Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Computing > Computer Security > Windows Traffic Sniffer

Windows Traffic Sniffer

 
 
jms504
08-18-2005
I'm looking for a good windows traffic sniffer for a switched network.
As you already know, ethereal only does hubbed traffic sniffing.
I need it for network packet analysis.

I installed the ettercap interface for windows but to be frank, it
sucks!

 
xsr
08-18-2005
jms504 Wrote:
> I'm looking for a good windows traffic sniffer for a switched network.
> As you already know, ethereal only does hubbed traffic sniffing.
> I need it for network packet analysis.
>
> I installed the ettercap interface for windows but to be frank, it
> sucks!

No way you can "just" sniff a switched network, as the packets are not
passing your computer. To be able to sniff on a switched network, you
need something to perform ARP poisoning as well, which ettercap, hunt &
juggernaut can (to name a few).

Ethereal for Windows is also fine to use, but there needs to be a
separate program running which performs ARP poisoning (like ARP0c/WCI
from www.phenoelit.de).

There are also more Windows/user-friendly tools for this, like Cain &
Abel (www.oxid.it). Before doing anything I suggest reading up on ARP
poisoning, just to see what it is you are doing (aside from sniffing),
since even Cain & Abel is not doing it automagically for you...

BTW, properly configured switches/routers can also prevent ARP
poisoning and trigger some alerts.

----
xsr
08eb d563 c78f 85a9 2f4b 571b 9177 22e6 65ad ac05
http://www.research-labs.net/
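What an ARP-poisoning tool such as ettercap or Cain's APR actually puts on the wire, and the bookkeeping a monitor uses to raise the alerts xsr mentions, as an added example that is not from the post or from any of the tools named in it. The frames are built in memory with struct and never sent; the IP and MAC addresses are constructed test values, and the ArpWatch class is an illustrative stand-in for what a switch with dynamic ARP inspection or a Snort arpspoof preprocessor does, not their code:

```python
"""Added example, not from the thread: build the unsolicited ARP replies
a poisoner sends, then detect them by tracking which MAC claims each IP.

Frames are constructed with struct and never transmitted; all addresses
below are made-up test values.
"""
import struct

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP reply (RFC 826 layout, 42 bytes).

    A poisoner sends this unsolicited: sender_ip is the address it wants
    to impersonate (usually the gateway) and sender_mac is its own NIC,
    so the target overwrites its ARP cache entry and starts sending the
    attacker the frames the switch would otherwise never deliver to it.
    """
    ethernet = (mac_bytes(target_mac) + mac_bytes(sender_mac)
                + struct.pack("!H", ETHERTYPE_ARP))
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)  # Ethernet/IPv4
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return ethernet + arp


def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP
    frame, or None for anything else (too short, other EtherType)."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_mac = ":".join("%02x" % b for b in frame[22:28])
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return opcode, sender_mac, sender_ip


class ArpWatch:
    """Track which MAC claims each IP and alert when the claim changes.

    `known` seeds the table with bindings the operator trusts (the static
    list DAI or Snort's arpspoof_detect_host needs). Without a seed the
    first claim seen is taken on faith, so a host poisoned before the
    monitor started, or one never seen legitimately, slips through.
    """

    def __init__(self, known=None):
        self.table = dict(known or {})
        self.alerts = []

    def feed(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        opcode, sender_mac, sender_ip = parsed
        expected = self.table.get(sender_ip)
        if expected is None:
            self.table[sender_ip] = sender_mac  # learned, not verified
            return None
        if expected != sender_mac:
            alert = "%s claimed by %s, expected %s (opcode %d)" % (
                sender_ip, sender_mac, expected, opcode)
            self.alerts.append(alert)
            return alert
        return None


# Constructed addresses for the demonstration
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:01"
VICTIM_IP, VICTIM_MAC = "192.168.1.50", "00:11:22:33:44:50"
ATTACKER_MAC = "00:11:22:33:44:aa"


def run_scenario(seed_known_hosts):
    """Replay one legitimate reply, then the two poisoned replies a
    man-in-the-middle tool sends (one to each side). Returns the watcher."""
    known = {GATEWAY_IP: GATEWAY_MAC, VICTIM_IP: VICTIM_MAC} if seed_known_hosts else None
    watch = ArpWatch(known)
    watch.feed(build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP))
    watch.feed(build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP))
    watch.feed(build_arp_reply(ATTACKER_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP))
    return watch


if __name__ == "__main__":
    for seeded in (False, True):
        w = run_scenario(seeded)
        print("seeded=%s -> %d alert(s)" % (seeded, len(w.alerts)))
        for line in w.alerts:
            print("  " + line)
```

The unseeded run raises only one alert: the attacker's claim on the victim's address is silently learned because the victim never spoke first. That is why the switch-side and Snort-side checks both want a static list of the hosts that matter, and why a monitor started after the poisoning began sees nothing unusual at all.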

 
Hairy One Kenobi
08-18-2005
"jms504" wrote in message:
> I'm looking for a good windows traffic sniffer for a switched network.
> As you already know, ethereal only does hubbed traffic sniffing.
> I need it for network packet analysis.
>
> I installed the ettercap interface for windows but to be frank, it
> sucks!


Most sniffers are based on (Win)PCAP, in my experience - Ethereal is a
rather nifty front end (as long as you don't push it too far. *Never* run it
on a production box, just on a client machine. It occasionally goes "la la").
Ettercap is something that I've heard good things about, but...

A lot depends upon your infrastructure, but most modern Cisco switches can
be easily configured to provide sniffer info; even easier is to simply
introduce a hub at the direct internet connection (for small sites - SPF!);
I use this technique myself, and filter PCAP for the times (most of 'em)
when I'm not interested in (e.g.) ARP.

HTH

Hairy One Kenobi

Disclaimer: the opinions expressed in this opinion do not necessarily
reflect the opinions of the highly-opinionated person expressing the opinion
in the first place. So there!


 
jms504
08-19-2005
I'm aware of what ethereal/ettercap/ etc do.
I'm not some script kiddie.

I was just wondering if there is a better tool for Win other than
ettercap.
I've evaluated a few, but they're not the least bit sufficient and I'm a
GUI guy.

It can trigger ALL the alerts it wants..i'm not a Black Hat. I'm just
doing a netmon assignment evaluating traffic passing into servers while
actively sniffing.

 
jms504
08-19-2005
Right.
Ultimately what I am doing is trying to find a way to be able to sniff
traffic on the same subnet to a group of servers without having to go
to each server and set up a sniffer to log incoming packets. We have a
pretty good size network. Setting up a sniffer on each would be too
resource consuming.

From my education (NSA-NSTISS-NIETP based) we worked with sniffers, but
the better ones were in a linux environment and we are strictly
windows.
Ettercap and the interfaces for linux provided me with some nice tools
however, the windows versions are buggy, and don't cut it.
Installing linux or running live linux isn't an option.
I'm trying to find an active sniffer that will be safe to run..as a
passive sniffer won't cut it..and bringing down the network would be a
bad thing..a VERY bad thing. I

Log analysis would not suffice..we need real time capture and analysis
at certain times.

This is quite the bitch.

 
Gerard Bok
08-19-2005

On 18 Aug 2005 20:37:21 -0700, "jms504" wrote:

>I'm aware of what ethereal/ettercap/ etc do.
>I'm not some script kiddie.
>
>I was just wondering if there is a better tool for Win other than
>ettercap.
>I've evaluated a few, but theyre not the least bit sufficient and I'm a
>GUI guy.
>
>It can trigger ALL the alerts it wants..i'm not a Black Hat. I'm just
>doing a netmon assignment evaluating traffic passing into servers while
>actively sniffing.


In that case: do the math.

100 Mbps network?
nn hosts?
Switch? So: duplex.
Find yourself a 2 * nn * 100 Mbps capable solution and you can
watch things from your chair.

Or: do what we all do
(and that probably does not involve 'Windows').

--
Kind regards,
Gerard Bok
 
xsr
08-19-2005
Indeed a bitch getting assigned something but not allowed to use the
most suitable os for it...

Just realized, without arp poisoning, there is also another option of
remote sniffing. Analyzer and winpcap. I've never tried it myself but
those polito.it guys outline that with winpcap it is possible to
install some sort of sniffer daemon (rpcapd.exe), manageable with the
tool daemon_mgm.exe from winpcap.

Their analyzer ( http://analyzer.polito.it ) should be able to use
this daemon.

----
xsr
08eb d563 c78f 85a9 2f4b 571b 9177 22e6 65ad ac05
http://www.research-labs.net/

 
xsr
08-19-2005
jms504 Wrote:
> Right.
> Ultimately what I am doing is trying to find a way to be able to sniff
> traffic on the same subnet to a group of servers without having to go
> to each server and set up a sniffer to log incoming packets. We have a
> pretty good size network. Setting up a sniffer on each would be too
> resource consuming.

OK, so ignore my post about remote sniffing, heh. I've read this after
getting enthusiastic about the remote sniffer daemon.

jms504 Wrote:
> ..and bringing down the network would be a
> bad thing..a VERY bad thing

When poisoning, existing connections usually get dropped, even if it
might take a second or less for the programs to reconnect, unless these
programs require user intervention for re-establishing.

Considering this next to the mentioned hardware or (non-GUI or GUI)
tools, I don't know of a way to make it work on Windows.
You could try arp-sk ( http://www.arp-sk.org/ ) but it is non-GUI.
Cain & Abel combined with Analyzer seems like the closest match to your
requirements, in my opinion. It seems like a bitch to add all the hosts
separately into Cain's APR, though.

Anyway, good luck with it.

----
xsr
08eb d563 c78f 85a9 2f4b 571b 9177 22e6 65ad ac05
http://www.research-labs.net/

 
Kevin Reiter
08-19-2005
jms504 wrote:
> I'm looking for a good windows traffic sniffer for a switched network.
> As you already know, ethereal only does hubbed traffic sniffing.
> I need it for network packet analysis.
>
> I installed the ettercap interface for windows but to be frank, it
> sucks!


Snort with MySQL and BASE. No GUI, but the results are in a web page (BASE)

If you can install a second NIC on the box, you can stealth it and pick up
more traffic on a switched LAN. It can also detect arp spoofing, blah
blah blah.

Snort: http://www.snort.org
MySQL: http://www.mysql.com
BASE: http://secureideas.sourceforge.net/
Snort on Win32: http://www.winsnort.com
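The snort.conf pieces Kevin's setup relies on, as an added example that is not from his post or from the Snort project (Snort 2.x syntax of the thread's era; the network, addresses, MACs and credentials are constructed placeholders):

```snort
# Added example (not from the thread). Snort 2.x snort.conf fragment;
# the network, addresses, MACs and credentials are placeholders.

# Servers the sensor is responsible for (constructed range)
var HOME_NET 192.168.10.0/24

# ARP spoof detection. The preprocessor alerts on ARP replies whose
# sender MAC does not match the static list below, so the gateway and
# every server you care about must be listed: Snort does not learn
# bindings on its own, and an unlisted host gets no protection.
preprocessor arpspoof
preprocessor arpspoof_detect_host: 192.168.10.1 00:11:22:33:44:01
preprocessor arpspoof_detect_host: 192.168.10.5 00:11:22:33:44:05
preprocessor arpspoof_detect_host: 192.168.10.6 00:11:22:33:44:06

# Alerts go to MySQL; BASE reads the same database
output database: alert, mysql, user=snort password=change-me dbname=snort host=127.0.0.1
```

On Win32, `snort -W` lists the numbered interfaces and `snort -c <snort.conf> -i <n> -l <logdir>` starts the sensor on one of them. The "stealth" second NIC is one with TCP/IP unbound so it has no address and never transmits; WinPcap still captures on it. It only sees what the switch forwards to its port, though, so on a switched LAN it belongs on a mirror port (or behind a hub at the uplink), otherwise it picks up little beyond broadcasts and its own unicast.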
 
Juergen Nieveler
08-19-2005

xsr wrote:

> No way you can "just" sniff a switched network, as the packets are
> not passing your computer. To be able to sniff on a switched network,
> you need something to perform arp poisoning as well, which ettercap,
> hunt & juggernauth can ( to name a few ).


Or you log on to the switch and mirror the port you want to sniff

Juergen Nieveler
--
A computer without Microsoft is like a chocolate cake without mustard.
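Juergen's port-mirror suggestion and xsr's remark that a properly configured switch can block ARP poisoning and raise alerts, as one added Cisco IOS example that is not from either post. Interface names, VLAN 10, the port ranges and the server addresses are assumptions, and the exact commands vary by platform and release:

```cisco
! Added example, not from the thread. Cisco IOS (Catalyst access switch);
! interface names, VLAN 10, port ranges and addresses are assumptions.

! --- Port mirroring (SPAN): Juergen's suggestion ---
! Copy both directions of the eight server ports to port 24, where the
! Windows box running Ethereal is plugged in. No ARP poisoning, so no
! dropped connections on the servers.
monitor session 1 source interface FastEthernet0/1 - 8 both
monitor session 1 destination interface FastEthernet0/24

! --- Blocking ARP poisoning: xsr's "properly configured switch" ---
! Dynamic ARP Inspection drops ARP packets arriving on untrusted ports
! whose sender IP/MAC pair is not in the DHCP snooping binding table,
! and logs them (the alerts xsr refers to).
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip

! Uplink to the router/DHCP server: trusted, so its ARP and DHCP offers pass.
interface FastEthernet0/48
 ip dhcp snooping trust
 ip arp inspection trust

! Servers with static addresses have no DHCP binding, so they need an
! explicit ARP ACL; without it DAI would drop their legitimate ARP too.
arp access-list STATIC-SERVERS
 permit ip host 192.168.10.5 mac host 0011.2233.4405
 permit ip host 192.168.10.6 mac host 0011.2233.4406
ip arp inspection filter STATIC-SERVERS vlan 10
```

Gerard's arithmetic applies to the mirror: eight full-duplex 100 Mbps sources can offer up to 1.6 Gbps to a single destination port, and the switch silently discards whatever the destination cannot carry, so mirror a handful of ports at a time, use a faster destination port, or expect gaps in the capture during busy periods. DAI protects only the VLANs it is enabled on; a sniffer box on another VLAN, or one that simply has the mirror port, is unaffected.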
 