Re: Sniffer Recommendation [7:72372]
I actually want to see broadcast traffic. - Original Message - From: "Charles D Hammonds" To: Sent: Tuesday, July 15, 2003 11:57 PM Subject: RE: Sniffer Recommendation [7:72372] > span port is not a sniffer requirement, but one of the switch. switches send > unicast/multicast traffic out only the ports that it is destined to. so, if > you want to see anything other than straight broadcast traffic, span is > required. > > charles > > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of > Nathan > Sent: Tuesday, July 15, 2003 9:33 PM > To: [EMAIL PROTECTED] > Subject: Sniffer Recommendation [7:72372] > > > I need a sniffer that doesn't require spanning a port. Any suggestions? Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=72407&t=72372 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Sniffer Recommendation [7:72372]
Nate wrote: > I actually want to see broadcast traffic. In that case any analyzer will do. Just connect it to a port in the VLAN you want the broadcast traffic of. Regards, Marco. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=72414&t=72372 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Sniffer Recommendation [7:72372]
There are various tools to do this, as far as I know they all work based on the ability to spoof arp replies. Here are a few links: http://monkey.org/~dugsong/dsniff/ (a host of tools for sniffing through various spoofing attacks) http://www.phenoelit.de/fr/tools.html (specifically just for arp spoofing although they have some other interesting tools) Be aware that if you have a busy network, some of these tools could potentially be disruptive depending on how they are used. Be also aware that if you don't have authority to use these tools on the network in question, using them is probably a good reason for termination of employment. I don't recommend you use these tools unless you know what you are doing _and_ you have explicit authorization from the network owner to use them. It's far better to just span the port or use VACL's. In other words, use these tools at your own risk. HTH, Kent On Wed, 2003-07-16 at 00:32, Nathan wrote: > I need a sniffer that doesn't require spanning a port. Any suggestions? Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=72398&t=72372 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: Sniffer Recommendation [7:72372]
span port is not a sniffer requirement, but one of the switch. switches send unicast/multicast traffic out only the ports that it is destined to. so, if you want to see anything other than straight broadcast traffic, span is required. charles -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Nathan Sent: Tuesday, July 15, 2003 9:33 PM To: [EMAIL PROTECTED] Subject: Sniffer Recommendation [7:72372] I need a sniffer that doesn't require spanning a port. Any suggestions? Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=72374&t=72372 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: Sniffer Recommendation [7:72372]
Then You need a network without switches. Without the span port, all unicast frames will only be forwarded to their correct destination ports. Your sniffer will not "see" the traffic. Using RMON/SNMP, its possible to poll some data directly from the switch, such as statistics, etc. I don't know a way to use snmp to tell the switch to "give me all frames for X flow". A way around this is to put a hub between the switch and the device being monitored (host, fw, router). Then plug your "sniffer" into that hub. The hub is a repeater and will get all frames to the sniffer. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=72373&t=72372 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]