Split a 100MB ethernet connection for sniffing - Page 2
Page 2 of 3 FirstFirst 123 LastLast
Results 11 to 20 of 26

Thread: Split a 100MB ethernet connection for sniffing

  1. #11
    Super Moderator
    Know-it-All Master Beaver

    Join Date
    Jan 2003
    Posts
    3,914
    Hey Hey,

    I'm not sure what you mean by you could only get one side of the date (assuming data)... If you had the wires melded you would have your send and receive isolated.... and I dont' see a reason why you wouldn't get full duplex.. (you only get half duplex when you're connected to a hub, or a dumb device where you can't always send/recieve at the same time..

    I'll see if I can't draw a picture of what I mean..

    Peace
    HT

    [Edit]
    Attached Image:

    The goal is to make sure that both ends are in the connector and not a splice in the cable... i'm going to create one tomorrow to test it, but I'm pretty sure it should work.

    [/Edit]
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  2. #12
    Senior Member
    Join Date
    Oct 2002
    Posts
    1,130
    Hi Irongeek,

    The primary purpose of ss2chef's idea is to make a recieve-only tap, so the computer connected to the sniffer would not be able to send traffic, or for that matter any kind of electrical signal the wrong way down the wire. The sniffer box is completely invisible on the network. If the sniffer box has access to the transmit pins on these wires, any signal it sends, whether this IP traffic, hardware negotiation or any kind of electrical signal, would interfere with the signal already on the wire and destroy it. I have tried a setup much like what HTRegz suggested before and encountered this problem.

    I have built the snort taps before. I have three of them which I use to sniff traffic. They have the added benefit of making the recieveing computer(s) invisible, since it is not connected to any transmit pins. But yes, the recieved traffic is only half duplex. Each NIC will recieve traffic travelling only in one direction. Merging these two streams, however, is not at all difficult. Iptables is capable of rebuilding these streams with the bonding driver, which is more normally used to increase network bandwidth.

    If you have "bonding driver support" enabled as a module in the linux kernel, a bonded interface, which will recieve traffic from eth1 and eth2, can be set up as follows:

    Code:
    ifconfig bond0 up
    fconfig eth1 promisc up
    ifconfig eth2 promisc up
    ifenslave bond0 eth1
    ifenslave bond0 eth2
    I have had some success with this. Any application listening on bond0 will now recieve traffic entering the box both on eth1 and eth2. This is my usual solution when sniffing traffic in this manner. I can see full duplex traffix on bond0, but I am still unable to transmit anything to the network, making it impossible to overwrite the signal with stray electrons.

    This should work for you.

    <EDIT>
    hrm... I don't have ifenslave here, so I guess you might not either. I'll attach the source to save you the trouble of looking for it. It's just a single C source file.
    </EDIT>
    Government is like fire - a handy servant, but a dangerous master - George Washington
    Government is not reason, it is not eloquence - it is force. - George Washington.

    Join the UnError community!

  3. #13
    Senior Member Spyrus's Avatar
    Join Date
    Oct 2002
    Posts
    742
    Correct me if im wrong but cant you just put 2 network cards in your computer and setup network sharing so that it does something like this:

    Comp 1 Sniffer WAN
    nic---------------------------nic1--nic2------------whatever

    then the computer would see all traffic going through it... unless you are looking for it not to hit your computer for whatever reason
    Duct tape.....A whole lot of Duct Tape
    Spyware/Adaware problem click
    here

  4. #14
    Senior Member IKnowNot's Avatar
    Join Date
    Jan 2003
    Posts
    792
    Yes, I too am not sure what you are trying to do.

    A Hub will be half-duplex, cause collisions, but it is cheep and can be deployed easily. The biggest problem is how it will affect network performance. But it will see BOTH sides of the transmission.

    A Tap, as Striek said, will only see one side of the transmission, either coming in OR going out. Combining both can be done in several ways if you want to monitor both sides, say to know requests as well as responses. If you are using a commercial Tap ( which you say you can not afford ) there should be two ports which need to be combined. If you use home made taps you may need two, then combine them. ( not fun ) If you use really expensive Taps, some can, as I understand it, combine them in the hardware, but then again, you can't afford the cheep ones so .....

    Again, I don't know what you are trying to capture. I would think it would be better to capture both sides of the transmission then sort through what you need. To do this I would still suggest the hub. Even though a hub may cause collisions, those packets that are not received should be resent . ( it is my understanding that using a hub to connect two Taps is a very bad idea because it can introduce collisions that the monitor doesn't see, and neither do the sender or receiver because for them no collisions occurred. So the monitor can miss packets and never know it because they were never re-sent ) whew.

    Again, with the hub, how much performance derogation will there be on your application? You would need to determine your available bandwidth and your bandwidth usage.

    The only other alternative I can see is what Spyrus recommended.
    Put together a spare computer with duel NICs, and set it up as a Bridge. Monitor ( capture ) all the traffic that passes through. If it is not that fast, put in a third NIC to connect to your computer that will do the Cain stuff.

    Hope this helps. ( Hope I made sense! )
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes

  5. #15
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897
    Hi Striek. Cain is a Windows only tool so I can't use the Linux solution, but thanks for the information.

    Hi Spyrus . I dont think just sharing would work because not all broadcasts and such would be forwarded (since it would be NATed). Bridging might though. See:

    http://www.microsoft.com/technet/pro.../xpbrdgnt.mspx

    I'll have to try it, thanks.

  6. #16
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897
    Originally posted here by IKnowNot

    A Hub will be half-duplex, cause collisions, but it is cheep and can be deployed easily. The biggest problem is how it will affect network performance. But it will see BOTH sides of the transmission.

    Thanks, I've tried a hub but for some reason the best I can do with it is seeing half on the connection by hooking the main line in to the uplink, connecting the phone into the port thats tied to it (not sure what to call it) and hooking my sniffer to one of the normal ports on the hub. If I hook it up any other way the phone can't find the server.

  7. #17
    Senior Member
    Join Date
    Oct 2002
    Posts
    1,130
    Oops. Missed the Cain part.

    Windows is capable of interface bonding as well. It is also known as link aggregation. It is mainly used, as I said, to increase bandwidth, however it will accomplish what you need. You would need third-party trunking software installed. Two possibilities are Sun Trunking Software or Nic Express. Sun Trunking Software has a $1000 price tag, so I doubt it will be good for your tutorial. Falconstor does offer a trial version of Nic Express though.

    I'm thinking some sort of trunking software would do the trick with a tap. I'm not sure if bridging could do it. You could possible set something up where nic1 and nic2 are both bridged to nic3, but most users would be unable to accomplish this. I'm not even sure if it's possible. That may not work either.

    So I have two solutions for you... some kinf of trunking/link aggregation/bonding software, which will allow the traffic to be sniffed in real time, or stream reassembly software which will reassemble a single stream from two capture files.
    Government is like fire - a handy servant, but a dangerous master - George Washington
    Government is not reason, it is not eloquence - it is force. - George Washington.

    Join the UnError community!

  8. #18
    Senior Member IKnowNot's Avatar
    Join Date
    Jan 2003
    Posts
    792
    again I am confused. You have a hub with a phone jack?

    Yes, you may need to use the up-link side, or use a crossover cable ( damn, is that the name? I can't remember, I'm way drunk )

    But the hub still should show you both sides of the connections.

    Just a guess here ... you have DSL? You connect to the DSL modem via ethernet.

    You would place the hub between the normally connected computer and the modem, the modem would be connected to the hub either via a crossover cable or “ uplink”
    The other computers would connect via the normal ethernet connections.

    The only problem I have heard of is when mixing 10, 10/100, and 100 M ethernet cards.
    I have heard of some 10/100 hubs that would negotiate differently causing lost data.

    If this is your situation make sure all can negotiate to the same speed. You said the hub is 10MB so if all the NICs are either 10MB or 10/100 they SHOULD negotiate to 10MB. Make sure they are all compatible, or force the hardware to do so.

    I'm not sure if bridging could do it. You could possible set something up where nic1 and nic2 are both bridged to nic3
    No, NIC1 and NIC2 would form the bridge, have no IP address, NIC3 would have a private address to access the tcpdump files that the box captured.
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes

  9. #19
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897
    I have a VOIP phone that hooks to ethernet. It may not be able to negotiate down to 10Mbit.

  10. #20
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897
    If you have a laptop with two NICs you can set up a MAC bridge and that works also, better yet you get both sides of the conversation. More details here:

    http://www.microsoft.com/technet/community...guy/cg0102.mspx

    Just tested it and it works great.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides