Re: newbie question about snoop
From: Lon Stowell (lon.stowell@attbi.com)
Date: 04/14/03
From: Lon Stowell <lon.stowell@attbi.com> Date: Mon, 14 Apr 2003 01:54:49 GMT
Thomas Xu wrote:
> Hello,
> The question is:
> If server A, B, C are on the same broadcast domain (i.e. same subnet),
> are you able to run snoop on server A, and capture packets between B
> and C?
>
Not necessarily. The only packets you will be able to capture
with A are those which physically reach A.

In a switched Ethernet, this means you either port-span the
switch or use an inline capture pod if you want all traffic.
Otherwise you only see MAC layer broadcast or unsteered
multicasts. It really makes no difference whatever what is
happening at the higher layers; if the bottom doesn't pass
the packets, they cannot be captured by any non-psychic
device.

On the other hand, in a ring technology such as FDDI, you should
be able to do this if they are on the same physical ring.
> I don't think that can happen - my understanding is that snoop can
> only capture packets between remote and local server (where you run
> the command). While tcpdump has the ability to capture any broadcast
> packet, it can only show the packet header. Is my understanding
> correct?
You are somewhat correct, but for the wrong reason. It is
what happens at the MAC layer that counts. This is why snoop
doesn't work on a virtual circuit technology all that well.
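
An added example, not part of the original post: a Python sketch that classifies captured Ethernet frames by destination MAC to show whether a capture taken on host A contains any B-to-C unicast traffic, which is the MAC-layer point made in the reply above. The MAC addresses, frames and function names are constructed for illustration.

```python
import struct
from collections import Counter

BROADCAST = b"\xff" * 6

def mac(text):
    """Convert 'aa:bb:cc:dd:ee:ff' to 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))

def frame(dst, src, ethertype=0x0800, payload=b"\x00" * 46):
    """Build a constructed Ethernet II frame (no FCS) for the demo."""
    return mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload

def classify(raw, local_mac):
    """Say why this frame could have physically reached the capturing NIC."""
    if len(raw) < 14:
        return "runt"
    dst, src, _ethertype = struct.unpack("!6s6sH", raw[:14])
    if dst == BROADCAST:
        return "broadcast"
    if dst[0] & 0x01:                 # I/G bit set: group (multicast) address
        return "multicast"
    if local_mac in (dst, src):
        return "own-unicast"
    # Unicast between two other stations. On a switch this normally needs a
    # SPAN/mirror port or inline tap; a few such frames can also appear when
    # the switch floods a destination MAC it has not learned yet.
    return "foreign-unicast"

def summarize(frames, local_mac):
    """Return (per-class counts, True if third-party unicast was captured)."""
    counts = Counter(classify(f, local_mac) for f in frames)
    return counts, counts["foreign-unicast"] > 0

# Constructed sample data: A is the capture host, B and C are the other servers.
A, B, C = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"
ARP_FROM_B = frame("ff:ff:ff:ff:ff:ff", B, ethertype=0x0806)
MCAST_FROM_C = frame("01:00:5e:00:00:01", C)
C_TO_A = frame(A, C)
B_TO_C = frame(C, B)

ORDINARY_PORT = [ARP_FROM_B, MCAST_FROM_C, C_TO_A]   # normal switch port
MIRRORED_PORT = ORDINARY_PORT + [B_TO_C]             # SPAN port or tap

if __name__ == "__main__":
    for name, capture in (("ordinary", ORDINARY_PORT), ("mirrored", MIRRORED_PORT)):
        print(name, summarize(capture, mac(A)))
```
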