On Tue, Jul 31, 2012 at 08:05:41AM +0100, Wayne Stallwood wrote:
> Unfortunately on a "dumb" switch (as opposed to a managed switch) it isn't that simple to see all traffic or traffic to/from a specific port other than the one your sniffer is plugged into.
Yes, I suppose I could dig out a *really dumb* hub as opposed to a switch and plug the relevant boxes into that - see below though.
> On a managed switch you put the port your sniffer is plugged into into monitor mode (or span mode in Cisco money) which makes that port promiscuous, then you can see *all traffic.
> As it is with a dumb switch, if you run wireshark on your desktop you will only see traffic to and from that machine + any broadcast packets.
Fortunately running wireshark on my desktop machine showed me what the problem was: the packets I was looking for were (supposed to be) broadcast packets, but the destination address was getting set to pretty much random numbers rather than the correct 255.255.255.255. Since the switch didn't know where to send the packets with random-looking addresses, they arrived at my desktop machine (as well as everywhere else, presumably) and I could see them.
It was an uninitialised variable in a loop causing the problem.
> If you have a machine with 2 ethernet interfaces you can build an ethernet tap either by making it a bridge and sticking it between whatever is in port 8 and the port itself or by doing another trick with some spare rj45 modules see
> http://www.enigmacurry.com/category/diy/ for a reasonable guide on how to do this.
That could be very useful, I have a 'spare' machine which has two ethernet interfaces so could set it up as a tap quite easily.
> Finally you can use tricks such as ARP poisoning or MAC flooding but both of these are really only suitable for espionage rather than diagnostics as you change the behaviour of the network by utilising them.
> - Well not quite all traffic
Thanks for all the ideas.
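As an added example (not from either poster, and not the enigmacurry guide), here is a small POSIX shell script for the bridge-style tap described above on a Linux box with two NICs, plus the tcpdump filter you would run on the bridge to catch the symptom from this thread (UDP packets that should be limited broadcasts but carry some other destination). The bridge name br0, the interface names eth0/eth1, the UDP port and the pcap path are assumptions; the bridge is left without an IP address so it is invisible to the hosts on either side. By default the script only prints its plan; DRY_RUN=0 executes it and needs root.

```sh
#!/bin/sh
# Added example: inline bridge tap on a two-NIC Linux host (assumed names br0,
# eth0, eth1). Not code from the thread or the linked guide.
set -eu

# Emit the commands that build a transparent bridge between interfaces $2 and
# $3, named $1. STP is off and forward delay is 0 so the tap comes up at once;
# addresses are flushed so the tap itself never talks on the wire.
tap_commands() {
    br="$1"; a="$2"; b="$3"
    cat <<EOF
ip link add name $br type bridge
ip link set $br type bridge stp_state 0 forward_delay 0
ip addr flush dev $a
ip addr flush dev $b
ip link set dev $a master $br
ip link set dev $b master $br
ip link set dev $a promisc on
ip link set dev $b promisc on
ip link set dev $a up
ip link set dev $b up
ip link set dev $br up
EOF
}

# Print the plan (DRY_RUN=1, the default) or run it line by line (DRY_RUN=0).
run_plan() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        tap_commands "$@"
    else
        tap_commands "$@" | while IFS= read -r cmd; do
            echo "+ $cmd"
            sh -c "$cmd"
        done
    fi
}

# BPF filter for the symptom in the thread: traffic to the expected UDP port
# whose destination is anything other than the limited broadcast address.
capture_filter() {
    port="$1"
    printf 'udp dst port %s and not dst host 255.255.255.255\n' "$port"
}

# Number of commands in the plan (handy for a quick self-check).
tap_line_count() {
    tap_commands "$@" | wc -l | tr -d ' '
}

# Usage: ./tap.sh plan [bridge] [nic_a] [nic_b]   (DRY_RUN=0 to apply, as root)
# then: tcpdump -ni br0 "$(capture_filter 5000)" -w /tmp/tap.pcap
if [ "${1:-}" = "plan" ]; then
    run_plan "${2:-br0}" "${3:-eth0}" "${4:-eth1}"
fi
```

Because the filter only whitelists 255.255.255.255, a subnet-directed broadcast such as 192.168.1.255 would also be listed; that is deliberate here, since the thread's bug produced arbitrary addresses and you want to see every packet that is not the limited broadcast you expected.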