Using Wireshark to troubleshoot network problems

Original article: http://www.novell.com/connectionmagazine/2007/q3/tech_talk_9.html?sourceid=NCM_q3_07_tt9


[Wireshark screenshot]

A switch forwards only four kinds of traffic to a given port, so an analyzer plugged into a spare switch port sees none of the unicast traffic passing between other hosts:

  • Broadcasts
  • Multicasts
  • Traffic to and from the MAC address of the system connected to that port
  • Traffic to a MAC address the switch has not yet learned (flooded to all ports)

The author's solutions for capturing traffic:
half-duplex links: a simple four-port hub
full-duplex links: a small network tap

Tapping into Full Duplex Networks

Sometimes referred to as "walkie-talkie" style communications, the simple half-duplex environment supports traffic moving in one direction at a time, transmit or receive, but never both simultaneously. By contrast, full-duplex networks provide two communications channels for simultaneous transmit and receive. A simple hub does not support full-duplex communications, but a full-duplex tap does.

Full-duplex taps are placed inline and typically act as passive devices. They are simple to set up. Say, for example, that you want to tap a full-duplex CAT5e link between two routers. One CAT5e cable runs from the first router to the tap's port A, and a second CAT5e cable runs from the tap's port B to the second router. The tap's monitor ports connect to the analyzer, which then sees a copy of all traffic crossing the link.

There are two flavors of full-duplex taps: aggregating and non-aggregating. Aggregating taps combine the data from the transmit and receive channels onto a single monitor port, so one analyzer can listen to both directions. Because both directions share one monitor port, an aggregating tap on a heavily loaded link can be oversubscribed (two channels of traffic feeding one port of the same speed), in which case the tap buffers or drops frames. Non-aggregating taps, as shown in the figure, do not combine the transmit and receive streams; you must connect the monitor ports to two separate analyzers or to one analyzer with two NICs installed.

Attention!!!

If you use a non-aggregating tap with two separate analyzers, time-sync both analyzers with NTP (Network Time Protocol). Otherwise the timestamps in the two captures will disagree, and when you merge them the frames will not fall into their true order (a reply can appear to precede its request).
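The merge step that the note above depends on, as an added example (this is not code from the Novell article or from Wireshark; in practice you would use mergecap, which sorts by timestamp the same way). The script parses two small pcap captures, one from each monitor port of a non-aggregating tap, and interleaves them by timestamp. The capture contents are constructed in memory: the frame bytes are placeholder labels rather than real Ethernet frames, and the 2 ms clock error of the second analyzer is an assumed value, chosen to show what happens when the two analyzers are not synced.

```python
"""Merge the two monitor streams of a non-aggregating tap into one ordered list.

Added example, not code from the original article. Uses only the standard
library and builds its own pcap data in memory, so it runs offline.
"""
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4   # classic microsecond pcap, little-endian
PCAP_MAGIC_BE = 0xD4C3B2A1   # the same magic read from a big-endian file
LINKTYPE_ETHERNET = 1


def build_pcap(records, snaplen=65535):
    """Serialise (ts_sec, ts_usec, frame) tuples into a little-endian pcap blob."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    body = b"".join(
        struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
        for sec, usec, frame in records
    )
    return hdr + body


def parse_pcap(blob):
    """Parse a pcap blob into (ts_sec, ts_usec, frame) tuples.

    Both byte orders are accepted. A truncated final record raises instead of
    being silently dropped: a short file usually means the analyzer was
    stopped mid-write, and a silently missing frame would corrupt the merge.
    """
    (magic,) = struct.unpack("<I", blob[:4])
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == PCAP_MAGIC_BE:
        end = ">"
    else:
        raise ValueError("not a libpcap file (bad magic 0x%08x)" % magic)
    _, vmaj, vmin, _, _, _snap, _link = struct.unpack(end + "IHHiIII", blob[:24])
    if (vmaj, vmin) != (2, 4):
        raise ValueError("unsupported pcap version %d.%d" % (vmaj, vmin))
    records, off = [], 24
    while off < len(blob):
        if off + 16 > len(blob):
            raise ValueError("truncated record header at offset %d" % off)
        sec, usec, incl, _orig = struct.unpack(end + "IIII", blob[off:off + 16])
        frame = blob[off + 16:off + 16 + incl]
        if len(frame) != incl:
            raise ValueError("truncated frame at offset %d" % off)
        records.append((sec, usec, frame))
        off += 16 + incl
    return records


def shift(records, offset_us):
    """Apply a clock correction in microseconds (may be negative) to every record."""
    out = []
    for sec, usec, frame in records:
        total = sec * 1_000_000 + usec + offset_us
        out.append((total // 1_000_000, total % 1_000_000, frame))
    return out


def merge_streams(tx_records, rx_records):
    """Interleave the TX and RX captures by timestamp (stable: ties keep TX first)."""
    tagged = [(r, "tx") for r in tx_records] + [(r, "rx") for r in rx_records]
    tagged.sort(key=lambda t: (t[0][0], t[0][1]))
    return [frame for (_sec, _usec, frame), _src in tagged]


# Constructed sample data: labels stand in for real Ethernet frames.
REQ = b"client->server: GET /"
RESP = b"server->client: 200 OK"

# Analyzer A on the TX monitor port stamps the request at t=1.000000.
TX_PCAP = build_pcap([(1, 0, REQ)])
# Analyzer B on the RX monitor port sees the reply 500 us later, but B's clock
# (assumed, for the demonstration) runs 2 ms slow, so it stamps t=0.998500.
RX_PCAP = build_pcap([(0, 998_500, RESP)])
B_CLOCK_ERROR_US = -2_000   # analyzer B's offset relative to A, as measured by NTP


def merge_unsynced():
    """Merge the raw captures: the reply sorts before the request (wrong order)."""
    return merge_streams(parse_pcap(TX_PCAP), parse_pcap(RX_PCAP))


def merge_synced():
    """Correct B's clock first, then merge: request precedes reply."""
    rx = shift(parse_pcap(RX_PCAP), -B_CLOCK_ERROR_US)
    return merge_streams(parse_pcap(TX_PCAP), rx)


if __name__ == "__main__":
    print("unsynced:", merge_unsynced())
    print("synced:  ", merge_synced())
```

With NTP keeping both analyzers within a few hundred microseconds, the correction in shift() is unnecessary and merge_streams() alone gives the right order; without it, the merged capture shows the server answering a request it has not yet received, which is exactly the kind of artifact that sends an analysis down the wrong path.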
