Re: Sniffing on switched networks.

From: Botha (mwdbotha_at_mweb.co.za)
Date: 07/31/04

    Date: Sat, 31 Jul 2004 00:16:58 +0200
    
    

    If you wanna sniff on a switched network just install Cain & Abel and then
    let it do the ARP poisoning for you.

    Then use Ethereal or whatever sniffer you want to sniff yourself (or your
    Cain & Abel box).
    What I did at work was install Cain on a Win2k box, poisoned the hosts and
    the gateway (router), then used Iris to sniff myself; it picked up all the
    data flowing through me (the middle man) via Cain & Abel.
    Was quite fun to see what management was surfing late at night.

    Cheers

    Sheldon

    "Hairy One Kenobi" <abuse@[127.0.0.1]> wrote in message
    news:btoNc.44$oa1.16@newsfe5-gui.ntli.net...
    > "zeebop" <yeah@um.right> wrote in message
    > news:e6nag05l1cfo7qmbv0dhogr9g3dqjnfuud@4ax.com...
    > > On Mon, 26 Jul 2004 12:23:10 GMT, "Hairy One Kenobi"
    > > <abuse@[127.0.0.1]> wrote:
    >
    > <snip>
    >
    > > >The easiest way to duplicate this for not-a-lot of money is to buy a cheap
    > > >hub and plug it into the port you want to scan, and plug the sniffer and
    > > >target connection into the hub.
    > > >
    > > >One thing worth remembering - on dual-speed hubs (e.g. Netgear), there are
    > > >separate backbones ("broadcast thingies") for the 10Mb and 100Mb - when I
    > > >sniff Internet traffic on my home connection, I have to drop the sniffer to
    > > >10Mbps, half-duplex.
    > > >
    > > >Leaving it to auto-negotiate 100Mb/full just gives me ARP from the Cable
    > > >Modem, rather than traffic to/from my trusty hardware router.
    >
    > > Thanks for the detail.
    > > I was planning on only sniffing local lan traffic (and incoming
    > > traffic from the Internet) , so I have bought a Netgear DS104 hub. As
    > > all the connections attached to it are capable of 100Mb I am assuming
    > > that the 'dual speed' capability of the hub won't cause a problem and I
    > > will see all traffic.
    > >
    > > I was assuming that I would only have problems seeing the traffic if
    > > it was going/coming from a 10Mb and I was on a 100Mb connection.
    >
    > I'm using a DS108.
    >
    > With my router connection only supporting 10/half, I need to explicitly set
    > the sniffer NIC to 10/half. On [automatic] 100/full, I don't see any traffic
    > to/from the router..
    >
    > It's good practise not to auto-negotiate if you are sniffing.. as well as in
    > certain circumstances where there are frequent problems (e.g. Cisco switches
    > and Compaq 3com NICs)
    >
    > H1K
    >
    >
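
The ARP poisoning of hosts and gateway mentioned in this thread leaves a visible trace in a poisoned host's neighbour table: the gateway's IP suddenly resolves to another machine's MAC. The following is an added detection example, not part of the original posts; it assumes Linux `ip neigh show` output, and all addresses, the snapshots and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches lines of Linux `ip neigh show` output, e.g.
# "192.168.1.1 dev eth0 lladdr 02:00:00:00:00:01 REACHABLE"
NEIGH = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-fA-F:]{17})\b")

def parse_neigh(text):
    """Return {ip: mac}; entries without a resolved lladdr (FAILED) are skipped."""
    table = {}
    for line in text.splitlines():
        m = NEIGH.match(line.strip())
        if m:
            table[m.group(1)] = m.group(3).lower()
    return table

def find_poisoning(before, after, gateway):
    """Compare a known-good snapshot with a later one and list suspicious entries."""
    findings = []
    # 1. An IP whose MAC changed between snapshots (legitimate only after a NIC swap).
    for ip, mac in after.items():
        old = before.get(ip)
        if old and old != mac:
            findings.append(("mac-changed", ip, old, mac))
    # 2. The gateway sharing a MAC with another IP: traffic is being relayed.
    by_mac = defaultdict(list)
    for ip, mac in after.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if gateway in ips and len(ips) > 1:
            findings.append(("gateway-mac-shared", gateway, mac, sorted(ips)))
    return findings

# Constructed sample snapshots taken on one workstation.
BASELINE = """\
192.168.1.1 dev eth0 lladdr 02:00:00:00:00:01 REACHABLE
192.168.1.20 dev eth0 lladdr 02:00:00:00:00:20 STALE
192.168.1.30 dev eth0 lladdr 02:00:00:00:00:30 STALE
192.168.1.40 dev eth0  FAILED
"""
POISONED = """\
192.168.1.1 dev eth0 lladdr 02:00:00:00:00:30 REACHABLE
192.168.1.20 dev eth0 lladdr 02:00:00:00:00:20 STALE
192.168.1.30 dev eth0 lladdr 02:00:00:00:00:30 REACHABLE
"""

if __name__ == "__main__":
    for f in find_poisoning(parse_neigh(BASELINE), parse_neigh(POISONED), "192.168.1.1"):
        print(f)
```

Pinning the gateway's MAC with a static ARP entry, or enabling dynamic ARP inspection on the switch, prevents the change this script reports.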

