Tek-Tips is the largest IT community on the Internet today!


FTP / HTTP Sniffing Help Needed!

Status
Not open for further replies.

suburbia4200

Programmer
Mar 1, 2003
4
CA
Hey all, I have a need to know mainly all of the FTP traffic coming in to my network, as well as the HTTP traffic coming into the network, which will be minimal, yet still needed to be sniffed and recorded. I purchased a copy of Sniffer Pro and have worked with the program for a few days now, although I am unsure if I am ready to do this right or not yet.

I'm not sure if you are familiar with Sniffer Pro, although it comes with default settings, which I have left intact. At this point, I have started the software and instructed it to "Start Sniffing", have done some work on the network and checked to see that it had been actually sniffing, although I have not been able to do an FTP login from outside of the network yet; I have the internet coming in through a router, and then shared from there, I will be port forwarding both port 21 and 80 to the system we need to record all incoming traffic for (logins, dir listings, file creation, overwrites, etc).

An important FTP session is to commence Monday evening, at which time our network will be completely silent (computers disconnected from the network) while this FTP session is in place, so as not to create unnecessary packets. Please let me know if I have set this "sniffing system" up correctly, and if how it is currently set up will sniff all FTP & HTTP packets needed.
 
The default for sniffer is to catch everything. But you are more than likely on a switched network? If so, then you have to be on a mirror/spanned port that can see the FTP target/destination, between the firewall/router to the internet, or on a hub inserted into the link between the FTP source/destination and the switch port. The issue is that without any of the above, you will see only traffic destined for your switch port and broadcast traffic.

MikeS
Find me at
"Take advantage of the enemy's unreadiness, make your way by unexpected routes, and attack unguarded spots."
Sun Tzu
 
I am new to the "networking world" a bit, which way would be easier to setup so that I can sniff traffic, if all I'm going to get is broadcast traffic as it stands now? If I put a hub between the router and the server that is being ftp'd into, will the hub mess up IP addressing? Thanks guys,
 
No, it will not mess up the IP address. IP is layer three and hub is layer two. First you need to determine if you are on a hub or switch. Then you need to determine where and why you want to capture the traffic. Are you just verifying the ftp traffic? Are you looking for something else?

If you are on a switch, then is it a switch that can be mirrored? If you can, then you should mirror the traffic from the uplink or the server to the port with the sniffer on it.

Let's leave it at that right now and get back to me.

 
Whoheard, the switch I am using is a "Netopia R910N", connected directly to FTP unit, I am not sure if I can do port mirroring on this switch, let me know if you know; Do you think I could simply put a hub in between switch and FTP unit, and then connect sniffing PC to the same hub? Thanks in advance, Nick
 
Hi Nick,
Not sure about your switch - see your switch documentation.

The only disadvantage of sometimes putting a hub between your switch and router, or between any 2 devices, is that as hubs can only transmit half duplex traffic, this may change the connection from full duplex to half duplex.
This said, you shouldn't have any issues with putting a hub in-line, as this very rarely has a major impact on a point-to-point connection. Most old routers are half duplex anyway, even some of the older Cisco versions.
Alf


 
OK, I successfully logged all http and ftp traffic by setting up filters for both, I created 2 log files from 2 different FTP sessions, I looked through them and could make out login details and RETR filenames, I mainly need to be able to know the data being written to files on the ftp server, by going through this packet log; could anyone out there be of assistance to a bit of a newbie on this? thanks in advance all!

- Suburbia
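An added example, not part of any poster's reply: one way to find which packets carry the file contents is to read the FTP control channel (port 21) and pair each transfer command with the data-channel address announced just before it by `PORT` (active mode) or the `227` reply to `PASV` (passive mode). The sample lines, names and addresses below are constructed for illustration.

```python
import re

# Constructed sample of control-channel lines from a followed TCP stream.
# "C" = sent by the client, "S" = sent by the server.
SAMPLE = [
    ("C", "USER demo"),
    ("S", "331 Password required"),
    ("C", "PORT 192,0,2,10,19,137"),
    ("S", "200 PORT command successful"),
    ("C", "STOR report.txt"),
    ("S", "150 Opening data connection"),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (198,51,100,5,195,80)"),
    ("C", "RETR notes.txt"),
    ("S", "226 Transfer complete"),
]

HOSTPORT = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
TRANSFER = {"STOR": "upload", "APPE": "upload", "STOU": "upload",
            "RETR": "download", "LIST": "listing", "NLST": "listing"}

def parse_hostport(text):
    """Decode h1,h2,h3,h4,p1,p2 into (ip, port), where port = p1*256 + p2."""
    m = HOSTPORT.search(text)
    if not m:
        return None
    n = [int(x) for x in m.groups()]
    if any(v > 255 for v in n):
        return None  # malformed octet, do not guess an endpoint
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]

def map_transfers(lines):
    """Pair each transfer command with the data endpoint announced before it."""
    endpoint, mode, out = None, None, []
    for side, line in lines:
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if side == "C" and verb == "PORT":
            endpoint, mode = parse_hostport(arg), "active"
        elif side == "S" and verb == "227":
            endpoint, mode = parse_hostport(arg), "passive"
        elif side == "C" and verb in TRANSFER:
            out.append({"kind": TRANSFER[verb], "name": arg.strip(),
                        "mode": mode, "endpoint": endpoint})
            endpoint, mode = None, None  # clients normally announce a new one
    return out
```

Filtering the capture on the returned IP and port isolates the separate TCP connection whose payload is the file data; `STOR` entries are the uploads written to the server.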
 
I've just put an FTP presentation together for my user group meeting. You can get it in my presentation section. Enjoy

'Making things work better; bit by bit.'
 