Does listening to my network create extra traffic?

 
 
Randell D.
      10-20-2003

Folks,

This is more a question of curiosity... I've got a small network made up of
two Windoze PCs and one linux box - A month or so ago I found that by
checking the basic log on my router, that one of my Windoze PCs was
connecting to a HTTP port during bootup - It took me some time but I
discovered it was Quicktime auto-start.

I am now trying to take a little extra interest in security (I've been doing
Unix admin for years but security wasn't high on my list and rarely featured
in any of my projects). I've installed nessus and I'm curious to try out
the likes of nmap, ethereal and tcpdump - Part of me though was wondering
that with regards to using the likes of ethereal or tcpdump (dunno about
nmap's exact purpose just as yet other than it being security related)...
well... if I'm listening to my network, am I doing just that? Will these
programs create any extra traffic on my network? Can I leave them running
for a few hours on my linux box and then visit whatever they have picked up
without it causing me a headache?

If one is to ignore my network is small, what about a larger network (for
example a client's network if I were to get a project that included
security). The last thing I want to do is bring their network down...

All help, via the newsgroup would be much appreciated,
thanks
randelld


 
n1pop@hotmail.com
      10-20-2003
"Randell D." <> wrote in message news:<O5Mkb.131874$9l5.63091@pd7tw2no>...

> well... if I'm listening to my network, am I doing just that?


Yes.

> Will these
> programs create any extra traffic on my network?


No. Programs that monitor network traffic do not add to the volume.

> Can I leave them running
> for a few hours on my linux box and then visit whatever they have picked up
> without it causing me a headache?


Yes, as long as they only listen and do not respond. Servers like
FTP, SMTP, etc. are built to respond to connect requests, but monitors
like tcpdump never respond.

> If one is to ignore my network is small, what about a larger network (for
> example a clients network if I were to get a project that included
> security). The last thing I want to do is bring their network down...


Listening is listening, no matter the size of the network. I would
test this by connecting three computers in a LAN. I would cause two
of them to communicate at 50% of your pipe capacity simulating a
high-volume network. Then I would start listening programs on the
third machine. There should be no change in traffic volume.
 
Bit Tamer
      10-22-2003
I have used Ethereal at home to learn why my cable modem activity light
never stops blinking. (ARP traffic, mostly.) One of the options in Ethereal
is to resolve IP addrs it sees, which, if enabled, causes it to send name
lookups to the name server. So it can add to network traffic...not a lot
though. I've never let it run for an extended time, but will point out that
it can capture an enormous amount of data in a fairly short time, so you'll
probably have to filter out a lot of the protocols (like ARP).

BTW, nmap is basically a port scanner. It will use various means to attempt
to locate and connect to ports on a host (maybe an entire subnet, don't
recall) of your choosing, and report back whatever it can determine about
the target. As such it can be used for good (you can find possible security
vulnerabilities) or malicious (the bad guys can find possible security
vulns) purposes. Be careful what you scan, as some feel that even the act of
scanning is considered an attack.

Bit Tamer
 
Dave Korn
      10-24-2003
<> wrote in message
news: om...
> "Randell D." <> wrote in message

news:<O5Mkb.131874$9l5.63091@pd7tw2no>...
>
> > well... if I'm listening to my network, am I doing just that?

>
> Yes.
>
> > Will these
> > programs create any extra traffic on my network?

>
> No. Programs that monitor network traffic do not add to the volume.


..... except that a lot of them (tcpdump and ethereal included) will send DNS
requests to convert the IP addresses they see into human-readable names for
their output. Most software of this kind also has options to disable
name-resolution, but at least for the two I mentioned, it's not done by
default.

It's generally not a great deal of traffic, but just suppose for example a
box on your network gets hit by some slammer-style worm that goes sending
packets to random addresses? Then for every packet the worm sent, your
network sniffer would send a DNS lookup request, and your DNS server would
send a reply - effectively tripling the amount of traffic the worm itself
would have caused. Apart from this scenario, I can't imagine any other case
where a sniffer would contribute any significant amount of traffic.

cheers,
DaveK
--
moderator of
alt.talk.rec.soc.biz.news.comp.humanities.meow.misc.moderated.meow
Burn your ID card! http://www.optional-identity.org.uk/
Help support the campaign, copy this into your .sig!
Proud Member of the Exclusive "I have been plonked by Davee because he
thinks I'm interesting" List Member #<insert number here>
Master of Many Meowing Minions
Holder of the exalted PF Chang's Crab Wonton Award for kook spankage above
and beyond the call of hilarity.
PGP Key-ID: 0x0FB504D1 Fingerprint 04B7 2E8C 0245 680E 6484 C441 CEC7 D2BD
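
Dave Korn's point above, turned into a check (an added example, not part of the original thread): a capture host that resolves every address it sees shows up on the wire as a burst of reverse (PTR) DNS queries. The sketch below parses DNS query payloads and reports hosts issuing many distinct in-addr.arpa lookups; the addresses, the threshold and the function names are constructed for illustration.

```python
import struct

PTR = 12  # DNS QTYPE used for reverse (address-to-name) lookups

def build_query(qname, qtype, txid=0x1234):
    """Encode a minimal one-question DNS query (used to construct sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_question(msg):
    """Return (qname, qtype) of the first question, or None if not a plain query."""
    if len(msg) < 12:
        return None
    _, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if flags & 0x8000 or qdcount < 1:      # QR bit set means it is a response
        return None
    labels, pos = [], 12
    while pos < len(msg) and msg[pos] != 0:
        n = msg[pos]
        if n & 0xC0 or pos + 1 + n > len(msg):   # pointer or truncated label
            return None
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    if pos + 5 > len(msg):                 # need root byte + QTYPE + QCLASS
        return None
    qtype, = struct.unpack("!H", msg[pos + 1:pos + 3])
    return ".".join(labels).lower(), qtype

def reverse_lookup_sources(packets, threshold=3):
    """packets: iterable of (src_ip, dns_payload).
    Return {src_ip: count} for hosts that sent at least `threshold`
    distinct in-addr.arpa PTR queries."""
    seen = {}
    for src, payload in packets:
        q = parse_question(payload)
        if q and q[1] == PTR and q[0].endswith(".in-addr.arpa"):
            seen.setdefault(src, set()).add(q[0])
    return {s: len(names) for s, names in seen.items() if len(names) >= threshold}

# Constructed sample: 192.0.2.10 is a capture box resolving every address it
# sees; 192.0.2.20 is an ordinary client (one forward and one reverse lookup).
SAMPLE = [("192.0.2.10", build_query(f"{i}.113.0.203.in-addr.arpa", PTR))
          for i in range(1, 6)]
SAMPLE += [("192.0.2.20", build_query("www.example.com", 1)),
           ("192.0.2.20", build_query("1.2.0.192.in-addr.arpa", PTR))]

if __name__ == "__main__":
    print(reverse_lookup_sources(SAMPLE))   # {'192.0.2.10': 5}
```

With name resolution turned off in the sniffer (tcpdump's `-n` option, for example), the capture host should drop out of this report.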


 
 
Randell D.
      11-05-2003

Many thanks to the three of you who replied...


 
 
Mailman
      11-05-2003
Randell D. wrote:

>
> Many thanks to the three of you who replied...


Haven't seen the OM, but the answer is no: by listening to a network you do
not create any additional traffic. Actually there is no way of knowing if
anyone is listening in - the operation is 100% passive. In general all
these programs put the network interface in promiscuous mode (all packets
are seen) and just report on whatever bits happen to come in.

As to headaches: you may run into disk space problems - a few hours of
traffic on a heavily used network is a lot of data.


 
Zenner
      11-08-2003
It does cause a drain on system performance. Especially, if it is running on
the server, it must inspect each packet to determine if it matches the
criteria you are searching for. One of the reasons recommended to limit
monitoring, logging to only what is required is not just the amount of data
collected, it's also to minimize the drain on processor resources, cpu
cycles. There have been cases, where a number of system administrators have
caused the system to become unresponsive and ultimately need to be
re-booted, because each was independently attempting to isolate the cause of
network slow downs, by running detailed logging, monitoring in different
locations...no one was communicating or coordinating the effort. Other cases
have been traced to non-admin. personnel doing their "homework" or
"roll-your-own" diagnostics on a production system. Running utilities
without consulting the operations staff.

 
Stephen K. Gielda
      11-08-2003
In article <T1Zqb.4595$>,
says...
> It does cause a drain on system performance. Especially, if it is running on
> the server, it must inspect each packet to determine if it matches the
> criteria you are searching for. One of reasons recommended to limit
> monitoring, logging to only what is required is not just the amount of data
> collected, it's also to minimize the drain on processor resources, cpu
> cycles.


It can also really mess up a busy switch if someone decides they need to
port monitor all ports.

/steve
--
Protect yourself on-line. Hide your identifying details in e-mail,
usenet, and more. A privacy service like no other.
No one gives you more control over your e-mail than we do!
http://www.cotse.net/servicedetails.html
 