Bob,
        I've seen a couple of packages that do what you describe. Some are white 
hat, most are not. I've only looked at one of the whitehat solutions and I am not sure 
how that software worked. I do know that it generated a LOT of traffic so it won't 
work for what I wanted at the time. 
        The other packages work mainly on older switches by filling up the MAC table 
on the switch with junk MAC addresses. Once this table is full the switch basically 
gives up and stops being a switch and turns into a VERY expensive hub. The depth of 
the MAC table varies from switch to switch. Most of the older ones I have looked at 
have a table that is around 20000 entries deep. Some of the newer switches have deeper 
(larger?) tables and have software in place to prevent "Switch Jamming" or "MAC 
flooding" (not sure how this works, but I do know that it is next to near impossible 
to flood our Cisco and HP Procurve switches).      
        As for your idea of sticking a hub between the switch and the gateway, all I can 
say is DOH. That would have been a much easier method. Especially considering it could 
be done with any cheap 10 Mb hub.

Garl

-----Original Message-----
From: Bob Miller [mailto:[EMAIL PROTECTED]
Sent: Monday, March 03, 2003 11:52 PM
To: [EMAIL PROTECTED]
Subject: Re: [Eug-lug]network monitoring?


Timothy Bolz wrote:

> I am directly connected to a switch and all the homepna switches are 
> connected to the same switch.  I have one of the fastest connections.  So it 
> sounds like I can use Ethereal and possibly ntop.   Ntop looks like it would 
> work nice.  Ethereal looks more invasive than I'd like to get.  Ntop also 
> looks like it has a nice web interface and I like the fact it shows the time 
> the most traffic is.  So it looks like anyone on a network can run ntop?  

Garl described what you can do with a managed switch.  Here's what
you can do if you don't have a managed switch or you don't have
permission to manage it.  (But you do have access to the physical
wiring.)

Assuming that you have something like this.

                                                       +------|--- room
 Internet --- dsl modem --- trinicor gateway --------- |switch|--- room
                                                       +------|--- room

You can insert your own hub and monitoring PC like this.

                                              yourPC
                                                 |     +------|--- room
 Internet --- dsl modem --- trinicor gateway --  |  -- |switch|--- room
                                               | | |   +------|--- room
                                               -----
                                                hub

All the traffic passes through the wire between the gateway and the
switch, and it is not NATted -- everybody still has his own IP
address.  So if you can tap in there, you can sniff all traffic.

If you tap in to the left of the gateway, you'll only see a single IP
address and it will be hard to distinguish rooms.  If you tap in to
the right of the switch, you'll only see traffic destined to a single
room.

Does that make sense?

I have seen a program (in the openbsd ports collection, I think) that
would fool an unmanaged switch into sending all traffic to it.  I
think it watched the source MAC address of broadcast packets (e.g.,
ARP), then sent out more packets with the same source MAC address.
But I can't find that program now.  Sorry.

-- 
Bob Miller                              K<bob>
kbobsoft software consulting
http://kbobsoft.com                     [EMAIL PROTECTED]
_______________________________________________
Eug-LUG mailing list
[EMAIL PROTECTED]
http://mailman.efn.org/cgi-bin/listinfo/eug-lug
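
A toy model of the switch behaviour Garl describes above, added here as an example and not part of the original thread: when the MAC table is full, frames for hosts the switch could not learn are flooded to every port, while a per-port cap on learned addresses keeps forwarding unicast. The cap is one common way such protection is built and is an assumption here; the class, table size, port numbers and addresses are all constructed.

```python
# Added illustration; table size, port numbers and MACs are constructed values.
BCAST = "ff:ff:ff:ff:ff:ff"

class LearningSwitch:
    def __init__(self, ports, table_size, per_port_limit=None):
        self.ports = set(ports)
        self.table_size = table_size          # total MAC table entries
        self.per_port_limit = per_port_limit  # None = no per-port cap
        self.table = {}                       # source MAC -> port it was seen on
        self.shutdown = set()                 # ports disabled after a violation

    def receive(self, in_port, src, dst):
        """Handle one frame and return the set of ports it is sent out of."""
        if in_port in self.shutdown:
            return set()
        if src not in self.table:
            on_port = sum(1 for p in self.table.values() if p == in_port)
            if self.per_port_limit is not None and on_port >= self.per_port_limit:
                # Too many addresses behind one port: disable it, forget its entries.
                self.shutdown.add(in_port)
                self.table = {m: p for m, p in self.table.items() if p != in_port}
                return set()
            if len(self.table) < self.table_size:
                self.table[src] = in_port     # normal learning
            # else: table is full, so this source is never learned
        if dst in self.table:
            return {self.table[dst]}          # known destination: one port only
        # Unknown destination or broadcast: flood like a hub.
        return self.ports - {in_port} - self.shutdown

def run_scenario(per_port_limit):
    """Return (ports that receive a frame from host A to host B, switch)."""
    sw = LearningSwitch(ports=[1, 2, 3, 4], table_size=8,
                        per_port_limit=per_port_limit)
    host_a, host_b = "aa:00:00:00:00:01", "aa:00:00:00:00:02"
    sw.receive(1, host_a, BCAST)              # host A is learned on port 1
    for i in range(20):                       # port 4 shows 20 junk source MACs
        sw.receive(4, f"02:00:00:00:00:{i:02x}", BCAST)
    sw.receive(2, host_b, BCAST)              # host B speaks for the first time
    return sw.receive(1, host_a, host_b), sw

if __name__ == "__main__":
    print("no cap:     ", sorted(run_scenario(None)[0]))
    print("cap of 2:   ", sorted(run_scenario(2)[0]))
```

Without the cap, the frame from host A to host B leaves on every other port because host B never fit in the table; with the cap, port 4 is disabled and the frame goes to host B's port alone.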