Comments | inferis: [Geek] Packet interception?

inferis

[Geek] Packet interception?

Dec 18, 2008 18:57

Networking is one of the many areas of computing that I'm really not that knowledgeable about, however, recently I've found myself with a need to use network analysis software/packet sniffers like Wireshark to determine what a particular piece of software was actually doing. A problem arises though because using Wireshark involves (afaik) both ( Read more... )

Leave a comment

Back to all threads

pir December 18 2008, 19:35:58 UTC

I'm going to assume a unix box, don't know if wireshark has been ported to M$ offhand.

You can sniff using tcpdump (which is likely installed unless you have a very stripped down install) sending it's raw output to a file, copy the file off to another machine and then feed it to wireshark (and you can run wireshark as a non-priv user). This is what I commonly do when I need raw traffic info from a random machine.

The only gotcha is tcpdump by default won't dump the entire packet content, you need to give it options like;
tcpdump -i eth0 -n -s 0 -w /tmp/eth0.dumpIf you're only interested in the traffic being generated by the machine you're running tcpdump on then you can avoid putting it in promiscuous mode with the -p option, too ( ... )

inferis December 18 2008, 20:33:50 UTC

Tragically this has to be done on a Windows network. There is a win version of Wireshark though, thankfully.

Would it be possible to buy a small switch and use that with a laptop (say, an eepc?) as a portable interception device?

pir December 18 2008, 20:48:55 UTC

I'd think it'd be easier to find the windows equivalent of tcpdump ;)

You could put a small switch in the middle... but unless you can turn on port mirroring (which generally means not a small switched since managed switches are expensive) you're back to the same switched environment fun and you won't see the traffic unless you arp flood the switch (which is a pain).

You can put a hub inbetween but good luck trying to buy a hub these days.

For fiber passive taps exist, for ethernet it can't be passive in quite the same way. The snort folks have a page about constructing an ethernet tap, however. Not tried it personally but could be useful.

inferis December 18 2008, 23:05:41 UTC

I think I actually have a mini 4 port hub upstairs somewhere...could I just plug that in the middle, plug in my eee, set my card to promiscuous mode (?) and listen in that way?

The passive tap looks fairly simple to make, but I may as well try to use what I have lying around :)

pir December 18 2008, 23:08:24 UTC

If it's actually a hub and not a switch then yes, you can do that. Many things labeled as hubs are actually switches, has to be pretty old to be a hub (and maximum 100baseT, those were even rarer, 10bT hubs were common).

inferis December 18 2008, 23:16:32 UTC

Netgear EN104TP

I've had it for ages...never thought I'd actually use it.

pir December 18 2008, 23:21:42 UTC

Yep, that looks sufficiently old :)

stevenothing December 19 2008, 00:42:46 UTC

I had to buy an ancient hub from Ebay in order to do exactly this. Ugly, but it worked.

pir December 19 2008, 00:47:12 UTC

I've got a cisco 2950-24 in the cupboard which will do monitoring of up to gig ether ports (it only has two gige ports, alas, but if you are monitoring 100Mbit ports then you can feed several into one gige port).

Back to all threads