Old 09-15-2007, 11:09 PM   #1
LinuxNewbie999
Member
 
Registered: Oct 2006
Distribution: FreeBSD
Posts: 162

Rep: Reputation: 30
how to view all the packets in LAN connected to switch


How am I able to pick up all the packets in the LAN which is connected to a switch? Is there any software that can sniff the packets from the LAN?
 
Old 09-15-2007, 11:50 PM   #2
farkus888
Member
 
Registered: Oct 2006
Distribution: usually use arch
Posts: 103

Rep: Reputation: 15
That would be very tricky. The problem is the way TCP/IP handles traffic: you will only get traffic meant for your interface and broadcast traffic. The switch is the only device that would normally see all of that traffic. I personally am setting up something like this to monitor all the traffic that leaves my network, but with it being between a switch and my cable modem it will only be able to see traffic headed for the Internet. Traffic headed peer to peer on my network is going to be missed because the switch handles it and forwards it before it gets to the firewall. That is fine for my purpose of catching dubious traffic from malware and blocking traffic from dubious sites such as doubleclick from ever touching my network. I am using Snort for scanning and pf for firewalling. More information about your exact goals might help us find a solution for you.
 
Old 09-16-2007, 12:09 AM   #3
Micro420
Senior Member
 
Registered: Aug 2003
Location: Berkeley, CA
Distribution: Mac OS X Leopard 10.6.2, Windows 2003 Server/Vista/7/XP/2000/NT/98, Ubuntux64, CentOS4.8/5.4
Posts: 2,986

Rep: Reputation: 45
They do make some types of hardware switches with a "mirror" port. You could plug in your network sniffing cable to see what is going on, but not all hardware switches have this. Other than that, I have no idea if you can sniff switches without this mirror port.
 
Old 09-16-2007, 03:59 AM   #4
andrewdodsworth
Member
 
Registered: Oct 2003
Location: United Kingdom
Distribution: SuSE 10.0 - 11.4
Posts: 347

Rep: Reputation: 30
What I have is a Linux machine between the switch and my modem/router to the Internet. It's a router/firewall as well as a few other internal server bits. I can then run wireshark or ntop or other monitoring software on it and see what's going on and indeed control it.
 
Old 09-18-2007, 09:57 PM   #5
hottdogg
Member
 
Registered: Aug 2004
Distribution: opensuse ,debian/ubuntu
Posts: 222

Rep: Reputation: 30
Based on my limited knowledge,
there are 2 kinds of n/w sniffing:
1) passive sniffing
2) active sniffing

What you want falls into the 2nd category, because of the way a switch/hub-switch works.
Somehow you have to redirect the traffic in your switched LAN to your computer; this is known as a Man In The Middle (MITM) attack. I think it's related to ARP poisoning/spoofing.
And then your computer must be capable of doing IP forwarding and something like that.

I tried passive sniffing successfully on a simple LAN using an old hub some time ago. Tried it with ettercap and wireshark.
But for active sniffing, I currently don't have the strong drive to do it. Needs more hard work... maybe sometime later.
But there are some tools you can use to explore sniffing a switched LAN. It's not that cutting-edge a method.
This is not an exhaustive list.
For win:
cain & abel
For lin:
ettercap
dsniff
thc parasite
wireshark( maybe? )

Oh...and try it in your own n/w! Trying this kind of stuff in office or public LAN might be illegal.

Let us know your result
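
Added example (not part of any post in this thread): the ARP poisoning mentioned in post #5 shows up on affected hosts as a gateway IP whose MAC address changes, or as one MAC answering for several IPs. The Python below checks two `arp -an` snapshots for both signs; the sample tables, addresses and interface name are constructed.

```python
import re
from collections import defaultdict

# Matches `arp -an` lines, e.g. "? (192.168.1.1) at 00:11:22:33:44:55 on em0"
ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s+at\s+"
    r"(?P<mac>[0-9a-fA-F]{1,2}(?::[0-9a-fA-F]{1,2}){5})\b"
)

def parse_arp_table(text):
    """Return {ip: mac} from `arp -an` output; incomplete entries are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            # Normalise so "0:1b:..." and "00:1B:..." compare equal.
            octets = m.group("mac").split(":")
            table[m.group("ip")] = ":".join(f"{int(o, 16):02x}" for o in octets)
    return table

def shared_macs(table):
    """MACs that answer for more than one IP within one snapshot."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

def changed_bindings(before, after):
    """IPs whose MAC differs between two snapshots: {ip: (old_mac, new_mac)}."""
    return {ip: (before[ip], mac) for ip, mac in after.items()
            if ip in before and before[ip] != mac}

# Constructed sample data: two snapshots of one host's ARP cache.
BASELINE = """\
? (192.168.1.1) at 00:11:22:33:44:55 on em0 expires in 1200 seconds [ethernet]
? (192.168.1.20) at aa:bb:cc:00:00:20 on em0 expires in 900 seconds [ethernet]
? (192.168.1.30) at (incomplete) on em0 expired [ethernet]
"""
LATER = """\
? (192.168.1.1) at AA:BB:CC:0:0:20 on em0 expires in 1190 seconds [ethernet]
? (192.168.1.20) at aa:bb:cc:00:00:20 on em0 expires in 880 seconds [ethernet]
"""

if __name__ == "__main__":
    old, new = parse_arp_table(BASELINE), parse_arp_table(LATER)
    for ip, (was, now) in changed_bindings(old, new).items():
        print(f"{ip}: MAC changed {was} -> {now}")
    for mac, ips in shared_macs(new).items():
        print(f"{mac} answers for {', '.join(ips)}")
```

A shared MAC is not always hostile: a router holding several addresses or proxy ARP produces the same pattern, so compare against a known-good baseline before acting on an alert.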
 
Old 09-20-2007, 06:49 AM   #6
LinuxNewbie999
Member
 
Registered: Oct 2006
Distribution: FreeBSD
Posts: 162

Original Poster
Rep: Reputation: 30
Thanks. I'll try it on my LAN. Hopefully I'll get good results.
 
Old 09-20-2007, 07:40 AM   #7
LinuxNewbie999
Member
 
Registered: Oct 2006
Distribution: FreeBSD
Posts: 162

Original Poster
Rep: Reputation: 30
I tried to install atk but got a configure error.

configure: error:
*** GLIB 2.0.0 or better is required. The latest version of
*** GLIB is always available from ftp://ftp.gtk.org/. If GLIB is installed
*** but not in the same location as pkg-config add the location of the file
*** glib-2.0.pc to the environment variable PKG_CONFIG_PATH.

I had GLIB-2.12 installed; maybe the location is not correct. How do I add the location of the file glib-2.0.pc to the environment variable PKG_CONFIG_PATH?
 
  


All times are GMT -5.