Using a sniffer with a Switch

Status
Not open for further replies.

egolds

MIS
Aug 29, 2001
105
US
I have a problem on my network: some application/virus/etc. is creating thousands of connections through my firewall, maxing out the connections and dropping any additional connections. I have about 30 computers that are set up with the firewall as their gateway.

I need to try and find out where all the connections are coming from, so I know a sniffer would do the job, except all the computers, with the exception of a small few, are connected to switches. As I understand it you cannot set up a sniffer on a switched network since the packets will flow directly from the client to the firewall.

This said, what are the options available to figure out where these connections are coming from?

Thanks in advance.
 
Hi, I'm not so expert but I think you can try 2 ways:
Don't connect the firewall directly to the switch but put a hub between them. So you can have your PCs connected to the switch, the switch connected to the hub and the hub to the firewall. Then you can use one of the other ports of the hub to capture all the traffic going from the switch to the hub (and then to the firewall) and examine it.
The other way is: if you have a switch with the mirroring port functionality you can designate one port (the one connected to the firewall) to be mirrored, so all the traffic going to and/or from that port is forwarded by the switch also to the mirroring port. So you can attach a sniffing device to this port (i.e. firewall connected to port no. x, you configure the switch so that all the traffic from/to port x is mirrored on port y). Then you can attach a sniffer on port y and examine the traffic flowing through port x.
I hope this helps you. Sorry for my mistakes but I'm not very practised with the English language.
 
Your firewall's logs may give you an indication of the culprit as well. Otherwise, as gmeg1 stated, the hub between the firewall and the switch is the best way to use the sniffer.
 
The hub is working great; I can see all the traffic. Thanks.

Anyone know a good packet sniffer that will allow me to see the information sorted by source/dest IP rather than just in time sequence?

Thanks again.
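The per-source tally asked for above, as an added example that is not from any post in this thread: it reads the text that `tcpdump -n` prints, counts only the client-side SYNs (the packets that open a new state-table entry on a firewall), and ranks internal hosts by how many connections they have opened. The capture lines and addresses below are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of tcpdump -n output (not a real capture): one host,
# 192.168.1.17, is opening connections to many different destinations.
SAMPLE = """\
12:00:01.000100 IP 192.168.1.17.40001 > 203.0.113.5.80: Flags [S], seq 1, win 8192, length 0
12:00:01.000200 IP 192.168.1.17.40002 > 203.0.113.6.80: Flags [S], seq 1, win 8192, length 0
12:00:01.000300 IP 192.168.1.42.51000 > 203.0.113.5.443: Flags [S], seq 1, win 8192, length 0
12:00:01.000400 IP 203.0.113.5.443 > 192.168.1.42.51000: Flags [S.], seq 1, ack 2, win 8192, length 0
12:00:01.000500 IP 192.168.1.17.40003 > 203.0.113.7.80: Flags [S], seq 1, win 8192, length 0
12:00:01.000600 IP 192.168.1.17.40004 > 203.0.113.8.25: Flags [S], seq 1, win 8192, length 0
12:00:01.000700 IP 192.168.1.9.33000 > 203.0.113.9.53: UDP, length 40
"""

# Matches the "IP src.sport > dst.dport: Flags [..]" part of a TCP line;
# numeric ports require tcpdump's -n option (no service-name resolution).
LINE_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]"
)

def count_new_connections(text):
    """Count TCP connection attempts per source IP and per (src, dst, dport).

    Only a bare SYN (Flags [S]) is counted: the server's SYN-ACK ([S.])
    belongs to the same connection, and UDP/ICMP lines carry no Flags field.
    """
    per_source = Counter()
    per_pair = Counter()
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, _sport, dst, dport, flags = m.groups()
        if flags != "S":
            continue
        per_source[src] += 1
        per_pair[(src, dst, int(dport))] += 1
    return per_source, per_pair

def top_talkers(text, n=3):
    """Return the n source IPs that opened the most connections, busiest first."""
    per_source, _ = count_new_connections(text)
    return per_source.most_common(n)

if __name__ == "__main__":
    for ip, opened in top_talkers(SAMPLE):
        print(f"{ip:<16} {opened} new connections")
```

Against a real capture, feed it `tcpdump -n -r capture.pcap` output; a host with thousands of SYNs to many distinct destinations is the one exhausting the firewall's connection table.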
 
Using a hub is a simple and quick solution that works well.

But, you can connect a sniffer to a switch depending upon what type of switch you have. If it's Cisco, you can configure a SPAN port or configure a Port Monitor (depending upon the OS) which will then make that port receive a copy of all traffic. But if you're not familiar with the configuration of that, then the hub works great.

The advantage of configuring a port for monitoring is that there is no physical topology change. It can be turned on and off at will. Also, depending upon the switch you have, you can set it up for remote port monitoring, monitor only specific VLANs etc. Very handy.
 
A little off topic but does anyone know if the 3Com SuperStack II can do either of the above suggestions and if so how?

I'll also ask on the 3Com forum... again, thanks in advance for all your help.
 