On Tue, Oct 09, 2001 at 05:02:24PM +0200, Mipam wrote:
> Hi,
> 
> Normally its easy to look up traffic over the wire by tcpdump, snort,
> etc. However, one day we had severe performance problems and it looked
> like something was flooding. However, no abnormal network trouble could
> be found be looking in between etc. Finally we figured that some switch
> was behaving weird and was sending broken frames, not even
> a normal 48 bits dst addr in the ethernet layer could be seen.
> So basically a *load of 0's and 1's were send over the wire and flooding
> us, until we pulled the plug from the switch and plugged in another.
> My p[roblem is that i cant see such broken traffic.
> Is there any way to look at frames, even if they're broken, so that
> we can see that there is traffic?

Well, usually it's the ethernet adapter which detects this, and
don't even pass the frame to the host. 
If it's really broken a ethernet adapter won't even read it.
What you need here is a real network analyser.

--
Manuel Bouyer, LIP6, Universite Paris VI.           Manuel.Bouyer@lip6.fr
--