Re: Sniffing a Switched Network
From: centipede (centiped@netvision.net.il)
Date: 09/07/01
- Previous message: Robert Woods: "RE: Proxy Ports: Why?"
- In reply to: Michael R. White: "Sniffing a Switched Network"
- Next in thread: Luis Figueiredo: "Re: Sniffing a Switched Network"
Message-ID: <3B98E450.9040200@netvision.net.il>
Date: Fri, 07 Sep 2001 18:14:24 +0300
From: centipede <centiped@netvision.net.il>
To: michael.white@lmscae.com
Subject: Re: Sniffing a Switched Network
Michael,
Tcpdump will show you every single packet that your host can see. Naturally, on a switched network your host can see only its own traffic and broadcasts; that is why you cannot see anything other than your own and the B-flagged (broadcast) traffic.

Now, it is true that on many switched networks you *could* sniff other hosts' packets too, but it won't happen by itself. There are several ways to make it happen, and no, mostly you don't need to configure anything on the switches themselves. The most popular way is probably to make your host fake ARP replies, thus identifying itself as other hosts; your gateway might be a good choice.

I should warn you that without permission this activity is illegal, that it's quite easy to detect, AND that you can easily end up messing up the whole network if you don't know what you're doing.

Go to http://monkey.org/~dugsong/dsniff . You can read some more there and download the popular dsniff, which is a collection of tools for network auditing and penetration testing. Amongst others, you can find there the 'arpspoof' file that does exactly what I've described to you. Get it to work properly and tcpdump will have a busy day.

I'd like to end with some of the writer's words about this tool:
"I wrote these tools with honest intentions - to audit my own network, and to demonstrate the insecurity of most network application protocols. Please do not abuse this software."
HTH
centipede.
Michael R. White wrote:
>I seem to be getting conflicting information about sniffing network traffic
>on a switched network. I've been told by some that I should have no
>difficulties sniffing all traffic on my switched network, but others say
>unless you configure the monitoring on the switches I won't be able to sniff
>all traffic. Can someone clarify, and possibly provide some resources?
>
>I'm also interested in knowing what the best sniffers and best
>implementations are. MS, Linux, Unix...doesn't matter, but interested in at
>least one from each if possible. I've tried tcpdump on Redhat, but it
>doesn't seem to provide all traffic information. I put a Win2K box and the
>Redhat box on a hub with the Redhat box sniffing all traffic to and from
>Win2k box. Upon pinging from and to the box, I get no results from tcpdump.
>I am seeing some traffic like this line below:
>12:51:51.999744 eth0 B 192.168.100.13.netbios-dgm > 192.168.100.255.netbios-dgm: NBT UDP (138)
>but not much more than that.
>
>Any help is greatly appreciated.
>
>TIA,
>
>Michael
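The reply above describes two things without showing either: the forged ARP reply that tools like arpspoof send so a victim's traffic for the gateway lands on the attacker's interface, and the fact that such poisoning is easy to detect. The following is an added example, written for this page and not code from the original post or from dsniff. It builds the exact Ethernet/ARP frame (RFC 826 layout) such a tool would emit, parses it back, and runs a minimal arpwatch-style detector that flags an IP whose sender MAC changes. All MAC and IP addresses are constructed sample values; the victim address reuses the 192.168.100.x range from the quoted tcpdump line purely for illustration.

```python
"""Forged ARP replies of the kind arpspoof sends, plus a detector for them.

Added example, not code from the original post or from dsniff. Frame layout is
standard Ethernet II + ARP (RFC 826). All addresses below are constructed.
"""
import socket
import struct
from typing import Dict, List, Optional

ETH_P_ARP = 0x0806   # EtherType for ARP
ARP_REQUEST = 1
ARP_REPLY = 2


def mac_bytes(mac: str) -> bytes:
    """'00:0c:29:bb:00:02' -> 6 raw bytes."""
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b: bytes) -> str:
    """6 raw bytes -> 'aa:bb:cc:dd:ee:ff'."""
    return ":".join(f"{x:02x}" for x in b)


def build_arp(op: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """Ethernet II frame (14 bytes) carrying one Ethernet/IPv4 ARP packet (28 bytes)."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sender_mac) + socket.inet_aton(sender_ip)
    arp += mac_bytes(target_mac) + socket.inet_aton(target_ip)
    return eth + arp


def forged_gateway_reply(attacker_mac: str, victim_mac: str,
                         victim_ip: str, gateway_ip: str) -> bytes:
    """The poisoning frame: an unsolicited ARP reply sent to the victim that
    claims gateway_ip is at attacker_mac. The victim caches it, and its
    traffic for the gateway is then switched to the attacker's port."""
    return build_arp(ARP_REPLY, attacker_mac, gateway_ip, victim_mac, victim_ip)


def parse_arp(frame: bytes) -> Optional[dict]:
    """Decode an Ethernet/IPv4 ARP frame; return None for anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": socket.inet_ntoa(frame[28:32]),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": socket.inet_ntoa(frame[38:42]),
    }


class ArpWatch:
    """Minimal arpwatch-style detector: remember the first MAC seen for each
    sender IP and raise an alert whenever a later ARP packet claims a
    different one. The first-seen binding is kept so every poison frame
    keeps alerting rather than silently replacing the legitimate entry."""

    def __init__(self) -> None:
        self.table: Dict[str, str] = {}
        self.alerts: List[str] = []

    def observe(self, frame: bytes) -> Optional[str]:
        pkt = parse_arp(frame)
        if pkt is None:
            return None
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        known = self.table.get(ip)
        if known is not None and known != mac:
            alert = f"{ip} changed from {known} to {mac}"
            self.alerts.append(alert)
            return alert
        self.table.setdefault(ip, mac)
        return None


def demo() -> List[str]:
    """Constructed scenario: one legitimate gateway reply, then one forged one."""
    gateway_mac, gateway_ip = "00:50:56:aa:00:01", "192.168.100.1"
    victim_mac, victim_ip = "00:0c:29:bb:00:02", "192.168.100.13"
    attacker_mac = "00:0c:29:cc:00:03"
    legit = build_arp(ARP_REPLY, gateway_mac, gateway_ip, victim_mac, victim_ip)
    forged = forged_gateway_reply(attacker_mac, victim_mac, victim_ip, gateway_ip)
    watch = ArpWatch()
    watch.observe(legit)
    watch.observe(forged)
    return watch.alerts


if __name__ == "__main__":
    for line in demo():
        print("ALERT:", line)
```

The block only builds frames as bytes; putting them on the wire needs a raw link-layer socket and root (on Linux, `socket.socket(socket.AF_PACKET, socket.SOCK_RAW)` bound to the interface), which is exactly the step that is illegal without permission and that the detector side, fed from the same kind of socket, will notice on the first frame.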