Simple capture files in tutes etc contain frames both to and from multiple systems. How is that possible, given that a network card being used by Wireshark can only capture from the Rx pair of a cable? asked 06 Aug '13, 03:18  RLH |
2 Answers:
Receiving data doesn't mean that it is only unidirectional when it comes to the layers above the physical medium. Usually, captures are done on SPAN ports or TAPs, which means that communication of other systems is channeled into the downstream towards the Wireshark PC (or any capture device). In that downstream you'll have packets that go back and forth between Ethernet/IP/... pairs of these systems. It's sort of what happens when someone at the post office takes a look at an envelope to see where to direct it to: the guy inspecting the address information isn't the receiver or sender, but still has the letter in it's hand. In Wiresharks case it is receiving copies of frames/packets and stores/analyzes them. It doesn't mean it needs to be the sender or receiver. Also, if you capture with Wireshark on a local PC you'll get both directions, because it listens in on RX and TX. answered 06 Aug '13, 03:26  Jasper ♦♦ |
The capture could have been made at the server so it would see client request from multiple machines and the server responses, or could have been made via a mirror port on a switch, or on multiple network interfaces, or (rarely these days) on a hub where all traffic is available on all ports. The capture could also be synthesised by concatenating multiple captures. answered 06 Aug '13, 03:29  grahamb ♦ Thanks grahamb. "a mirror port on a switch". More reading for me; I (vaguely) thought that a mirror port was just a duplication of the original port... I don't quite get the significance... "or on multiple network interfaces". Is the data from multiple interfaces captured into individual files? Do they have the same time-zero reference time? Can they be (or are they automatically) merged into a single file? Thanks. (06 Aug '13, 04:57) RLH A mirror port is another name for a SPAN port as mentioned in the answer from @Jasper. Most switches that offer mirroring or spanning permit multiple switch ports to be mirrored or spanned. Recent versions of Wireshark can capture on multiple interfaces at the same time into a single capture file. Unfortunately the timestamps of packets depend on the actual capturing mechanism in use and I believe this may vary for different NIC's and drivers and of course OS's. (06 Aug '13, 05:34) grahamb ♦ |
Thanks Jasper. I have more questions: 1. >Usually, captures are done on SPAN ports or TAPs I'll have to read up on these.
Does this mean that what is presented in the capture file as a transmission from the local PC is actually what it is expected will have been transmitted i.e. captured from buffers just before being passed to the lowest hardware component? Being picky, I know, but I'm trying to understand the nitty-gritty of capture.
Or do I still not understand...
yes. A SPAN port aggregates RX/TX of the communication towards one TX output port that Wireshark listens on (as RX device). TAPs can do that same ("Link Aggregation TAP") or provide both directions on two separate TX outputs, which of course requires Wireshark to listen on two RX NICs at the same time.
yes, what Wireshark picks up is what is supposed to be sent. It may in fact be modified in the actual NIC before it is sent, which explains why you'll often see CRC errors and oversized/undersized frames when doing a capture like this - because the final frame construction is done on the NIC after Wireshark already captured the incomplete frame on it's way to the NIC.
By the way, I can recommend this WIKI page: http://wiki.wireshark.org/CaptureSetup/Ethernet
Thank you very much Jasper. Now I have a starting place...