Re: Ethereal
From: prg (rdgentry1_at_cablelynx.com)
Date: 12/20/04
- Next message: john_at_starfleet.os2.dhs.org: "Re: run ethereal as root"
- Previous message: Kevin Wilcox: "Re: Ethereal"
- In reply to: l0n3_w012ph: "Ethereal"
- Next in thread: Tim Smith: "Re: Ethereal"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 20 Dec 2004 11:01:39 -0800
l0n3_w012ph wrote:
> Hello,
>
> I have 8 computers in my home network and I want to log the network
> activity and study the different packets with the protocols, flags etc.
> Therefore I installed Ethereal on one of my computers with Suse Linux Pro
> 9.0. I have installed WinPCap on my Windows machines and LibPCap on my
> Linux machines
[snip]
As /dev/null said, a switch isolates packet traffic to specific
machines on the segment -- that's what allows full duplex mode (no
collisions).

You _can_ capture the packets on each machine then use mergecap (comes
with ethereal) to merge the files if you wish, but I doubt you'll gain
anything if you do this indiscriminately. You'll learn more relating
the packets to the traffic on each machine alone till you learn just
what is interesting, necessary, and how much to capture. It's a great
way to learn the protocol details needed for effective analysis of
captures.

For _monitoring_ traffic it's much better to use your firewall log
facilities to flag/log interesting/suspicious traffic, then use a
capture if needed to get more detailed (live?) results. Capture files
can get really large really fast without filtering and your firewall
can filter/log more efficiently. You are using a Linux box to provide
your FW, aren't you ;-)

BTW, don't leave sniffers running on internet connected machines you
are not _closely_ monitoring as there is little else an intruder would
need to completely own your net, your passwords, your internet e-biz
numbers, etc. especially with Win machines on the net. 90% of a
hacker's work is getting to the point of installing a sniffer.
hth,
prg
email above disabled
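
The workflow suggested in the message above (let the firewall log flag the traffic, then capture only what is needed), as an added example that is not part of the original post. It assumes a Linux iptables firewall writing netfilter LOG lines with a hypothetical `FW-DROP: ` prefix; the log lines are constructed and the function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample lines in netfilter LOG format (assumed iptables firewall
# with a "FW-DROP: " log prefix); addresses are documentation ranges.
SAMPLE_LOG = """\
Dec 20 11:01:02 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.10 LEN=60 TTL=52 PROTO=TCP SPT=40112 DPT=23 SYN
Dec 20 11:01:03 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.11 LEN=60 TTL=52 PROTO=TCP SPT=40113 DPT=445 SYN
Dec 20 11:01:04 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.10 LEN=84 TTL=52 PROTO=ICMP TYPE=8 CODE=0
Dec 20 11:01:09 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.9 DST=192.168.1.10 LEN=76 TTL=60 PROTO=UDP SPT=53 DPT=33000
Dec 20 11:02:00 fw sshd[311]: session opened for user admin
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")  # KEY=value pairs; value may be empty (OUT=)

def parse_line(line):
    """Return the LOG fields as a dict, or None if this is not a packet log line."""
    fields = dict(FIELD.findall(line))
    if not {"SRC", "DST", "PROTO"} <= fields.keys():
        return None
    return fields

def flag_sources(lines, threshold=3):
    """Map each source with >= threshold logged packets to its (proto, dport) set."""
    hits = defaultdict(list)
    for line in lines:
        fields = parse_line(line)
        if fields:
            hits[fields["SRC"]].append((fields["PROTO"], fields.get("DPT")))
    return {src: set(seen) for src, seen in hits.items() if len(seen) >= threshold}

def capture_filter(src, services):
    """Build a libpcap capture filter limited to one host and the logged services."""
    terms = set()
    for proto, dport in services:
        if proto.isdigit():                      # netfilter logs unnamed protocols by number
            terms.add(f"ip proto {proto}")
        elif dport and proto in ("TCP", "UDP"):
            terms.add(f"{proto.lower()} port {dport}")
        else:                                    # e.g. ICMP has no port field
            terms.add(proto.lower())
    return f"host {src} and ({' or '.join(sorted(terms))})"

if __name__ == "__main__":
    for src, services in flag_sources(SAMPLE_LOG.splitlines()).items():
        print(capture_filter(src, services))
```

The resulting string is libpcap capture-filter syntax, so it can be supplied as the capture filter in Ethereal or tcpdump to keep the capture file small.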