Steve, if you change that to 'only reliably see traffic on your port'
then you would be correct. The problem is that switches leak traffic to
other ports (and in some cases VLANs as well) for all sorts of reasons.

In some ways switches are the worst of both worlds.

If you want to sniff/analyse traffic you have to assume that you miss the
interesting traffic.

If you want to keep something secret you have to assume that at that
instant the switch will leak the traffic and the bad guy will see it.

Switches are wonderful for speed and reliability compared to hubs, but
they are not 'the' answer in and of themselves.

David Lang

On Fri, 15 Jun 2001, Steve Vinsik wrote:
> Date: Fri, 15 Jun 2001 14:53:42 -0400
> From: Steve Vinsik <[EMAIL PROTECTED]>
> To: 'Jason Brown' <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
> Subject: RE: Network Sniffers
>
> If you are on a switched network, you will only see traffic on your vlan.
> Also, if the computer you are using as a sniffer is on a switch port, it
> will only see its own traffic. Most switches will allow you to set them up
> to receive all traffic on a particular port. However, this could cause
> serious network congestion on that port, switch and/or vlan. Also, some
> products that operate in demo mode purposefully limit data collection to
> your own host.
>
> Steve
>
> -----Original Message-----
> From: Jason Brown [mailto:[EMAIL PROTECTED]]
> Sent: Friday, June 15, 2001 2:33 PM
> To: [EMAIL PROTECTED]
> Subject: Network Sniffers
>
>
>
> Hello All,
>
> I am trying to set up a sniffer so I can see what the users are doing on the
> Internet and see if they are abusing the service.
>
> To date I've installed Ethereal and Ksnuffle but neither are working as they
> should.
>
> I can sniff traffic to and from the machine running the software, but the
> rest of the network traffic is not visible.
>
> According to all the documentation I found, the network cards are put into
> promiscuous mode automatically by the software. From what I can see, it's
> almost as if the cards are not.
>
> I've installed the software on RedHat 6.2 and 7.1 and used 2 different types
> of NICs on 2 different machines, and one is a 3Com 590. Anybody know why I
> can't see everything???
>
> What I want to do is generate a graph that will tell me how much NNTP
> traffic is being pulled down. I know they are pulling down VCD files and I
> am 99% sure this is causing the slow response, but I'd like to have proof
> before I point fingers. Ksnuffle looks like it will work, but if someone
> else has another solution, please let me know.
>
> Thanks,
>
> Jason
>
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
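
Added example, not part of the original thread: a simplified Python model of a learning switch, showing why a sniffer on an ordinary port sees some of the traffic between other hosts, but not reliably. The single-VLAN model, the class and function names, the MAC addresses and the timings are all assumptions constructed for illustration.

```python
# Simplified model of a transparent learning switch (assumptions: one VLAN,
# no port mirroring, MAC table ageing expressed in seconds).
BROADCAST = "ff:ff:ff:ff:ff:ff"

class LearningSwitch:
    def __init__(self, ports, max_age=300):
        self.ports = list(ports)
        self.max_age = max_age
        self.table = {}          # MAC -> (port, time last seen as a source)

    def forward(self, now, in_port, src, dst):
        """Return the list of ports the frame is sent out of."""
        self.table[src] = (in_port, now)                  # learn the sender
        entry = self.table.get(dst)
        if entry and now - entry[1] > self.max_age:       # stale entry: forget
            del self.table[dst]
            entry = None
        if dst == BROADCAST or entry is None:             # unknown: flood
            return [p for p in self.ports if p != in_port]
        out_port = entry[0]
        return [] if out_port == in_port else [out_port]  # filter or forward

def seen_by(port, frames, switch):
    """Labels of the frames that reach `port`, as a sniffer there sees them."""
    return [label for label, now, in_port, src, dst in frames
            if port in switch.forward(now, in_port, src, dst)]

# Constructed traffic: hosts A (port 1) and B (port 2) talk; sniffer on port 3.
A, B = "02:00:00:00:00:0a", "02:00:00:00:00:0b"
FRAMES = [
    ("arp-request",       0, 1, A, BROADCAST),  # broadcast: flooded
    ("arp-reply",         1, 2, B, A),          # A is known: port 1 only
    ("data-1",            2, 1, A, B),          # B is known: port 2 only
    ("data-2",            3, 2, B, A),
    ("data-after-idle", 400, 1, A, B),          # B's entry aged out: flooded
    ("data-reply",      401, 2, B, A),          # A refreshed at t=400: port 1
]

def demo():
    return seen_by(3, FRAMES, LearningSwitch(ports=[1, 2, 3]))

if __name__ == "__main__":
    print(demo())
```

The sniffer port receives two of the six frames: too little to analyse the conversation, yet enough to show that unicast traffic between two other hosts is not guaranteed to stay off a third port.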