Does listening to my network create extra traffic?

Discussion in 'Computer Security' started by Randell D., Oct 20, 2003.

  1. Randell D.

    Randell D. Guest

    Folks,

    This is more a question of curiosity... I've got a small network made up of
    two Windoze PCs and one linux box - A month or so ago I found that by
    checking the basic log on my router, that one of my Windoze PCs was
    connecting to a HTTP port during bootup - It took me sometime but I
    discovered it was Quicktime auto-start.

    I am now trying to take a little extra interest in security (I've been doing
    Unix admin for years but security wasn't high on my list and rarely featured
    in any of my projects). I've installed nessus and I'm curious to try out
    the likes of nmap, ethereal and tcpdump - Part of me though was wondering
    that with regards to using the likes of ethereal or tcpdump (dunno about
    nmaps exact purpose just as yet other than it being security related)...
    well... if I'm listening to my network, am I doing just that? Will these
    programs create any extra traffic on my network? Can I leave them running
    for a few hours on my linux box and then visit whatever they have picked up
    without it causing me a headache?

    If one is to ignore my network is small, what about a larger network (for
    example a clients network if I were to get a project that included
    security). The last thing I want to do is bring their network down...

    All help, via the newsgroup would be much appreciated,
    thanks
    randelld
     
    Randell D., Oct 20, 2003
    #1

  2. Randell D.

    Guest

    "Randell D." <> wrote in message news:<O5Mkb.131874$9l5.63091@pd7tw2no>...

    > well... if I'm listening to my network, am I doing just that?


    Yes.

    > Will these
    > programs create any extra traffic on my network?


    No. Programs that monitor network traffic do not add to the volume.

    > Can I leave them running
    > for a few hours on my linux box and then visit whatever they have picked up
    > without it causing me a headache?


    Yes, as long as they only listen and do not respond. Servers like
    FTP, SMTP, etc. are built to respond to connect requests, but monitors
    like tcpdump never respond.

    > If one is to ignore my network is small, what about a larger network (for
    > example a clients network if I were to get a project that included
    > security). The last thing I want to do is bring their network down...


    Listening is listening, no matter the size of the network. I would
    test this by connecting three computers in a LAN. I would cause two
    of them to communicate at 50% of your pipe capacity simulating a
    high-volume network. Then I would start listening programs on the
    third machine. There should be no change in traffic volume.
     
    , Oct 20, 2003
    #2

  3. Randell D.

    Bit Tamer Guest

    I have used Ethereal at home to learn why my cable modem activity light
    never stops blinking. (ARP traffic, mostly.) One of the options in Ethereal
    is to resolve IP addrs it sees, which, if enabled, causes it to send name
    lookups to the name server. So it can add to network traffic...not a lot
    though. I've never let it run for an extended time, but will point out that
    it can capture an enormous amount of data in a fairly short time, so you'll
    probably have to filter out a lot of the protocols (like ARP).

    BTW, nmap is basically a port scanner. It will use various means to attempt
    to locate and connect to ports on a host (maybe an entire subnet, don't
    recall) of your choosing, and report back whatever it can determine about
    the target. As such it can be used for good (you can find possible security
    vulnerabilities) or malicious (the bad guys can find possible security
    vulns) purposes. Be careful what you scan, as some feel that even the act of
    scanning is considered an attack.

    Bit Tamer

    "Randell D." <> wrote in message
    news:O5Mkb.131874$9l5.63091@pd7tw2no...
    >
    > Folks,
    >
    > This is more a question of curiosity... I've got a small network made up of
    > two Windoze PCs and one linux box - A month or so ago I found that by
    > checking the basic log on my router, that one of my Windoze PCs was
    > connecting to a HTTP port during bootup - It took me sometime but I
    > discovered it was Quicktime auto-start.
    >
    > I am now trying to take a little extra interest in security (I've been doing
    > Unix admin for years but security wasn't high on my list and rarely featured
    > in any of my projects). I've installed nessus and I'm curious to try out
    > the likes of nmap, ethereal and tcpdump - Part of me though was wondering
    > that with regards to using the likes of ethereal or tcpdump (dunno about
    > nmaps exact purpose just as yet other than it being security related)...
    > well... if I'm listening to my network, am I doing just that? Will these
    > programs create any extra traffic on my network? Can I leave them running
    > for a few hours on my linux box and then visit whatever they have picked up
    > without it causing me a headache?
    >
    > If one is to ignore my network is small, what about a larger network (for
    > example a clients network if I were to get a project that included
    > security). The last thing I want to do is bring their network down...
    >
    > All help, via the newsgroup would be much appreciated,
    > thanks
    > randelld
    >
    >
     
    Bit Tamer, Oct 22, 2003
    #3
  4. Randell D.

    Dave Korn Guest

    <> wrote in message news:...
    > "Randell D." <> wrote in message news:<O5Mkb.131874$9l5.63091@pd7tw2no>...
    >
    > > well... if I'm listening to my network, am I doing just that?
    >
    > Yes.
    >
    > > Will these
    > > programs create any extra traffic on my network?
    >
    > No. Programs that monitor network traffic do not add to the volume.


    ..... except that a lot of them (tcpdump and ethereal included) will send DNS
    requests to convert the IP addresses they see into human-readable names for
    their output. Most software of this kind also has options to disable
    name-resolution, but at least for the two I mentioned, it's not done by
    default.

    It's generally not a great deal of traffic, but just suppose for example a
    box on your network gets hit by some Slammer-style worm that goes sending
    packets to random addresses? Then for every packet the worm sent, your
    network sniffer would send a DNS lookup request, and your DNS server would
    send a reply - effectively tripling the amount of traffic the worm itself
    would have caused. Apart from this scenario, I can't imagine any other case
    where a sniffer would contribute any significant amount of traffic.

    cheers,
    DaveK
    --
    moderator of
    alt.talk.rec.soc.biz.news.comp.humanities.meow.misc.moderated.meow
    Burn your ID card! http://www.optional-identity.org.uk/
    Help support the campaign, copy this into your .sig!
    Proud Member of the Exclusive "I have been plonked by Davee because he
    thinks I'm interesting" List Member #<insert number here>
    Master of Many Meowing Minions
    Holder of the exhalted PF Chang's Crab Wonton Award for kook spankage above
    and beyond the call of hilarity.
    PGP Key-ID: 0x0FB504D1 Fingerprint 04B7 2E8C 0245 680E 6484 C441 CEC7 D2BD
     
    Dave Korn, Oct 24, 2003
    #4
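    Dave Korn's point above, worked through as an added example (not code from anyone in this thread): a small Python model of a passive capture tool that, when name resolution is left on, sends one reverse-DNS query and receives one reply for each address it has not seen before, and sends nothing at all when resolution is off (the equivalent of tcpdump's -n). The host addresses, packet streams and the simple per-address cache are constructed assumptions; real resolvers also time out and cache negative answers, which this model ignores.

```python
from dataclasses import dataclass, field


@dataclass
class SnifferModel:
    """Passive capture tool: emits nothing unless reverse-DNS resolution is on.

    resolve_names=False corresponds to running tcpdump with -n.
    """
    resolve_names: bool
    resolved: set = field(default_factory=set)  # assumed per-address cache
    dns_frames: int = 0                          # frames the sniffer itself caused

    def observe(self, src: str, dst: str) -> None:
        """Account for one captured packet."""
        if not self.resolve_names:
            return
        for addr in (src, dst):
            if addr not in self.resolved:          # first sighting only
                self.resolved.add(addr)
                self.dns_frames += 2               # one PTR query + one reply


def amplification(packets: list, resolve_names: bool) -> tuple:
    """Return (observed, extra, ratio) with ratio = (observed + extra) / observed."""
    model = SnifferModel(resolve_names)
    for src, dst in packets:
        model.observe(src, dst)
    observed = len(packets)
    return observed, model.dns_frames, (observed + model.dns_frames) / observed


def worm_traffic(n: int) -> list:
    """Constructed: one infected host spraying n packets at n distinct targets (n <= 254)."""
    infected = "192.0.2.10"                        # documentation (TEST-NET) addresses
    return [(infected, f"203.0.113.{i % 254 + 1}") for i in range(n)]


def lan_chatter(n: int) -> list:
    """Constructed: two hosts exchanging n packets, so only two addresses to resolve."""
    a, b = "192.0.2.20", "192.0.2.21"
    return [(a, b) if i % 2 == 0 else (b, a) for i in range(n)]


if __name__ == "__main__":
    for label, pkts in (("worm spray", worm_traffic(100)), ("two hosts", lan_chatter(100))):
        for resolve in (True, False):
            obs, extra, ratio = amplification(pkts, resolve)
            print(f"{label:10s} resolve={resolve!s:5s} observed={obs} extra={extra} x{ratio:.2f}")
```

    With resolution on, the worm spray comes out at roughly 3x (every destination is new), the two-host chatter at 1.04x (only two lookups, then cache hits); with resolution off both stay at exactly 1x.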
  5. Randell D.

    Randell D. Guest

    "Randell D." <> wrote in message
    news:O5Mkb.131874$9l5.63091@pd7tw2no...
    >
    > Folks,
    >
    > This is more a question of curiosity... I've got a small network made up of
    > two Windoze PCs and one linux box - A month or so ago I found that by
    > checking the basic log on my router, that one of my Windoze PCs was
    > connecting to a HTTP port during bootup - It took me sometime but I
    > discovered it was Quicktime auto-start.
    >
    > I am now trying to take a little extra interest in security (I've been doing
    > Unix admin for years but security wasn't high on my list and rarely featured
    > in any of my projects). I've installed nessus and I'm curious to try out
    > the likes of nmap, ethereal and tcpdump - Part of me though was wondering
    > that with regards to using the likes of ethereal or tcpdump (dunno about
    > nmaps exact purpose just as yet other than it being security related)...
    > well... if I'm listening to my network, am I doing just that? Will these
    > programs create any extra traffic on my network? Can I leave them running
    > for a few hours on my linux box and then visit whatever they have picked up
    > without it causing me a headache?
    >
    > If one is to ignore my network is small, what about a larger network (for
    > example a clients network if I were to get a project that included
    > security). The last thing I want to do is bring their network down...
    >
    > All help, via the newsgroup would be much appreciated,
    > thanks
    > randelld
    >
    >


    Many thanks to the three of you who replied...
     
    Randell D., Nov 5, 2003
    #5
  6. Randell D.

    Mailman Guest

    Randell D. wrote:

    >
    > "Randell D." <> wrote in message
    > news:O5Mkb.131874$9l5.63091@pd7tw2no...
    >>
    >> Folks,
    >>
    >> This is more a question of curiosity... I've got a small network made up of
    >> two Windoze PCs and one linux box - A month or so ago I found that by
    >> checking the basic log on my router, that one of my Windoze PCs was
    >> connecting to a HTTP port during bootup - It took me sometime but I
    >> discovered it was Quicktime auto-start.
    >>
    >> I am now trying to take a little extra interest in security (I've been doing
    >> Unix admin for years but security wasn't high on my list and rarely featured
    >> in any of my projects). I've installed nessus and I'm curious to try out
    >> the likes of nmap, ethereal and tcpdump - Part of me though was wondering
    >> that with regards to using the likes of ethereal or tcpdump (dunno about
    >> nmaps exact purpose just as yet other than it being security related)...
    >> well... if I'm listening to my network, am I doing just that? Will these
    >> programs create any extra traffic on my network? Can I leave them
    >> running for a few hours on my linux box and then visit whatever they have
    >> picked up
    >> without it causing me a headache?
    >>
    >> If one is to ignore my network is small, what about a larger network (for
    >> example a clients network if I were to get a project that included
    >> security). The last thing I want to do is bring their network down...
    >>
    >> All help, via the newsgroup would be much appreciated,
    >> thanks
    >> randelld
    >>
    >>

    >
    > Many thanks to the three of you who replied...


    Haven't seen the OM, but the answer is no: by listening to a network you do
    not create any additional traffic. Actually there is no way of knowing if
    anyone is listening in - the operation is 100% passive. In general all
    these programs put the network interface in promiscuous mode (all packets
    are seen) and just report on whatever bits happen to come in.

    As to headaches: you may run into disk space problems - a few hours of
    traffic on a heavily used network is a lot of data.


     
    Mailman, Nov 5, 2003
    #6
  7. Randell D.

    Zenner Guest

    It does cause a drain on system performance. Especially if it is running on
    the server, it must inspect each packet to determine if it matches the
    criteria you are searching for. One of the reasons recommended to limit
    monitoring and logging to only what is required is not just the amount of
    data collected, it's also to minimize the drain on processor resources, CPU
    cycles. There have been cases where a number of system administrators have
    caused the system to become unresponsive and ultimately need to be
    re-booted, because each was independently attempting to isolate the cause of
    network slow-downs by running detailed logging and monitoring in different
    locations... no one was communicating or coordinating the effort. Other
    cases have been traced to non-admin personnel doing their "homework" or
    "roll-your-own" diagnostics on a production system, running utilities
    without consulting the operations staff.


    "Randell D." <> wrote in
    message news:O_Zpb.298648$9l5.177781@pd7tw2no...
    >
    > "Randell D." <> wrote in message
    > news:O5Mkb.131874$9l5.63091@pd7tw2no...
    > >
    > > Folks,
    > >
    > > This is more a question of curiosity... I've got a small network made up of
    > > two Windoze PCs and one linux box - A month or so ago I found that by
    > > checking the basic log on my router, that one of my Windoze PCs was
    > > connecting to a HTTP port during bootup - It took me sometime but I
    > > discovered it was Quicktime auto-start.
    > >
    > > I am now trying to take a little extra interest in security (I've been doing
    > > Unix admin for years but security wasn't high on my list and rarely featured
    > > in any of my projects). I've installed nessus and I'm curious to try out
    > > the likes of nmap, ethereal and tcpdump - Part of me though was wondering
    > > that with regards to using the likes of ethereal or tcpdump (dunno about
    > > nmaps exact purpose just as yet other than it being security related)...
    > > well... if I'm listening to my network, am I doing just that? Will these
    > > programs create any extra traffic on my network? Can I leave them running
    > > for a few hours on my linux box and then visit whatever they have picked up
    > > without it causing me a headache?
    > >
    > > If one is to ignore my network is small, what about a larger network (for
    > > example a clients network if I were to get a project that included
    > > security). The last thing I want to do is bring their network down...
    > >
    > > All help, via the newsgroup would be much appreciated,
    > > thanks
    > > randelld
    > >
    > >

    >
    > Many thanks to the three of you who replied...
    >
    >



     
    Zenner, Nov 8, 2003
    #7
  8. In article <T1Zqb.4595$>,
    says...
    > It does cause a drain on system performance. Especially, if it is running on
    > the server, it must inspect each packet to determine if it matches the
    > criteria you are searching for. One of reasons recommended to limit
    > monitoring, logging to only what is required is not just the amount of data
    > collected, it's also to minimize the drain on processor resources, cpu
    > cycles.


    It can also really mess up a busy switch if someone decides they need to
    port monitor all ports.

    /steve
     
    Stephen K. Gielda, Nov 8, 2003
    #8
