-
Ethereal gateway setup
Hi, I need to analyse some traffic that occurs during Windows XP machine startup and network authentication. I figured that the easiest way to do that would be to use another machine as a gateway (with 2 network cards) to sit between the machine I need to analyze and the network. I have never done anything like this though, so is there a write-up about this some place? Basically, I would like no intervention from the gateway machine, so that it would be transparent (or as close to transparent as possible, so as not to change anything) to the machine I need to observe and the network environment.
Would I just do Internet Connection Sharing on the middle box? Or is there a better way? And is there a way to avoid the machine that I am observing from having a NAT (translated address)?
Thanks,
RMSe17
-
Ethereal is utterly non-obtrusive... It's a passive sniffer... Put a hub in or span a switch port between the source and the ethereal machine and voila.... You have your data.
-
No offence, but I cannot help but wonder why networking newbies always try to use the most complicated and difficult route when the answer is in fact dead simple..
TS is absolutely right.. Looking at your other posts about switches I recommend using a HUB.. Simplest, easiest solution that works like a charm..
K.I.S.S. (Keep It Simple, Stupid) ;)
-
Do you mean sticking a hub in between the machine I need to analyze and the rest of the network, and then connecting the Ethereal box to it as well, sorta like making a T? And that will give me everything, so I don't need to put the Ethereal box as a gateway?
-
You're _really_ new to this aren't you..... :)
You are absolutely correct....
But I have a word of warning..... In more than one case I have come across "Hubs" that have "Hub" written on them and the box but when you actually fire that sucker up it is actually a switch so you can't see anything except the broadcasts. If you aren't aware that can occur then you can waste an awful lot of time troubleshooting your install of WinPCap and Ethereal when you really don't need to..... :eek:
-
I happen to enjoy making things needlessly complicated... It keeps my housemates from being able to use my systems.
But yeah... Use a hub.
RMSe17:
Code:
Ethereal Machine ----------|
                           |
                           |-------Hub-----Network-------Internet
                           |
Machine to be observed-----|
Just pick up a cheapass 15-20 dollar hub. Go to Wal-Mart or something.
-
Great post everyone. Yeah, I would use a packet sniffer with a hub to see what is being transmitted across the network, and so true about the hub thing. There are several different products out there that do a great job at packet sniffing, so google it and try some out. What are you looking for? There may be a better tool out there to find what you are looking to see.
-
OK, so after trying 4 "hubs" and not getting anything but DHCP requests and IGMP V2 membership Reports.. the 5th hub sees stuff.
Thanks to everyone,
RMSe17
-
So... What did we learn?
1. Manufacturers of hubs and switches don't know the difference between the two.
2. Not all hubs that have hub written on them or the box are hubs.
3. Ask your local store employee if "this hub is really a hub" and he won't know what you are talking about.
4. Never trust hardware when you are using well tested and reviewed software.....
;)
-
Hahah yeah, finding an actual plain HUB these days ain't always easy!
A while ago I was on a small Caribbean island doing a managed IDS install for a client of ours and had to scramble to find two hubs (after it turned out that the switches we were told would do port mirroring did not). We (colleague and I) had to do all the little computer shops on the island; the conversation usually went like this:
us- Hi, we need two 4/8 ports hubs.
shop- Here I have these...
us- These are switches, not hubs!
shop- Well they're like hubs but better!
us- But we need HUBS!
shop- Why? Hubs are dumb!
us- WE KNOW!! That's what we want!!!
shop- Sorry don't have any.
Heh...
We finally found a place that had two *old* 8-port beige metal box hubs, which they sold for 50 bucks each!! Hahah lol... (we weren't the ones paying). These things must have been 10 years old!
Oh, BTW, you shouldn't run Ethereal live as a privileged user: too many security issues in the protocol dissectors.
Capture with tcpdump/windump (tcpdump -nettts 1500 -i ethX -w somefile.pcap) as root, then analyse the pcap file by running Ethereal as an unprivileged user. Ethereal might still screw you, but at least it won't compromise your whole box...
Ammo
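As an added example, not code from any poster in this thread: a small pure-Python check that reads a classic tcpdump-style pcap (captured the way Ammo suggests, then inspected offline as an unprivileged user) and reports whether it contains only broadcast, multicast and the sniffer's own frames, which is exactly the symptom RMSe17 saw with the first four "hubs" that turned out to be switches. It assumes Ethernet framing in a classic (non-pcapng) pcap; OWN_MAC, the sample MACs and the two in-memory captures are constructed values.

```python
import struct
BROADCAST = b"\xff" * 6
OWN_MAC = bytes.fromhex("001122334455")   # assumed MAC of the Ethereal/tcpdump box

def build_pcap(frames, little_endian=True):
    """Wrap raw Ethernet frames in a classic pcap file (link type 1, zero timestamps)."""
    e = "<" if little_endian else ">"
    head = struct.pack(e + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return head + b"".join(struct.pack(e + "IIII", 0, 0, len(f), len(f)) + f for f in frames)

def iter_frames(pcap):
    """Yield raw frames from a classic pcap byte string (either byte order; pcapng not handled)."""
    e = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if e is None:
        raise ValueError("not a classic pcap file")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(e + "IIII", pcap[off:off + 16])[2]
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len

def classify(pcap, own_mac=OWN_MAC):
    """Count frames by destination class; a switch port only ever shows the first three."""
    counts = {"broadcast": 0, "multicast": 0, "own": 0, "foreign_unicast": 0}
    for fr in iter_frames(pcap):
        if len(fr) < 14:
            continue                          # runt or truncated frame, ignore
        dst, src = fr[:6], fr[6:12]
        if dst == BROADCAST:
            counts["broadcast"] += 1          # e.g. DHCP Discover, ARP requests
        elif dst[0] & 1:
            counts["multicast"] += 1          # group bit set, e.g. IGMPv2 membership reports
        elif own_mac in (dst, src):
            counts["own"] += 1                # our own conversations, visible either way
        else:
            counts["foreign_unicast"] += 1    # only a real hub repeats these to us
    return counts

def looks_like_switch(pcap, own_mac=OWN_MAC):
    """True when the capture has no third-party unicast: the 'hub' is really switching."""
    return classify(pcap, own_mac)["foreign_unicast"] == 0

def frame(dst, src, ethertype=0x0800):
    return dst + src + struct.pack(">H", ethertype) + b"\x00" * 46

XP_MAC, SERVER_MAC = bytes.fromhex("0a0b0c0d0e0f"), bytes.fromhex("1a1b1c1d1e1f")
# Constructed captures: what a switch port shows versus what a real hub shows.
SWITCHED = build_pcap([frame(BROADCAST, XP_MAC), frame(bytes.fromhex("01005e000001"), XP_MAC)])
HUBBED = build_pcap([frame(BROADCAST, XP_MAC), frame(SERVER_MAC, XP_MAC), frame(XP_MAC, SERVER_MAC)])
```

Run it against a real capture with `looks_like_switch(open("somefile.pcap", "rb").read(), own_mac)`; if it returns True after a minute of the XP box booting, you have a switch with "Hub" printed on it.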