Packet Sniffing in a Switched Enviroment 1

[Bedpan]

Hopefully a quick question...

How does one go about packet sniffing in a Switched enviroment? I suspect that you would need something on the switch for this to happen however I am not sure what this would be. Or is there a way from a desktop to do this?

Cheers,

Mike

 

[jimbopalmer]

many high end switches allow all traffic on one port to be mirrored to another port so it can be logged or sniffed, different manufacturers call it different things, Nortel calls it port mirroring

I tried to remain child-like, all I acheived was childish.

 

[ElijahBaley]

Just out of curiosity, can you have all ports mirrored to a 'monitored' port or is it 1-2-1?

THX



..EB (Plainclothesman)

 

[jimbopalmer]

On a Nortel 450 there are several modes but they are all one to one (addresses are MAC addresses)
Monitor all traffic received by Port X
Monitor all traffic transmitted by Port X
Monitor all traffic received and transmitted by Port X
Monitor all traffic received by Port X or transmitted by port Y
Monitor all traffic received by Port X destined for port Y
Monitor all traffic received/transmitted by Port X and received/transmitted by port Y
Monitor all traffic transmitted by Address A
Monitor all traffic received by Address A
Monitor all traffic received or transmitted by Address A
Monitor all traffic transmitted by Address A to Address B
Monitor all traffic between Address A and Address B

My first thought was all ports mirrored is a hub, but I am told some cisco switches have such a mode, that drops traffic when it exceeds what can be sent down one port.

I tried to remain child-like, all I acheived was childish.

 

[Bedpan]

many thanks jimbo... Will have to see what my Dlink supports.

Cheers,

Mike

 

[Serbtastic]

What Dlink switch do you have? You have to go to a pretty high end (read expen$ive) switch to get the port spanning feature.

 

[sdeakin]

If your switch does not support mirroring or spanning there may be other options - on inexpensive switches I use a suite of tools called 'dsniff'. These allow you to poison or flood the arp cache of the switch, so it acts like a hub or forwards traffic to your machine. It it likely to impact the performance of the switch, so use it wisely.

http://www.monkey.org/~dugsong/dsniff/

Scott

 

[johnny99]

I agree with everything written about mirror of all traffic to a mirror port. This works fine in the beginning.

Our coreswitch is a Extreme Networks BlackDiamond, and it supports mirror of all traffic to a port.

A problem I have (or to be correct, made me stop to try to do it) is that we have around 60 1Gb/s ports (and 40 100 Mb/s) on our core switch. I could put a 10Gb/s ethernet port in the switch, but where can you buy a monitor that can handle 10 Gb/s traffic? And if someone can make it, it will be custom made and the price will almost look like the total price of the Apollo project.

So what we do is basicly one time every 3 month make a sample of all traffic over a 30 min period and use that for stats.