April 19th, 2004, 04:16 PM
Sniffing under Switch network~
just wanna make sure that can sniffer run under switch network??? why some article mention can be sniff under a switch ethernet network? can i do it with those technique like ARP poisoning, or level 2 compromising? any way or method i can perform a sniff under switch? any nice sniffer tool recommend?? Ethereal? Cain and Abel? sTerm? EtherPeek? or Spynet(does it work under W2K)??
April 19th, 2004, 04:47 PM
ettercap should work fine enough.
April 19th, 2004, 09:27 PM
You can sniff on a switched network under some circumstances. Your options are:
- Use a feature on a managed switch which sends all traffic to a given port - a "monitor" port. I haven't done this, I don't know if it works. Could easily overwhelm that port.
- If you are only interested in traffic going in / out of a given port anyway (say a router or server), connect a non-switching hub in between and attach the sniffing device there.
I don't like the sound of any arp poisoning tools etc, as they could possibly cause denial of service or reduction of performance to other users on the network
April 20th, 2004, 12:01 AM
Most managed switches offer a "monitor" port, or allow you to mirror traffic to a designated port based on port/Vlan/protocol/etc. This is really the best method to monitoring a switched environment. In an ideal scenario there would be a sensor attached to each switch, or a multiport "probe" (see NAI's Sniffers for a good idea on these) with a connection to a monitoring port on each switch.
When monitoring one connection, typically a tap is used. While tap's are a little more complicated and typically require two monitoring interfaces (one for each traffic direction) there are a few good solutions out there. Snorts site has schematics for a few build it yourself taps. Arp poisoning is typically the worst way to get a sniffer on a network, and while it may work if you do it right, it will quickly cause traffic problems.
You may also get good results simply by monitoring the main switch in a network, although you will miss a lot of host to host traffic, if the majority of the traffic you are monitoring goes through one point it is often easier to watch that one point.
for reference --
Snorts site -- www.snort.org
Netoptics (maker of some killer tap's) www.netoptics.com
NAI sniffer distributed -- http://www.nai.com/us/products/sniff...istributed.htm
I use the port mirroring method on our extreme switches with great success
I use the monitoring port method on 3com switches with mediocre success
for sniffing/monitoring we use a combination of snort machines and two sniffer distributed boxes with great success
Before purchasing netoptics taps I used the passive tap schematic's off snort's site with great success
The net optics port aggregator taps are a godsend and we use them with great success
I\'ll preach my pessimism right out loud to anyone that listens!
I\'m not afraid to be alive.... I\'m afraid to be alone.
April 20th, 2004, 04:43 AM
Oh, just plug a hub in between your core switch and the interent and you'll be able to sniff all network traffic from there. There really is no voodoo to it. A basic understanding of switching technology will give you a spring board into tracing MAC addresses and bogus IP addresses.
Trust me after just a couple of engineers steal your default gateway address in error...you'll be well versed in tracking down MAC adn IP addresses locally.
Even optical media has hubs, so there is no worry there.
I would suggest against port mirroring or using the management port for traffic monitoring as that leads to crashes and bandwidth bottlenecks. Live and learn with the equipment you have.
Hope that helps.
Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
- Samuel Johnson
April 20th, 2004, 02:42 PM
Yes, you can sniff traffic in a switched network. Are you trying to do this at home? If so, then it is very easy since you would probably be using one hub and one network. I have to sniff traffic at my office from time to time and it is a little more complicated since this is an enterprise level network with multiple vlans. If you told us how your network is constructed, we may be able to give you a better idea on how to do this.