# Sniff! Sniff! Network.. View Packets.. howto?

## slurpyx

Guys, we have a somewhat huge internal network.

How can I sniff packets from it? Let's say I want to see what's going through the 10.x.x.2 computer/server.

I tried to emerge angst, but how do I use it?

----------

## keyson

*Quote:*

> Guys, we have a somewhat huge internal network..

Then I think you are using switches for the workstations. Then you can forget this.

You can only snoop traffic on level 1 (Physical), where there are connections between all computers. But when using switches you 'route' traffic by the MAC addresses. So everything that goes between the 10.x.x.2 computer/server is only going in the port from the computer and out the port to the server.

But if you are using hubs then it is OK. But this is not so common, as it gives low security against snooping and bad performance on larger networks.

----------

## ph03n1x

You can still sniff on switched networks with MAC spoofing, although it's a bit dangerous because you might break the spoofed computer's connection. And if the admin catches you he will for sure kick you in the nuts! Think of that.

----------

## slurpyx

The admin is with me on this. It's just that we want to monitor things, especially when looking at the actual traffic going through.

How do I do this? Ethereal? Does the open-source community provide a terminal-based one?

Thanks!

----------

## keyson

Yes, Ethereal is a good tool to examine network traffic.

The main site is http://www.ethereal.com/

And for a quick and brief description:

http://www.ethereal.com/docs/eug_html_chunked/ChapterIntroduction.html#ChIntroWhatIs

If you have a mixed network, this is runnable on Windows also, so you don't need to learn two programs.

Tethereal is included in Ethereal and I think it is the terminal (console) type program.

----------
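What a terminal sniffer like tethereal does per packet, as an added example that is not part of the thread or of Ethereal itself: open a raw AF_PACKET socket on the capture interface, put the NIC into promiscuous mode (frames cloned by a monitoring port carry other hosts' MAC addresses, so a non-promiscuous NIC drops them before software sees them), decode the Ethernet, optional 802.1Q, IPv4 and TCP/UDP headers, and print one summary line for each packet that involves the host of interest. It assumes Linux, root (CAP_NET_RAW), an interface name such as `eth1`, and uses 10.0.0.2 as a stand-in for the thread's 10.x.x.2; the sample frames are constructed in the script, not captured. The equivalent one-liner with the tools named in the thread is `tethereal -i eth1 host 10.x.x.2` (or `tcpdump -ni eth1 host 10.x.x.2`).

```python
"""Minimal tethereal-style packet viewer (added example, not Ethereal code).

Assumptions: Linux AF_PACKET sockets, CAP_NET_RAW, interface plugged into
the switch's monitoring port. Host 10.0.0.2 stands in for the thread's
10.x.x.2. Sample frames below are constructed, not captured.
"""
import socket
import struct

# Constants from <linux/if_packet.h>; not every Python build exports them.
SOL_PACKET = 263
PACKET_ADD_MEMBERSHIP = 1
PACKET_MR_PROMISC = 1
ETH_P_ALL = 0x0003
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def parse_frame(raw):
    """Decode Ethernet (+ optional 802.1Q tag) / IPv4 / TCP-UDP headers.

    Returns a dict of display fields, or None for non-IPv4 frames
    (ARP, IPv6, ...) and truncated input.
    """
    if len(raw) < 14:
        return None
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", raw[:14])
    offset, vlan = 14, None
    if ethertype == ETHERTYPE_VLAN:
        if len(raw) < 18:
            return None
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        vlan, offset = tci & 0x0FFF, 18      # low 12 bits of the TCI are the VID
    if ethertype != ETHERTYPE_IPV4 or len(raw) < offset + 20:
        return None
    fields = struct.unpack("!BBHHHBBH4s4s", raw[offset:offset + 20])
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = fields
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4               # header length incl. IP options
    pkt = {"vlan": vlan, "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
           "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
           "proto": PROTO_NAMES.get(proto, str(proto)), "ttl": ttl,
           "length": total_len, "sport": None, "dport": None}
    transport = raw[offset + ihl:]
    if proto in (6, 17) and len(transport) >= 4:   # TCP and UDP both start with the ports
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", transport[:4])
    return pkt


def involves_host(pkt, host):
    """True when the packet was sent by or to `host` (dotted IPv4)."""
    return pkt is not None and host in (pkt["src"], pkt["dst"])


def format_packet(pkt):
    """One summary line per packet, roughly what tethereal prints."""
    src = pkt["src"] if pkt["sport"] is None else f"{pkt['src']}:{pkt['sport']}"
    dst = pkt["dst"] if pkt["dport"] is None else f"{pkt['dst']}:{pkt['dport']}"
    tag = f"vlan {pkt['vlan']} " if pkt["vlan"] is not None else ""
    return f"{tag}{pkt['proto']} {src} -> {dst} ttl={pkt['ttl']} len={pkt['length']}"


def sniff(iface, host, count=0):
    """Print packets to/from `host` seen on `iface` until `count` matches (0 = forever)."""
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    sock.bind((iface, 0))
    # struct packet_mreq {int mr_ifindex; u16 mr_type; u16 mr_alen; u8 mr_address[8];}
    mreq = struct.pack("IHH8s", socket.if_nametoindex(iface), PACKET_MR_PROMISC, 0, b"\x00" * 8)
    sock.setsockopt(SOL_PACKET, PACKET_ADD_MEMBERSHIP, mreq)   # promiscuous mode
    seen = 0
    while count == 0 or seen < count:
        pkt = parse_frame(sock.recv(65535))
        if involves_host(pkt, host):
            print(format_packet(pkt))
            seen += 1


def build_sample_frame(src_ip, dst_ip, sport, dport, vlan=None):
    """Constructed Ethernet/IPv4/TCP SYN frame for offline testing (not a capture)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")   # dst, src MAC
    if vlan is not None:
        eth += struct.pack("!HH", ETHERTYPE_VLAN, vlan)
    return eth + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:                     # e.g.  sudo python3 sniff.py eth1 10.0.0.2
        sniff(sys.argv[1], sys.argv[2])
    else:                                      # offline demo on the constructed frames
        for frame in (build_sample_frame("10.0.0.7", "10.0.0.2", 43210, 80),
                      build_sample_frame("10.0.0.7", "10.0.0.9", 43211, 22, vlan=100)):
            pkt = parse_frame(frame)
            print(format_packet(pkt), "<- match" if involves_host(pkt, "10.0.0.2") else "")
```

Run without arguments it only decodes the two constructed frames; with an interface and a host it captures live. The host filter is applied after the kernel hands the frame up, so on a busy monitoring port a real tool's kernel-side BPF filter (what tcpdump and tethereal compile `host 10.x.x.2` into) is far cheaper than this loop.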

## kashani

Ack, no MAC spoofing! You can do that sort of thing on your home LAN, but you're going to cause some issues at work. Adding hubs into the network will work, but you're going to drop your theoretical throughput by 70-90%. Let us assume that this is your network.

```
server01                     server02
      |                          |
      --------- core-switch01 ------------ router/firewall ----------> Internet
           |                        |
     dept-switch01            dept-switch02
           |                        |
    accounting desktops       sales desktops
```

Might be a bit more complex than that, but you get the general idea. If the core switch is a manageable switch you can usually set up a monitoring port (or SPAN port if you're speaking Cisco), which has the switch clone all packets from all ports onto a single interface, or some subset of interfaces like certain VLANs, etc. You can then plug your IDS/sniffer into that port. I recommend having two interfaces on your IDS, one for management and one for inspecting packets. Plug the second interface into your monitoring port and you're pretty much set.

There are some limitations to this. In the example above you'd see traffic from the clients to the servers, the servers to each other, and any traffic going in and out of the Internet. However, you wouldn't see traffic from one accounting desktop to another. You can add monitoring ports to the other switches and add another interface to your IDS or sniffer, but it gets messy quickly. In the past I've usually moved all inter-switch connections to a single core switch and put the important servers on the same switch as well. That's usually the most efficient design for an office LAN and makes sniffing and monitoring traffic a bit easier as well.

If your core switch is not manageable, you're pretty much out of luck. I would recommend getting a real switch for the core, at the very least one that supports SNMP so you can do some graphs of network traffic with MRTG, Cacti, etc. It's handy for troubleshooting and long-term trending.

kashani

----------

## geofflevy

kashani has a good idea. If you go the SPAN route you have to remember you may lose data. Let's say you're sniffing 3 servers all working at 50 Mbps, all going to your SPAN port; your SPAN port has a capacity of, let's say, 100 Mbps. You're running 50 Mbps over your SPAN port's maximum. You will have packet loss. Just keep that in mind.

Another route to take if you don't have SPAN capabilities is implementing a bridge. Bridges are great because they work on a very low layer based on MAC addresses. Totally transparent. Basically throw 3 NICs into your machine, two for the bridge and one for management. Sniff using tcpdump or Ethereal on the bridge, maybe even Snort or snort-inline to build a NIDS or NIPS. The downside of the bridge is that if the bridge goes down you break that network segment. There are ways to make it fault tolerant using something called Spanning Tree Protocol, but that's getting expensive and more complex.

To build a bridge, follow this link:

http://bridge.sourceforge.net/howto.html

tcpdump:

http://bridge.sourceforge.net/howto.html

Snort:

www.snort.org

----------
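The SPAN-port budget check geofflevy's 3 x 50 Mbps example implies, as an added example that is not part of the thread or of any vendor's documentation: a mirror port can only transmit at its own line rate, and whatever the switch cannot forward to it is silently dropped, so the capture is incomplete without any error being reported. The script sums what a mirror session has to replay per source port and direction (mirroring both directions of one full-duplex link doubles the load, so a single busy 100 Mbps link already oversubscribes a 100 Mbps SPAN destination) and reports the minimum fraction of packets that must be lost. The port names and rates are constructed to match the thread's scenario.

```python
"""SPAN / mirror-port oversubscription check (added example, not vendor code).

A mirror destination emits at its own line rate; excess is dropped by the
switch without any indication on the sniffer. Source figures are constructed.
"""


def offered_load_mbps(sources):
    """Total traffic a mirror session must replay, in Mbps.

    `sources` is a list of (name, rx_mbps, tx_mbps, direction) with direction
    one of "rx", "tx" or "both". Mirroring "both" on a full-duplex link adds
    ingress and egress, so one 100 Mbps link can offer up to 200 Mbps.
    """
    total = 0.0
    for name, rx, tx, direction in sources:
        if direction == "both":
            total += rx + tx
        elif direction == "rx":
            total += rx
        elif direction == "tx":
            total += tx
        else:
            raise ValueError(f"{name}: unknown direction {direction!r}")
    return total


def span_budget(sources, dest_mbps):
    """Return (offered_mbps, ratio, min_drop_fraction) for a mirror destination.

    min_drop_fraction is the share of mirrored traffic that cannot fit on the
    destination port at all; real loss is higher because bursts exceed the
    average even when the ratio is below 1.
    """
    offered = offered_load_mbps(sources)
    ratio = offered / dest_mbps
    drop = max(0.0, 1.0 - dest_mbps / offered) if offered else 0.0
    return offered, ratio, drop


def report(sources, dest_mbps):
    """Human-readable verdict for one mirror session."""
    offered, ratio, drop = span_budget(sources, dest_mbps)
    verdict = "OK" if ratio <= 1 else f"OVERSUBSCRIBED, at least {drop:.0%} of packets lost"
    return f"offered {offered:.0f} Mbps into {dest_mbps} Mbps mirror port ({ratio:.2f}x): {verdict}"


if __name__ == "__main__":
    # The thread's scenario: three servers at 50 Mbps into a 100 Mbps SPAN port.
    three_servers = [("server01", 50, 0, "rx"), ("server02", 50, 0, "rx"), ("server03", 50, 0, "rx")]
    print(report(three_servers, 100))
    # One saturated full-duplex 100 Mbps uplink mirrored in both directions.
    print(report([("uplink", 100, 100, "both")], 100))
    # The same uplink into a gigabit mirror port is fine.
    print(report([("uplink", 100, 100, "both")], 1000))
```

The usual fixes follow from the numbers: mirror only the direction you need, mirror a VLAN or a few ports rather than the whole switch, or give the sniffer a destination port faster than the sum of what it watches.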

