On Wed, 2 Mar 2005 12:59:51 -0500, Claude Morin <klodefactor at gmail dot com> wrote:
> At this point it's probably best to do something like:
> 
>         m0n0wall-----hub**-----Internet-----Cisco831
>                             |
>                         sniffer
>                            PC
> 
> and watch, packet by packet, to confirm what's missing, and from which
> end.  For sniffing, I use Ethereal pretty much exclusively these days;
> it's supported on many platforms, including MS Windows.
> 

Agreed, this is the next step I'd take as well. 




> 
> ** For the less experienced people following this discussion: it's
> important to use a true hub in the pictured configuration, not a
> dual-speed hub unless you're sure all three devices are communicating
> at the same speed, and definitely not a switch.  Otherwise, the
> sniffer PC won't see the traffic between the m0n0wall and the
> Internet.
> 

For those that might be wondering why, a 10/100 hub is a 10 Mb hub and
a 100 Mb hub connected by an internal switch between the two.  You
can't put two speeds on a true hub.  So to ensure you're seeing all
the traffic, you either need to make sure it's a true hub, or the
devices are all the same speed.  If you have a managed switch, it
should have port monitoring or SPAN capabilities, which will also
suffice when configured appropriately.

-Chris