Ethereal's not good to work with in a switched network because Ethereal won't work in switched network. All you'll see is arp requests and broadcasts as well as anything going between your machine and the remote host. If that's what you want than Ethereal is the tool for the job. I doubt that's what you want though.
The reason why Ethereal works well or better in a hubbed network is because the collision domain is so big you "see" every bit of network traffic that is going on between every node on that network. Like usernames/passwords, what websites someone is visiting...........yadayadayada. A switch is basically a hub except the collision domain is limited to every port on the switch. That's why you won't see every other nodes traffic.....because the switch knows where to send the data where as a hub doesn't know and doesn't care and pretty much broadcasts it to all hosts on the network until the meant destination says "hey! that's for me" Since you're on a switched network, I recommend using Ettercap (ettercap.sourceforge.net) as it does some "magic" with the arp cache by poisoning it and you become the "man in the middle". Meaning, everything going between the host you want to sniff and the destination you will see. Very similar to Ethereal except you can only do it to one host at a time (as far as I know). I hope this helps clear things up. -Matt On Friday 09 November 2001 15:32, Marc Mc Guinness wrote: > Hello! > > Am Donnerstag, 8. November 2001 23:24 schrieb Matt Hemingway: > > If it's a switched network, which the subject of this e-mail > > states, than Ethereal won't work. The best tool for a switched > > network is ettercap (ettercap.sourceforge.net). > > > > Personally I use Arpwatch (no url available) to find all hosts on > > the network and than use Ettercap to sniff the victim. > > > > If this is a hubbed network than Ethereal works like a charm. > > I don't understand that. Can anybody explain it to me? Why is > ethereal not good for a switched LAN, but for a hubbed one it is? > I'm starting to work with ethereal at the moment (in a switched > network). > > Best regards, > > Marc Mc Guinness
