- Community Home
- >
- Servers and Operating Systems
- >
- Operating Systems
- >
- Operating System - Linux
- >
- howto sniff switched LAN using wireshark ?
Operating System - Linux
1824484
Members
11628
Online
109671
Solutions
Forums
Categories
Company
Local Language
юдл
back
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Forums
Discussions
Discussions
Discussions
Forums
Forums
Discussions
юдл
back
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Blogs
Information
Community
Resources
Community Language
Language
Forums
Blogs
Go to solution
Topic Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО09-14-2007 09:18 AM
тАО09-14-2007 09:18 AM
hi
I have wireshark installed on linux and my LAN is very slowly.
howto sniff switched LAN using wireshark
or similar program for problems and errors ?
or where can i find a good tutorial ?
what should i pay attention to sniff switched network ?
could you tell pls something more about your experience ?
kind regards
chris
I have wireshark installed on linux and my LAN is very slowly.
howto sniff switched LAN using wireshark
or similar program for problems and errors ?
or where can i find a good tutorial ?
what should i pay attention to sniff switched network ?
could you tell pls something more about your experience ?
kind regards
chris
Solved! Go to Solution.
5 REPLIES 5
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО09-14-2007 10:42 AM
тАО09-14-2007 10:42 AM
Solution
There is a book called "Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems". You may buy this book, or you may try to find it via other means if you don't care about intellectual property rights.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО09-15-2007 09:56 AM
тАО09-15-2007 09:56 AM
Re: howto sniff switched LAN using wireshark ?
If your switch is a "managed switch", its features can help a lot in network troubleshooting. A managed switch often has an IP address of its own, and you can use telnet, ssh or maybe even a Web browser to connect to it.
Usually a managed switch has traffic and error counters for each port. Examining these can offer you big clues about where the problem might be. For example, you can reset all the counters to zero, wait a while and then examine them again: large (and quickly increasing) numbers in the traffic counter of a particular port may indicate an (over)loaded server. If you see that the error counter of a port is increasing rapidly, that port may have a bad cable or a bad NIC connected to it.
A managed switch might help you in the sniffing operation too: a common feature is the ability to duplicate all traffic going in and out of a particular port to another port, which you can use for your sniffer.
Modern managed switches can often send SNMP trap messages or maybe even emails if they detect excessive amounts of errors. I recommend that you take the time to read the instruction manual of your switch.
MK
Usually a managed switch has traffic and error counters for each port. Examining these can offer you big clues about where the problem might be. For example, you can reset all the counters to zero, wait a while and then examine them again: large (and quickly increasing) numbers in the traffic counter of a particular port may indicate an (over)loaded server. If you see that the error counter of a port is increasing rapidly, that port may have a bad cable or a bad NIC connected to it.
A managed switch might help you in the sniffing operation too: a common feature is the ability to duplicate all traffic going in and out of a particular port to another port, which you can use for your sniffer.
Modern managed switches can often send SNMP trap messages or maybe even emails if they detect excessive amounts of errors. I recommend that you take the time to read the instruction manual of your switch.
MK
MK
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО09-15-2007 10:29 AM
тАО09-15-2007 10:29 AM
Re: howto sniff switched LAN using wireshark ?
Another "very probable" cause of network slowdown are peer to peer clients, viruses, download accelerators, that consumes all network bandwidth.
If you see a lot of traffic generated from some (or all) machines, destined to non standard ports or unknown hosts, then you fall down into one of these categories.
Check nessus and its plugins, for example:
http://www.nessus.org/plugins/index.php?view=all&family=Peer-To-Peer+File+Sharing
You can also use nmap to check what ports are open in remote computers.
Good luck.
If you see a lot of traffic generated from some (or all) machines, destined to non standard ports or unknown hosts, then you fall down into one of these categories.
Check nessus and its plugins, for example:
http://www.nessus.org/plugins/index.php?view=all&family=Peer-To-Peer+File+Sharing
You can also use nmap to check what ports are open in remote computers.
Good luck.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО09-16-2007 04:03 AM
тАО09-16-2007 04:03 AM
Re: howto sniff switched LAN using wireshark ?
Hi Chris,
You don't mention what brand switches you're using, however most managed switches will have an option to mirror all data to a specific port as mentioned previously.
On Cisco switches this feature is known as SPAN (Switched Port ANalyzer). A good introduction can be found here:
http://www.cisco.com/warp/public/473/41.html
Hope this helps,
Regards,
Rob
You don't mention what brand switches you're using, however most managed switches will have an option to mirror all data to a specific port as mentioned previously.
On Cisco switches this feature is known as SPAN (Switched Port ANalyzer). A good introduction can be found here:
http://www.cisco.com/warp/public/473/41.html
Hope this helps,
Regards,
Rob
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО09-17-2007 05:26 AM
тАО09-17-2007 05:26 AM
Re: howto sniff switched LAN using wireshark ?
Definitely check stats on the switch and the hosts before you start trying to packet sniff. How you get stats will be platform specific. Since you posted this in a "Linux" forum I'll suggest "ethtool -S " to get link-level statistics for your systems' interfaces.
Only if those are "clean" (no errors or _late_ collisions) would I suggest trying to packet sniff, at which point you will definitely want to have a "managed" switch so you can enable the port mirroring as mentioned previously. Otherwise, you _can_ sniff traffic but your sniffer will only see the traffic which would have already gone to that port.
There _may_ be other, slightly nefarious ways to make the switch behave more like a hub, but perhaps best to try the other stuff first. The ways to make a switch behave like a hub would only make the network run worse for a time.
Only if those are "clean" (no errors or _late_ collisions) would I suggest trying to packet sniff, at which point you will definitely want to have a "managed" switch so you can enable the port mirroring as mentioned previously. Otherwise, you _can_ sniff traffic but your sniffer will only see the traffic which would have already gone to that port.
There _may_ be other, slightly nefarious ways to make the switch behave more like a hub, but perhaps best to try the other stuff first. The ways to make a switch behave like a hub would only make the network run worse for a time.
there is no rest for the wicked yet the virtuous have no pillows
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.
Company
Learn About
News and Events
Support
© Copyright 2025 Hewlett Packard Enterprise Development LP