Hi, I read the following on wikipedia: Preamble and start frame delimiter are not displayed by packet sniffing software because these bits are stripped away at OSI Layer 1 by the network interface controller before being passed on to the OSI layer 2 which is where packet sniffers collect their data. There are layer-2 sniffers which can capture and display the preamble and start frame delimiter but they are expensive and mainly used to detect physical related problems. It says layer-2 sniffers can capture and display the preamble. This is contrast to my intuitive thinking about it. Higher OSI layer is far away from physical layer while Ethernet preample is the basic physical layer data. Can you confirm the above statement and explain it to me? Thanks,
Question about Ethernet preample with sniffing software
Started by ●August 2, 2014
Reply by ●August 2, 20142014-08-02
On Sat, 02 Aug 2014 10:57:58 -0700, Robert Willy wrote:> Hi, > > I read the following on wikipedia: > > > Preamble and start frame delimiter are not displayed by packet sniffing > software > because these bits are stripped away at OSI Layer 1 by the network > interface controller before being passed on to the OSI layer 2 which is > where packet sniffers collect their data. There are layer-2 sniffers > which can capture and display the preamble and start frame delimiter > but they are expensive and mainly used to detect physical related > problems. > > > It says layer-2 sniffers can capture and display the preamble. This is > contrast to my intuitive thinking about it. Higher OSI layer is far away > from physical layer while Ethernet preample is the basic physical layer > data. Can you confirm the above statement and explain it to me? > > Thanks,"Normal" sniffers run on -say- layer 3 and sniff one layer below. This is because they are executed on the CPU and capture the data that is sent to the CPU by the network interface. The network interface normally digests the packet before sending it to the CPU. A layer-2 sniffer would presumably run on the network interface itself and would thus be capable of seeing the network packet before it gets digested. Because of that, it would be able to see, and sniff, the preamble as well as other stuff, like the CRC checksum (which some interfaces remove during digesting).
Reply by ●August 3, 20142014-08-03
Robert Willy wrote:> Hi, > > I read the following on wikipedia: > > > Preamble and start frame delimiter are not displayed by packet sniffing software > because these bits are stripped away at OSI Layer 1 by the network interface > controller before being passed on to the OSI layer 2 which is where packet > sniffers collect their data. There are layer-2 sniffers which can capture and > display the preamble and start frame delimiter but they are expensive and mainly > used to detect physical related problems. > > > It says layer-2 sniffers can capture and display the preamble. This is contrast to > my intuitive thinking about it. Higher OSI layer is far away from physical layer > while Ethernet preample is the basic physical layer data. Can you confirm the > above statement and explain it to me? > > Thanks, >The fact that you see the packet at all with a sniffer means the preamble and start data are there. You don't "need" to see it; you're reusing a bog standard NIC to parse it for you and it's always the same. The expensive sniffers are for the poor guys who have to debug the NIC and other boring things. -- Les Cargill
