Frequently Asked Questions




The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the Author” form. You will also gain access to thousands of other FAQs at ITFAQnet.com.

1. How do I know if someone is already working on a protocol dissector for a protocol that isn’t supported yet by Ethereal?


2. Will port spanning increase the load on my switch?


3. I started using Ethereal on my network just to have a look and I couldn’t believe how much traffic was out there! It was scrolling so fast I couldn’t even make sense of it. What should I do?


4. Do I need to use Editcap to translate capture files from different products to a common format before merging them with Mergecap?


5. When I am on call for network problems I follow a basic troubleshooting methodology and keep detailed notes; however, my coworkers fail to do the same when they are on call. What should I do?


6. I am using a hub to analyze network traffic; however, I am still not seeing all of the traffic.


7. Can I perform port spanning on switches other than Cisco?


Answers

1. Send an e-mail to the Ethereal developers mailing list. Most likely, if someone is writing a dissector they are also part of this list.

2. Yes, but how much depends on several factors, such as how many ports you are mirroring and how much traffic is going through those ports. Newer switches can handle port spanning efficiently, and the increased load will not be noticeable.

3. This is common, especially on larger networks or networks with large collision domains. The best thing to do is to start capturing chunks of data and saving them to a file. Then you can use various display filters to sort out the data and make sense of what is going on.

4. No, Mergecap can automatically translate the files as it merges them. It will do this for all of the compatible products that Ethereal supports. It can even automatically uncompress gzip files if you compiled Ethereal with gzip support.
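Mergecap does not need Editcap's help because its file-reading code recognises each input by its leading magic bytes and normalises the records as it reads them. The following added example (not from the book and not Ethereal's own code) shows that idea for the classic libpcap format only: it identifies little-endian, big-endian and gzip-compressed inputs by magic number, reads each one, and writes a single chronologically merged little-endian file, which is Mergecap's default behaviour; the two sample captures are constructed inline.

```python
import gzip
import struct

# Leading bytes of the formats handled here: classic libpcap in both byte orders, pcapng, and gzip.
PCAP_MAGIC_LE, PCAP_MAGIC_BE = b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\xc3\xd4"
PCAPNG_MAGIC, GZIP_MAGIC = b"\x0a\x0d\x0d\x0a", b"\x1f\x8b"

def identify(data: bytes) -> str:
    """Classify a capture by its magic number, looking through gzip compression first."""
    if data[:2] == GZIP_MAGIC:
        return "gzip:" + identify(gzip.decompress(data))
    return {PCAP_MAGIC_LE: "pcap-le", PCAP_MAGIC_BE: "pcap-be",
            PCAPNG_MAGIC: "pcapng"}.get(data[:4], "unknown")

def make_pcap(order: str, linktype: int, frames: list) -> bytes:
    """Write a classic libpcap file in byte order '<' or '>' from (ts_sec, ts_usec, frame) tuples."""
    out = struct.pack(order + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for ts_sec, ts_usec, frame in frames:
        out += struct.pack(order + "IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return out

def read_pcap(data: bytes) -> tuple:
    """Return (linktype, [(ts_sec, ts_usec, frame), ...]); accepts either byte order, gzipped or not."""
    if data[:2] == GZIP_MAGIC:
        data = gzip.decompress(data)
    order = {PCAP_MAGIC_LE: "<", PCAP_MAGIC_BE: ">"}[data[:4]]  # KeyError for anything else
    linktype = struct.unpack(order + "I", data[20:24])[0]
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, caplen, _origlen = struct.unpack(order + "IIII", data[off:off + 16])
        packets.append((ts_sec, ts_usec, data[off + 16:off + 16 + caplen]))
        off += 16 + caplen
    return linktype, packets

def merge(files: list) -> bytes:
    """Merge captures chronologically into one little-endian pcap, as mergecap does by default."""
    parsed = [read_pcap(f) for f in files]
    linktypes = {lt for lt, _ in parsed}
    if len(linktypes) != 1:  # classic pcap carries a single link type per file
        raise ValueError("inputs use different link types; cannot merge into one classic pcap")
    packets = sorted((p for _, pk in parsed for p in pk), key=lambda p: (p[0], p[1]))
    return make_pcap("<", linktypes.pop(), packets)

# Constructed sample input: a little-endian capture and a gzipped big-endian capture
# whose timestamps interleave, standing in for files saved by two different products.
CAP_A = make_pcap("<", 1, [(1000, 0, b"A1"), (1002, 0, b"A2")])
CAP_B = gzip.compress(make_pcap(">", 1, [(1001, 0, b"B1"), (1003, 500, b"B2")]))
MERGED = merge([CAP_A, CAP_B])  # frames come out as A1, B1, A2, B2
```

Real Mergecap also handles pcapng and the many vendor formats its library knows, and it can override the output encapsulation when inputs disagree; this sketch only rejects that case.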

5. Get management’s support for documenting the troubleshooting process and its benefits. You can even suggest that you start a “day after” e-mail report that thoroughly documents the problem and the resolution. This e-mail report can be used to update upper-level management and general users in the organization. Your coworkers will have more reason to comply with this policy when their names are attached to something so public!

6. Some hubs have an “auto-sensing” or “dual speed” feature that senses your network interface card speed and sets the hub port to the appropriate speed, 10 Mbps or 100 Mbps. Some of these hubs will only repeat 10 Mbps traffic to other 10 Mbps ports and 100 Mbps traffic to other 100 Mbps ports, so if you have mixed-speed traffic on your hub you may be missing some of it. Linksys and Netgear have been known to have this issue; check with your hub vendor to see if this is documented for your product.

7. Yes, port spanning is a Cisco term, but other products perform the same thing and call it port mirroring. These products include HP and Nortel switches, and some newer products are even coming with dedicated management ports built in.






Ethereal Packet Sniffing
Ethereal Packet Sniffing (Syngress)
ISBN: 1932266828
Year: 2004
Pages: 105
Authors: Syngress
