[Geek] Packet interception?

Dec 18, 2008 18:57

Networking is one of the many areas of computing that I'm really not that knowledgeable about, however, recently I've found myself with a need to use network analysis software/packet sniffers like Wireshark to determine what a particular piece of software was actually doing. A problem arises though because using Wireshark involves (afaik) both [...]

Comments 14

pir December 18 2008, 19:35:58 UTC
I'm going to assume a unix box, don't know if wireshark has been ported to M$ offhand.

You can sniff using tcpdump (which is likely installed unless you have a very stripped down install) sending its raw output to a file, copy the file off to another machine and then feed it to wireshark (and you can run wireshark as a non-priv user). This is what I commonly do when I need raw traffic info from a random machine.

The only gotcha is tcpdump by default won't dump the entire packet content, you need to give it options like:

tcpdump -i eth0 -n -s 0 -w /tmp/eth0.dump

If you're only interested in the traffic being generated by the machine you're running tcpdump on then you can avoid putting it in promiscuous mode with the -p option, too [...]

inferis December 18 2008, 20:33:50 UTC
Tragically this has to be done on a Windows network. There is a win version of Wireshark though, thankfully.

Would it be possible to buy a small switch and use that with a laptop (say, an eepc?) as a portable interception device?

pir December 18 2008, 20:48:55 UTC
I'd think it'd be easier to find the windows equivalent of tcpdump ;)

You could put a small switch in the middle... but unless you can turn on port mirroring (which generally means not a small switch since managed switches are expensive) you're back to the same switched environment fun and you won't see the traffic unless you arp flood the switch (which is a pain).

You can put a hub in between but good luck trying to buy a hub these days.

For fiber passive taps exist, for ethernet it can't be passive in quite the same way. The snort folks have a page about constructing an ethernet tap, however. Not tried it personally but could be useful.

inferis December 18 2008, 23:05:41 UTC
I think I actually have a mini 4 port hub upstairs somewhere...could I just plug that in the middle, plug in my eee, set my card to promiscuous mode (?) and listen in that way?

The passive tap looks fairly simple to make, but I may as well try to use what I have lying around :)

gaius_octavian December 18 2008, 19:38:57 UTC
So long as you're on the same subnet, use promiscuous mode. I don't know Wireshark but you can do this with Ethereal.

Having a protocol analyzer on your laptop was a disciplinary offense at one company I worked for. In fact I had about half of their list of banned software, and needed most of it to do my job!

pir December 18 2008, 19:40:25 UTC
So long as you're on the same subnet, use promiscuous mode

Unless you want to arp storm your switch that doesn't help if you're on a switched network.

Wireshark is the newest version of what was Ethereal.

gaius_octavian December 18 2008, 19:54:08 UTC
Interesting. Been a while since I've done any of that! :-)

dan_lane December 18 2008, 22:35:51 UTC
Without buying extra kit, you'll need to use ARP poisoning to route all the traffic on that LAN through your own box.

Ettercap will handle this for you.

If you have a fancy managed switch you may be able to dump a copy of all traffic out onto a single port that's connected to your wireshark box. This is a much more elegant way to do things... I wouldn't recommend using the ARP trick on a production or shared network ;)
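
Two practical points come up in the thread: pir's warning that a capture taken without `-s 0` silently truncates packets, and dan_lane's point that ARP poisoning is what ends up being used to see traffic on a switched LAN. The script below is an added example (not code from the thread or from any commenter) that checks for both from the defender's side: it builds a small pcap in memory the way `tcpdump -w` would at a given snaplen, reports records whose captured length is shorter than their wire length, and walks the ARP replies to flag an IP address that starts being claimed by a different MAC. All addresses, the frames and the timestamps are constructed sample data; `read_pcap` only understands the classic little-endian libpcap format, which is enough to run it against a real `tcpdump -w` file as well.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4          # little-endian libpcap file, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_ARP = b"\x08\x06"
ARP_REPLY = 2

# --- constructed sample traffic (hypothetical addresses, not taken from the thread) ---
GW_MAC = bytes.fromhex("020000000001")     # the real gateway NIC
HOST_MAC = bytes.fromhex("020000000002")   # the machine being observed
ROGUE_MAC = bytes.fromhex("020000000099")  # a second NIC claiming the gateway's IP
GW_IP = bytes([192, 168, 1, 1])
HOST_IP = bytes([192, 168, 1, 20])


def arp_frame(op, sender_mac, sender_ip, target_mac, target_ip):
    """Build a 42-byte Ethernet/ARP frame (IPv4 over Ethernet)."""
    eth = target_mac + sender_mac + ETHERTYPE_ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # htype, ptype, hlen, plen, opcode
    return eth + arp + sender_mac + sender_ip + target_mac + target_ip


# A full-size (1514-byte) IPv4 frame; the payload is zero padding, only its length matters here.
DATA_FRAME = GW_MAC + HOST_MAC + b"\x08\x00" + bytes(1500)

SAMPLE_FRAMES = [
    arp_frame(ARP_REPLY, GW_MAC, GW_IP, HOST_MAC, HOST_IP),     # 0: gateway answers "who has 192.168.1.1"
    arp_frame(ARP_REPLY, HOST_MAC, HOST_IP, GW_MAC, GW_IP),     # 1: host answers the gateway
    DATA_FRAME,                                                 # 2: a full-size data frame
    arp_frame(ARP_REPLY, ROGUE_MAC, GW_IP, HOST_MAC, HOST_IP),  # 3: same IP, different MAC
]


def build_pcap(snaplen, frames):
    """Write frames into an in-memory pcap the way `tcpdump -w` with `-s snaplen` would:
    each record stores min(len, snaplen) bytes but remembers the original wire length."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        caplen = min(len(frame), snaplen)
        out.append(struct.pack("<IIII", 1229630400 + i, 0, caplen, len(frame)))  # constructed timestamps
        out.append(frame[:caplen])
    return b"".join(out)


def read_pcap(data):
    """Yield (index, caplen, origlen, bytes) for each record of a little-endian pcap."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian libpcap file")
    off, index = 24, 0
    while off + 16 <= len(data):
        _sec, _usec, caplen, origlen = struct.unpack_from("<IIII", data, off)
        off += 16
        yield index, caplen, origlen, data[off:off + caplen]
        off += caplen
        index += 1


def truncated_packets(data):
    """Records whose captured length is shorter than the wire length: the symptom of
    capturing without -s 0 (older tcpdump releases defaulted to 68 or 96 bytes)."""
    return [(i, caplen, origlen) for i, caplen, origlen, _ in read_pcap(data) if caplen < origlen]


def mac_str(mac):
    return ":".join(f"{b:02x}" for b in mac)


def ip_str(ip):
    return ".".join(str(b) for b in ip)


def parse_arp(frame):
    """Return (opcode, sender MAC, sender IP) for an Ethernet/ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != ETHERTYPE_ARP:
        return None
    _htype, _ptype, _hlen, _plen, op = struct.unpack_from("!HHBBH", frame, 14)
    return op, mac_str(frame[22:28]), ip_str(frame[28:32])


def detect_arp_changes(data):
    """Flag ARP replies in which an IP address is claimed by a different MAC than before.
    Returns (record index, ip, previous mac, new mac). A NIC swap or a failover pair
    produces the same pattern, so treat a hit as something to investigate, not as proof."""
    claimed, alerts = {}, []
    for i, _caplen, _origlen, frame in read_pcap(data):
        arp = parse_arp(frame)
        if arp is None or arp[0] != ARP_REPLY:
            continue
        _, mac, ip = arp
        if ip in claimed and claimed[ip] != mac:
            alerts.append((i, ip, claimed[ip], mac))
        claimed[ip] = mac
    return alerts


if __name__ == "__main__":
    short = build_pcap(96, SAMPLE_FRAMES)       # what a default-snaplen capture looked like
    full = build_pcap(262144, SAMPLE_FRAMES)    # what `-s 0` gives you
    print("truncated at snaplen 96:", truncated_packets(short))
    print("truncated with -s 0:    ", truncated_packets(full))
    print("ARP address changes:    ", detect_arp_changes(full))
```

Run against a real file with `read_pcap(open("/tmp/eth0.dump", "rb").read())`; if `truncated_packets` returns anything, the capture was taken without `-s 0` and Wireshark's dissectors will stop short on those records. The ARP check deliberately keys on replies only, since requests carry the sender's own address and are how hosts legitimately announce themselves.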

inferis December 18 2008, 23:01:01 UTC
Interesting. That's given me some terms to look up, ta :)