sniffing network traffic

[ommy]

hi everyone,
here I am to learn again and again again .. Since I feel a little awkward now, for the reason that I have never contributed to this community other then asking for suggestions and recommendations. Lazy dog :P

Anyways, experiencing some problem. Our corporate 2 mbps link to our head office is choked. Net work load is just fine, the way it used to be. I want to know that how can I sniff the network traffic from my link (backbone/core switch) to our head office. I need to monitor that what traffic is actually leaving from my regional link to the network backbone? I am already 'googling' it..but just wanted to share it with my community. Any suggestions on this would be appreciated.

Thanks anyways for bearing me all along.

Just one more thing..We are using CISCO switches and routers. So the environment is IOS based. Can it be a help, if i attatch my laptop to the console and try to sniff the traffic using some tool?

[SirDice]

You could use a SPAN or a Remote SPAN port...

The console port is not a network port so you're not able to "sniff" the traffic the traditional way.. You can use debug commands to get the info but the console port is usually too slow for this..

[TechGrunt]

As with all things, there are a couple of ways you could approach this - most depending upon how your network is setup (and you are the best judge of suitability in that regard), I throw these for consideration.
1. If you are looking at reducing your backbone usage to a reasonable amount, first thing you should do is obtain an application that can measure bandwidth utilisation (SolarWinds is one I could recommend, it is fairly costly however, so it greatly depends upon your budget). This has the benefit of:
- giving you a metric to measure how well you are progressing with the problem (ie utilisation was at 90% last week, it is now down to 50% etc)
- giving you a metric that is easy to convey to management or customer groups effected by the problem (ie "What are you doing about this problem?"...."Well I have improved it by x%")

2. Now, looking at getting to the cause of the problem. I assume that the usage is not down to normal use of your network expanding beyond capacity? From you post I assume that this is sudden and not a normal situation. If so, here are some options for you:
a. If you network doesn't have a large number of nodes an easy way to determine the problem would be to use a network monitoring tool that can tell you the output of the NIC card belonging to the PC you are monitoring. In this case, you would need to run it for a couple of days to obtain a baseline and look for the workstation/server that is produce a above normal amount of traffice. Once again, I can recommend SolarWinds for this purpose.
b. If you network is large (which would make the above solution unviable), a dedicated sniffing tool would be the way to go. I can recommend Network Associates Sniffer. I have seen this deployed on a dual-nic laptop to affected areas to obtain traffic for analysis. Note, however, from what I have seen of it, it is not the type of application you can pick up and operate easily

Hope this helps

[XTC46]

Solarwinds is a great toolkit. Others that i use are Network Sniffer (also costly) or ethereal (free!!!)

[HTRegz]

Hey Hey,

What are the RMON capabilities of the devices in your network? (This may take some research). See http://www.cisco.com/univercd/cc/td/...rt3/fcf016.htm for more information. The Matrix, Top Host-N and Hosts tables may be of use to you.


While, SPAN or RSPAN (or even VSPAN depending on your setup) is the logical choice for sniffing, you don't know where your bottleneck is.. Because you don't know where it is, mirroring some or all of your ports may provide further bottlenecks and clogs in your network.

Do you have a baseline from the original network install? To give you an idea of what normal network operation is. Have any new applications been installed that would change the bandwidth requirements and did you baseline after that application was installed.

Do you have one large flat network or do you have subnets and vlans.... It could be an overly large amount of broadcasts.

Do you have traffic shapping in place? Do you have Class of Service aware applications or do you set IP Precedence or DSCP (depending on your equipment and setup)... If you are utilizing this (most likely if you have VoIP or Video Conferencing equipment).. do your switches trust the CoS set by the application or override it.. and has someone figured out that they can provide their own CoS value (802.1q compliant NICs) and is using it to hog the bandwidth..

There are many things that you have considered when you have a congestion problem... and throwing in a sniffer might only make the problem worse instead of helping you out.

Peace,
HT

[mmkhan]

Do you have a baseline from the original network install?

how is it possible to takes a baseline of network. I think u are talking about the snapshot of the network in ideal timings.


Thanks

[genXer]

I also had a question along these lines. I am conducting an audit right now and found out the community string for their SNMP - but I wanted to provide the clients more information that would mean something to them about finding out the community strings and how could that weakness be leveraged against them? I think one could use that to setup a sniffer and then sniff traffic for logins, password and the like - but I am not sure that can be done - can it?

Thanks!

[HTRegz]

Originally posted here by mmkhan
how is it possible to takes a baseline of network. I think u are talking about the snapshot of the network in ideal timings.


Thanks

Hey Hey,

Take a look at the CCNP 4 curriculumn sometime.. The entire idea of the first couple chapters is that after you install a network, you establish a baseline so that you have something to compare to in the future when you run into problem.

You document things like traffic utilization, bandwidth usage, device CPU utilization, protocol distribution, traffic flows and error rates..

You do this after you first install the network and then at regular intervals throughout the life o fthe company.. Usually you'd dedicate at least a week to the monitoring..

This way when you have problems you can compare the problem area to it's original values and more easily pinpoint the problem.

peace,
HT

[TechGrunt]

Originally posted here by genXer
I also had a question along these lines. I am conducting an audit right now and found out the community string for their SNMP - but I wanted to provide the clients more information that would mean something to them about finding out the community strings and how could that weakness be leveraged against them? I think one could use that to setup a sniffer and then sniff traffic for logins, password and the like - but I am not sure that can be done - can it?

Thanks!

Hi genXer
Sniffing traffic for login information really depends upon the type of system they are using. If they are using protocols that transmit the information in clear text (rather unlikely in this day and age I would hope) it is relatively easy to do just be examining the packet data you capture. If they are using a protocol that encrypts the logon process (far more likely) it would depend upon the protocol they were using how easy it would be or if it could be done at all.

If you have managed to obtain the SNMP community strings, a far more meaningful demonstration about how the weakness could be leveraged, is to take control of a network device. If you have the read/write community strings, you can also demonstrate a modification of the device. Not wanting to push a particular vendor (there are many packages just a good or even better than this one), but I have had an experience on a network I was running at the time where a trial version of SolarWinds Network Toolset was downloaded and setup using a non-administrator account (the issue with this fact itself is obvious of course). The community strings were obtained via a tool included with the software and access to network devices was obtained. Depending upon what the scope of your audit is precisely, this could be a good demonstration of the weakness

Hope this helps

[genXer]

Hi genXer
Sniffing traffic for login information really depends upon the type of system they are using. If they are using protocols that transmit the information in clear text (rather unlikely in this day and age I would hope) it is relatively easy to do just be examining the packet data you capture. If they are using a protocol that encrypts the logon process (far more likely) it would depend upon the protocol they were using how easy it would be or if it could be done at all.

If you have managed to obtain the SNMP community strings, a far more meaningful demonstration about how the weakness could be leveraged, is to take control of a network device. If you have the read/write community strings, you can also demonstrate a modification of the device. Not wanting to push a particular vendor (there are many packages just a good or even better than this one), but I have had an experience on a network I was running at the time where a trial version of SolarWinds Network Toolset was downloaded and setup using a non-administrator account (the issue with this fact itself is obvious of course). The community strings were obtained via a tool included with the software and access to network devices was obtained. Depending upon what the scope of your audit is precisely, this could be a good demonstration of the weakness

Hope this helps

Yes - thank you - it does help. I did obtain their community string - I was tipped off by Nessus then just logged into their web management console and some quick searching yielded the strings. I explained this to another auditor and he said, playing devil's advocate - "Well, we're behind the firewall and the network is controlled - how is that an issue?" I explained what you mentioned above in addition to the possibilities of sniffing traffic - he did not think the client would think that to be a big enough issue.

Also - from the web management console, I had the ability to change the community string, recover the server and reboot the server - those things he thought the client would understand. I am just trying to better frame what the risk is to 1) not properly securing the web consoles and 2) what danger or risk there is when a community is found out or is the default of public, private, default, etc. What you posted before helps and anything other information you know of in regards to risk that you could share would be helpful as well. I am also going to hit Google after this post and get to learning myself. Thanks again.