RE: sniffer in promiscuous mode

From: Smith, Chris (csmith@Calence.com)
Date: 02/06/02

Previous message: Red Wolf: "Re: Help with Win2000 Server."
Maybe in reply to: Siddharta Govindaraj: "sniffer in promiscuous mode"
Next in thread: Damon Sisola: "RE: sniffer in promiscuous mode"
Next in thread: brien mac: "Re: sniffer in promiscuous mode"
Reply: Damon Sisola: "RE: sniffer in promiscuous mode"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

From: "Smith, Chris" <csmith@Calence.com>
To: 'Siddharta Govindaraj' <govind@iiitb.ac.in>
Date: Wed, 6 Feb 2002 13:14:28 -0700

Are you in a switched environment? If so you will need to span ports (copy
traffic from one port to another) so the port with the sniffer gets copies
of the frames and can read the traffic. Normally switches utilize
"microsegmentation" - only copying frames to the port owning the destination
MAC address(es). You will see ARP and other broadcast traffic as broadcasts
(mac = FF:FF:FF:FF:FF:FF) are copied to each port.

-----Original Message-----
From: Siddharta Govindaraj [mailto:govind@iiitb.ac.in]
Sent: Tuesday, February 05, 2002 8:04 AM
To: security-basics@securityfocus.com
Subject: sniffer in promiscuous mode

Hi,

I have a funny problem with the ethereal packet sniffer. It correctly
captures all packets entering or leaving my interface, but in promiscuous
mode, it only seems to capture ARP, NETBIOS, IPX, RIP and such protocols,
and never seems to get any UDP or TCP packets ! I have tried other sniffers,
and they all exhibit the same behaviour, so I dont think its a sniffer
problem. Is there something else I have to do to capture TCP packets ? Or
could it be something to do with Wincap ?

Thanks
Siddharta

Previous message: Red Wolf: "Re: Help with Win2000 Server."
Maybe in reply to: Siddharta Govindaraj: "sniffer in promiscuous mode"
Next in thread: Damon Sisola: "RE: sniffer in promiscuous mode"
Next in thread: brien mac: "Re: sniffer in promiscuous mode"
Reply: Damon Sisola: "RE: sniffer in promiscuous mode"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

RE: sniffer in promiscuous mode
... Subject: sniffer in promiscuous mode ... traffic from one port to another) so the port with the sniffer gets copies ... Is there something else I have to do to capture TCP packets? ...
(Security-Basics)
RE: Outgoing Port Check
... run nmap on the inside. ... One the sniffer, limit the sniffing to the host ... Subject: Outgoing Port Check ... Cenzic Hailstorm finds vulnerabilities fast. ...
(Pen-Test)
RE: Bizarre traffic
... port 443, not to it as I had erroneously believed my sniffer to ... The disruption is occurring because, ... machine dropped off the network. ...
(Incidents)
Re: xmlrpc problems
... When I run your server and client I ... for "sniffer.connect" returns a Sniffer object, ... @port = port ...
(comp.lang.ruby)
ftp was hacked
... a sniffer and a port scanner on my machine. ... port scans coming from my machine and wanted to know what was going on. ... A few days later I wanted to install a later version of hdparm. ...
(comp.os.linux.security)