Not wanting to install a Windows box outside the firewall is perfectly understandable.

What you might want to do is to create a passive capture box. Try using Linux, remove all services from the host, modify an old NIC with an external AUI connector to physically disable data transmit, and use that box to capture the data on the switch outside the firewall. This is the same approach as modding a NIC to become a (layer 2 and above) undetectable capture device.

----- Original Message -----
From: W. Chamberlain
To: [EMAIL PROTECTED]
Sent: Wednesday, July 23, 2003 12:15 AM
Subject: [Ethereal-users] Hardening Windows NT/2K/XP for sniffing? / Sniffing without TCP/IP on Windows?

I have been using Ethereal off and on for a year or so now on our relatively small network, and I love it. Perhaps one of the most useful places to sniff, however, is outside of the firewall. Unfortunately, our IP address range is frequently scanned by hackers, and I know better than to plug it in directly.

Does anyone know if there is a way to use Ethereal without installing Microsoft's TCP/IP protocol? The computer I tested this on runs NT 4.0 with multiple NICs. Ideally, I would like to sniff on one NIC and have all of my regular non-sniffing TCP/IP traffic go through a separate card. I tried to unbind TCP from the sniffing NIC, but then the WinPCap drivers would not allow me to select that card for sniffing.

My interim solution was to assign a bogus IP address to the NIC. I am able to sniff fine with this setup, but I am still open to broadcast-based attacks, and my firewall thinks that someone is spoofing an IP address, since I used one out of our normal range. It generates multiple annoying log messages, so I do not leave this running very long.

I used to hear about people making "mute" network cards/cables, basically by clipping the broadcast lines. I don't know if this would help against DoS attacks, though.

Here were some questions that came to mind.
Is there a way to tighten security on TCP/IP to a point that the OS ignores it on one adapter?
Is there a way to run without TCP/IP?
Is there another [free/cheap] program which can sniff IP traffic without requiring IP binding to the adapter?
Can I use some sort of dummy TCP/IP stack to satisfy WinPCap?
Can raw sockets run without TCP/IP?

Any solution I use must be capable of sniffing ICMP packets and IP packets. I don't care as much about the other types.

Does anyone else have any ideas or experience in this area?

Thanks in advance!
- Will

_______________________________________________
Ethereal-users mailing list
[EMAIL PROTECTED]
http://www.ethereal.com/mailman/listinfo/ethereal-users
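The reply above suggests a Linux capture box, and the original question asks whether raw sockets can run without TCP/IP and whether ICMP and IP can be sniffed without binding an address to the adapter. On Linux the answer is yes: an AF_PACKET socket receives every frame the NIC sees, whether or not the kernel IP stack has an address on that interface. The following is an added example, not code from the thread or from Ethereal/WinPcap. It assumes a Linux host, root (CAP_NET_RAW), and a capture interface named eth1 (an assumed name) that has been brought up with no address and with ARP disabled, e.g. `ip addr flush dev eth1`, `ip link set dev eth1 arp off promisc on up` and `sysctl -w net.ipv6.conf.eth1.disable_ipv6=1`. The Ethernet/IPv4/ICMP decoder and the constructed sample frame run offline without any of that.

```python
"""Passive capture on Linux without an IP address on the capture NIC.

Added example (not from the Ethereal-users thread). Assumes Linux, root and
an addressless capture interface; the interface name "eth1" is an assumption.
"""
import socket
import struct

ETH_P_ALL = 0x0003      # receive all protocols (from <linux/if_ether.h>)
ETH_P_IP = 0x0800       # IPv4 ethertype
IPPROTO_ICMP = 1


def parse_frame(frame: bytes):
    """Decode Ethernet -> IPv4 -> ICMP headers from one raw frame.

    Returns a dict of the interesting fields, or None for frames that are
    not IPv4. Only the IP layer and ICMP are decoded, which is what the
    original poster said he needed.
    """
    if len(frame) < 14:
        return None
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_IP:
        return None
    ip = frame[14:]
    if len(ip) < 20:
        return None
    (ver_ihl, _tos, _total_len, _ident, _flags_frag, ttl, proto,
     _csum, saddr, daddr) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4      # header length in bytes, options included
    if ihl < 20 or len(ip) < ihl:
        return None
    result = {
        "src_mac": src_mac.hex(":"),
        "dst_mac": dst_mac.hex(":"),
        "src_ip": socket.inet_ntoa(saddr),
        "dst_ip": socket.inet_ntoa(daddr),
        "proto": proto,
        "ttl": ttl,
    }
    if proto == IPPROTO_ICMP and len(ip) >= ihl + 2:
        icmp_type, icmp_code = struct.unpack("!BB", ip[ihl:ihl + 2])
        result["icmp_type"] = icmp_type
        result["icmp_code"] = icmp_code
    return result


def open_capture_socket(ifname: str) -> socket.socket:
    """Open a link-layer socket bound to ifname.

    AF_PACKET delivers frames below the IP stack, so the interface needs no
    address and nothing here answers ARP, broadcasts or probes. Linux only;
    requires CAP_NET_RAW.
    """
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    s.bind((ifname, 0))
    return s


def capture(ifname: str, count: int):
    """Read frames until `count` IPv4 packets have been decoded."""
    s = open_capture_socket(ifname)
    seen = []
    try:
        while len(seen) < count:
            frame, _addr = s.recvfrom(65535)
            parsed = parse_frame(frame)
            if parsed is not None:
                seen.append(parsed)
    finally:
        s.close()
    return seen


# Constructed sample frame (not captured data): an ICMP echo request from
# 192.0.2.1 to 198.51.100.7 with a zeroed IP/ICMP checksum, enough to
# exercise the decoder offline.
SAMPLE_FRAME = (
    bytes.fromhex("001122334455")                 # destination MAC
    + bytes.fromhex("66778899aabb")               # source MAC
    + struct.pack("!H", ETH_P_IP)
    + struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0, 64, IPPROTO_ICMP, 0,
                  socket.inet_aton("192.0.2.1"), socket.inet_aton("198.51.100.7"))
    + struct.pack("!BBHHH", 8, 0, 0, 0, 1)        # ICMP echo request, seq 1
)

if __name__ == "__main__":
    for pkt in capture("eth1", 5):                # "eth1" is an assumed name
        print(pkt)
```

The decoder deliberately ignores checksums: on a passive box you want to see malformed and spoofed packets, not drop them. Because the socket is bound at the link layer, the bogus-address workaround from the original post is unnecessary, and with the interface addressless and ARP off the host has nothing for a scanner to talk to.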