Hubs vs Switches – Using WireShark to sniff network packets

Gotcha #1 : Use a hub not a switch

Why: Switches don’t copy all messages to all ports. They try and optimize traffic so when they learn which port a device is connected to they send all messages intended for that device to that port and stop copying to all ports. (The jargon they use for this function is ‘learning mode’)
How do you know it’s a hub: Just because it calls itself a hub doesn’t mean it is one.

  • If it says full-duplex in the product description it’s probably not a hub.
  • A switch that allows you to turn off the learning mode is effectively a hub.
  • A switch with a monitored port copies all messages to the monitored port and thus you can use that port as if it were a hub.
  • If it says ‘switch’ and you cant turn off learning mode and it doesn’t have a monitor port then it is not a hub.
  • A router is never a hub.



Gotcha #2 : Mixing 10 and 100 mbits/sec can cause problems.

Not all hubs copy 10mbit messages to 100mbit ports and vice versa.Use a 10mbit/sec hub if you are on a mixed network – almost all other faster devices are speed sensing and will downgrade themselves to 10mbits/sec and thus you will see all the packets. This is not true of some building automation engines where the speed of the port is configured.
You can work around this problem by connecting higher speed devices to a self sending switch/hub and then connect that switch/hub to the 10mbit hub.

Recommended Hubs

  • 10Mbit/sec Networks – DX-EHB4 – 4 Port 10 Mbps HUB
  • Netgear – DS104 Dual Speed HUB
  • 10Mbit/sec Networks – D-LINK DE-805TP