If we're speaking of a hub rather than a switch, you can plug into any port
and sniff the traffic.  A hub runs at the physical layer, while a switch
operates more at the MAC portion of the Data Link of the good old OSI stack.

A switch is designed to deliver only traffic destined for a specific port -
not to flood all traffic to each port, and let the end devices (your
computer) figure out what is for it and not.  As to what port to mirror -
depends on who the source or destination is.  Suppose you could mirror all
of them, but that sometimes can be done, other times not.

But, what Roger is saying is to capture the traffic BEFORE it gets to the
switches.  All of your traffic is going to have to go through some Layer 3
device.  Once it gets to the switches, your opportunity to capture it has
just diminished to pure chance.

Rick Kingslan  MCSE, MCSA, MCT, CISSP
Microsoft MVP:
Windows Server / Directory Services
Windows Server / Rights Management
Windows Security (Affiliate)
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food
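Roger's two-step hunt, quoted further down in this thread (filter the capture taken at the egress router for the worm's destination port, note the sender MAC, then match that MAC against the router's ARP table to recover the real IP), worked through as an added example. This is not code from the thread or from anyone on the list; the frames and the ARP table are constructed, all addresses are made up, and only tcp/10000 comes from Tom's description. It also covers the case Roger mentions where the MAC has no ARP entry yet and a ping sweep is needed first.

```python
"""Trace spoofed-source worm traffic back to the real host via its MAC.

Added example, not code from the ActiveDir thread. It walks Roger's two
steps on constructed data: (1) filter a capture taken on the router's
inside interface for frames to the worm's destination port and note each
sender's MAC; (2) match those MACs against the router's ARP table, which
holds the real IP learned from the host's legitimate traffic.
"""
from collections import defaultdict
from dataclasses import dataclass

WORM_DST_PORT = 10000  # tcp/10000, the port named in the thread


@dataclass(frozen=True)
class Frame:
    """One captured frame, reduced to the fields the hunt needs."""
    src_mac: str
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


# Constructed capture (all addresses made up). Two hosts spoof random source
# IPs on tcp/10000; the same hosts also carry normal traffic under their real IPs.
CAPTURE = [
    Frame("00:11:22:33:44:01", "10.0.0.11", "10.0.0.1", 53, "udp"),
    Frame("00:11:22:33:44:02", "198.51.100.77", "203.0.113.9", 10000),
    Frame("00:11:22:33:44:02", "192.0.2.200", "203.0.113.9", 10000),
    Frame("00:11:22:33:44:03", "10.0.0.13", "10.0.0.1", 445),
    Frame("00:11:22:33:44:04", "172.16.9.9", "203.0.113.9", 10000),
    Frame("00:11:22:33:44:04", "10.0.0.14", "10.0.0.1", 80),
    Frame("00:11:22:33:44:05", "10.9.9.9", "203.0.113.9", 10000),  # no ARP entry yet
    Frame("00:11:22:33:44:01", "10.0.0.11", "10.0.0.1", 10000, "udp"),  # wrong proto, ignored
]

# Constructed ARP table (IP -> MAC) as the router would hold it. 44:05 is
# deliberately absent: that is the case Roger covers with the ping sweep.
ARP_TABLE = {
    "10.0.0.11": "00:11:22:33:44:01",
    "10.0.0.12": "00:11:22:33:44:02",
    "10.0.0.13": "00:11:22:33:44:03",
    "10.0.0.14": "00:11:22:33:44:04",
}


def suspect_macs(frames, dst_port=WORM_DST_PORT, proto="tcp"):
    """Step 1: source MAC of every frame to the worm port, with the source IPs
    each MAC claimed. Returns {mac: set(claimed_ips)}."""
    seen = defaultdict(set)
    for f in frames:
        if f.proto == proto and f.dst_port == dst_port:
            seen[f.src_mac.lower()].add(f.src_ip)
    return dict(seen)


def mac_to_ip(arp_table):
    """Invert the router's ARP table so it can be searched by MAC."""
    return {mac.lower(): ip for ip, mac in arp_table.items()}


def resolve_infected(frames, arp_table, dst_port=WORM_DST_PORT):
    """Step 2: pair each suspect MAC with the IP the ARP table holds for it.

    Returns a list of (mac, real_ip, spoofed_ips) sorted by MAC. real_ip is
    None when the MAC has no ARP entry yet (ping-sweep the LAN and re-run);
    spoofed_ips are the claimed source IPs that differ from the real one.
    """
    lookup = mac_to_ip(arp_table)
    report = []
    for mac, claimed in sorted(suspect_macs(frames, dst_port).items()):
        real_ip = lookup.get(mac)
        spoofed = sorted(ip for ip in claimed if ip != real_ip)
        report.append((mac, real_ip, spoofed))
    return report


if __name__ == "__main__":
    for mac, real_ip, spoofed in resolve_infected(CAPTURE, ARP_TABLE):
        where = real_ip or "no ARP entry - ping sweep the LAN and re-run"
        print(f"{mac}  ->  {where}  (spoofed sources: {', '.join(spoofed)})")
```

In practice the frames would come from a capture on the router's inside interface or a mirrored port feeding it, which is exactly the point made above about doing this before the switch: once the frames have been switched, a sniffer on an arbitrary port sees only its own traffic. The MAC is the pivot because the worm rewrites the IP header, not the Ethernet source.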
 
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of rubix cube
Sent: Sunday, December 26, 2004 12:07 AM
To: [email protected]
Subject: Re: [ActiveDir] worm (very very OT)

do I need to mirror a specific port? Which one?
Why can't I connect to any available port on that switch and sniff the
network? 
thanks
rubix 


On Thu, 23 Dec 2004 14:01:51 -0500, Candee Vaglica <[EMAIL PROTECTED]> wrote:
> That's what I meant.
> ;)
> Thanks, Roger.
> 
> On Thu, 23 Dec 2004 10:59:56 -0800, Roger Seielstad 
> <[EMAIL PROTECTED]> wrote:
> > The way to track this down is to network scan on your egress 
> > router's interface. It should be relatively trivial to filter for 
> > the traffic based on destination port, and that will give you the 
> > MAC address of the sender (that is VERY much harder to spoof - not 
> > impossible, but a heck of a lot harder).
> >
> > From that, you can look at the ARP table of the router and the MAC address
> > will be there from the *valid* traffic the machine is doing. You can 
> > guarantee that by ping sweeping the LAN, just in case. Then you're 
> > just matching MAC to MAC and you get the right IP address.
> >
> > Heck, I think there's perl code that will do most of that for you - 
> > I know we've got a MAC hunter app at work that does something 
> > similar to this to find the name of machines when all we have is a MAC address.
> >
> > --------
> > Roger Seielstad
> > E-mail Geek & MS-MVP
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
> > > Sent: Thursday, December 23, 2004 8:30 AM
> > > To: [email protected]
> > > Subject: RE: [ActiveDir] worm (very very OT)
> > >
> > > we're a switched network. i'd have to go to every pc(500) and run 
> > > it. i'm trying to avoid that. might as well run netstat -an on all 
> > > pc's.
> > >
> > > ethereal won't tell me the real address.
> > >
> > > thanks
> > >
> > > -----Original Message-----
> > > From: Candee Vaglica [mailto:[EMAIL PROTECTED]
> > > Sent: Thursday, December 23, 2004 11:16 AM
> > > To: [email protected]
> > > Subject: Re: [ActiveDir] worm (very very OT)
> > >
> > >
> > > Use a network scanner, like Ethereal to monitor the traffic.
> > >
> > >
> > > On Thu, 23 Dec 2004 11:11:43 -0500, Kern, Tom <[EMAIL PROTECTED]> 
> > > wrote:
> > > > this is way off and i apologize but you guys are really
> > > > knowledgeable and such a great help, i thought i'd try here.
> > > >
> > > > i have a number of pc's infected with some worm that goes
> > > > out on port 10000 tcp and tries to attempt a DOS attack.
> > > >
> > > > I don't know the worm and a google search didn't really
> > > > turn anything up.
> > > >
> > > > here's the thing. the worm uses a spoofed source address.
> > > > my question is, is there any way to track down a spoofed address
> > > > internally to the real address?
> > > >
> > > > I don't know how to find the infected pc's.
> > > >
> > > > thanks
> > > > List info   : http://www.activedir.org/mail_list.htm
> > > > List FAQ    : http://www.activedir.org/list_faq.htm
> > > > List archive:
> > > > http://www.mail-archive.com/activedir%40mail.activedir.org/
> > > >
> > >
> > >
> >
> >
>

