LinuxQuestions.org
Old 01-20-2003, 03:59 PM   #1
chr15t0
Member
 
Registered: Jun 2002
Location: London
Distribution: Slackware
Posts: 201

Rep: Reputation: 30
Ethereal - sniff ALL traffic


Hey all,

I have been playing with Ethereal on our company network, (it's what sysadmin does when b0red), but I can't get it to monitor all traffic - it only seems to pick up frames sent from, or directly TO the LOCAL network interface (ethX). I was of the impression that with CSMA, (ie ethernet-ness), all packets and frames on the network bus could be sniffed.

Perhaps it's just an option with Ethereal that has to be set.. or if anyone knows how to do it using tcpdump, I could probably work it out from there. It would be extremely useful for us to be able to monitor all traffic on some of our more secure areas.

thanks
christo
 
Old 01-20-2003, 11:22 PM   #2
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,066
Blog Entries: 11

Rep: Reputation: 910
Just a technical question beforehand :)

Have you got switches on your network? :)
If so there's your "problem" - or rather, the only
way to make ethernet bearable ;)

Cheers,
Tink
 
Old 01-21-2003, 03:21 AM   #3
chr15t0
Member
 
Registered: Jun 2002
Location: London
Distribution: Slackware
Posts: 201

Original Poster
Rep: Reputation: 30
yes - in fact all our networks are switched. Is that going to change things?

thanks

christo
 
Old 01-21-2003, 04:54 PM   #4
ubien
Member
 
Registered: Oct 2002
Distribution: RH 8.0 and fluxbox
Posts: 122

Rep: Reputation: 15
switch = packets only get sent to the IP they are destined for. Hub = packets get broadcast across the network.
 
Old 01-21-2003, 05:40 PM   #5
chr15t0
Member
 
Registered: Jun 2002
Location: London
Distribution: Slackware
Posts: 201

Original Poster
Rep: Reputation: 30
of course - I should have realised that the switch keeps an ARP cache mapping all the MAC addresses and socket numbers, so packets are sent on straight to destination machines... which means that the only way to sniff a switched network would involve ARP cache poisoning, or even better MAC duplication - /me dives into the ifconfig docs..

christo
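
The hub/switch difference discussed in this thread, as an added example that is not part of any poster's reply: a toy model of which frames a promiscuous interface on one port receives behind a hub versus a learning switch, which forwards by the source MAC addresses it has learned per port. The MAC addresses, port numbers and traffic are constructed for illustration.

```python
"""Toy model of frame delivery on a hub versus a learning switch (constructed data)."""

BROADCAST = "ff:ff:ff:ff:ff:ff"

class Hub:
    """Repeats every frame out of every port except the one it arrived on."""
    def __init__(self, ports):
        self.ports = list(ports)

    def forward(self, in_port, src, dst):
        return [p for p in self.ports if p != in_port]

class LearningSwitch(Hub):
    """Learns source MAC -> port and sends known unicast to that one port only."""
    def __init__(self, ports):
        super().__init__(ports)
        self.mac_table = {}

    def forward(self, in_port, src, dst):
        self.mac_table[src] = in_port        # learn where the sender is attached
        out = self.mac_table.get(dst)
        if dst == BROADCAST or out is None:  # broadcast or unknown unicast: flood
            return [p for p in self.ports if p != in_port]
        return [] if out == in_port else [out]

def frames_seen(device, frames, sniffer_port):
    """Return the indexes of frames delivered to a promiscuous NIC on sniffer_port."""
    seen = []
    for i, (in_port, src, dst) in enumerate(frames):
        if sniffer_port in device.forward(in_port, src, dst):
            seen.append(i)
    return seen

# Constructed traffic: hosts A and B on ports 1 and 2, sniffer host S on port 3.
A, B, S = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"
FRAMES = [
    (1, A, BROADCAST),  # 0: broadcast from A (e.g. an ARP request)
    (2, B, A),          # 1: B's unicast reply to A
    (1, A, B),          # 2: A -> B data
    (2, B, A),          # 3: B -> A data
    (1, A, S),          # 4: A -> sniffer host (S not yet learned, so flooded)
    (3, S, A),          # 5: sniffer host's own reply (it is the sender)
]

if __name__ == "__main__":
    print("hub   :", frames_seen(Hub([1, 2, 3]), FRAMES, 3))
    print("switch:", frames_seen(LearningSwitch([1, 2, 3]), FRAMES, 3))
```

On the switch the sniffer port receives only the broadcast and the frame addressed to its own host, which matches what the original poster observed in Ethereal.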
 
All times are GMT -5.