Re: [Nolug] Packet sniffing on switched network

From: Shannon Roddy <sroddy_at_gmail.com>
Date: Fri, 1 Feb 2008 13:14:02 -0600
Message-ID: <8d48b6ba0802011114l45df96ebobe19516e13970629@mail.gmail.com>

On Feb 1, 2008 11:01 AM, Chris Jones <techmaster@gmail.com> wrote:
> I have a client whose internet is running very slowly. I suspect that
> there's a lot of traffic coming from somewhere, so I need to sniff the
> traffic to figure out where it's coming/going. Problem is, this is a
> switched network.
>
> The network is a fairly typical setup, going like this:
> internet -> dsl modem -> cisco pix -> linksys switch -> LAN

I don't remember, but PIX may be able to do a monitor port. Is the
linksys 100% unmanaged?

If you follow the advice from others about "cheap hubs" just make sure
what you get is *really* a hub and not an inexpensive switch.

Other than that, I see two solutions, as others have suggested.

   - linux/*BSD box acting as a bridge with Wireshark (FKA Ethereal)
     inline between the PIX and the linksys switch. Privacy concerns exist
     here depending on the environment you are doing this in.
   - you can also arp poison the network specifically for the default
     gateway address, but as others said, not best on production networks
     unless you have no alternative or your intentions are nasty. ;-)

My $DAYJOB requires me to do lots of this stuff, so if you have
further questions feel free.

-Shannon

>
> I can't find a way to get this linksys to go promiscuous, so I'm thinking
> maybe I could set up some kind of machine with two NICs, and have it
> forward all traffic from one nic to the other, and have the machine just
> analyze all traffic as it passes through. Not sure if that's the best
> route, or maybe one of you guys have run across a better option? If that is
> the best way to go, does anyone know of a good free product to do this? Or
> maybe I can somehow use SNMP to pull this info out of the pix? Any
> suggestions?
___________________
Nolug mailing list
nolug@nolug.org
Received on 02/01/08
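The inline-bridge option from Shannon's first bullet, as an added example that is not part of the original thread: a shell script that turns a Linux box with two NICs into an address-less layer-2 bridge between the PIX and the switch, captures on it with tcpdump, and summarises which hosts are moving the most bytes. Interface names (eth0/eth1/br0), the snaplen, and the sample capture lines are assumptions or constructed; the bridge and capture functions need root, iproute2 and tcpdump.

```shell
#!/bin/sh
# Added example, not from the mailing list. Interface names are assumptions.
set -eu

WAN_IF="${WAN_IF:-eth0}"   # assumed: cable toward the PIX
LAN_IF="${LAN_IF:-eth1}"   # assumed: cable toward the Linksys switch
BR_IF="${BR_IF:-br0}"      # assumed bridge name

# Layer-2 bridge with no IP address of its own: the capture box forwards
# frames between the two ports and is not itself a host on the LAN.
make_bridge() {
    ip link add name "$BR_IF" type bridge
    ip link set "$WAN_IF" master "$BR_IF"
    ip link set "$LAN_IF" master "$BR_IF"
    ip link set "$WAN_IF" up
    ip link set "$LAN_IF" up
    ip link set "$BR_IF" up
}

# Capture on the bridge. -nn avoids name lookups (which would add DNS traffic
# to the link being measured); a small snaplen keeps headers only, which limits
# how much payload ends up on disk given the privacy concern above.
capture() {
    tcpdump -i "$BR_IF" -nn -s "${SNAPLEN:-128}" -w "${1:-capture.pcap}"
}

# Sum bytes per source IP from `tcpdump -r capture.pcap -nn -q` text output
# and print the top N talkers. Lines look like:
#   13:14:02.000001 IP 192.168.1.23.49152 > 10.0.0.5.80: tcp 1460
top_talkers() {
    n="${1:-5}"
    awk '$2 == "IP" {
            split($3, a, ".")
            src = a[1] "." a[2] "." a[3] "." a[4]   # strip the port suffix
            bytes[src] += $NF                       # last field is the length
        }
        END { for (s in bytes) printf "%s %d\n", s, bytes[s] }' \
    | sort -k2 -nr | head -n "$n"
}

# Constructed sample lines standing in for real tcpdump -q output.
SAMPLE_LINES='13:14:02.000001 IP 192.168.1.23.49152 > 10.0.0.5.80: tcp 1460
13:14:02.000002 IP 192.168.1.23.49152 > 10.0.0.5.80: tcp 1460
13:14:02.000003 IP 192.168.1.50.53 > 192.168.1.23.40000: UDP, length 120
13:14:02.000004 IP 192.168.1.7.3128 > 192.168.1.23.40001: tcp 100'

# Usage on the real box: make_bridge; capture traffic.pcap; then later
#   tcpdump -r traffic.pcap -nn -q | top_talkers 10
```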

This archive was generated by hypermail 2.2.0 : 12/19/08 EST