybe I could dig into the docs if I was
relatively sure I was on the right track ) if the software has
capability to get to the actual ethernet level to show the 
protocols there-- IS hardware needed such as a logic analyser 
(I've used several years ago ) or network analyser ?

Case in point: ( so I hope I'm clear ).
It is the case that software would format an IDE hard
disk.  Hi-level.  It could check for errors, sectors etc.
BUT -- there was a lower level -- a low level format -- that 
was generally considered to be "factory" which is where the REAL
IDE ( or a lower set ) of instructions took place- so you 
(may have) needed to know what was going on for some reason.
(Obviously, techs don't need that level anymore outside of
the flooded Thai factory - you may have for forensics or
recovery etc... )

So, if one wants to observe in symbol format the real ethernet
bittys, what would one use ?  ( is a fast PC able to get to the lowest
levels with a NIC CHIP today, after all, 100 MBPS isn't slow.
Perhaps it could be done on a 10 MBPS line without real
hardware )?  

TECH speak:  IF the NIC is a shift register and the
bittys are flying in, it seems like a parallel read of the
shift register real data is possible-- assuming the nic chip is 
designed that way.

thx,

Walt.........
Celebrating over 14,000 emails in my Yahoo Inbox !

_______________________________________________
CALUG mailing list
CALUG at unknownlamer.org
http://lists.unknownlamer.org/listinfo/calug