
Sniffer and portable minihubs 2


karkclent

MIS
Jan 8, 2001
28
US
Hi all,

Hopefully someone can make sense of this. I was attempting to sniff a network issue on my LAN. I have a Linksys NH1005V2 that I wanted to use so I could plug my laptop running Sniffer in-line with the PC workstation that I wanted to capture packets from.

I plugged my Sniffer laptop into port 1, I plugged the PC workstation into port 2. I plugged the cable that originally plugged into the workstation into the 'Uplink' port. With this configuration, I was able to access all network services normally from both machines, i.e. browse the Internet, Network Neighborhood, printing, etc.

My dilemma is this: my Sniffer only sees BROADCAST traffic. I expected to see all packets coming to and from the PC workstation, since this IS a hub. I've tried manually setting the port speed on each PC to 100Mb or 10Mb Half-Duplex (per techsupport's recommendation), but the results are the same. I was able to sniff and see all packets when I swapped out the Linksys hub for a heftier, bulkier 3com hub, but obviously I'd like to opt for something more compact when I'm out and about.

If this is a case of a vendor not sticking to the IEEE802.3 spec, can anyone recommend any portable, compact minihubs for on the go Sniffer troubleshooting like this?

TIA,
kc
 
kc -

You've run into one of the more frustrating parts of switches and hubs in the retail/consumer market. It seems that some manufacturers' marketing departments have decided that it would be easiest not to confuse the consumer by calling their equipment a 'switch.' Instead, they chose to call it a 'hub' and put switch guts inside to make it easier on the manufacturing process.

The answer to your problem is to keep purchasing 'hubs' until you find one that works (make sure you purchase your 'hub' at a location that allows for returns!).

I've used both the Linksys Etherfast 10/100 5-port Workgroup Hub (EFAH05W) and the Netgear 4 port 10/100 Mbps Dual Speed Hub (DS104). Both of these work great as a 10/100 half-duplex tap for my Sniffer Portable and Sniffer Distributed systems.

Don't trust that my hub models have the same electronics as today's models of the same name, but this should give you a place to start. Good luck!
 
I throw my vote behind the Netgear.. mine has been bounced and tossed around without regard to its personal safety and has not missed a beat.

I *have had* a few linksys units die.. once, it was 3 in a row but that was months ago and hopefully it was a *blip*.


MikeS
Find me at
"Take advantage of the enemy's unreadiness, make your way by unexpected routes, and attack unguarded spots."
Sun Tzu
 
Thanks a lot guys. I will return this Linksys and get the Netgear.

Just for giggles, I had an interesting conversation with Linksys Tech Support regarding this. After a lengthy discussion with the support rep (and much hemming and hawing about "are all the PCs powered on, and the Link LEDs are on?"), she came to the ultimate conclusion:

Support Rep: "Sir, you have to contact Technical Support for this Sniffer software, and check to see that it supports Linksys devices."

I politely replied that this could not be the case and that my Sniffer software was non-problematic with other devices.

I asked "Is there a Network Engineer or Hardware Engineer that I could speak with?"

The reply: "Sir, I handle those issues as well." :)

Cheers :)
- kc
 
Another example of you get what you pay for.. if you are lucky ;) You will be much happier with the Netgear. There is another *clone* called *Hawk* which the local Fry's was hawking (hehehe).. they worked fine at 10 half.. I don't know how well they worked with 100Mbps.. but at 15 bucks, the price was right.

MikeS
Find me at
"Take advantage of the enemy's unreadiness, make your way by unexpected routes, and attack unguarded spots."
Sun Tzu
 
kc,

This is unbelievable if true. I've gone to great pains to find a hub for exactly the reason you mention. That is why I've standardized on the same model you did - the Linksys NH1005, V2. This is the only hub I've been able to find at the local stores like Fry's that is a 10/100 hub as opposed to a 10 Mb only. I must admit, I don't do a lot of Sniffing myself, I mostly look at tracefiles - post capture. It's entirely possible you're right.

I have a very bad feeling about this.

Chris
 
Chris,

I have the same pains, which is why I'm going with the Netgear. I have wasted too much time twiddling with settings on my laptop, thinking the fault was with my hardware. Just goes to show, a hub isn't necessarily a hub when it comes to Marketing folks and their perception of the "low-end", SOHO buyer. Can someone please give them a primer on the OSI model??? ;)

BTW, I saw the cheaper 10Mb Hawking Technologies hub for about $15 at Fry's too. But I need the 100Mb for my LAN, so looks like I'll have to fork over the $40-$50 for the Netgear.

-kc
 
cpete... it's very true.. one of them, I *think* it's the Linksys, is the SAME hardware if you look at the 10/100 "hub" vs the 10/100 "switch"; the only difference is the firmware on the hub doesn't support the SNMP calls for monitoring. Laura Chappell had some stories about this very thing in her Cybercrime classes. And it was Linksys that gave her headaches.

I find the cheapo hubs to be very useful around the lab for extending lines, making up quick networks and so on. I have a couple of them here for this. And they are QUIETER than the 2900s with their fans zinging away.

MikeS
Find me at
"Take advantage of the enemy's unreadiness, make your way by unexpected routes, and attack unguarded spots."
Sun Tzu
 
Hi chaps,

This tip is a little more expensive but allows you much greater flexibility.

A copper tap will cost you around £500 but will allow you to monitor both full and half duplex links.

Traditionally with Sniffer you had to buy a full duplex pod to do full duplex Ethernet; now Sniffer can do it with 2 network cards.

Other advantages are:

- Physical layer errors are not filtered out (if your NIC will allow you to see them)
- Link does not go down if the power is cut to the tap
- Half and full duplex supported.

I prefer Net Optics taps.

Cheers,


Steve.
 
I'm mad at Linksys!

I just got a new Linksys EFAH05W ver 3 and it is NOT A HUB. It is a stinking switch. Do not get a Linksys if you need a HUB.

Patrick
 
NetGear rocks when it comes to a hub for capturing packets! Their DS (Dual Speed) models have been great for doing packet captures. The only thing is you have to make sure that you are at the same speed as the devices sending the packets.

On another note with those hubs, they run on 5 volts DC. I have thought about pulling that 5 volts off of one of the disk drive connectors so that I can have an integrated hub and capture device. I am currently using one of these e-Cube computers. Small form factor, with a handle on the top. Works great!

Mike
 
Hello all. I want to implement a sniffer on our network that consists of 8 3Com switches, connected via a cisco 2500 router to frame relay. I want to see the traffic coming to and from the router. The way I see it is I can take a 10/100 MBps Hub (I have a Netgear DS104) and connect to it one cable from one of the switches (right now it goes to the router) a cable from the router and a connection from a workstation that will have a sniffer software running on it.
Has anyone ever attempted such a scheme and are there any problems with this setup?

 
The primary issues:

- Is the Netgear a true shared media hub or is it a switch that is labeled as a mini-hub? Just make sure it's a hub.

- Is the link half duplex or full duplex? If it's half duplex there should be no problem. If it's full duplex you'll need to get a 10/100 copper full duplex tap that goes inline.

If you use the full duplex tap you'll need either a full duplex analyzer (two monitor cards that both receive and analyzer software that binds together the results). If you have a standard half duplex monitor card the most effective way to bind the two sides of the conversation together (full duplex taps have two outputs - one for each side of the conversation) is to get a cheap used workgroup switch (e.g. Cisco 2924). Connect the two tap outputs, set up a SPAN session with those as the source and connect your analyzer to the destination port.

Owen O'Neill
Datacom Systems Inc.
Northeastern SE
 
Thanks for the comments. I am certain that the Netgear is a hub and not a switch.
But I am not sure which link has to be half-duplex, is it the one going to the router?

 
I use the Netgear DS series of products since I find that they are true dual media hubs.

'Making things work better; bit by bit.'
 
Your described setup will work with the 3Com switch to router connection but ONLY if the switch to router connection is half duplex. If it's full duplex you can't use the hub because it's a shared media hub. If you use a minihub that is actually really a switch, as so many of them are, AND you have a full duplex connection from router to the 3Com switch (which is typical due to bandwidth requirements) you could connect the devices in the manner you describe but there's a problem: all the workstation running the Sniffer software will see is broadcast traffic or multicast traffic that includes that switch as a part of the multicast group. It's inherent in full duplex that only two parties participate in the conversation - it doesn't work on a shared media hub.

If you could pick up a cheap used workgroup switch with a SPAN port capability (I think a Cisco 2924 might work), you can connect the devices through the Cisco switch and SPAN those ports to the port connected to the Sniffer. The only real shortcoming of that method is that Layer 1 and Layer 2 errors are not visible and you can't see 802.1Q trunking information (VLAN tags). The only way to see that is with a tap.

Owen O'Neill
Datacom Systems Inc.
Northeastern SE
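
Added example, not part of any post in this thread: a Python check for the symptom discussed above, where a "hub" that is really a switch delivers only broadcast, multicast and the analyzer's own unicast frames. The MAC addresses, sample frames and the `min_frames`/`min_ratio` thresholds are constructed assumptions; a ratio is used rather than a zero count because a real switch floods unicast frames for destinations it has not yet learned.

```python
from collections import Counter

BROADCAST = b"\xff" * 6

def mac(text: str) -> bytes:
    """Convert 'aa:bb:cc:dd:ee:ff' to 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))

def classify(frame: bytes, own: bytes) -> str:
    """Label one captured Ethernet frame by its destination/source MAC."""
    if len(frame) < 14:
        return "runt"                      # too short for an Ethernet header
    dst, src = frame[0:6], frame[6:12]
    if src == own:
        return "own_tx"                    # our own transmissions prove nothing
    if dst == BROADCAST:
        return "broadcast"
    if dst[0] & 0x01:
        return "multicast"                 # I/G bit set in the first octet
    return "own_unicast" if dst == own else "foreign_unicast"

def tap_verdict(frames, own: bytes, min_frames=20, min_ratio=0.2):
    """Return (verdict, counts) for a capture taken on the analyzer port.

    'hub' means other stations' unicast traffic is visible; 'switch' means
    it is filtered. Thresholds are illustrative assumptions, not a standard.
    """
    counts = Counter(classify(f, own) for f in frames)
    received = sum(counts.values()) - counts["own_tx"] - counts["runt"]
    if received < min_frames:
        return "inconclusive", counts
    ratio = counts["foreign_unicast"] / received
    return ("hub" if ratio >= min_ratio else "switch"), counts

def build(dst: str, src: str) -> bytes:
    """Constructed sample frame: MAC header, IPv4 ethertype, zero padding."""
    return mac(dst) + mac(src) + b"\x08\x00" + bytes(46)

# Constructed addresses: analyzer laptop, monitored PC, gateway.
OWN, PC, GW = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"
background = ([build("ff:ff:ff:ff:ff:ff", PC)] * 15 + [build("01:00:5e:00:00:fb", PC)] * 5
              + [build(OWN, GW)] * 3 + [build(GW, OWN)] * 4)
SWITCH_CAPTURE = background                                   # what kc saw
HUB_CAPTURE = background + [build(GW, PC), build(PC, GW)] * 15  # true shared media

if __name__ == "__main__":
    for name, cap in (("switch-like", SWITCH_CAPTURE), ("hub-like", HUB_CAPTURE)):
        verdict, counts = tap_verdict(cap, mac(OWN))
        print(name, verdict, dict(counts))
```

Run it against frames exported from a capture taken while the monitored PC is actively talking to another host; an idle link gives an inconclusive or misleading result.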
 