RE: Sniffing a Switched Network

From: John R. Morris (jrmorris@lycurgus.nerdality.com)
Date: 09/06/01


From: "John R. Morris" <jrmorris@lycurgus.nerdality.com>
To: <michael.white@lmscae.com>, "'Security-Basics'" <security-basics@securityfocus.com>, "'MICROSOFT_SECURITY'" <MICROSOFT_SECURITY@ANNOUNCE.MICROSOFT.COM>, "'Focus-Ms'" <focus-ms@securityfocus.com>
Subject: RE: Sniffing a Switched Network
Date: Thu, 6 Sep 2001 12:28:51 -0700
Message-ID: <000f01c1370a$298a3a90$2101a8c0@pythagoreas>

Well, because of the way switches work, only traffic bound to/from the port
you are on (unless you configure the switch to send all traffic to a port
for monitoring) will show up in your monitor. Basically, a hub is a repeater
which echoes everything to every port, whereas a switch keeps a MAC address
table and only sends to the port with the right address, or that is the
uplink to the next switch... So you should only see broadcast traffic or
other traffic that is going to/from your port. However, I have seen stuff on
a switched network that shouldn't show up on an Ethernet analyzer on a switch
port but somehow does.

YMMV. Try to put the sniffer/analyzer in a logical place to intercept the
traffic you want. A cheap Netgear hub can be your best friend for
dynamically re-configuring the network topology temporarily in order to do
some monitoring; otherwise you can go with CLI options on various managed
switches...

Hope that helps.

- John
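The forwarding behaviour John describes above, as an added example that is not part of the original thread: a small model of a hub (repeats every frame to every other port) next to a learning switch (keeps a MAC table, forwards a known unicast only to its port, floods broadcasts) with an optional port-mirror/SPAN session. The model also floods unicast frames whose destination MAC has not been learned yet, which is standard switch behaviour but goes beyond what the message itself spells out. Port numbers, MAC addresses and the frame list are constructed for the demonstration; the `span` parameter and the function names are this example's own, not any vendor's CLI.

```python
# Added example: hub vs. learning switch vs. switch with a mirrored (SPAN)
# port, seen from a sniffer attached to one port. All values are constructed.

BROADCAST = "ff:ff:ff:ff:ff:ff"
MAC_A = "00:00:00:00:00:0a"   # host on port 0 (constructed)
MAC_B = "00:00:00:00:00:0b"   # host on port 1 (constructed)
SNIFFER_PORT = 2              # analyzer sits here; it never transmits

# (ingress_port, src_mac, dst_mac) -- a constructed exchange between A and B
SAMPLE_FRAMES = [
    (0, MAC_A, MAC_B),        # A -> B before the switch has learned B
    (1, MAC_B, MAC_A),        # B -> A, A already learned on port 0
    (0, MAC_A, MAC_B),        # A -> B, B now learned on port 1
    (0, MAC_A, BROADCAST),    # A broadcasts (e.g. ARP request)
]
NUM_PORTS = 3


def hub_forward(frames, num_ports):
    """Hub: each frame is repeated to every port except the one it came in on."""
    seen = {p: [] for p in range(num_ports)}
    for ingress, src, dst in frames:
        for p in range(num_ports):
            if p != ingress:
                seen[p].append((src, dst))
    return seen


def switch_forward(frames, num_ports, span=None):
    """Learning switch. `span` is an optional (source_port, monitor_port)
    pair: everything entering or leaving source_port is copied to
    monitor_port, which is what a port-mirror / SPAN session does."""
    mac_table = {}                        # MAC -> port, learned from senders
    seen = {p: [] for p in range(num_ports)}
    for ingress, src, dst in frames:
        mac_table[src] = ingress          # learn where the sender lives
        frame = (src, dst)
        if dst == BROADCAST or dst not in mac_table:
            # broadcast or unknown unicast: flood to all ports except ingress
            egress = [p for p in range(num_ports) if p != ingress]
        else:
            egress = [mac_table[dst]]     # known unicast: one port only
        for p in egress:
            seen[p].append(frame)
        if span is not None:
            src_port, monitor = span
            touches_source = (ingress == src_port) or (src_port in egress)
            if touches_source and monitor != ingress and monitor not in egress:
                seen[monitor].append(frame)   # mirrored copy for the analyzer
    return seen


def demo():
    """What the sniffer on SNIFFER_PORT sees under each topology."""
    return {
        "hub": hub_forward(SAMPLE_FRAMES, NUM_PORTS)[SNIFFER_PORT],
        "switch": switch_forward(SAMPLE_FRAMES, NUM_PORTS)[SNIFFER_PORT],
        "switch_span": switch_forward(
            SAMPLE_FRAMES, NUM_PORTS, span=(0, SNIFFER_PORT))[SNIFFER_PORT],
    }


if __name__ == "__main__":
    for name, frames in demo().items():
        print(f"{name:12s} sniffer on port {SNIFFER_PORT} sees "
              f"{len(frames)} of {len(SAMPLE_FRAMES)} frames: {frames}")
```

On the plain switch the analyzer port receives only the broadcast and the first A-to-B frame (flooded because B's MAC was still unknown); the rest of the conversation never reaches it. Mirroring port 0 to the analyzer port delivers all four frames, which is the effect the managed-switch monitoring options in the thread provide.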

-----Original Message-----
From: Michael R. White [mailto:michael.white@lmscae.com]
Sent: Wednesday, September 05, 2001 12:08 PM
To: Security-Basics; MICROSOFT_SECURITY; Focus-Ms
Subject: Sniffing a Switched Network

I seem to be getting conflicting information about sniffing network traffic
on a switched network. I've been told by some that I should have no
difficulties sniffing all traffic on my switched network, but others say
unless you configure the monitoring on the switches I won't be able to sniff
all traffic. Can someone clarify, and possibly provide some resources?

I'm also interested in knowing what the best sniffers and best
implementations are. MS, Linux, Unix...doesn't matter, but interested in at
least one from each if possible. I've tried tcpdump on Redhat, but it
doesn't seem to provide all traffic information. I put a Win2K box and the
Redhat box on a hub with the Redhat box sniffing all traffic to and from the
Win2K box. Upon pinging from and to the box, I get no results from tcpdump.
I am seeing some traffic like this line below:
12:51:51.999744 eth0 B 192.168.100.13.netbios-dgm >
192.168.100.255.netbios-dgm: NBT UDP (138)
but not much more than that.

Any help is greatly appreciated.

TIA,

Michael
