Ethereal gateway setup

Thread: Ethereal gateway setup

  1. #1
    Junior Member
    Join Date
    Nov 2002
    Posts
    21

    Ethereal gateway setup

    Hi, I need to analyse some traffic that occurs during Windows XP machine startup and network authentication. I figured that the easiest way to do that would be to use another machine as a gateway (with 2 network cards) to sit between the machine I need to analyze and the network. I have never done anything like this though, so is there a write up about this some place? Basically, I would like no intervention from the gateway machine, so that it would be transparent (or as close to transparent as possible, so as not to change anything) to the machine I need to observe and the network environment.

    Would I just do internet connection sharing on the middle box? Or is there a better way? And is there a way to avoid the machine that I am observing from having a NAT (translated address)?

    Thanks,
    RMSe17

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Ethereal is utterly non-obtrusive... It's a passive sniffer... Put a hub in or span a switch port between the source and the ethereal machine and voila.... You have your data.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #3
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    No offence but I cannot help but wonder why networking newbies always try to use the most complicated and difficult route when the answer is in fact dead simple..

    TS is absolutely right.. Looking at your other posts about switches I recommend using a HUB.. Simplest, easiest solution that works like a charm..

    K.I.S.S. (Keep It Simple, Stupid)
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  4. #4
    Junior Member
    Join Date
    Nov 2002
    Posts
    21
    Do you mean sticking a hub in between the machine I need to analyze and the rest of the network, and then connect the ethereal box to it as well, sorta like making a T ? And that will give me everything so I don't need to put the ethereal box as a gateway?

  5. #5
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    You're _really_ new to this aren't you.....

    You are absolutely correct....

    But I have a word of warning..... In more than one case I have come across "Hubs" that have "Hub" written on them and the box but when you actually fire that sucker up it is actually a switch so you can't see anything except the broadcasts. If you aren't aware that can occur then you can waste an awful lot of time troubleshooting your install of WinPCap and Ethereal when you really don't need to.....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  6. #6
    Banned
    Join Date
    Jun 2005
    Posts
    445
    I happen to enjoy making things needlessly complicated... It keeps my housemates from being able to use my systems.

    But yeah... Use a hub.

    RMSe17:
    Code:
    Ethereal Machine ----------|
                                |
                                |-------Hub-----Network-------Internet
                                |
    Machine to be observed---|
    Just pick up a cheapass 15-20 dollar hub. Go to Wal-Mart or something.

  7. #7
    IT Specialist Ghost_25inf's Avatar
    Join Date
    Sep 2001
    Location
    Michigan
    Posts
    648
    Great post everyone. Yeah I would use a packet sniffer with a hub to see what is being transmitted across the network and so true about the hub thing. There are several different products out there that do a great job at packet sniffing so google it and try some out. What are you looking for? There may be a better tool out there to find what you are looking to see.
    S25vd2xlZGdlIGlzIHBvd2VyIQ

  8. #8
    Junior Member
    Join Date
    Nov 2002
    Posts
    21
    OK, so after trying 4 "hubs" and not getting anything but DHCP requests and IGMP V2 membership Reports.. the 5th hub sees stuff.

    Thanks to everyone,
    RMSe17

  9. #9
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    So... What did we learn?

    1. Manufacturers of hubs and switches don't know the difference between the two.
    2. Not all hubs that have hub written on them or the box are hubs.
    3. Ask your local store employee if "this hub is really a hub" and he won't know what you are talking about.
    4. Never trust hardware when you are using well tested and reviewed software.....

    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  10. #10
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    Hahah yeah, finding an actual plain HUB these days ain't always easy!
    A while ago I was on a small Caribbean island doing a managed IDS install for a client of ours and had to scramble to find two hubs (after it turned out that switches we were told would do port mirroring did not). We (colleague and I) had to do all the little computer shops on the island; conversation usually went like this:

    us- Hi, we need two 4/8 ports hubs.
    shop- Here I have these...
    us- These are switches, not hubs!
    shop- Well they're like hubs but better!
    us- But we need HUBS!
    shop- Why? Hubs are dumb!
    us- WE KNOW!! That's what we want!!!
    shop- Sorry don't have any.

    Heh...

    We finally found a place that had two *old* 8 port beige metal boxes hubs, which they sold for 50 bucks each!! Hahah lol... (we weren't the ones paying). These things must have been 10 years old!

    Oh, BTW, you shouldn't run ethereal live as a privileged user: too many security issues in the protocol dissectors.
    Capture with tcpdump/windump (tcpdump -nettts 1500 -i ethX -w somefile.pcap) as root, then analyse the pcap file by running ethereal as an unprivileged user. Ethereal might still screw you but at least it won't compromise your whole box...



    Ammo
    Credit travels up, blame travels down -- The Boss
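    Added example (my own code, not from anyone in this thread): a small Python check for the "hub that is really a switch" problem from posts #5, #8 and #9, run offline on a capture file written with `tcpdump -w` as post #10 suggests, so it needs no privileges at all. If the file contains only broadcast/multicast (DHCP discovers, IGMP reports) plus the sniffer's own frames, you are on a switch; unicast frames between two other hosts can only have been seen on a real hub. The MAC addresses and sample captures are constructed, and only the classic pcap format is handled, not pcapng.

```python
import struct
BROADCAST = b"\xff" * 6

def iter_frames(pcap_bytes):
    """Yield raw Ethernet frames from a classic libpcap blob (the format tcpdump -w writes)."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", pcap_bytes[:4])[0])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:  # DLT_EN10MB
        raise ValueError("only Ethernet captures are supported")
    off = 24
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])[2]
        yield pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def classify_capture(pcap_bytes, my_mac):
    """Count frames by destination; 'foreign_unicast' is traffic between other hosts."""
    counts = {"broadcast": 0, "multicast": 0, "own_unicast": 0, "foreign_unicast": 0}
    for frame in iter_frames(pcap_bytes):
        if len(frame) < 14:  # runt/truncated frame, no usable Ethernet header
            continue
        dst, src = frame[0:6], frame[6:12]
        if dst == BROADCAST:
            counts["broadcast"] += 1
        elif dst[0] & 0x01:  # group bit set: multicast (e.g. IGMP membership reports)
            counts["multicast"] += 1
        elif my_mac in (dst, src):
            counts["own_unicast"] += 1
        else:
            counts["foreign_unicast"] += 1
    return counts

def looks_like_real_hub(counts):
    """A switch shows only broadcast/multicast plus our own frames; foreign unicast proves a hub."""
    return counts["foreign_unicast"] > 0

def build_pcap(frames):
    """Constructed little-endian pcap for the samples below; not a real capture."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

def eth(dst, src):
    return dst + src + b"\x08\x00" + b"\x00" * 46  # IPv4 ethertype + dummy payload

# Hypothetical MACs: the sniffer, the XP box being observed, a server it talks to, a multicast group.
SNIFFER, XP_BOX, SERVER, IGMP_GROUP = (bytes.fromhex(h) for h in ("001122334455", "00aabbccddee", "00deadbeef01", "01005e000016"))
SWITCH_CAPTURE = build_pcap([eth(BROADCAST, XP_BOX), eth(IGMP_GROUP, XP_BOX)])  # broadcast + IGMP only
HUB_CAPTURE = build_pcap([eth(BROADCAST, XP_BOX), eth(SERVER, XP_BOX), eth(XP_BOX, SERVER)])
```

Run `classify_capture(open("somefile.pcap", "rb").read(), your_mac)` on a real file from the "hub" and a `foreign_unicast` count of zero after a few minutes of traffic is the giveaway the thread describes.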
