Sniffing on switched networks.

Discussion in 'Computer Security' started by zeebop, Jul 24, 2004.

  1. zeebop

    zeebop Guest

    Hi,

    If I'm on a switched network (PC's running windows) can I use tools
    like ethereal to sniff traffic from other PC's on the same network?

    I think my issue is listed here:
    http://www.ethereal.com/faq.html#q5.1

    If I cannot sniff this type of network, is there some specific
    hardware I could get to replace the current switch?

    Thanks for any pointers.

    zeebop.
     
    zeebop, Jul 24, 2004
    #1

  2. -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    zeebop wrote:

    > Hi,
    >
    > If I'm on a switched network (PC's running windows) can I use tools
    > like ethereal to sniff traffic from other PC's on the same network?
    >
    > I think my issue is listed here:
    > http://www.ethereal.com/faq.html#q5.1
    >
    > If I cannot sniff this type of network, is there some specific
    > hardware I could get to replace the current switch?
    >
    > Thanks for any pointers.
    >
    > zeebop.


    There are two programs I can think of off the top of my head that might help
    you.  One is called Cain (http://www.oxid.it/cain.html).  It will allow you
    to sniff packets from hosts on the same subnet as you.  The other package
    is called ettercap.  Both pieces of software basically make you the "man in
    the middle".  Cain is a bit more advanced as it allows you to spoof your IP
    and MAC as well as giving you the ability to crack passwords and the like.
    Cain is also easier to use.

    The other option is to span the port that your NIC is connected to across
    all other ports on your network.  This is only possible with higher end
    switches and may cause other problems (i.e. very slow response time for your
    computer).

    - --
    "Now the Lord God planted a garden East of Whittier in a place called
    Yorba Linda, and out of the ground he made to grow orange trees that
    were good for food and the fruits thereof he labeled SUNKIST ..."
    -- "The Begatting of a President"

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.4 (GNU/Linux)

    iD8DBQFBAts5qS1ElrnoqAoRAr4kAKCDDQOOot40y70MR2NQJTbhx+6XOACeMVp5
    poJ5QV55HejO5X1FjJYMrhE=
    =jsW/
    -----END PGP SIGNATURE-----
     
    James Candalino, Jul 24, 2004
    #2

  3. zeebop

    Jbob Guest

    Jbob, Jul 24, 2004
    #3
  4. zeebop

    zeebop Guest

    On Sat, 24 Jul 2004 17:42:31 -0500, "Jbob" <> wrote:

    >Try this link for info:
    >
    >http://www.linuxjournal.com/article.php?sid=6985
    >



    Thanks very much for both of your answers. They are very helpful.
    I had given ettercap a whirl, but wasn't getting much luck from it.

    Cain certainly seems to be closer to what I am after - but I'm not
    really concerned about passwords, more tracking chat networks like
    MSN, and I couldn't see how Cain would do this. I understand it's based
    on ARP though.

    I'm thinking of taking the easy route and getting a hub installed
    instead.
    Can anyone recommend a hub that does broadcast packets, as I've heard
    some don't?
    Does this one seem ok?
    http://tinyurl.com/5d6vp

    Thanks for your help.
     
    zeebop, Jul 25, 2004
    #4
  5. zeebop

    Gerard Bok Guest

    On Sun, 25 Jul 2004 02:15:09 +0100, zeebop <> wrote:

    >I'm thinking of taking the easy route and getting a hub installed
    >instead.
    >Can anyone recommend a hub that does broadcast packets, as I've heard
    >some don't?


    Then you heard wrong. Any hub does broadcast packets :)

    --
    Kind regards,
    Gerard Bok
     
    Gerard Bok, Jul 25, 2004
    #5
  6. zeebop

    zeebop Guest

    On Sun, 25 Jul 2004 10:38:22 GMT, (Gerard Bok) wrote:

    >On Sun, 25 Jul 2004 02:15:09 +0100, zeebop <> wrote:
    >
    >>I'm thinking of taking the easy route and getting a hub installed
    >>instead.
    >>Can anyone recommend a hub that does broadcast packets, as I've heard
    >>some don't?

    >
    >Then you heard wrong. Any hub does broadcast packets :)


    I think the problem is that some 'hubs' are mislabelled - and are
    effectively switches.

    There is a little reference to it here.
    http://www.ethereal.com/faq.html#q5.1

    I just don't want to go and buy something that doesn't broadcast.

    Thanks

    zeebop
     
    zeebop, Jul 25, 2004
    #6
  7. zeebop

    Gerard Bok Guest

    On Sun, 25 Jul 2004 11:46:56 +0100, zeebop <> wrote:

    >On Sun, 25 Jul 2004 10:38:22 GMT, (Gerard Bok) wrote:
    >
    >>On Sun, 25 Jul 2004 02:15:09 +0100, zeebop <> wrote:
    >>
    >>>I'm thinking of taking the easy route and getting a hub installed
    >>>instead.
    >>>Can anyone recommend a hub that does broadcast packets, as I've heard
    >>>some don't?

    >>
    >>Then you heard wrong. Any hub does broadcast packets :)

    >
    >I think the problem is that some 'hubs' are mislabelled - and are
    >effectively switches.


    That's true.
    If a device is labeled '10 Mbit hub' you can be pretty sure that
    it is indeed a hub.
    If a device is labeled '100 Mbit hub' you must be careful, as
    these devices are rather rare.
    If a device is labeled '10 and 100 Mbit hub' you're being cheated
    :)

    (Please enlighten me on English: what's the correct spelling,
    labeled or labelled? I normally do a Google when in doubt. But
    in this case I get 2 million hits on double L and 4 million on
    single L :)

    --
    Kind regards,
    Gerard Bok
     
    Gerard Bok, Jul 25, 2004
    #7
  8. zeebop

    Kleeb Guest

    On Sun, 25 Jul 2004 12:37:14 +0000, Gerard Bok schrieb :

    > (Please enlighten me on English: what's the correct spelling,
    > labeled or labelled? I normally do a Google when in doubt. But
    > in this case I get 2 million hits on double L and 4 million on
    > single L :)


    Either will suffice, I'm sure. Webster's Unabridged Dictionary lists both
    spellings of the word.

    Getting back to hubs, I thought the whole point of them was to just spit
    everything out (broadcast, sorry) to everything connected to them.

    Cordially,

    Kleeb.
     
    Kleeb, Jul 25, 2004
    #8
  9. In article <>, on Sun, 25 Jul 2004 12:37:14 GMT,
    (Gerard Bok) wrote:

    | On Sun, 25 Jul 2004 11:46:56 +0100, zeebop <> wrote:

    <snip />

    | (Please enlighten me on English: what's the correct spelling,
    | labeled or labelled? I normally do a Google when in doubt. But
    | in this case I get 2 million hits on double L and 4 million on
    | single L :)

    They are both right. Alternative spellings ... :)

    <http://smac.ucsd.edu/cgi-bin/http_webster?isindex=labeled>
    <http://www.m-w.com/cgi-bin/dictionary?book=Dictionary&va=labeled>

    etc

    <davidp />

    --
    David Postill
     
    David Postill, Jul 25, 2004
    #9
  10. "zeebop" <> wrote in message
    news:...
    > Hi,
    >
    > If I'm on a switched network (PC's running windows) can I use tools
    > like ethereal to sniff traffic from other PC's on the same network?
    >
    > I think my issue is listed here:
    > http://www.ethereal.com/faq.html#q5.1
    >
    > If I cannot sniff this type of network, is there some specific
    > hardware I could get to replace the current switch?


    OK. A switch works by dynamically "switching" ports between each other; this
    means that - by design - one port doesn't see another's traffic.

    A hub is basically a broadcast device, with each port talking to all other
    ports, and listening to all traffic.

    Because it's useful for sniffing, high-end switches (e.g. from Cisco) have a
    "spanning" facility that effectively configures certain switched ports into
    a mini hub.

    The easiest way to duplicate this for not-a-lot of money is to buy a cheap
    hub and plug it into the port you want to scan, and plug the sniffer and
    target connection into the hub.

    One thing worth remembering - on dual-speed hubs (e.g. Netgear), there are
    separate backbones ("broadcast thingies") for the 10Mb and 100Mb - when I
    sniff Internet traffic on my home connection, I have to drop the sniffer to
    10Mbps, half-duplex.

    Leaving it to auto-negotiate 100Mb/full just gives me ARP from the Cable
    Modem, rather than traffic to/from my trusty hardware router.

    HTH

    Hairy One Kenobi

    Disclaimer: the opinions expressed in this opinion do not necessarily
    reflect the opinions of the highly-opinionated person expressing the opinion
    in the first place. So there!
     
    Hairy One Kenobi, Jul 26, 2004
    #10
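    To make the switch / hub / SPAN distinction in the reply above concrete, here is an added example that is not code from the thread or from any product mentioned in it: a toy learning switch and a toy hub in Python, with an optional SPAN (port mirror), replayed over a few constructed frames to count what a sniffer on a third port would capture. The port numbers, MAC addresses and the frame list are all made up for the illustration.

```python
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str  # source MAC address
    dst: str  # destination MAC address (BROADCAST for ARP requests etc.)


class Hub:
    """Repeater: every frame is copied to every port except the one it came in on."""

    def __init__(self, ports):
        self.ports = set(ports)

    def forward(self, ingress, frame):
        return sorted(self.ports - {ingress})


class Switch:
    """Learning switch: records which port each source MAC was seen on,
    floods broadcast/unknown destinations, and sends known unicast to one port.
    Optionally mirrors (SPANs) traffic of selected ports to a monitor port."""

    def __init__(self, ports, mirror_to=None, mirrored=()):
        self.ports = set(ports)
        self.cam = {}                  # forwarding table: MAC -> port
        self.mirror_to = mirror_to     # SPAN destination (monitor) port, assumed feature
        self.mirrored = set(mirrored)  # SPAN source ports

    def forward(self, ingress, frame):
        self.cam[frame.src] = ingress  # learn where the sender lives
        if frame.dst == BROADCAST or frame.dst not in self.cam:
            out = self.ports - {ingress}          # flood
        else:
            out = {self.cam[frame.dst]}           # unicast to the learned port
        # SPAN: frames entering or leaving a mirrored port are also copied to
        # the monitor port, which is how a sniffer gets them on a switch.
        if self.mirror_to is not None and (ingress in self.mirrored or out & self.mirrored):
            out = out | {self.mirror_to}
        return sorted(out - {ingress})


def frames_seen_by(device, sniffer_port, traffic):
    """Replay (ingress_port, frame) pairs through the device and return the
    frames that reach the sniffer's port. Order matters: the switch learns."""
    return [f for ingress, f in traffic if sniffer_port in device.forward(ingress, f)]


# Constructed sample: host A on port 1 talks to host B on port 2,
# sniffer on port 3. MAC addresses are made up.
A, B = "00:00:00:00:00:0a", "00:00:00:00:00:0b"
TRAFFIC = [
    (1, Frame(A, BROADCAST)),  # A's ARP request for B (flooded everywhere)
    (2, Frame(B, A)),          # B's ARP reply, unicast back to A
    (1, Frame(A, B)),          # data A -> B
    (2, Frame(B, A)),          # data B -> A
]


def compare():
    """How many of the four frames a sniffer on port 3 captures per topology."""
    return {
        "hub": len(frames_seen_by(Hub([1, 2, 3]), 3, TRAFFIC)),
        "switch": len(frames_seen_by(Switch([1, 2, 3]), 3, TRAFFIC)),
        "switch_with_span": len(frames_seen_by(
            Switch([1, 2, 3], mirror_to=3, mirrored=[1]), 3, TRAFFIC)),
    }


if __name__ == "__main__":
    print(compare())  # {'hub': 4, 'switch': 1, 'switch_with_span': 4}
```

    The only frame the plain switch hands to port 3 is the broadcast ARP request; once the switch has learned both MACs, the unicast frames go straight between ports 1 and 2. Mirroring port 1 to port 3 restores the hub-like view, which is the "spanning" facility the reply refers to.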
  11. zeebop

    zeebop Guest

    On Mon, 26 Jul 2004 12:23:10 GMT, "Hairy One Kenobi"
    <abuse@[127.0.0.1]> wrote:

    >"zeebop" <> wrote in message
    >news:...
    >> Hi,
    >>
    >> If I'm on a switched network (PC's running windows) can I use tools
    >> like ethereal to sniff traffic from other PC's on the same network?
    >>
    >> I think my issue is listed here:
    >> http://www.ethereal.com/faq.html#q5.1
    >>
    >> If I cannot sniff this type of network, is there some specific
    >> hardware I could get to replace the current switch?

    >
    >OK. A switch works by dynamically "switching" ports between each other; this
    >means that - by design - one port doesn't see another's traffic.
    >
    >A hub is basically a broadcast device, with each port talking to all other
    >ports, and listening to all traffic.
    >
    >Because it's useful for sniffing, high-end switches (e.g. from Cisco) have a
    >"spanning" facility that effectively configures certain switched ports into
    >a mini hub.
    >
    >The easiest way to duplicate this for not-a-lot of money is to buy a cheap
    >hub and plug it into the port you want to scan, and plug the sniffer and
    >target connection into the hub.
    >
    >One thing worth remembering - on dual-speed hubs (e.g. Netgear), there are
    >separate backbones ("broadcast thingies") for the 10Mb and 100Mb - when I
    >sniff Internet traffic on my home connection, I have to drop the sniffer to
    >10Mbps, half-duplex.
    >
    >Leaving it to auto-negotiate 100Mb/full just gives me ARP from the Cable
    >Modem, rather than traffic to/from my trusty hardware router.
    >
    >HTH
    >
    >Hairy One Kenobi
    >
    >Disclaimer: the opinions expressed in this opinion do not necessarily
    >reflect the opinions of the highly-opinionated person expressing the opinion
    >in the first place. So there!
    >


    Thanks for the detail.
    I was planning on only sniffing local lan traffic (and incoming
    traffic from the Internet), so I have bought a Netgear DS104 hub. As
    all the connections attached to it are capable of 100Mb I am assuming
    that the 'dual speed' capability of the hub won't cause a problem and I
    will see all traffic.

    I was assuming that I would only have problems seeing the traffic if
    it was going/coming from a 10Mb and I was on a 100Mb connection.

    Thanks

    zeebop
     
    zeebop, Jul 26, 2004
    #11
  12. "zeebop" <> wrote in message
    news:...
    > On Mon, 26 Jul 2004 12:23:10 GMT, "Hairy One Kenobi"
    > <abuse@[127.0.0.1]> wrote:


    <snip>

    > >The easiest way to duplicate this for not-a-lot of money is to buy a cheap
    > >hub and plug it into the port you want to scan, and plug the sniffer and
    > >target connection into the hub.
    > >
    > >One thing worth remembering - on dual-speed hubs (e.g. Netgear), there are
    > >separate backbones ("broadcast thingies") for the 10Mb and 100Mb - when I
    > >sniff Internet traffic on my home connection, I have to drop the sniffer to
    > >10Mbps, half-duplex.
    > >
    > >Leaving it to auto-negotiate 100Mb/full just gives me ARP from the Cable
    > >Modem, rather than traffic to/from my trusty hardware router.


    > Thanks for the detail.
    > I was planning on only sniffing local lan traffic (and incoming
    > traffic from the Internet), so I have bought a Netgear DS104 hub. As
    > all the connections attached to it are capable of 100Mb I am assuming
    > that the 'dual speed' capability of the hub won't cause a problem and I
    > will see all traffic.
    >
    > I was assuming that I would only have problems seeing the traffic if
    > it was going/coming from a 10Mb and I was on a 100Mb connection.


    I'm using a DS108.

    With my router connection only supporting 10/half, I need to explicitly set
    the sniffer NIC to 10/half. On [automatic] 100/full, I don't see any traffic
    to/from the router..

    It's good practice not to auto-negotiate if you are sniffing.. as well as in
    certain circumstances where there are frequent problems (e.g. Cisco switches
    and Compaq 3Com NICs)

    H1K
     
    Hairy One Kenobi, Jul 27, 2004
    #12
  13. zeebop

    Botha Guest

    If you wanna sniff on a switched network just install Cain & Abel and then
    let it do the ARP poisoning for you.

    Then use ethereal or whatever sniffer you want to sniff yourself (or your
    Cain/Abel box).
    What I did at work was install Cain on a win2k box, poisoned the hosts and
    the gateway (router), then used Iris to sniff myself; it picked up all the
    data flowing through me (the middle man) via Cain & Abel.
    Was quite fun to see what management was surfing late at night.

    Cheers

    Sheldon

    "Hairy One Kenobi" <abuse@[127.0.0.1]> wrote in message
    news:btoNc.44$...
    > "zeebop" <> wrote in message
    > news:...
    > > On Mon, 26 Jul 2004 12:23:10 GMT, "Hairy One Kenobi"
    > > <abuse@[127.0.0.1]> wrote:

    >
    > <snip>
    >
    > > >The easiest way to duplicate this for not-a-lot of money is to buy a cheap
    > > >hub and plug it into the port you want to scan, and plug the sniffer and
    > > >target connection into the hub.
    > > >
    > > >One thing worth remembering - on dual-speed hubs (e.g. Netgear), there are
    > > >separate backbones ("broadcast thingies") for the 10Mb and 100Mb - when I
    > > >sniff Internet traffic on my home connection, I have to drop the sniffer to
    > > >10Mbps, half-duplex.
    > > >
    > > >Leaving it to auto-negotiate 100Mb/full just gives me ARP from the Cable
    > > >Modem, rather than traffic to/from my trusty hardware router.

    >
    > > Thanks for the detail.
    > > I was planning on only sniffing local lan traffic (and incoming
    > > traffic from the Internet), so I have bought a Netgear DS104 hub. As
    > > all the connections attached to it are capable of 100Mb I am assuming
    > > that the 'dual speed' capability of the hub won't cause a problem and I
    > > will see all traffic.
    > >
    > > I was assuming that I would only have problems seeing the traffic if
    > > it was going/coming from a 10Mb and I was on a 100Mb connection.

    >
    > I'm using a DS108.
    >
    > With my router connection only supporting 10/half, I need to explicitly set
    > the sniffer NIC to 10/half. On [automatic] 100/full, I don't see any traffic
    > to/from the router..
    >
    > It's good practice not to auto-negotiate if you are sniffing.. as well as in
    > certain circumstances where there are frequent problems (e.g. Cisco switches
    > and Compaq 3Com NICs)
    >
    > H1K
    >
    >
     
    Botha, Jul 30, 2004
    #13
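    Several replies in this thread (Cain, ettercap, the post above) rely on ARP poisoning to put a host on a switched network "in the middle". The following is an added example from the defender's side, not code from the thread, from Cain or from ettercap: a small arpwatch-style check in Python that parses ARP replies out of tcpdump-style text lines and flags the symptoms such poisoning leaves behind, an IP whose MAC binding changes, the gateway's binding moving, and one MAC answering for more than one IP. The log lines, addresses and the exact line format are constructed for the example.

```python
import re
from collections import defaultdict

# Matches the "Reply <ip> is-at <mac>" part of a tcpdump-style ARP line.
# The exact line format is an assumption of this example.
ARP_REPLY = re.compile(
    r"ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def parse_arp_replies(lines):
    """Return (ip, mac) pairs for every ARP reply found in the text lines."""
    pairs = []
    for line in lines:
        m = ARP_REPLY.search(line)
        if m:
            pairs.append((m.group("ip"), m.group("mac").lower()))
    return pairs


def detect_arp_anomalies(replies, gateway_ip=None):
    """arpwatch-style check over a sequence of (ip, mac) ARP replies.

    Alerts are tuples:
      ("ip-mac-change", ip, old_mac, new_mac)       an IP's MAC binding flipped
      ("gateway-rebind", old_mac, new_mac)          the default gateway moved
      ("mac-claims-multiple-ips", mac, (ip, ...))   one MAC answers for >1 IP
    One MAC answering for both the gateway and a host is the two-sided
    poisoning that man-in-the-middle tools perform.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ip, mac in replies:
        old = ip_to_mac.get(ip)
        if old is not None and old != mac:
            alerts.append(("ip-mac-change", ip, old, mac))
            if ip == gateway_ip:
                alerts.append(("gateway-rebind", old, mac))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append(("mac-claims-multiple-ips", mac, tuple(sorted(mac_to_ips[mac]))))
    return alerts


# Constructed capture: a normal gateway reply and host reply, then a third
# MAC answering for both the gateway and the host. No address here is real.
SAMPLE_LINES = [
    "12:00:01.000000 ARP, Reply 192.168.1.1 is-at 00:aa:bb:cc:dd:01, length 28",
    "12:00:02.000000 ARP, Reply 192.168.1.20 is-at 00:aa:bb:cc:dd:20, length 28",
    "12:00:03.000000 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 28",
    "12:00:04.000000 ARP, Reply 192.168.1.1 is-at 00:aa:bb:cc:dd:99, length 28",
    "12:00:05.000000 ARP, Reply 192.168.1.20 is-at 00:aa:bb:cc:dd:99, length 28",
]


def run_sample():
    """Alerts raised for the constructed capture, with 192.168.1.1 as the gateway."""
    return detect_arp_anomalies(parse_arp_replies(SAMPLE_LINES), gateway_ip="192.168.1.1")


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

    The sample raises four alerts: the gateway binding changes (reported twice, once generically and once as a gateway rebind), the host binding changes, and the new MAC ends up claiming both IPs. On a real network the same signal is what arpwatch reports; a static ARP entry for the gateway on sensitive hosts, or dynamic ARP inspection on a managed switch, stops the binding from being overwritten in the first place.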
