Thread: Sniffing under Switch network~

  1. #1

    Sniffing under Switch network~

    Just wanna make sure: can a sniffer run under a switched network? Why do some articles mention that you can sniff under a switched Ethernet network? Can I do it with techniques like ARP poisoning, or level 2 compromising? Is there any way or method I can perform a sniff under a switch? Any nice sniffer tool to recommend? Ethereal? Cain and Abel? sTerm? EtherPeek? Or Spynet (does it work under W2K)?

  2. #2
    Senior Member
    Join Date
    Mar 2004
    Posts
    113
    ettercap should work fine enough.

  3. #3
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    You can sniff on a switched network under some circumstances. Your options are:

    - Use a feature on a managed switch which sends all traffic to a given port - a "monitor" port. I haven't done this, I don't know if it works. Could easily overwhelm that port.
    - If you are only interested in traffic going in / out of a given port anyway (say a router or server), connect a non-switching hub in between and attach the sniffing device there.

    I don't like the sound of any ARP poisoning tools etc., as they could possibly cause denial of service or reduction of performance to other users on the network.

    Slarty

  4. #4
    Senior Member
    Join Date
    Dec 2001
    Posts
    291
    Most managed switches offer a "monitor" port, or allow you to mirror traffic to a designated port based on port/VLAN/protocol/etc. This is really the best method of monitoring a switched environment. In an ideal scenario there would be a sensor attached to each switch, or a multiport "probe" (see NAI's Sniffers for a good idea on these) with a connection to a monitoring port on each switch.

    When monitoring one connection, typically a tap is used. While taps are a little more complicated and typically require two monitoring interfaces (one for each traffic direction), there are a few good solutions out there. Snort's site has schematics for a few build-it-yourself taps. ARP poisoning is typically the worst way to get a sniffer on a network, and while it may work if you do it right, it will quickly cause traffic problems.

    You may also get good results simply by monitoring the main switch in a network. Although you will miss a lot of host-to-host traffic, if the majority of the traffic you are monitoring goes through one point it is often easier to watch that one point.

    For reference:

    Snort's site -- www.snort.org
    Netoptics (maker of some killer taps) -- www.netoptics.com
    NAI Sniffer Distributed -- http://www.nai.com/us/products/sniff...istributed.htm

    I use the port mirroring method on our Extreme switches with great success.
    I use the monitoring port method on 3Com switches with mediocre success.
    For sniffing/monitoring we use a combination of Snort machines and two Sniffer Distributed boxes with great success.

    Before purchasing Netoptics taps I used the passive tap schematics off Snort's site with great success.
    The Net Optics port aggregator taps are a godsend and we use them with great success.
    ~THEJRC~
    I'll preach my pessimism right out loud to anyone that listens!
    I'm not afraid to be alive.... I'm afraid to be alone.

  5. #5
    Priapistic Monk KorpDeath
    Join Date
    Dec 2001
    Posts
    2,628
    Oh, just plug a hub in between your core switch and the Internet and you'll be able to sniff all network traffic from there. There really is no voodoo to it. A basic understanding of switching technology will give you a springboard into tracing MAC addresses and bogus IP addresses.

    Trust me, after just a couple of engineers steal your default gateway address in error... you'll be well versed in tracking down MAC and IP addresses locally.

    Even optical media has hubs, so there is no worry there.

    I would suggest against port mirroring or using the management port for traffic monitoring as that leads to crashes and bandwidth bottlenecks. Live and learn with the equipment you have.

    Hope that helps.
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson
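
Post #5 mentions tracking down MAC and IP addresses after someone takes the default gateway address, and earlier posts raise ARP poisoning. As an added example (not part of the thread and not written by any poster), this Python script flags both conditions from ARP replies; the capture lines, addresses and function names are constructed for illustration and assume the text output of `tcpdump -n arp`.

```python
import re
from collections import defaultdict

# Constructed sample: ARP traffic as printed by `tcpdump -n arp`.
# 192.168.1.1 stands in for the default gateway (assumption).
SAMPLE_CAPTURE = """\
10:00:01.000101 ARP, Reply 192.168.1.1 is-at 00:1a:2b:3c:4d:5e, length 46
10:00:02.100202 ARP, Reply 192.168.1.20 is-at 00:50:56:aa:bb:01, length 46
10:00:05.300303 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 46
10:00:05.300909 ARP, Reply 192.168.1.1 is-at 00:1a:2b:3c:4d:5e, length 46
10:03:17.554001 ARP, Reply 192.168.1.1 is-at 00:50:56:aa:bb:07, length 46
10:03:18.554120 ARP, Reply 192.168.1.1 is-at 00:50:56:aa:bb:07, length 46
10:03:19.000045 ARP, Reply 192.168.1.30 is-at 00:50:56:aa:bb:07, length 46
"""

REPLY_RE = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"is-at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.IGNORECASE)

def parse_replies(text):
    """Yield (timestamp, ip, mac) for every ARP reply line; skip the rest."""
    for line in text.splitlines():
        m = REPLY_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("ip"), m.group("mac").lower()

def find_conflicts(text):
    """Return findings: IPs claimed by several MACs, MACs claiming several IPs."""
    ip_to_macs = defaultdict(dict)   # ip -> {mac: timestamp first seen}
    mac_to_ips = defaultdict(set)    # mac -> set of IPs it answered for
    for ts, ip, mac in parse_replies(text):
        ip_to_macs[ip].setdefault(mac, ts)
        mac_to_ips[mac].add(ip)
    findings = []
    for ip, macs in sorted(ip_to_macs.items()):
        if len(macs) > 1:
            # MACs listed in the order they first claimed the address.
            findings.append(("ip-conflict", ip, sorted(macs, key=macs.get)))
    for mac, ips in sorted(mac_to_ips.items()):
        if len(ips) > 1:
            findings.append(("mac-multi-ip", mac, sorted(ips)))
    return findings

if __name__ == "__main__":
    for kind, key, values in find_conflicts(SAMPLE_CAPTURE):
        print(f"{kind}: {key} -> {', '.join(values)}")
```

A MAC answering for several IPs can be legitimate (a router doing proxy ARP, a host with multiple addresses), so treat that finding as a lead to check against the switch's MAC table rather than proof of poisoning.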

  6. #6
    Yes, you can sniff traffic in a switched network. Are you trying to do this at home? If so, then it is very easy since you would probably be using one hub and one network. I have to sniff traffic at my office from time to time and it is a little more complicated since this is an enterprise level network with multiple vlans. If you told us how your network is constructed, we may be able to give you a better idea on how to do this.
