Sniffing on switched networks.

Hi,

If I'm on a switched network (PC's running windows) can I use tools
like ethereal to sniff traffic from other PC's on the same network?

I think my issue is listed here:
http://www.ethereal.com/faq.html#q5.1

If I cannot sniff this type of network, is there some specific
hardware I could get to replace the current switch?

Thanks for any pointers.

zeebop.

zeebop

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

zeebop wrote:

> Hi,
>
> If I'm on a switched network (PC's running windows) can I use tools
> like ethereal to sniff traffic from other PC's on the same network?
>
> I think my issue is listed here:
> http://www.ethereal.com/faq.html#q5.1
>
> If I cannot sniff this type of network, is there some specific
> hardware I could get to replace the current switch?
>
> Thanks for any pointers.
>
> zeebop.

There are two programs I can think of off the top of my head that might help
you.Â*Â*OneÂ*isÂ*calledÂ*CainÂ*(http://www.oxid.it/cain.html).Â*Â*ItÂ*willÂ*allowÂ*you
to sniff packets from hosts on the same subnet as you.Â*Â*TheÂ*otherÂ*package
is called ettercap.Â*Â*BothÂ*piecesÂ*ofÂ*softwareÂ*basicallyÂ*makeÂ*youÂ*theÂ*"manÂ*in
the middle".Â*Â*CainÂ*isÂ*aÂ*bitÂ*moreÂ*advancedÂ*asÂ*itÂ*allowsÂ*youÂ*toÂ*spoofÂ*yourÂ*IP
and MAC as well as giving you the ability to crack passwords and the like.
Cain is also easier to use.

The other option is to span the port that your NIC is connected to across
all other ports on your network.Â*Â*ThisÂ*isÂ*onlyÂ*possibleÂ*withÂ*higherÂ*end
switches and may cause other problems (ie. very slow response time for your
computer).

- --
"Now the Lord God planted a garden East of Whittier in a place called
Yorba Linda, and out of the ground he made to grow orange trees that
were good for food and the fruits thereof he labeled SUNKIST ..."
-- "The Begatting of a President"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBAts5qS1ElrnoqAoRAr4kAKCDDQOOot40y70MR2NQJT bhx+6XOACeMVp5
poJ5QV55HejO5X1FjJYMrhE=
=jsW/
-----END PGP SIGNATURE-----

James Candalino

Try this link for info:

http://www.linuxjournal.com/article.php?sid=6985

Jbob

On Sat, 24 Jul 2004 17:42:31 -0500, "Jbob" <> wrote:

>Try this link for info:
>
>http://www.linuxjournal.com/article.php?sid=6985
>


Thanks very much for both of your answers. they are very helpful.
I had given ettercap a whirl, but wasn't getting much luck from it.

Cain certainly seems to be closer to what I am after - but I'm not
really concerned about passwords, more tracking chat networks like
MSN, and I couldnt see how cain would do this. I understand its based
on ARP though.

I'm thinking of taking the easy route and getting a hub installed
instead.
Can anyone recommend a hub that does broadcast packets, as I've heard
some dont?
Does this one seem ok?
http://tinyurl.com/5d6vp

Thanks for your help.

zeebop

On Sun, 25 Jul 2004 02:15:09 +0100, zeebop <> wrote:

>I'm thinking of taking the easy route and getting a hub installed
>instead.
>Can anyone recommend a hub that does broadcast packets, as I've heard
>some dont?

Then you heared wrong. Any hub does broadcast packets

--
Kind regards,
Gerard Bok

Gerard Bok

On Sun, 25 Jul 2004 10:38:22 GMT, (Gerard Bok) wrote:

>On Sun, 25 Jul 2004 02:15:09 +0100, zeebop <> wrote:
>
>>I'm thinking of taking the easy route and getting a hub installed
>>instead.
>>Can anyone recommend a hub that does broadcast packets, as I've heard
>>some dont?
>
>Then you heared wrong. Any hub does broadcast packets

I think the problem is that some 'hubs' are mislabelled - and are
effectivly switches.

There is a little reference to it here.
http://www.ethereal.com/faq.html#q5.1

I just dont want to go and buy something that doesnt broadcast.

Thanks

zeebop

zeebop

On Sun, 25 Jul 2004 11:46:56 +0100, zeebop <> wrote:

>On Sun, 25 Jul 2004 10:38:22 GMT, (Gerard Bok) wrote:
>
>>On Sun, 25 Jul 2004 02:15:09 +0100, zeebop <> wrote:
>>
>>>I'm thinking of taking the easy route and getting a hub installed
>>>instead.
>>>Can anyone recommend a hub that does broadcast packets, as I've heard
>>>some dont?
>>
>>Then you heared wrong. Any hub does broadcast packets
>
>I think the problem is that some 'hubs' are mislabelled - and are
>effectivly switches.

That's true.
If a device is labeled '10 Mbit hub' you can be pretty sure that
it is indeed a hub.
If a device is labeled '100 Mbit hub' you must be carefull, as
there devices are rather rare.
If a device is labeled '10 and 100 Mbit hub' you're being cheated


(Please enlight me on english ? What's the correct spelling,
labeled or labelled ? I normally do a google when in doubt. But
in this case I get 2 million hits on double L and 4 million on
single L

--
Kind regards,
Gerard Bok

Gerard Bok

On Sun, 25 Jul 2004 12:37:14 +0000, Gerard Bok schrieb :

> (Please enlight me on english ? What's the correct spelling,
> labeled or labelled ? I normally do a google when in doubt. But
> in this case I get 2 million hits on double L and 4 million on
> single L

Either will suffice I'm sure. Websters Unabridged Dictionary lists both
spellings of the word.

Getting back to hubs, I thought the whole point of them was to just spit
everything out (broadcast, sorry) to everything connected to them.

Cordially,

Kleeb.

Kleeb

In article <>, on Sun, 25 Jul 2004 12:37:14 GMT,
(Gerard Bok) wrote:

| On Sun, 25 Jul 2004 11:46:56 +0100, zeebop <> wrote:

<snip />

| (Please enlight me on english ? What's the correct spelling,
| labeled or labelled ? I normally do a google when in doubt. But
| in this case I get 2 million hits on double L and 4 million on
| single L

They are both right. Alternatives spellings ...

<http://smac.ucsd.edu/cgi-bin/http_webster?isindex=labeled>
<http://www.m-w.com/cgi-bin/dictionary?book=Dictionary&va=labeled>

etc

<davidp />

--
David Postill

David Postill

"zeebop" <> wrote in message
news:...
> Hi,
>
> If I'm on a switched network (PC's running windows) can I use tools
> like ethereal to sniff traffic from other PC's on the same network?
>
> I think my issue is listed here:
> http://www.ethereal.com/faq.html#q5.1
>
> If I cannot sniff this type of network, is there some specific
> hardware I could get to replace the current switch?

OK. A switch works by dynamically "switching" ports between each other; this
means that - by design - one port doesn't see another's traffic.

A hub is basically a broadcast device, with each port talking to all other
ports, and listening to all traffic.

Because it's useful for sniffing, high-end switches (e.g. from Cisco) have a
"spanning" facility that effectively configures certain switched ports into
a mini hub.

The easiest way to duplicate this for not-a-lot of money is to buy a cheap
hub and plug it into the port you want to scan, and plug the sniffer and
target connection into the hub.

One thing worth remembering - on dual-speed hubs (e.g. Netgear), there are
separate backbones ("broadcast thingies") for the 10Mb and 100Mb - when I
sniff Internet traffic on my home connection, I have to drop the sniffer to
10Mbps, half-duplex.

Leaving it to auto-negotiate 100Mb/full just gives me ARP from the Cable
Modem, rather than traffic to/from my trusty hardware router.

HTH

Hairy One Kenobi

Disclaimer: the opinions expressed in this opinion do not necessarily
reflect the opinions of the highly-opinionated person expressing the opinion
in the first place. So there!

Hairy One Kenobi