Showing results for 
Search instead for 
Did you mean: 

What is an inline sniffer and how do I use it?


I have an Oracle Solaris server on which a network interface is reporting input errors.  A case was opened with Oracle and they indicated that the nature of the noted input errors indicate the NIC dropped a packet that was either too large or too small probably based on NIC MTU size.  Their recommendation to trace the source of these packets were switch port mirroring or an inline packet sniffer.  We tried switch port mirroring and connected a laptop to the mirrored port and ran wireshark to capture packets but nothing turned up as unusal.  The theory is that the laptop's NIC would also drop those packets and hence would not make it to the software level where wireshark operates.

As for a packet sniffer.  They were unable to provide me more detailed information on what his is and how it works.  The basic idea I was able to obtain from a networking colleague is that it is a physical device with an in port, an out port and some sort if monitoring port. This would bridge the connection from the switch to the server.

My question is can anyone recommend a model / make of an inline sniffer and how to use it to identify the source of the bad packets going to the server?  Keeping in mind the theory that any sort of capturing by a PC may drop packets at NIC level, can this inline sniffer actually capture packets itself? Any help will be greatly appreciated.

4 Replies 4


They are talking about a network TAP like the one sold by netoptics but you still need a computer to capture the packets.

Can you provide  a show interface from the switch.

Hi Dominic, I am part of the team that deals with the server, the network team did some checks from their end and they were unable to come up with any anomalies.  I would want to elimate capturing using a PC, keeping in mind the packets maybe dropped by the PC's NIC (based on MTU I assume).  I was referred to the One Tocuh Network Assitant from other searches.  It seems it may be able to perform like a TAP, but also capture packets which I assume will be ideal.  I have not read up on the exact specifics as yet.

If packet are too small, the switch should have "runts" error. If packet are too big, it should have "giants" error. If there is a missmatch between your MTU and the switch MTU, you should try to enable jumbo frame on the host you are using to capture trafic with wireshark. If nothing turn up, I would put my money on "something wrong with the server".

The network team did send us a show interface for the port on the switch which was connected to the servers interface and there were 0 runts and 0 giants.  I'm not really much a network person so I had to rely on their expertise.  Oracle indicates the problem is exterior due to the nature of the errors.  The odd thing however is that we have 6 of these servers that have exhibited these symtoms.  For the first one the motherboard was replaced as it was an onboard NIC, after the replacement the errors started showing up on a different interface on the motherboard.  The server was rebooted and that cleared and stopped the errors.

For the other 5 the errors started showing up after a reboot was performed.  For another 2 a reboot fixed the errors. For 1 bringing down the interface and bringing it back up solved the issue. and We still have 2 showing the errors. We have made no attempts at a reboot or unconfiguring and re-configuring the interface just yet.

The peculiar thing is they are all the same type of server hardware, however between all 6, they are spread accross 3 different physical sites. So at this point we are quite puzzled.  I just wish I could have gotten hold of an inline sniffer to test Oracle's theory.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers