RE: traffic analyzer [7:41267]
If all that's needed is general traffic trend patterns, things like how much traffic, what stations are talking to what other stations, protocols in use, etc, then you can do no better than NTOP: http://www.ntop.org

It has a small footprint, fairly low overhead, gives you RMON type stats through a nice web gui and much more. Plus it's open source. The main disadvantage is a lack of comprehensive documentation, but there are mailing lists for help, plus you get the source code.

I'm using it right now for network trending info and the amount of detail it provides is outstanding. It's much better than a sniffer for macro level network information.

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Sean Knox
Sent: Friday, April 12, 2002 1:16 AM
To: [EMAIL PROTECTED]
Subject: RE: traffic analyzer [7:41267]

Agreed. Ethereal beats Sniffer Pro, Etherpeek, or any other sniffer I've used hands down. Best of all, it's free.

Sean

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Patrick Ramsey
Sent: Thursday, April 11, 2002 11:58 PM
To: [EMAIL PROTECTED]
Subject: Re: traffic analyzer [7:41267]

send a linux box configured with X/ethereal and vnc out there and remote control it from your end!

-Patrick

>>> supernet 04/12/02 12:42AM >>>
Hi Dear Friends,

I have 1 branch office connected to main office by frame relay. I noticed a lot of traffic across this link and would like to find out what they are. The problem is I don't have access to the branch office, therefore, everything has to be done in main office. I tried sniffer pro, etherpeek and anasil but they only allow me to specify a particular source IP, not the whole branch office subnet. Is there any other software I can use?

Thanks.
Yoshi

>>>>>>>>>>>>> Confidentiality Disclaimer <<<<<<<<<<<<<<<<
This email and any files transmitted with it may contain confidential and /or proprietary information in the possession of WellStar Health System, Inc. ("WellStar") and is intended only for the individual or entity to whom addressed. This email may contain information that is held to be privileged, confidential and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient, you are hereby notified that any unauthorized access, dissemination, distribution or copying of any information from this email is strictly prohibited, and may subject you to criminal and/or civil liability. If you have received this email in error, please notify the sender by reply email and then delete this email and its attachments from your computer. Thank you.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=41375&t=41267
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: traffic analyzer [7:41267]
Kevin Cullimore wrote:
>
> That works for networks divided on octet boundaries, but what
> about when you want to capture a /22 or a /23?

Good point. Had never thought of that. Most of our sites are either /16 or /24, however, we have a lot of smaller branch sites that are /26. I guess in those cases tho, I would always set up the sniffer to sniff the traffic at the router's ethernet interface, in which case using a /24 mask didn't cause a problem because it captured all of the data from the /26 that I was interested in anyway =)

Mike W.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=41367&t=41267
Re: traffic analyzer [7:41267]
That works for networks divided on octet boundaries, but what about when you want to capture a /22 or a /23?

I actually needed the practice with dec->hex conversions & offsets, so I always went straight for the data pattern tab and never tried the wildcard in the address tab. Thanks for the tip.

- Original Message -
From: "Michael Williams"
To:
Sent: Friday, April 12, 2002 2:23 PM
Subject: RE: traffic analyzer [7:41267]

> supernet wrote:
> >
> > but they only allow me to specify a particular
> > source IP, not the whole branch office subnet.
>
> Why's that? Sniffer Pro will let you define entire ranges of
> source/destination IPs in the filter.
>
> In Sniffer Pro, when you define the filter, simply put 192.168.1.* (where
> 192.168.1.0 is the subnet and * is the wildcard).
>
> Works for me =)
>
> Mike W.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=41356&t=41267
RE: traffic analyzer [7:41267]
supernet wrote:
>
> but they only allow me to specify a particular
> source IP, not the whole branch office subnet.

Why's that? Sniffer Pro will let you define entire ranges of source/destination IPs in the filter.

In Sniffer Pro, when you define the filter, simply put 192.168.1.* (where 192.168.1.0 is the subnet and * is the wildcard).

Works for me =)

Mike W.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=41331&t=41267
RE: traffic analyzer [7:41267]
Patrick have you tried setting a data pattern?? That's what I did and it works a treat for only monitoring a given subnet.

Sam.

-Original Message-
From: Patrick Ramsey [mailto:[EMAIL PROTECTED]]
Sent: Friday, 12 April 2002 7:12 PM
To: [EMAIL PROTECTED]
Subject: Re: traffic analyzer [7:41267]

yeah...It's not hard to let "expert" spoil you though! I've kinda grown accustomed to letting sniffer pro do all the work for me... :)

>>> "Sean Knox" 04/12/02 04:22 AM >>>
Agreed. Ethereal beats Sniffer Pro, Etherpeek, or any other sniffer I've used hands down. Best of all, it's free.

Sean

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Patrick Ramsey
Sent: Thursday, April 11, 2002 11:58 PM
To: [EMAIL PROTECTED]
Subject: Re: traffic analyzer [7:41267]

send a linux box configured with X/ethereal and vnc out there and remote control it from your end!

-Patrick

>>> supernet 04/12/02 12:42AM >>>
Hi Dear Friends,

I have 1 branch office connected to main office by frame relay. I noticed a lot of traffic across this link and would like to find out what they are. The problem is I don't have access to the branch office, therefore, everything has to be done in main office. I tried sniffer pro, etherpeek and anasil but they only allow me to specify a particular source IP, not the whole branch office subnet. Is there any other software I can use?

Thanks.
Yoshi

[GroupStudy.com removed an attachment of type text/x-vcard which had a name of Sam Deckert.vcf]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=41292&t=41267
Re: traffic analyzer [7:41267]
now wait if all he wants to do is sniff certain source and destination addresses, this can be done using a filter... I prefer display filters just in case you want to go back and change what you see rather than a capture filter. Am I missing something?

>>> "Kevin Cullimore" 04/12/02 03:32 AM >>>
In sniffer pro, I've had success by specifying two conditions joined by an OR statement for the filter. Each condition is specified by selecting the Data Pattern tab of the Define Filter dialog box and specifying appropriate offsets and data patterns.

For the case where you need to specify the source ip address, I'd use an offset of 1A and fill in as many hex digits as it takes to uniquely define the subnet.

For the case where you need to specify the destination ip address, I'd use an offset of 1E and fill in as many hex digits as it takes to uniquely define the subnet.

Note: if you're looking at an existing capture featuring traffic to or from a specific host on the target subnet, you can use the data window in the same tab to speed things up slightly by selecting the line of the decode containing the address, clicking the set data button, and deleting the characters in the pattern window which distinguish the host from the subnet (generally, starting from the right: in the case of /24 masks, you'd eliminate the value in column 3, corresponding to the last octet/2 Hex digits).

I don't remember the vendor-specific info for etherpeek, but the fundamentals are the same.

HTH

- Original Message -
From: "supernet"
To:
Sent: Friday, April 12, 2002 12:42 AM
Subject: traffic analyzer [7:41267]

> Hi Dear Friends,
>
> I have 1 branch office connected to main office by frame relay. I
> noticed a lot of traffic across this link and would like to find out
> what they are. The problem is I don't have access to the branch office,
> therefore, everything has to be done in main office. I tried sniffer
> pro, etherpeek and anasil but they only allow me to specify a particular
> source IP, not the whole branch office subnet. Is there any other
> software I can use?
>
> Thanks.
> Yoshi

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=41281&t=41267
Re: RE: traffic analyzer [7:41267]
yeah...It's not hard to let "expert" spoil you though! I've kinda grown accustomed to letting sniffer pro do all the work for me... :)

>>> "Sean Knox" 04/12/02 04:22 AM >>>
Agreed. Ethereal beats Sniffer Pro, Etherpeek, or any other sniffer I've used hands down. Best of all, it's free.

Sean

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Patrick Ramsey
Sent: Thursday, April 11, 2002 11:58 PM
To: [EMAIL PROTECTED]
Subject: Re: traffic analyzer [7:41267]

send a linux box configured with X/ethereal and vnc out there and remote control it from your end!

-Patrick

>>> supernet 04/12/02 12:42AM >>>
Hi Dear Friends,

I have 1 branch office connected to main office by frame relay. I noticed a lot of traffic across this link and would like to find out what they are. The problem is I don't have access to the branch office, therefore, everything has to be done in main office. I tried sniffer pro, etherpeek and anasil but they only allow me to specify a particular source IP, not the whole branch office subnet. Is there any other software I can use?

Thanks.
Yoshi

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=41280&t=41267
RE: traffic analyzer [7:41267]
Agreed. Ethereal beats Sniffer Pro, Etherpeek, or any other sniffer I've used hands down. Best of all, it's free.

Sean

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Patrick Ramsey
Sent: Thursday, April 11, 2002 11:58 PM
To: [EMAIL PROTECTED]
Subject: Re: traffic analyzer [7:41267]

send a linux box configured with X/ethereal and vnc out there and remote control it from your end!

-Patrick

>>> supernet 04/12/02 12:42AM >>>
Hi Dear Friends,

I have 1 branch office connected to main office by frame relay. I noticed a lot of traffic across this link and would like to find out what they are. The problem is I don't have access to the branch office, therefore, everything has to be done in main office. I tried sniffer pro, etherpeek and anasil but they only allow me to specify a particular source IP, not the whole branch office subnet. Is there any other software I can use?

Thanks.
Yoshi

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=41279&t=41267
Re: traffic analyzer [7:41267]
In sniffer pro, I've had success by specifying two conditions joined by an OR statement for the filter. Each condition is specified by selecting the Data Pattern tab of the Define Filter dialog box and specifying appropriate offsets and data patterns.

For the case where you need to specify the source ip address, I'd use an offset of 1A and fill in as many hex digits as it takes to uniquely define the subnet.

For the case where you need to specify the destination ip address, I'd use an offset of 1E and fill in as many hex digits as it takes to uniquely define the subnet.

Note: if you're looking at an existing capture featuring traffic to or from a specific host on the target subnet, you can use the data window in the same tab to speed things up slightly by selecting the line of the decode containing the address, clicking the set data button, and deleting the characters in the pattern window which distinguish the host from the subnet (generally, starting from the right: in the case of /24 masks, you'd eliminate the value in column 3, corresponding to the last octet/2 Hex digits).

I don't remember the vendor-specific info for etherpeek, but the fundamentals are the same.

HTH

- Original Message -
From: "supernet"
To:
Sent: Friday, April 12, 2002 12:42 AM
Subject: traffic analyzer [7:41267]

> Hi Dear Friends,
>
> I have 1 branch office connected to main office by frame relay. I
> noticed a lot of traffic across this link and would like to find out
> what they are. The problem is I don't have access to the branch office,
> therefore, everything has to be done in main office. I tried sniffer
> pro, etherpeek and anasil but they only allow me to specify a particular
> source IP, not the whole branch office subnet. Is there any other
> software I can use?
>
> Thanks.
> Yoshi

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=41275&t=41267
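
Added example, not part of the thread and not any vendor's code: it works out which hex-digit patterns at the offsets 1A (source) and 1E (destination) cover a subnet, including the /22 and /23 cases raised elsewhere in the thread, where the prefix ends inside a hex digit and several patterns have to be OR'ed together. The function names, the 10.1.4.0/22 network and the sample frames are constructed for illustration, and untagged Ethernet II framing is assumed.

```python
import ipaddress
import struct

SRC_OFFSET = 0x1A  # 14-byte Ethernet II header + 12 bytes into the IPv4 header
DST_OFFSET = 0x1E  # 14-byte Ethernet II header + 16 bytes into the IPv4 header
ETHERTYPE_IPV4 = b"\x08\x00"


def hex_prefixes(cidr):
    """Hex-digit prefixes that together cover exactly the IPv4 network `cidr`."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    full, spare = divmod(net.prefixlen, 4)
    addr_hex = f"{int(net.network_address):08x}"
    if spare == 0:
        return [addr_hex[:full]]          # prefix ends on a hex-digit boundary
    base = int(addr_hex[full], 16)        # host bits of this digit are zero
    return [addr_hex[:full] + f"{base + i:x}" for i in range(1 << (4 - spare))]


def frame_matches(frame, cidr):
    """True if the source OR destination address of an IPv4 frame is in `cidr`."""
    # Assumption: untagged Ethernet II. An 802.1Q tag shifts both offsets by 4,
    # and a bare offset pattern would also hit non-IPv4 frames, so check the type.
    if len(frame) < DST_OFFSET + 4 or frame[12:14] != ETHERTYPE_IPV4:
        return False
    patterns = hex_prefixes(cidr)
    for offset in (SRC_OFFSET, DST_OFFSET):
        digits = frame[offset:offset + 4].hex()
        if any(digits.startswith(p) for p in patterns):
            return True
    return False


def make_frame(src, dst):
    """Constructed sample: Ethernet II header + 20-byte IPv4 header, no payload."""
    eth = bytes(12) + ETHERTYPE_IPV4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return eth + ip


if __name__ == "__main__":
    for cidr in ("192.168.1.0/24", "10.1.4.0/22", "10.1.4.0/23", "192.168.1.64/26"):
        print(cidr, "->", hex_prefixes(cidr))
    # Constructed frames: one inside the /22 as source, one just outside it.
    for src, dst in (("10.1.7.200", "172.16.0.1"), ("10.1.8.1", "172.16.0.1")):
        print(src, dst, frame_matches(make_frame(src, dst), "10.1.4.0/22"))
```

A /24 needs one six-digit pattern per offset, while a /22 needs four and a /26 needs four seven-digit ones.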
Re: traffic analyzer [7:41267]
send a linux box configured with X/ethereal and vnc out there and remote control it from your end!

-Patrick

>>> supernet 04/12/02 12:42AM >>>
Hi Dear Friends,

I have 1 branch office connected to main office by frame relay. I noticed a lot of traffic across this link and would like to find out what they are. The problem is I don't have access to the branch office, therefore, everything has to be done in main office. I tried sniffer pro, etherpeek and anasil but they only allow me to specify a particular source IP, not the whole branch office subnet. Is there any other software I can use?

Thanks.
Yoshi

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=41274&t=41267