Re: Smart Hubs
Andrea Campi [EMAIL PROTECTED] writes:
> Linksys is sort of well known for playing this trick: they call entry level switches hub and reserve switch for higher-level equipment. Which is fine for people who just have to check email and play Quake, but screws you to no end when you actually need a hub :-/

Just flood the switch's MAC table (by sending packets with fake destination ethernet addresses) to force it into learning mode.

DES
--
Dag-Erling Smørgrav - [EMAIL PROTECTED]
___
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to [EMAIL PROTECTED]
RE: Smart Hubs
On Friday, September 09, 2005 3:40 PM, Ryan P. Sommers unleashed the infinite monkeys and produced:
> PS If anyone knows of a hub that's easy to find and still is an actual good ol' hub, let me know.

Not a hub, but a different solution - a network tap. They're designed to do exactly what you're looking for - allow sniffing of traffic from a link. Most taps require you to sniff the traffic on 2 ports, one for each direction. However NetOptics (and probably others) do a range of taps that aggregate the traffic onto a single cable.

--
Rob | Oh my God! They killed init! You bastards!
Smart Hubs
I'm attempting to set up a few systems such that I can sniff traffic to and from one computer. One requirement is this has to be as portable as possible.

I obtained a hub and set up the target and the sniffing system. However, the sniffing system was not able to see all traffic to/from the target. The lights on the hub blinked over the uplink (internet) and the target, but not the sniffer.

Next I tried my laptop as the sniffer (7-CURRENT, had tried both a Windows laptop and a laptop booted off a Linux live-filesystem). I was able to spoof the MAC address and IP on the sniffer (FreeBSD) and set monitor mode for the interface. However, I still was not able to see traffic to/from the target. The whole time though I have been able to, of course, see broadcast traffic.

With the spoofed IP/MAC though if I unplug the hub and then plug it back in, or periodically when leaving it plugged in, the sniffer will get a brief glimpse at a packet or two that was sent to the target system. This suggests to me the hub is learning, somehow. My question though is how?

I took the sniffer out of monitor mode and generated a few ARP packets by pinging unused IPs. I also ran ethereal on the target. The target saw the ARPs generated by the sniffer system and the source address was correct, it was the MAC address both systems were using. How is the hub able to tell these systems apart?

Hub in question is a Linksys NH1005 v2. All this was done at 100mbit full-duplex. FreeBSD laptop NIC won't drop to half and I'm not sure how to force Linux (target's OS) to use anything other than its auto-config.

PS If anyone knows of a hub that's easy to find and still is an actual good ol' hub, let me know.

--
Ryan Sommers
ryans a_t rpsommers.com (obsolete: [EMAIL PROTECTED])
Re: Smart Hubs
On Fri, Sep 09, 2005 at 08:39:30AM -0600, Ryan P. Sommers wrote:
> Hub in question is a Linksys NH1005 v2.
>
> PS If anyone knows of a hub that's easy to find and still is an actual good ol' hub, let me know.

Linksys is sort of well known for playing this trick: they call entry level switches hub and reserve switch for higher-level equipment. Which is fine for people who just have to check email and play Quake, but screws you to no end when you actually need a hub :-/

Google will tell you more about this, as well as suggesting real hubs. I'd recommend to go with Netgear.

Bye,
Andrea

--
Press every key to continue.
Re: Smart Hubs
On Fri, Sep 09, 2005 at 04:48:41PM +0200, Andrea Campi wrote:
> On Fri, Sep 09, 2005 at 08:39:30AM -0600, Ryan P. Sommers wrote:
>> Hub in question is a Linksys NH1005 v2.
>>
>> PS If anyone knows of a hub that's easy to find and still is an actual good ol' hub, let me know.
>
> Linksys is sort of well known for playing this trick: they call entry level switches hub and reserve switch for higher-level equipment. Which is fine for people who just have to check email and play Quake, but screws you to no end when you actually need a hub :-/
>
> Google will tell you more about this, as well as suggesting real hubs. I'd recommend to go with Netgear.

Alternatively, if you can get your hands on a second ethernet port for your sniffer box, make a passive tap:

http://www.snort.org/docs/tap/

-- Brooks

--
Any statement of the form X is the one, true Y is FALSE.
PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4
Re: Smart Hubs
On Fri, 9 Sep 2005, Brooks Davis wrote:
> On Fri, Sep 09, 2005 at 04:48:41PM +0200, Andrea Campi wrote:
>> On Fri, Sep 09, 2005 at 08:39:30AM -0600, Ryan P. Sommers wrote:
>>> Hub in question is a Linksys NH1005 v2.
>>>
>>> PS If anyone knows of a hub that's easy to find and still is an actual good ol' hub, let me know.
>>
>> Linksys is sort of well known for playing this trick: they call entry level switches hub and reserve switch for higher-level equipment. Which is fine for people who just have to check email and play Quake, but screws you to no end when you actually need a hub :-/
>>
>> Google will tell you more about this, as well as suggesting real hubs. I'd recommend to go with Netgear.
>
> Alternatively, if you can get your hands on a second ethernet port for your sniffer box, make a passive tap:

I came in kinda late to this thread, but if you're trying to find a hub/switch in order to sniff network traffic, then you can always go for a switch that lets you monitor traffic on other ports. I know the Cisco's will let you do this, but I'd be surprised if you couldn't find it on some other cheaper switches.

--
DE
Re: Smart Hubs
> I came in kinda late to this thread, but if you're trying to find a hub/switch in order to sniff network traffic, then you can always go for a switch that lets you monitor traffic on other ports. I know the Cisco's will let you do this, but I'd be surprised if you couldn't find it on some other cheaper switches.

Or if you have 3 NICs, use if_bridge. Or buy a really expensive managed switch, which allows you to mirror ports, VLANs etc.

Arne
Re: 'Smart' Hubs
On Fri, 9 Sep 2005, Brooks Davis wrote:
> On Fri, Sep 09, 2005 at 04:48:41PM +0200, Andrea Campi wrote:
>> On Fri, Sep 09, 2005 at 08:39:30AM -0600, Ryan P. Sommers wrote:
>> Google will tell you more about this, as well as suggesting real hubs. I'd recommend to go with Netgear.

Ya, this was something of a last minute job we needed to do. We tried googling around, this hub was mentioned to work on the Ethereal wiki. Must have been misreported.

> Alternatively, if you can get your hands on a second ethernet port for your sniffer box, make a passive tap:

This looks intriguing. Trouble is the 2nd port; as I mentioned we want this to be as portable as possible so we could deploy it in the field with minimal equipment outside what we normally carry on jobs. I'd like it to work with a laptop, if possible. A USB 10/100 jobby might do the trick.

> I came in kinda late to this thread, but if you're trying to find a hub/switch in order to sniff network traffic, then you can always go for a switch that lets you monitor traffic on other ports. I know the Cisco's will let you do this, but I'd be surprised if you couldn't find it on some other cheaper switches.

This is something I'm going to look into. I just didn't know off-hand what switches offered a monitor port, or what I'd be needing to spend.

What I'm actually thinking of doing is getting a Soekris net4801 (3 Ethernet ports). I could set it up with FreeBSD or miniBSD and set it to do a layer-2 bridge between two of the ports. I'm not sure if the bridge device allows it, but I could set all three up for bridging and then let one port be the sniffer. Or, I thought it would be nice to just set it up with 2 ports bridged and then use the 3rd port as the management port.

I might be able to run a firewire card off the net4801 provided there is enough power and then attach an IDE-Firewire for a storage drive. Then just run tcpdump on the net4801 on the bridge device and store it to the storage drive. Or set it up with something like SMB, NFS or FTP to pull capture files down over the management NIC port.

Either way, this is a small piece of equipment that could be portable and could allow us to use laptops for analyzing the traffic dumps. I've been looking for an excuse to get a net4801 to play with. :)

Thanks for the replies by the way.

--
Ryan Sommers
ryans a_t rpsommers.com (obsolete: [EMAIL PROTECTED])
Re: Smart Hubs
On Fri, 9 Sep 2005, Arne Schwabe wrote:
>> I came in kinda late to this thread, but if you're trying to find a hub/switch in order to sniff network traffic, then you can always go for a switch that lets you monitor traffic on other ports. I know the Cisco's will let you do this, but I'd be surprised if you couldn't find it on some other cheaper switches.
>
> Or if you have 3 NICs, use if_bridge. Or buy a really expensive managed switch, which allows you to mirror ports, VLANs etc.

Well, is $175.00 US expensive? The Netgear FS726T can be had for about that price, and according to Netgear's web site, will support port monitoring. A 24-port switch may not be small enough for you, but if you look around enough, you might find something that is.

--
DE
Re: Smart Hubs
On Sep 09, Daniel Eischen wrote:
> On Fri, 9 Sep 2005, Arne Schwabe wrote:
>>> I came in kinda late to this thread, but if you're trying to find a hub/switch in order to sniff network traffic, then you can always go for a switch that lets you monitor traffic on other ports. I know the Cisco's will let you do this, but I'd be surprised if you couldn't find it on some other cheaper switches.
>>
>> Or if you have 3 NICs, use if_bridge. Or buy a really expensive managed switch, which allows you to mirror ports, VLANs etc.
>
> Well, is $175.00 US expensive? The Netgear FS726T can be had for about that price, and according to Netgear's web site, will support port monitoring. A 24-port switch may not be small enough for you, but if you look around enough, you might find something that is.

I think it violates specifications, but how about a physical copper tap, like a two-headed cable? Has anybody ever tried something like this? Ethernet was designed in the days of shared media

Mike
Re: Smart Hubs
On Fri, Sep 09, 2005 at 01:28:49PM -0700, Mike Hunter wrote:
> On Sep 09, Daniel Eischen wrote:
>> On Fri, 9 Sep 2005, Arne Schwabe wrote:
>>>> I came in kinda late to this thread, but if you're trying to find a hub/switch in order to sniff network traffic, then you can always go for a switch that lets you monitor traffic on other ports. I know the Cisco's will let you do this, but I'd be surprised if you couldn't find it on some other cheaper switches.
>>>
>>> Or if you have 3 NICs, use if_bridge. Or buy a really expensive managed switch, which allows you to mirror ports, VLANs etc.
>>
>> Well, is $175.00 US expensive? The Netgear FS726T can be had for about that price, and according to Netgear's web site, will support port monitoring. A 24-port switch may not be small enough for you, but if you look around enough, you might find something that is.
>
> I think it violates specifications, but how about a physical copper tap, like a two-headed cable? Has anybody ever tried something like this? Ethernet was designed in the days of shared media

That would be what the link I posted earlier does. With full-duplex connections, you need two receive lines to get traffic in both directions, but it does in fact work.

-- Brooks

--
Any statement of the form X is the one, true Y is FALSE.
PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4
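A passive tap on a full-duplex link, as discussed in this thread, leaves the sniffer with two one-way captures, one per receive NIC. The following is an added example, not part of any poster's message: it merges two classic pcap files into one timestamp-ordered capture, assuming both NICs were captured on the same host so their clocks agree. All function names and the sample frames are constructed for illustration.

```python
import heapq
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap with microsecond timestamps

def read_pcap(data):
    """Yield (ts_sec, ts_usec, orig_len, frame) from classic pcap bytes."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    for endian in ("<", ">"):  # the writer's byte order is given by the magic
        if struct.unpack(endian + "I", data[:4])[0] == PCAP_MAGIC:
            break
    else:
        raise ValueError("not a classic microsecond pcap file")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if off + incl > len(data):
            break  # capture stopped mid-record: drop the partial frame
        yield sec, usec, orig, data[off:off + incl]
        off += incl

def write_pcap(records, snaplen=65535, linktype=1):
    """Serialise records as little-endian pcap (linktype 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)]
    for sec, usec, orig, frame in records:
        out.append(struct.pack("<IIII", sec, usec, len(frame), orig) + frame)
    return b"".join(out)

def merge_tap_captures(rx_a, rx_b):
    """Interleave the two one-way captures of a tap by capture timestamp."""
    merged = heapq.merge(read_pcap(rx_a), read_pcap(rx_b), key=lambda r: r[:2])
    return write_pcap(merged)

def sample_record(sec, usec, dst, src, payload):
    frame = bytes.fromhex(dst + src + "0800") + payload  # constructed frame
    return sec, usec, len(frame), frame

# Constructed sample: NIC A hears target->gateway, NIC B hears gateway->target.
TARGET, GATEWAY = "020000000001", "020000000002"
CAP_A = write_pcap([sample_record(100, 10, GATEWAY, TARGET, b"req1"),
                    sample_record(100, 900, GATEWAY, TARGET, b"req2")])
CAP_B = write_pcap([sample_record(100, 450, TARGET, GATEWAY, b"rsp1"),
                    sample_record(101, 5, TARGET, GATEWAY, b"rsp2")])

if __name__ == "__main__":
    for sec, usec, _, frame in read_pcap(merge_tap_captures(CAP_A, CAP_B)):
        print(f"{sec}.{usec:06d} {frame[6:12].hex()} -> {frame[:6].hex()}")
```

On real capture files, the mergecap tool shipped with Ethereal/Wireshark does the same job.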
Re: Smart Hubs
On Fri, Sep 09, 2005 at 02:44:56PM -0400, Daniel Eischen wrote:
> On Fri, 9 Sep 2005, Brooks Davis wrote:
>> On Fri, Sep 09, 2005 at 08:39:30AM -0600, Ryan P. Sommers wrote:
>>> Hub in question is a Linksys NH1005 v2.
>>>
>>> PS If anyone knows of a hub that's easy to find and still is an actual good ol' hub, let me know.
>> ...
>> Alternatively, if you can get your hands on a second ethernet port for your sniffer box, make a passive tap:
>
> I came in kinda late to this thread, but if you're trying to find a hub/switch in order to sniff network traffic, then you can always go for a switch that lets you monitor traffic on other ports. I know the Cisco's will let you do this, but I'd be surprised if you couldn't find it on some other cheaper switches.

I think most managed switches let you do this. The keyword being managed and a managed switch is always going to be far more expensive than a hub. This is mostly useful if you already have the infrastructure in place and just want to look at one of the systems attached to the switch.

Note that both hubs and port cloning imply bandwidth limitations: All the traffic to and from the target system has to be transmitted to your sniffer on a single link. This limits you to half-duplex speed. Depending on your requirements, this may or may not be a problem. If it is, you are going to be very careful about specifying and configuring your sniffer box to make sure it can actually handle the traffic load.

Overall, I also recommend using dual NICs to create a passive tap.

--
Peter Jeremy
Re: Smart Hubs
On Sat, 10 Sep 2005, Peter Jeremy wrote:
> On Fri, Sep 09, 2005 at 02:44:56PM -0400, Daniel Eischen wrote:
>> On Fri, 9 Sep 2005, Brooks Davis wrote:
>>> On Fri, Sep 09, 2005 at 08:39:30AM -0600, Ryan P. Sommers wrote:
>>>> Hub in question is a Linksys NH1005 v2.
>>>>
>>>> PS If anyone knows of a hub that's easy to find and still is an actual good ol' hub, let me know.
>>> ...
>>> Alternatively, if you can get your hands on a second ethernet port for your sniffer box, make a passive tap:
>>
>> I came in kinda late to this thread, but if you're trying to find a hub/switch in order to sniff network traffic, then you can always go for a switch that lets you monitor traffic on other ports. I know the Cisco's will let you do this, but I'd be surprised if you couldn't find it on some other cheaper switches.
>
> I think most managed switches let you do this. The keyword being managed and a managed switch is always going to be far more expensive than a hub. This is mostly useful if you already have the infrastructure in place and just want to look at one of the systems attached to the switch.

Like I pointed out, though, it isn't as expensive as you think ($175 US for the Netgear). That's equivalent to about 2 hours of labor time at the rate my company charges.

--
DE