Garrett D'Amore wrote:
> James Carlson wrote:
>> Andrew Gallatin writes:
>>
>>> Peter Memishian writes:
>>> >
>>> > > If you receive a packet addressed to MAC address "B" in promisc mode
>>> > > on an interface using MAC address "A", with IP listening, will there
>>> > > be a copy?
>>> > >
>>> > > I assumed there would be, but I don't understand the code well enough
>>> > > to know for sure. My concern was that if there is a copy, it seems
>>> > > pointless, since the mis-addressed packet should not make it to IP.
>>> >
>>> > AFAIK IP will get a copy in that case (assuming the packet is IPv4 or
>>> > IPv6). But how common is such a situation in modern switched networks?
>>>
>>> Probably fairly unusual, to be sure. But I think there are switches
>>> which can be configured to shunt a copy of all traffic to a designated
>>> port.
>>>
>
> Many switches support this feature. It's actually incredibly useful for
> diagnosis. One runs a sniffer attached to that port, to watch traffic
> flowing across other ports. This makes it possible to snoop without
> inserting a hub in the middle. I finally got just such a switch, and
> since then I've not had to use one of the hubs I've kept around for
> debug since.

If a system is a dedicated sniffer and no performance-sensitive traffic is actually destined to the system, then the performance-sensitive operation should be sniffing, and not other operations such as TCP connections. On such a Solaris system, it's common practice to unplumb IP interfaces in order to maximize the performance of the sniffing application, since packets won't be copied and passed to IP.

I don't think this is the case that Darren was thinking of. Rather, how do we observe packets that are sent and received by the local system while minimizing the performance impact on the local applications responsible for those packets?

-Seb
