RE: traffic analyzer [7:41267]

2002-04-13 Thread Kent Hundley

If all that's needed is general traffic trend patterns, things like how much
traffic, what stations are talking to what other stations, protocols in use,
etc, then you can do no better than NTOP: http://www.ntop.org

It has a small footprint, fairly low overhead, gives you RMON type stats
through a nice web gui and much more.  Plus it's open source.  The main
disadvantage is a lack of comprehensive documentation, but there are mailing
lists for help, plus you get the source code.  I'm using it right now for
network trending info and the amount of detail it provides is outstanding.
It's much better than a sniffer for macro level network information.

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Sean Knox
Sent: Friday, April 12, 2002 1:16 AM
To: [EMAIL PROTECTED]
Subject: RE: traffic analyzer [7:41267]


Agreed. Ethereal beats Sniffer Pro, Etherpeek, or any other sniffer I've
used hands down. Best of all, it's free.

Sean

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Patrick Ramsey
Sent: Thursday, April 11, 2002 11:58 PM
To: [EMAIL PROTECTED]
Subject: Re: traffic analyzer [7:41267]


send a linux box configured with X/ethereal and vnc out there and remote
control it from your end!

-Patrick

>>> supernet  04/12/02 12:42AM >>>
Hi Dear Friends,

I have 1 branch office connected to main office by frame relay. I
noticed a lot of traffic across this link and would like to find out
what they are. The problem is I don't have access to the branch office,
therefore, everything has to be done in main office. I tried sniffer
pro, etherpeek and anasil but they only allow me to specify a particular
source IP, not the whole branch office subnet. Is there any other
software I can use?

Thanks.
Yoshi
>>>>>>>>>>>>>  Confidentiality Disclaimer   <<<<<<<<<<<<<<<<
This email and any files transmitted with it may contain confidential and
/or proprietary information in the possession of WellStar Health System,
Inc. ("WellStar") and is intended only for the individual or entity to whom
addressed.  This email may contain information that is held to be
privileged, confidential and exempt from disclosure under applicable law. If
the reader of this message is not the intended recipient, you are hereby
notified that any unauthorized access, dissemination, distribution or
copying of any information from this email is strictly prohibited, and may
subject you to criminal and/or civil liability. If you have received this
email in error, please notify the sender by reply email and then delete this
email and its attachments from your computer. Thank you.






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=41375&t=41267
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: traffic analyzer [7:41267]

2002-04-13 Thread Michael Williams

Kevin Cullimore wrote:
> 
> That works for networks divided on octet boundaries, but what
> about when you want to capture a /22 or a /23?

Good point.  Had never thought of that.  Most of our sites are either /16 or
/24, however, we have a lot of smaller branch sites that are /26.  I guess in
those cases tho, I would always set up the sniffer to sniff the traffic at
the router's ethernet interface, in which case using a /24 mask didn't cause a
problem because it captured all of the data from the /26 that I was
interested in anyway =)

Mike W.


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=41367&t=41267



Re: traffic analyzer [7:41267]

2002-04-13 Thread Kevin Cullimore

That works for networks divided on octet boundaries, but what about when you
want to capture a /22 or a /23? I actually needed the practice with dec->hex
conversions & offsets, so I always went straight for the data pattern tab
and never tried the wildcard in the address tab. Thanks for the tip.

- Original Message -
From: "Michael Williams" 
To: 
Sent: Friday, April 12, 2002 2:23 PM
Subject: RE: traffic analyzer [7:41267]


> supernet wrote:
> >
> > but they only allow me to specify a particular
> > source IP, not the whole branch office subnet.
>
> Why's that?  Sniffer Pro will let you define entire ranges of
> source/destination IPs in the filter.
>
> In Sniffer Pro, when you define the filter, simply put 192.168.1.* (where
> 192.168.1.0 is the subnet and * is the wildcard).
>
> Works for me =)
>
> Mike W.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=41356&t=41267



RE: traffic analyzer [7:41267]

2002-04-12 Thread Michael Williams

supernet wrote:
> 
> but they only allow me to specify a particular
> source IP, not the whole branch office subnet.

Why's that?  Sniffer Pro will let you define entire ranges of
source/destination IPs in the filter.

In Sniffer Pro, when you define the filter, simply put 192.168.1.* (where
192.168.1.0 is the subnet and * is the wildcard).

Works for me =)

Mike W.


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=41331&t=41267



RE: traffic analyzer [7:41267]

2002-04-12 Thread Sam Deckert

Patrick have you tried setting a data pattern??

That's what I did and it works a treat for only monitoring a given subnet.

Sam.



-Original Message-
From: Patrick Ramsey [mailto:[EMAIL PROTECTED]]
Sent: Friday, 12 April 2002 7:12 PM
To: [EMAIL PROTECTED]
Subject: Re: traffic analyzer [7:41267]


yeah...It's not hard to let "expert" spoil you though!

I've kinda grown accustomed to letting sniffer pro do all the work for me... :)

>>> "Sean Knox"  04/12/02 04:22 AM >>>
Agreed. Ethereal beats Sniffer Pro, Etherpeek, or any other sniffer I've used
hands down. Best of all, it's free.

Sean

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Patrick Ramsey
Sent: Thursday, April 11, 2002 11:58 PM
To: [EMAIL PROTECTED]
Subject: Re: traffic analyzer [7:41267]


send a linux box configured with X/ethereal and vnc out there and remote
control it from your end!

-Patrick

>>> supernet  04/12/02 12:42AM >>>
Hi Dear Friends,

I have 1 branch office connected to main office by frame relay. I noticed a
lot of traffic across this link and would like to find out what they are. The
problem is I don't have access to the branch office, therefore, everything
has to be done in main office. I tried sniffer pro, etherpeek and anasil but
they only allow me to specify a particular source IP, not the whole branch
office subnet. Is there any other software I can use?

Thanks.
Yoshi







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=41292&t=41267



Re: traffic analyzer [7:41267]

2002-04-12 Thread Patrick Ramsey

now wait

if all he wants to do is sniff certain source and destination addresses,
this can be done using a filter... I prefer display filters just in case you
want to go back and change what you see rather than a capture filter.

Am I missing something?

>>> "Kevin Cullimore"  04/12/02 03:32 AM >>>
In sniffer pro, I've had success by specifying two conditions joined by an
OR statement for the filter.

Each condition is specified by selecting the Data Pattern tab of the Define
Filter dialog box and specifying appropriate offsets and data patterns.

For the case where you need to specify the source ip address, I'd use an
offset of 1A and fill in as many hex digits as it takes to uniquely define
the subnet.

For the case where you need to specify the destination ip address, I'd use
an offset of 1E and fill in as many hex digits as it takes to uniquely
define the subnet.

Note: if you're looking at an existing capture featuring traffic to or from
a specific host on the target subnet, you can use the data window in the
same tab to speed things up slightly by selecting the line of the decode
containing the address, clicking the set data button, and deleting the
characters in the pattern window which distinguish the host from the subnet
(generally, starting from the right: in the case of /24 masks, you'd
eliminate the value in column 3, corresponding to the last octet/2 Hex
digits).

I don't remember the vendor-specific info for etherpeek, but the
fundamentals are the same.

HTH

- Original Message -
From: "supernet" 
To: 
Sent: Friday, April 12, 2002 12:42 AM
Subject: traffic analyzer [7:41267]


> Hi Dear Friends,
>
> I have 1 branch office connected to main office by frame relay. I
> noticed a lot of traffic across this link and would like to find out
> what they are. The problem is I don't have access to the branch office,
> therefore, everything has to be done in main office. I tried sniffer
> pro, etherpeek and anasil but they only allow me to specify a particular
> source IP, not the whole branch office subnet. Is there any other
> software I can use?
>
> Thanks.
> Yoshi






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=41281&t=41267



Re: RE: traffic analyzer [7:41267]

2002-04-12 Thread Patrick Ramsey

yeah...It's not hard to let "expert" spoil you though!

I've kinda grown accustomed to letting sniffer pro do all the work for me... :)

>>> "Sean Knox"  04/12/02 04:22 AM >>>
Agreed. Ethereal beats Sniffer Pro, Etherpeek, or any other sniffer I've
used hands down. Best of all, it's free.

Sean

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Patrick Ramsey
Sent: Thursday, April 11, 2002 11:58 PM
To: [EMAIL PROTECTED]
Subject: Re: traffic analyzer [7:41267]


send a linux box configured with X/ethereal and vnc out there and remote
control it from your end!

-Patrick

>>> supernet  04/12/02 12:42AM >>>
Hi Dear Friends,

I have 1 branch office connected to main office by frame relay. I
noticed a lot of traffic across this link and would like to find out
what they are. The problem is I don't have access to the branch office,
therefore, everything has to be done in main office. I tried sniffer
pro, etherpeek and anasil but they only allow me to specify a particular
source IP, not the whole branch office subnet. Is there any other
software I can use?

Thanks.
Yoshi






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=41280&t=41267



RE: traffic analyzer [7:41267]

2002-04-12 Thread Sean Knox

Agreed. Ethereal beats Sniffer Pro, Etherpeek, or any other sniffer I've
used hands down. Best of all, it's free.

Sean

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Patrick Ramsey
Sent: Thursday, April 11, 2002 11:58 PM
To: [EMAIL PROTECTED]
Subject: Re: traffic analyzer [7:41267]


send a linux box configured with X/ethereal and vnc out there and remote
control it from your end!

-Patrick

>>> supernet  04/12/02 12:42AM >>>
Hi Dear Friends,

I have 1 branch office connected to main office by frame relay. I
noticed a lot of traffic across this link and would like to find out
what they are. The problem is I don't have access to the branch office,
therefore, everything has to be done in main office. I tried sniffer
pro, etherpeek and anasil but they only allow me to specify a particular
source IP, not the whole branch office subnet. Is there any other
software I can use?

Thanks.
Yoshi






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=41279&t=41267



Re: traffic analyzer [7:41267]

2002-04-12 Thread Kevin Cullimore

In sniffer pro, I've had success by specifying two conditions joined by an
OR statement for the filter.

Each condition is specified by selecting the Data Pattern tab of the Define
Filter dialog box and specifying appropriate offsets and data patterns.

For the case where you need to specify the source ip address, I'd use an
offset of 1A and fill in as many hex digits as it takes to uniquely define
the subnet.

For the case where you need to specify the destination ip address, I'd use
an offset of 1E and fill in as many hex digits as it takes to uniquely
define the subnet.

Note: if you're looking at an existing capture featuring traffic to or from
a specific host on the target subnet, you can use the data window in the
same tab to speed things up slightly by selecting the line of the decode
containing the address, clicking the set data button, and deleting the
characters in the pattern window which distinguish the host from the subnet
(generally, starting from the right: in the case of /24 masks, you'd
eliminate the value in column 3, corresponding to the last octet/2 Hex
digits).

I don't remember the vendor-specific info for etherpeek, but the
fundamentals are the same.

HTH

- Original Message -
From: "supernet" 
To: 
Sent: Friday, April 12, 2002 12:42 AM
Subject: traffic analyzer [7:41267]


> Hi Dear Friends,
>
> I have 1 branch office connected to main office by frame relay. I
> noticed a lot of traffic across this link and would like to find out
> what they are. The problem is I don't have access to the branch office,
> therefore, everything has to be done in main office. I tried sniffer
> pro, etherpeek and anasil but they only allow me to specify a particular
> source IP, not the whole branch office subnet. Is there any other
> software I can use?
>
> Thanks.
> Yoshi




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=41275&t=41267
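
Added example (not part of the original posts): the two data-pattern conditions described above, at offsets 1A and 1E, worked out in Python for prefixes that do not fall on octet boundaries, such as the /22 and /23 raised elsewhere in this thread. It assumes untagged Ethernet II framing and that a pattern fixes whole hex digits; the function names and the sample subnet 10.1.4.0/22 are constructed for illustration.

```python
import ipaddress

ETH_HDR_LEN = 14                 # untagged Ethernet II header (assumption)
SRC_OFFSET = ETH_HDR_LEN + 12    # 0x1A: IPv4 source address
DST_OFFSET = ETH_HDR_LEN + 16    # 0x1E: IPv4 destination address

def nibble_patterns(cidr):
    """Hex-digit prefixes that together cover exactly one IPv4 subnet.

    A hex pattern can only pin whole nibbles, so a prefix length that is
    not a multiple of 4 expands into 2**free_bits separate patterns.
    """
    net = ipaddress.ip_network(cidr)
    if net.version != 4 or net.prefixlen == 0:
        raise ValueError("expects an IPv4 prefix of /1 or longer")
    fixed = -(-net.prefixlen // 4)              # nibbles to fill in, rounded up
    free_bits = fixed * 4 - net.prefixlen       # bits inside the last nibble
    base = int(net.network_address) >> (32 - fixed * 4)
    return [format(base + i, f"0{fixed}X") for i in range(1 << free_bits)]

def frame_matches(frame, cidr):
    """OR of the two conditions: source at 0x1A or destination at 0x1E."""
    # The offsets only hold for untagged Ethernet II carrying IPv4;
    # an 802.1Q tag shifts both addresses by 4 bytes.
    if len(frame) < DST_OFFSET + 4 or frame[12:14] != b"\x08\x00":
        return False
    patterns = nibble_patterns(cidr)
    for offset in (SRC_OFFSET, DST_OFFSET):
        addr_hex = frame[offset:offset + 4].hex().upper()
        if any(addr_hex.startswith(p) for p in patterns):
            return True
    return False

def bpf_filter(cidr):
    """Same selection as a libpcap capture filter (tcpdump, Ethereal)."""
    net = ipaddress.ip_network(cidr)
    return f"src net {net} or dst net {net}"

def build_frame(src, dst):
    """Constructed sample: Ethernet II + 20-byte IPv4 header, no payload."""
    eth = bytes(12) + b"\x08\x00"
    ip = (bytes([0x45, 0]) + (20).to_bytes(2, "big") + bytes(4)
          + bytes([64, 6]) + bytes(2)
          + ipaddress.ip_address(src).packed
          + ipaddress.ip_address(dst).packed)
    return eth + ip

if __name__ == "__main__":
    subnet = "10.1.4.0/22"       # constructed branch-office subnet
    print("patterns at 0x1A / 0x1E:", nibble_patterns(subnet))
    print("capture filter:", bpf_filter(subnet))
    for src, dst in [("10.1.7.200", "172.16.0.1"), ("10.1.8.1", "172.16.0.1")]:
        print(src, "->", dst, frame_matches(build_frame(src, dst), subnet))
```

A /22 needs four six-digit patterns per offset where a /24 needs one, which is why the single-wildcard approach stops working off octet boundaries.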



Re: traffic analyzer [7:41267]

2002-04-11 Thread Patrick Ramsey

send a linux box configured with X/ethereal and vnc out there and remote
control it from your end!

-Patrick

>>> supernet  04/12/02 12:42AM >>>
Hi Dear Friends,
 
I have 1 branch office connected to main office by frame relay. I
noticed a lot of traffic across this link and would like to find out
what they are. The problem is I don't have access to the branch office,
therefore, everything has to be done in main office. I tried sniffer
pro, etherpeek and anasil but they only allow me to specify a particular
source IP, not the whole branch office subnet. Is there any other
software I can use?
 
Thanks.
Yoshi






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=41274&t=41267