<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Clayton Fast wrote:
<blockquote cite="mid:EAC30D6F5DB0432F9973A45B0359A9CB@pcsc.com"
type="cite">
<div><span class="235373821-02092010"><font face="Arial" size="2">I
need to analyze network traffic from a specific public IP address to a
production Centos 5 system but I'm concerned about running wireshark on
that system. I've tried running it on a separate PC on the network but
it only reports its own traffic. </font></span></div>
<div><span class="235373821-02092010"></span> </div>
<div><span class="235373821-02092010"><font face="Arial" size="2">I'm
looking to see if any of you have had any major problems running
wireshark on Centos 5.</font></span></div>
<div><span class="235373821-02092010"></span></div>
</blockquote>
Wireshark has worked OK for me on CentOS. What kind of issues would
you be concerned about? Capturing packets on the affected system
directly is the best approach. You could use tcpdump to capture the
packets and then copy the dump file to another system for analysis.
That is fairly low risk for a production system and might even be the
best approach.<br>
<br>
You could get wireshark on your separate PC to show all of the packets
if you connect it to the same ethernet HUB (not switch) as your CentOS
5 system. Beware that putting a hub inline could significantly slow
down traffic to/from your production CentOS 5 system.<br>
<br>
Since hubs are not readily available these days anyway, you could
configure a managed switch to have a "monitor port" in which a copy of
all packets transmitted by the switch on any port is also transmitted
on the monitor port. That way you can connect your wireshark PC to
report all traffic on the switch.<br>
<br>
There are some other clever hacks you could try but those are the ones
most likely to work.<br>
<br>
Hope this helps,<br>
Jim<br>
<pre class="moz-signature" cols="72">--
Jim Ockers, P.Eng. (<a class="moz-txt-link-abbreviated" href="mailto:ockers@ockers.net">ockers@ockers.net</a>)
Contact info: <a class="moz-txt-link-freetext" href="http://www.ockers.ca/pason.html">http://www.ockers.ca/pason.html</a>
</pre>
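<p>Added example, not part of the original message: a size-capped tcpdump capture of traffic to and from one remote address, written to a file that can then be copied to another system for analysis. The interface name, the address 203.0.113.10, the output path and the variables CAP_SIZE_MB and CAP_FILES are assumptions chosen for illustration.</p>
<pre>
```shell
#!/bin/sh
# Added example: bounded capture of one remote host for offline analysis.
# Interface, address and paths used here are constructed placeholders.

# Accept only a dotted-quad IPv4 address, so nothing else reaches the filter.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] || return 1
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the tcpdump command line: capture_cmd IFACE REMOTE_IP OUTFILE
#   -n       no DNS lookups, so the capture adds no traffic or delay of its own
#   -s 0     whole packets; older tcpdump releases keep only 68 bytes by default
#   -C, -W   ring of CAP_FILES files of CAP_SIZE_MB million bytes each,
#            which caps disk use on the production host
capture_cmd() {
    iface=$1; ip=$2; out=$3
    valid_ipv4 "$ip" || return 1
    case "$iface" in ''|*[!A-Za-z0-9._:-]*) return 1 ;; esac
    case "$out" in ''|*[!A-Za-z0-9._/-]*) return 1 ;; esac
    echo "tcpdump -n -i $iface -s 0 -C ${CAP_SIZE_MB:-100} -W ${CAP_FILES:-5} -w $out host $ip"
}

# Runs only when called with arguments (as root):
#   sh capture.sh eth0 203.0.113.10 /var/tmp/capture.pcap
# Stop with Ctrl-C, then copy the capture.pcap* files to the analysis PC
# (for example with scp) and open them in wireshark there.
if [ "$#" -ge 2 ]; then
    cmd=$(capture_cmd "$1" "$2" "${3:-/var/tmp/capture.pcap}") || exit 1
    echo "running: $cmd"
    # Left unquoted on purpose: every token was validated above.
    exec $cmd
fi
```
</pre>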
</body>
</html>