Windows Traffic Sniffer

Discussion in 'Computer Security' started by jms504, Aug 18, 2005.

  1. jms504

    jms504 Guest

    I'm looking for a good windows traffic sniffer for a switched network.
    As you already know, ethereal only does hubbed traffic sniffing.
    I need it for network packet analysis.

    I installed the ettercap interface for windows but to be frank, it
    sucks!
     
    jms504, Aug 18, 2005
    #1

  2. jms504

    xsr Guest

    jms504 Wrote:
    > I'm looking for a good windows traffic sniffer for a switched network.
    > As you already know, ethereal only does hubbed traffic sniffing.
    > I need it for network packet analysis.
    >
    > I installed the ettercap interface for windows but to be frank, it
    > sucks!

    No way you can "just" sniff a switched network, as the packets are not
    passing your computer. To be able to sniff on a switched network, you
    need something to perform arp poisoning as well, which ettercap, hunt &
    juggernaut can ( to name a few ).

    Ethereal for windows is also fine to use, but there needs to be a
    separate program running which performs arp poisoning ( like ARP0c/WCI
    from www.phenoelit.de )

    There are also more windows/user friendly tools for this, like Cain &
    Abel ( www.oxid.it ). Before doing anything i suggest to read up on arp
    poisoning, just to see what it is you are doing ( aside from sniffing ),
    since even Cain & Abel is not doing it automagically for you...

    BTW, properly configured switches/routers can also prevent arp
    poisoning and trigger some alerts.

    ----
    xsr
    08eb d563 c78f 85a9 2f4b 571b 9177 22e6 65ad ac05
    http://www.research-labs.net/
     
    xsr, Aug 18, 2005
    #2

  3. "jms504" <> wrote in message
    news:...
    > I'm looking for a good windows traffic sniffer for a switched network.
    > As you already know, ethereal only does hubbed traffic sniffing.
    > I need it for network packet analysis.
    >
    > I installed the ettercap interface for windows but to be frank, it
    > sucks!


    Most sniffers are based on (Win)PCAP, in my experience - Ethereal is a
    rather nifty front end (as long as you don't push it too far. *Never* run it
    on a production box, just on a client machine. It occasionally goes "la la")
    Ettercap is something that I've heard good things about, but...

    A lot depends upon your infrastructure, but most modern Cisco switches can
    be easily configured to provided sniffer info; even easier is to simply
    introduce a hub at the direct internet connection (for small sites - SPF!);
    I use this technique myself, and filter PCAP for the times (most of 'em)
    when I'm not interested in (e.g.) ARP.

    HTH

    Hairy One Kenobi

    Disclaimer: the opinions expressed in this opinion do not necessarily
    reflect the opinions of the highly-opinionated person expressing the opinion
    in the first place. So there!
     
    Hairy One Kenobi, Aug 19, 2005
    #3
  4. jms504

    jms504 Guest

    I'm aware of what ethereal/ettercap/ etc do.
    I'm not some script kiddie.

    I was just wondering if there is a better tool for Win other than
    ettercap.
    I've evaluated a few, but they're not the least bit sufficient and I'm a
    GUI guy.

    It can trigger ALL the alerts it wants..i'm not a Black Hat. I'm just
    doing a netmon assignment evaluating traffic passing into servers while
    actively sniffing.
     
    jms504, Aug 19, 2005
    #4
  5. jms504

    jms504 Guest

    Right.
    Ultimately what I am doing is trying to find a way to be able to sniff
    traffic on the same subnet to a group of servers without having to go
    to each server and set up a sniffer to log incoming packets. We have a
    pretty good size network. Setting up a sniffer on each would be too
    resource consuming.

    From my education (NSA-NSTISS-NIETP based) we worked with sniffers, but
    the better ones were in a linux environment and we are strictly
    windows.
    Ettercap and the interfaces for linux provided me with some nice tools
    however, the windows versions are buggy, and don't cut it.
    Installing linux or running live linux isn't an option.
    I'm trying to find an active sniffer that will be safe to run..as a
    passive sniffer won't cut it..and bringing down the network would be a
    bad thing..a VERY bad thing. I

    Log analysis would not suffice..we need real time capture and analysis
    at certain times.

    This is quite the bitch.
     
    jms504, Aug 19, 2005
    #5
  6. jms504

    Gerard Bok Guest

    On 18 Aug 2005 20:37:21 -0700, "jms504" <> wrote:

    >I'm aware of what ethereal/ettercap/ etc do.
    >I'm not some script kiddie.
    >
    >I was just wondering if there is a better tool for Win other than
    >ettercap.
    >I've evaluated a few, but theyre not the least bit sufficient and I'm a
    >GUI guy.
    >
    >It can trigger ALL the alerts it wants..i'm not a Black Hat. I'm just
    >doing a netmon assignment evaluating traffic passing into servers while
    >actively sniffing.


    In that case: do the math :)

    100 Mbs network ?
    nn hosts ?
    Switch ? so: duplex.
    Find yourself a 2 * nn * 100 Mbps capable solution and you can
    watch things from your chair.

    Or: do what we all do :)
    (And that probably does not involve 'Windows' :)

    --
    Kind regards,
    Gerard Bok
     
    Gerard Bok, Aug 19, 2005
    #6
  7. jms504

    xsr Guest

    Indeed a bitch getting assigned something but not allowed to use the
    most suitable os for it...

    Just realized, without arp poisoning, there is also another option of
    remote sniffing. Analyzer and winpcap. I've never tried it myself but
    those polito.it guys outline that with winpcap it is possible to
    install some sort of sniffer daemon (rpcapd.exe), manageable with the
    tool daemon_mgm.exe from winpcap.

    Their analyzer ( http://analyzer.polito.it ) should be able to use
    this daemon.

    ----
    xsr
    08eb d563 c78f 85a9 2f4b 571b 9177 22e6 65ad ac05
    http://www.research-labs.net/
     
    xsr, Aug 19, 2005
    #7
  8. jms504

    xsr Guest

    jms504 Wrote:
    > Right.
    > Ultimately what I am doing is trying to find a way to be able to sniff
    > traffic on the same subnet to a group of servers without having to go
    > to each server and set up a sniffer to log incoming packets. We have a
    > pretty good size network. Setting up a sniffer on each would be too
    > resource consuming.

    OK, so ignore my post about remote sniffing, heh. I've read this after
    getting enthusiastic about the remote sniffer daemon.

    jms504 Wrote:
    > ..and bringing down the network would be a
    > bad thing..a VERY bad thing

    When poisoning, existing connections usually get dropped, even if it
    might take a second or less for the programs to reconnect. Unless these
    programs require user intervention for re-establishing.

    Considering this next to the mentioned hardware or (non-gui or gui)
    tools, i don't know of a way to make it work on windows.
    You could try arp-sk ( http://www.arp-sk.org/ ) but it is non-gui.
    Cain & Abel combined with analyzer seems like the closest match to your
    requirements, in my opinion. It seems like a bitch to add all the hosts
    separately into Cain's APR, though.

    Anyway, good luck with it.

    ----
    xsr
    08eb d563 c78f 85a9 2f4b 571b 9177 22e6 65ad ac05
    http://www.research-labs.net/
     
    xsr, Aug 19, 2005
    #8
  9. jms504

    Kevin Reiter Guest

    jms504 wrote:
    > I'm looking for a good windows traffic sniffer for a switched network.
    > As you already know, ethereal only does hubbed traffic sniffing.
    > I need it for network packet analysis.
    >
    > I installed the ettercap interface for windows but to be frank, it
    > sucks!


    Snort with MySQL and BASE. No GUI, but the results are in a web page (BASE)

    If you can install a second NIC on the box, you can stealth it and pick up
    more traffic on a switched LAN. It can also detect arp spoofing, blah
    blah blah.

    Snort: http://www.snort.org
    MySQL: http://www.mysql.com
    BASE: http://secureideas.sourceforge.net/
    Snort on Win32: http://www.winsnort.com
     
    Kevin Reiter, Aug 19, 2005
    #9
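The alerts xsr and Kevin Reiter refer to (a switch or Snort flagging arp poisoning) come down to one observation: an IP address that was answered for by one MAC is suddenly claimed by another. As an added example that is not code from this thread or from any of the tools named in it, here is a minimal ARP-conflict detector run over constructed Ethernet/ARP frames; the MACs and addresses are made up for the demo.

```python
import struct
from ipaddress import IPv4Address

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet II/ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):   # only IPv4-over-Ethernet ARP
        return None
    return opcode, frame[22:28].hex(":"), str(IPv4Address(frame[28:32]))

class ArpWatcher:
    """Remembers the first MAC seen for each IP; a later claim by a different MAC is
    the symptom of ARP poisoning (the same conflict a switch or Snort alerts on)."""

    def __init__(self):
        self.table = {}    # ip -> mac first seen
        self.alerts = []

    def feed(self, frame: bytes):
        parsed = parse_arp(frame)
        if parsed is None:             # not ARP, or malformed: ignore
            return None
        opcode, mac, ip = parsed
        known = self.table.setdefault(ip, mac)
        if known != mac:
            kind = "reply" if opcode == ARP_REPLY else "request"
            self.alerts.append(f"ARP conflict: {ip} was {known}, now claimed by {mac} in {kind}")
            return self.alerts[-1]
        return None

def build_arp(opcode, sha, spa, tha, tpa):
    """Constructed test frame (Ethernet II + 28-byte ARP); not captured traffic."""
    eth = tha + sha + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    return eth + arp + sha + IPv4Address(spa).packed + tha + IPv4Address(tpa).packed

def run_demo():
    """Constructed scenario: the gateway answers, then a second MAC claims its IP."""
    gw, client, rogue = (bytes.fromhex(h) for h in ("00aa11bb22cc", "005566778899", "00dd33ee44ff"))
    w = ArpWatcher()
    w.feed(build_arp(ARP_REPLY, gw, "192.168.1.1", client, "192.168.1.50"))     # legitimate
    w.feed(b"\xff" * 12 + b"\x08\x00" + b"\x00" * 28)                            # IPv4, skipped
    w.feed(build_arp(ARP_REPLY, rogue, "192.168.1.1", client, "192.168.1.50"))  # poisoned
    return w.alerts
```

On a real capture the same `feed()` would be called per frame read from pcap; a static IP-to-MAC table for the gateways and servers, seeded instead of learned, makes the check stricter.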
  10. xsr <> wrote:

    > No way you can "just" sniff a switched network, as the packets are
    > not passing your computer. To be able to sniff on a switched network,
    > you need something to perform arp poisoning as well, which ettercap,
    > hunt & juggernaut can ( to name a few ).


    Or you log on to the switch and mirror the port you want to sniff ;-)

    Juergen Nieveler
    --
    A computer without Microsoft is like a chocolate cake without mustard.
     
    Juergen Nieveler, Aug 19, 2005
    #10
  11. jms504

    Wayne Guest

    "jms504" <> wrote in message
    news:...
    > I'm looking for a good windows traffic sniffer for a switched network.
    > As you already know, ethereal only does hubbed traffic sniffing.
    > I need it for network packet analysis.
    >
    > I installed the ettercap interface for windows but to be frank, it
    > sucks!
    >


    If you are using Cisco switches ask your network engineer or admin or
    whoever to setup a SPAN port for you. I'm sure other vendors have a similar
    feature in the event that you are not using Cisco switches.
     
    Wayne, Aug 21, 2005
    #11
  12. jms504

    David Guest

    Ettercap is really designed for windows, although Cain & Abel might do
    the trick.

    Another option is to use cygwin to emulate *nix and put ettercap in
    cygwin. You still may need winpcap, and though I've tried ettercap on
    actual linux, and cygwin, I've never tried ettercap "in" cygwin before.

    Good luck,
    David

    jms504 wrote:
    > I'm looking for a good windows traffic sniffer for a switched network.
    > As you already know, ethereal only does hubbed traffic sniffing.
    > I need it for network packet analysis.
    >
    > I installed the ettercap interface for windows but to be frank, it
    > sucks!
    >
     
    David, Aug 22, 2005
    #12
