博客搬家到 http://xuming.info，此处不再更新，自生自灭！

利用 Wireshark 处理网络问题

原文 http://www.novell.com/connectionmagazine/2007/q3/tech_talk_9.html?sourceid=NCM_q3_07_tt9

Switches only forward four types of traffic:

• Broadcasts
• Multicasts
• Traffic to and from the connected system’s MAC address
• Traffic to an unknown MAC address

作者的监听解决方案：
half-duplex lines：a simple four-port hub
full-duplex lines：a small network tap

Tapping into Full Duplex Networks

Sometimes referred to as “walkie-talkie” style communications, the simple half-duplex environment supports traffic moving in one direction at a time, transmit or receive, but never both simultaneously. Alternatively, fullduplex networks support two communications channels for simultaneous transmit and receive. A simple hub doesn’t support full-duplex communications, but a full-duplex tap does.

Full duplex taps are placed inline—typically acting as passive devices. Taps are simple to set up. Let’s say, for example, that you want to tap into a full-duplex link that uses CAT5e cable between two network routers. One CAT5e cable runs from the first router to port A. A second CAT5e cable runs from port B to the second router. Monitor ports connect to the analyzer allowing you to see a copy of all traffic.

There are two flavors of full-duplex taps—aggregating and non-aggregating taps. Aggregating taps combine the data from the transmit and receive channels into a single monitor port allowing you to connect a single analyzer to listen to both traffic channels. Non-aggregating taps as shown in Figure, do not combine the transmit and receive streams. You must connect the monitor ports to two separate analyzers or an analyzer with two NICs installed.

Attention!!!

If you use non-aggregating taps and two separate analyzers, you should time sync the two analyzers using NTP (Network Time Protocol) to ensure data in your streams can be merged into proper order.