#1
sniffers-prom-lucient
here is a question...
I'm running Ethereal with WinPcap installed and I'm trying to view traffic on a switch. I'm using this http://www.phenoelit.de/arpoc/ to intercept packets... but when I run it all that happens is that the network seems to come to a crawl... and the only packets I can see are the packets that the WCI program is sending out... It's on my own switch.. and I have configured the routes.txt

#3
name resolution on?
I had the same problems with just a LAN and Linksys router to cable modem. I figured out turning off Network Name Resolution fixes this. Probably when a packet is sent the program does a reverse DNS on the IP, causing you to hit your Internet DNS server hundreds of times, hence bringing the network to a crawl. Hope this helps.

#4
ARP flooding...
That attack FLOODS the switch with ARP packets. I'm not sure how the whole thing works but in the end ALL of the packets apparently ROUTE through the attacking machine. That in itself would certainly slow traffic as your machine is NOT going to be as good at switching packets as the dedicated hardware. Plus you've flooded the network with traffic causing the switch to fail in an unnatural way! This is "not cool". Some switches will fail into a HUB type mode as well and allow sniffing. Basically you're attacking the network and flooding it with unnecessary packets. The multiple DNS requests for each new host your sniffer sees will also allow that interface to be easily found by simply pumping a few fake hosts out there to see which interface queries the DNS server for them. You might want to be careful about doing that sort of thing as it's NOT something any network administrator is likely to find as benign....
Oh, packet sniffing on WIN2K is pretty easy. Look up Ethereal - they have a WIN32 version and the instructions will tell you where to go in order to find the packet sniffing library that's needed to go promiscuous on NT. Note that on a switch, without the monkey business you've already been trying, you will NOT see any packets but those destined for YOU. That's part of how a switch saves bandwidth and supposedly promotes security (cough)...
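
The check post #4 describes for locating a sniffer that does reverse lookups, written out as an added example that is not part of any post in this thread. The log format, the decoy addresses and the function names are assumptions made for the illustration, and all sample data is constructed.

```python
# Added example: find hosts that reverse-resolve decoy addresses.
# Decoy IPs, log format and sample lines are constructed for illustration.
import ipaddress
from collections import defaultdict

# Addresses no real host uses; only the defender emits frames "from" them.
DECOYS = {"10.0.0.201", "10.0.0.202", "10.0.0.203"}

# Assumed DNS query log format: "<time> <client-ip> <qtype> <qname>"
SAMPLE_LOG = """\
12:00:01 10.0.0.15 A www.example.com
12:00:02 10.0.0.23 PTR 201.0.0.10.in-addr.arpa
12:00:02 10.0.0.23 PTR 202.0.0.10.in-addr.arpa
12:00:03 10.0.0.15 PTR 8.0.0.10.in-addr.arpa
12:00:04 10.0.0.23 PTR 203.0.0.10.in-addr.arpa
12:00:05 10.0.0.31 PTR 202.0.0.10.in-addr.arpa
malformed line
"""

def ptr_to_ip(qname):
    """'201.0.0.10.in-addr.arpa' -> '10.0.0.201'; None if not an IPv4 PTR name."""
    name = qname.rstrip(".").lower()
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    labels = name[:-len(suffix)].split(".")
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(labels))))
    except ipaddress.AddressValueError:
        return None

def resolvers_of_decoys(log_text, decoys=DECOYS, min_hits=2):
    """Map client IP -> decoys it looked up, for clients with >= min_hits decoys.

    A single hit can be coincidence; several distinct decoys from one client
    means something on that interface is resolving every address it sees.
    """
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2].upper() != "PTR":
            continue  # skip malformed lines and non-reverse queries
        ip = ptr_to_ip(parts[3])
        if ip in decoys:
            seen[parts[1]].add(ip)
    return {c: sorted(d) for c, d in seen.items() if len(d) >= min_hits}

if __name__ == "__main__":
    for client, hits in resolvers_of_decoys(SAMPLE_LOG).items():
        print(f"{client} resolved decoy addresses: {hits}")
```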

#6
Well here is more info I forgot to put in
I am using WinPcap. And I do have Ethereal set to turn off DNS reverse lookups. I also start the Ethereal capture. Then I run WCI. During the capture I can see packets but only from my own machine. Does WinPcap put the NIC card into promiscuous mode? I thought that is what WinPcap was for? I'm using a 3Com 8 port 10/100 full duplex switch office connect, linked via uplink port to a ugate maxgate 3000 dsl router

#7
Switch = Per Port Isolation
On a switch, you shouldn't expect to only see the following types of traffic:
- Packets from your computer
- Packets to your computer
- Broadcast packets (typically network maintenance type stuff in there)

You won't see any of the routine traffic of any other device on any other port (unless your machine is having a conversation directly with a device on another port). That's the nature of a switch.

-Toomer

#8
Put switch port in "monitor" mode
Most switches support a "monitor" mode that allows all traffic (or traffic from specific ports) to be sent to a specific port for sniffing. So, essentially, this particular port becomes like a hub port.
If your switch has a management interface you can usually turn this feature on.

Charlie
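
The per-port behaviour from post #7 and the "monitor" port from post #8, modelled as an added example that is not part of any post in this thread. It is a toy learning switch, not any vendor's implementation; the class, the `mirror_port` parameter and the MAC addresses are constructed for the illustration.

```python
# Added example: toy model of a learning switch with an optional monitor port.
# Not a vendor implementation; names and addresses are constructed.
BROADCAST = "ff:ff:ff:ff:ff:ff"

class LearningSwitch:
    def __init__(self, ports, mirror_port=None):
        self.ports = set(ports)
        self.mirror_port = mirror_port   # hypothetical monitor port, None = off
        self.mac_table = {}              # learned source MAC -> port

    def receive(self, in_port, src, dst):
        """Return the set of ports this frame is sent out of."""
        self.mac_table[src] = in_port            # learn where the sender lives
        if dst == BROADCAST or dst not in self.mac_table:
            out = self.ports - {in_port}         # broadcast / not yet learned
        elif self.mac_table[dst] == in_port:
            out = set()                          # destination is on the same port
        else:
            out = {self.mac_table[dst]}          # known unicast: one port only
        if self.mirror_port is not None and self.mirror_port != in_port:
            out.add(self.mirror_port)            # copy for the capture station
        return out

def ports_seeing(switch, frames, port):
    """Replay (in_port, src, dst) frames; return the (src, dst) delivered to port."""
    return [(s, d) for p, s, d in frames if port in switch.receive(p, s, d)]

# Constructed traffic: host A on port 1, host B on port 2, capture station S on port 3.
A, B, S = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c"
FRAMES = [
    (1, A, BROADCAST),   # A broadcasts (e.g. an ARP request)
    (2, B, A),           # B answers A
    (1, A, B),           # A <-> B conversation
    (2, B, A),
    (3, S, A),           # S talks to A
    (1, A, S),           # A answers S
]

def capture_on_port3(mirror):
    sw = LearningSwitch([1, 2, 3], mirror_port=3 if mirror else None)
    return ports_seeing(sw, FRAMES, 3)

if __name__ == "__main__":
    print("plain switch :", capture_on_port3(False))
    print("monitor port :", capture_on_port3(True))
```

Without the monitor port, the capture station receives only the broadcast and the reply addressed to it; with it, the A/B conversation is delivered as well.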

#10
may be more than that
It's been discussed in other threads but... The card you've got may NOT be capable of going fully promiscuous (sp?). Depending on what you read it's either a firmware issue or a driver issue. I'm not sure I've seen a post yet from someone with a LUCENT card who's been able to sniff more than their own traffic. If they did I believe they were using an older version of the firmware than what's currently available on the WEB site. I've heard that older versions enabled this ability but any time I've been given revision numbers or dates for the code it's been older than what I've found for download out there.
IF someone has the older code, and I know someone must, for the Lucent Gold cards please send it to me and I'll mirror it on my site for download. Um, after I confirm it works for this purpose though :-)

In short - it may not be (just) the switch that's causing problems but it may (also) be your card. Wireless vendors don't want you sniffing. The Prism based cards CAN be used for this but NOT in Windows since the drivers apparently prevent it. In Linux the ability has been restored with patches that are available. That means two cards and two OS unless a firmware revision that works for the Lucent can be found...