RE: [Nolug] Packet sniffing on switched network

From: Robert Cochran <rcochran_at_archdiocese-no.org>
Date: Fri, 1 Feb 2008 13:16:27 -0600
Message-ID: <002601c86506$f1aa7b30$d4ff7190$@org>

You could also throw a hub between the switch and PIX and capture that
way. Hubs are a sniffer's friend :)

-----Original Message-----
From: owner-nolug@covington.redfishnetworks.com
[mailto:owner-nolug@covington.redfishnetworks.com] On Behalf Of Dennis Bourn
Sent: Friday, February 01, 2008 11:17 AM
To: nolug@nolug.org
Subject: Re: [Nolug] Packet sniffing on switched network

Dsniff can use ARP poisoning to sniff the gateway on a switched LAN,
but I wouldn't use it on a production network.

Next in line would be an OpenBSD box set up as a bridge, similar to this
setup: http://www.openlysecure.org/openbsd/how-to/invisible_firewall.html

But don't worry about the firewalling; you'll just use it to sniff
either interface. I made one on a WRAP a while back, which worked fine
on our cable modem.

Chris Jones wrote:
> I have a client whose internet is running very slowly. I suspect that
> there's a lot of traffic coming from somewhere, so I need to sniff the
> traffic to figure out where it's coming/going. Problem is, this is a
> switched network.
>
> The network is a fairly typical setup, going like this:
> internet -> dsl modem -> cisco pix -> linksys switch -> LAN
>
> I can't find a way to get this Linksys to go promiscuous, so I'm
> thinking maybe I could set up some kind of machine with two NICs, and
> have it forward all traffic from one NIC to the other, and have the
> machine just analyze all traffic as it passes through. Not sure if
> that's the best route, or maybe one of you guys has run across a
> better option? If that is the best way to go, does anyone know of a
> good free product to do this? Or maybe I can somehow use SNMP to pull
> this info out of the PIX? Any suggestions?

___________________
Nolug mailing list
nolug@nolug.org

Received on 02/01/08

This archive was generated by hypermail 2.2.0 : 12/19/08 EST