Sniffing
I am trying to set up a sniffer on my network. I am using a 3Com4400 switch. I can't find where to set up a port as a monitor port, so I can monitor all traffic on the switch. Anyone know how to do this on a 3Com switch? I can sort of monitor the health of the switch through the management software, but I really want an idea of packet count.
- TheManiacal1
- Posts: 1087
- Joined: Wed Nov 22, 2000 11:40 am
- Location: Chicago, IL
well you have to remember that the nature of "switching" usually prevents you from sniffing all traffic (w/ exception to broadcast traffic). what security expert Laura Chappell says to do is "hub out". find your suspect user(s), disconnect them from the switch, connect them to a hub (a non-switching hub), and sniff away. suggested packet analyzers include: NAI's Sniffer and WildPacket's EtherPeek.
"You know the world is going crazy when the best rapper is a white guy, the best golfer is a black guy, the tallest guy in the NBA is Chinese, and the Swiss hold the America's Cup, France is accusing the U.S. of arrogance, Germany doesn't want to go to war, and the three most powerful men in America are named Bush, Dick, and Colon... Need I say more?"
- Chris Rock
------
"War never solved anything... Except for slavery, Fascism, Nazism, and creating the USA..."
- TheManiacal1
- Posts: 1087
- Joined: Wed Nov 22, 2000 11:40 am
- Location: Chicago, IL
yeah, you can do that... depending on the particular model however. there is something known as a "man in the middle" attack which simulates hubbing a port out but i'm not familiar enough with it to explain how to do it.
You are right about not being able to sniff on a switched network, because not all the traffic is broadcast... BUT programs do exist to sniff network traffic on a switched network. For sniffing on a hub I recommend Ethereal, but for the switched network use Ettercap. Might be a pain to get going in Windows but it is possible. It's all based on man in the middle attacks, which occur at the link layer. Hope I've helped, use Google and do some reading.
Magexx9
PS. DO NOT, I REPEAT DO NOT run ettercap if you are directly connected to a cable modem... You might get a nasty phone call