Re: Ethereal

From: Kevin Wilcox (kw34272EMAILREAPERS_at_HATECAPSappstate.edu)
Date: 12/20/04


Date: Mon, 20 Dec 2004 18:31:41 GMT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

While drooling on their shoelaces, /dev/null spouted:
>> From the other PCs I only get the ARP packets,
>
> That's normal.
>
>> although I am working on these and surfing on the Internet too.
>
> But those packets aren't coming through or to that box.
>
> The arp packets you are seeing from the other machines are where they are
> asking "what MAC address has the IP address X.X.X.X". Those arps are
> broadcast over the local segment to all the machines. TCP/IP packets on the
> other hand aren't (unless they are broadcast packets, which 99% of all
> tcp/ip isn't broadcast). The switch you have connecting your systems
> together is smart enough to not send tcp/ip packets going from A to B down
> the CAT5 to computer C. So if you are looking on computer C for tcp/ip from
> A to B you won't see it unless you go out and buy a hub. A hub is not as
> smart as a switch, whatever comes down one CAT5 it re-broadcasts out to all
> the other CAT5 cables plugged in.
>
> The long and the short of it is each box will have to record their own
> packets and you'll have to either consolidate those recordings or review
> them separately.

Somewhat of a solution (to prevent buying new hardware) would be to
set up IP forwarding on the box you are wanting to monitor from and
use arpspoof (or something similar) to poison the arp caches on the
switch and the machine you want to monitor traffic from. If you
want to monitor ALL traffic from ALL machines, get a hub. If you can
get away with monitoring one machine at a time (or as many machines
as you have NICs in the monitoring box), arpspoof + NAT is a way to
go.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFBxxsrowlfGIzYCOYRArukAJ9HrwEx77t4NqHSK31CkUjAPhsHYwCdGDE0
IWEtL+vgaaVnu3A2JoA+vyI=
=b5GS
-----END PGP SIGNATURE-----
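
The switch-versus-hub behaviour described in the quoted reply, as an added example that is not part of the original post: a constructed Python model showing which frames reach a sniffer on a third port. The port numbers, MAC addresses and the `seen_by` helper are assumptions made for illustration.

```python
"""Constructed model of a hub and a MAC-learning switch (not real capture data)."""
BROADCAST = "ff:ff:ff:ff:ff:ff"

class Hub:
    def __init__(self, ports):
        self.ports = list(ports)

    def forward(self, in_port, frame):
        # A hub repeats every frame out of every other port.
        return [p for p in self.ports if p != in_port]

class Switch(Hub):
    def __init__(self, ports):
        super().__init__(ports)
        self.mac_table = {}  # source MAC -> port it was last seen on

    def forward(self, in_port, frame):
        self.mac_table[frame["src"]] = in_port  # learn where the sender lives
        out = self.mac_table.get(frame["dst"])
        if frame["dst"] == BROADCAST or out is None:
            # Broadcasts and not-yet-learned destinations are flooded.
            return [p for p in self.ports if p != in_port]
        return [] if out == in_port else [out]

def seen_by(device, traffic, sniffer_port):
    """Return the labels of the frames delivered to the sniffer's port."""
    seen = []
    for in_port, frame in traffic:
        if sniffer_port in device.forward(in_port, frame):
            seen.append(frame["what"])
    return seen

# Constructed sample: A (port 1) talks to B (port 2); sniffer C sits on port 3.
MAC_A, MAC_B = "02:00:00:00:00:0a", "02:00:00:00:00:0b"
TRAFFIC = [
    (1, {"src": MAC_A, "dst": BROADCAST, "what": "ARP who-has B"}),
    (2, {"src": MAC_B, "dst": MAC_A, "what": "ARP reply B is-at"}),
    (1, {"src": MAC_A, "dst": MAC_B, "what": "TCP A->B"}),
    (2, {"src": MAC_B, "dst": MAC_A, "what": "TCP B->A"}),
]

if __name__ == "__main__":
    print("switch:", seen_by(Switch([1, 2, 3]), TRAFFIC, 3))
    print("hub:   ", seen_by(Hub([1, 2, 3]), TRAFFIC, 3))
```

In this model a unicast frame also reaches port 3 if the switch has not yet learned the destination MAC, which is why an occasional stray frame for another host can appear in a capture on a switched segment.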


