
Thread: Sniffing multiple networks

  1. #1

    Sniffing multiple networks

    Ok, I have two questions. Is it possible to sniff multiple subnets? I'm familiar with sniffing a regular network and a switched network, and I tried both on a network I created. I have access to Cisco routers and switches at a Cisco lab at school. Does it have anything to do with poisoning the routing tables? And how can you stop it?

    Thanks for your help.

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    This all kinda depends on the architecture but it isn't easy in any case.

    If all the subnets had a common point then it would be possible depending upon the equipment in use. It's obviously easier if you can have physical access too. In most circumstances the architecture would prevent you. For example:-

    subnet --- router --- subnet --- router --- subnet

    Would be impossible to sniff from any single subnet.

    If it were a star topology you would be able to sniff subnet to subnet traffic if you got onto the hub. But even then intrasubnet traffic on the associated subnets would be invisible. In the long run you are better off getting a sniffer onto each subnet of interest anyway. The purpose would usually be to pick up on authentication traffic, (as an attacker), and so much of that _should_ go on on the individual subnets that it wouldn't get you very far very quickly.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #3
    You can sniff from different subnets. If you have proper access to the network here's the legit way.

    You can use SPAN or RSPAN to send traffic from different ports on a switch or switches to a monitor port. The monitor port will be where your sniffer is located. This way you will get data from each VLAN (port) that you specify.

    SPAN
    SPAN allows you to set source ports on a switch and tell them to send all (or TX/RX) to a monitor port. This way you can sniff as many subnets as you'd like. This feature isn't available on all Cisco switches.

    RSPAN
    Same thing as SPAN except instead of sending it to a monitor port which a sniffer is on it sends it to a separate VLAN. This means you can sniff traffic from many ports on many switches. Once again this is only supported on some switches, mostly higher end ones.

    Be careful of your bandwidth, the switched traffic from an RSPAN session can be a lot.

    Cisco has more info, just do a search.

    And you can use tools like ettercap to sniff switched traffic. I have had time to fool with this much.

    One way to "prevent" this kind of sniffing is an IDS. Most IDSs monitor for ARP requests and will alert you of any activity related to switched network sniffing.

    At least I think this is the way it all works. If someone sees something that I'm misunderstanding, correct me. I'm here to learn.

  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Trench:

    You are correct if the network is subnetted by switches... But I would consider that a single network, (with multiple subnets separated logically). That's why I said it depends on the architecture. I see several networks separated by routers as just that, separate networks and even though the separation is "logical" in nature it's a much greater form of separation than switches.

    But then, in your example you are discussing sniffing from an admin's POV. I was thinking more from an attacker's POV since the OP asked how to prevent it.

    Also, some firewalls note MAC address changes of clients on the network. Mine dumps a "Network Address of xxxxx has changed to xx:xx:xx:xx:xx:xx" to the logs every time my exchange server load balances the twinned cards.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
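The ARP monitoring mentioned in post #3 and the MAC-change logging described in post #4, sketched as an added example that is not part of the original thread or any poster's code. The record format, addresses and the teamed-NIC allowlist are constructed assumptions; the allowlist covers the load-balanced server case from post #4 so it does not raise false alerts.

```python
from collections import defaultdict

# Constructed sample: (seconds, sender IP, sender MAC) as seen in ARP replies.
SAMPLE_ARP = [
    (0, "10.0.1.1", "00:11:22:33:44:01"),    # gateway
    (1, "10.0.1.20", "00:11:22:33:44:20"),   # workstation
    (2, "10.0.1.5", "00:11:22:33:44:a1"),    # server, first teamed NIC
    (30, "10.0.1.5", "00:11:22:33:44:a2"),   # server, second teamed NIC
    (60, "10.0.1.1", "00:11:22:33:44:99"),   # gateway IP claimed by a new MAC
    (61, "10.0.1.20", "00:11:22:33:44:99"),  # same MAC also claims workstation
]

# Assumed allowlist: IPs whose MAC legitimately alternates (NIC teaming).
TEAMED = {"10.0.1.5": {"00:11:22:33:44:a1", "00:11:22:33:44:a2"}}


def detect_arp_anomalies(records, teamed=None, max_ips_per_mac=1):
    """Return alerts as (time, kind, ip, mac) tuples."""
    teamed = teamed or {}
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in records:
        mac = mac.lower()
        old = ip_to_mac.get(ip)
        if old is not None and old != mac:
            # Suppress the alert only when both MACs are known for this IP.
            if not {old, mac} <= teamed.get(ip, set()):
                alerts.append((ts, "binding_change", ip, mac))
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            # One MAC answering for several IPs is typical of ARP poisoning;
            # raise max_ips_per_mac for routers that do proxy ARP.
            if len(mac_to_ips[mac]) > max_ips_per_mac:
                alerts.append((ts, "multiple_ips", ip, mac))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_anomalies(SAMPLE_ARP, TEAMED):
        print(alert)
```
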

  5. #5
    I see what you're saying. I guess we looked at that question from two different points of view.

    I guess I was coming from the angle that you only see traffic sent directly to your machine when you're on a switch port. To clarify my statement for the OP... For instance, if I have a workstation on port 12 of a switch, by default I'm only going to see traffic sent to that port (workstation on that port). So if I attempted to sniff the network I would only get my own traffic. That's where the whole SPAN thing came in. So yes, like you said it's all one network, I was thinking about it that way too. The problem is how do I see all the traffic at once to sniff it.

    Later

  6. #6
    Thanks trench and Tiger shark, but I was still researching and I found this link:

    http://packetstormsecurity.nl/groups/horizon/ripar.txt

    I just read it and I'm having trouble grasping the extent to which these tools can be used. What I mean is, in what scenarios? Does using RIPv2, since it provides authentication, help to stop it? I'm going to go check how easy it is to capture and crack that authentication right now.

  7. #7
    Junior Member
    Join Date
    Jul 2004
    Posts
    15
    Hmm, I would agree that it is architecture based, because the network I admin is switched and routed, and I have no problem sniffing it all with ettercap and snort. It has 3 different subnets (45 computers) and I can capture them all...

    Shugart ...
    You call that a firewall !

  8. #8
    Hey Shugart, can you explain a bit more about the architecture of your network and where you have the box that is running ecap and the one that is running snort? I would really appreciate it.

    Thanks

  9. #9
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    He may be talking about sniffing the internet bound traffic. I can do that on my network but I need to place additional sniffers out there if I want all intrasubnet traffic from some of my subnets.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  10. #10
    Junior Member
    Join Date
    Jul 2004
    Posts
    15
    Well, both ettercap and snort are on the same machines. And no, it's not just internet traffic. I can watch it all. I have ettercap and snort on an admin laptop, I just plug in and go into promiscuous mode. OK, structure: I have my server, a router - 15 machines, then a cat-5 to a switch to 3 routers, then more cat-5 to a router with 2 machines, then to a router with 5 computers, then a router with 20+ computers in a LAB (it's a school). And I haven't done much to configure ecap and snort, just set up and ran...

    Anything more?
    Shugart
    You call that a firewall !
