A switch can be configured to mirror ingress, egress, or both directions. The monitoring port is the port where the engineer wants to send a copy of the traffic to. Copying traffic for both directions to a single port can be a problem when the mirrored traffic is greater than the monitoring port interface speed. Basically, the monitoring port interface has to be large enough to support the traffic from the mirrored port(s).

An example is mirroring port 1 (1G) to port 5 (1G). The maximum bandwidth needed is 2G because there is 1G ingress and 1G egress of traffic. This exceeds the 1G port speed of port 5, and the switch will drop some of the packets.

Capturing with two network cards will work if the network cards can capture at port speed. Whether you capture with one or two network cards, the traffic is displayed the same. Sniffers have a proprietary file format that can identify the port used to capture the packets. When you merge files, there isn't any way to tell what hardware was used to capture the packet, because the PCAP packet header doesn't have a field to identify the capturing hardware. There is an article in NetworkDataPedia by Tony Fortunato with a detailed explanation.

A filter can also be applied to narrow the capture down to a single port; for example, if you wanted only port 8080 traffic: `tcpdump -i any port 8080 -w /tmp/capture`. To stop the capture at any time, simply issue a control-break (ctrl-c) on the shell command line where tcpdump was executed from.
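The bandwidth check above generalizes to any number of mirrored ports and directions. The following Python is an added example, not code from the original post or from a switch vendor: it computes the worst-case copied traffic per direction for a list of mirror sources, then checks it against either a single monitoring port (the port 1 to port 5 case) or a two-NIC capture where each direction gets its own card. Port names, speeds and the `MirrorSource` type are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class MirrorSource:
    """One mirrored (SPAN source) port. Speeds are in Gbit/s; values are constructed."""
    name: str
    speed_gbps: float
    direction: str  # "ingress", "egress" or "both"


def worst_case_load(sources: List[MirrorSource]) -> Dict[str, float]:
    """Worst-case copied traffic, split by direction.

    A full-duplex link can run at line rate in each direction at the same time,
    so mirroring "both" on a 1G port can produce up to 1G ingress + 1G egress.
    """
    load = {"ingress": 0.0, "egress": 0.0}
    for src in sources:
        if src.direction == "both":
            load["ingress"] += src.speed_gbps
            load["egress"] += src.speed_gbps
        elif src.direction in load:
            load[src.direction] += src.speed_gbps
        else:
            raise ValueError(f"unknown direction {src.direction!r} on {src.name}")
    return load


def check_single_monitor_port(sources: List[MirrorSource], monitor_speed_gbps: float) -> Dict[str, float]:
    """All copies land on one monitoring port, so ingress + egress must fit its line rate."""
    load = worst_case_load(sources)
    required = load["ingress"] + load["egress"]
    return {
        "required_gbps": required,
        "monitor_gbps": monitor_speed_gbps,
        "oversubscription": required / monitor_speed_gbps,
        "may_drop": required > monitor_speed_gbps,  # switch will discard the excess
    }


def check_two_capture_nics(sources: List[MirrorSource], nic_speed_gbps: float) -> Dict[str, bool]:
    """Each direction is delivered to its own capture NIC.

    This works when every NIC can keep up with the worst case of its direction,
    which is the "two network cards capturing at port speed" case from the text.
    """
    load = worst_case_load(sources)
    return {
        "ingress_nic_may_drop": load["ingress"] > nic_speed_gbps,
        "egress_nic_may_drop": load["egress"] > nic_speed_gbps,
    }


if __name__ == "__main__":
    # Constructed scenario matching the text: port 1 (1G, both directions) mirrored to port 5 (1G).
    session = [MirrorSource("port1", 1.0, "both")]
    print(check_single_monitor_port(session, 1.0))   # required 2G on a 1G port: drops
    print(check_two_capture_nics(session, 1.0))      # one 1G NIC per direction: fits
```

The ratio in `oversubscription` is the number to watch when sizing a monitor port: anything above 1.0 means bursts at line rate on the mirrored ports will be dropped by the switch before they ever reach the sniffer, and those drops do not show up as errors in the capture.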
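To make the point about the PCAP record header concrete, here is an added Python example (not from the original post, NetworkDataPedia, or Tony Fortunato's article) that writes two small classic-pcap captures, one per capture NIC, merges them by timestamp the way a merge tool would, and reads the result back. The frames, timestamps and NIC names are constructed; the only fields the per-packet header has are the four defined by the format, so nothing in the merged file records which card saw each packet.

```python
import struct
from typing import List, Tuple

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = struct.Struct("<IIII")     # ts_sec, ts_usec, incl_len, orig_len
RECORD_FIELDS = ("ts_sec", "ts_usec", "incl_len", "orig_len")  # no interface/hardware field

Record = Tuple[int, int, bytes]  # (ts_sec, ts_usec, packet bytes)


def write_pcap(records: List[Record], linktype: int = LINKTYPE_ETHERNET, snaplen: int = 65535) -> bytes:
    """Serialize records into a little-endian classic pcap file (version 2.4)."""
    out = bytearray(GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype))
    for ts_sec, ts_usec, data in records:
        out += RECORD_HDR.pack(ts_sec, ts_usec, len(data), len(data))
        out += data
    return bytes(out)


def read_pcap(blob: bytes) -> Tuple[int, List[Record]]:
    """Parse a classic pcap file; rejects other magics and truncated records."""
    magic, _major, _minor, _zone, _sigfigs, _snaplen, linktype = GLOBAL_HDR.unpack_from(blob, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap")
    off = GLOBAL_HDR.size
    records: List[Record] = []
    while off < len(blob):
        ts_sec, ts_usec, incl_len, _orig_len = RECORD_HDR.unpack_from(blob, off)
        off += RECORD_HDR.size
        data = blob[off:off + incl_len]
        if len(data) != incl_len:
            raise ValueError("truncated record")
        off += incl_len
        records.append((ts_sec, ts_usec, data))
    return linktype, records


def merge_pcaps(blobs: List[bytes]) -> bytes:
    """Merge captures in timestamp order. The origin of each record is lost here,
    because the output record header has nowhere to store it."""
    linktypes = set()
    merged: List[Record] = []
    for blob in blobs:
        linktype, recs = read_pcap(blob)
        linktypes.add(linktype)
        merged.extend(recs)
    if len(linktypes) != 1:
        raise ValueError("cannot merge captures with different link types")
    merged.sort(key=lambda r: (r[0], r[1]))
    return write_pcap(merged, linktype=linktypes.pop())


def fake_frame(tag: bytes) -> bytes:
    """Constructed Ethernet-looking frame: zeroed MACs, IPv4 ethertype, 2-byte tag as payload."""
    return b"\x00" * 12 + b"\x08\x00" + tag


def demo() -> List[Tuple[int, int, bytes]]:
    # Constructed: NIC A captured the mirrored ingress, NIC B the mirrored egress.
    nic_a = write_pcap([(100, 10, fake_frame(b"A1")), (100, 30, fake_frame(b"A2"))])
    nic_b = write_pcap([(100, 20, fake_frame(b"B1"))])
    merged = merge_pcaps([nic_a, nic_b])
    _, recs = read_pcap(merged)
    # Only the payload tag we planted tells the packets apart; the header does not.
    return [(s, u, d[-2:]) for s, u, d in recs]


if __name__ == "__main__":
    for rec in demo():
        print(rec)
```

If keeping the capture interface matters, the practical answer is the pcapng format, whose Interface Description Blocks and per-packet interface id let merge tools preserve which interface recorded each packet; classic pcap simply has no place for it.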