Question about Ethernet preample with sniffing software


I read the following on wikipedia:

Preamble and start frame delimiter are not displayed by packet sniffing software because these bits are stripped away at OSI Layer 1 by the network interface controller before being passed on to the OSI layer 2 which is where packet sniffers collect their data. There are layer-2 sniffers which can capture and display the preamble and start frame delimiter but they are expensive and mainly used to detect physical related problems.

It says layer-2 sniffers can capture and display the preamble. This is contrast to my intuitive thinking about it. Higher OSI layer is far away from physical layer while Ethernet preample is the basic physical layer data. Can you confirm the above statement and explain it to me?


Reply to
Robert Willy
Loading thread data ...

"Normal" sniffers run on -say- layer 3 and sniff one layer below. This is because they are executed on the CPU and capture the data that is sent to the CPU by the network interface. The network interface normally digests the packet before sending it to the CPU.

A layer-2 sniffer would presumably run on the network interface itself and would thus be capable of seeing the network packet before it gets digested. Because of that, it would be able to see, and sniff, the preamble as well as other stuff, like the CRC checksum (which some interfaces remove during digesting).

Reply to
Aleksandar Kuktin

The fact that you see the packet at all with a sniffer means the preamble and start data are there. You don't "need" to see it; you're reusing a bog standard NIC to parse it for you and it's always the same.

The expensive sniffers are for the poor guys who have to debug the NIC and other boring things.

Les Cargill
Reply to
Les Cargill

ElectronDepot website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.