Ethereal

31/05/2006, 21h33

Hi,

I would like to sniff packet for a TCP/IP device (not a PC) in my
network. This device "talk" with another device ans I would like to
see the traffic between this two device.
I scan all the traffic with Ethereal, but I see just the traffic that I
receive (the PC with Ethereal) and the brodcast.

Someone know what is my problem?

Thanks.

31/05/2006, 22h15

Mtn_bikers ha escrito:

> Hi,
>
> I would like to sniff packet for a TCP/IP device (not a PC) in my
> network. This device "talk" with another device ans I would like to
> see the traffic between this two device.
> I scan all the traffic with Ethereal, but I see just the traffic that I
> receive (the PC with Ethereal) and the brodcast.
>
> Someone know what is my problem?
>
> Thanks.

How are all those devices connected??? I guess they are using a
switch...that would explain
what you are seeing. If that is the case, try using span ports.

Lokke.

31/05/2006, 22h29

Mtn_bikers <mtn_bikers@msn.com> wrote:
> I would like to sniff packet for a TCP/IP device (not a PC) in my
> network. This device "talk" with another device ans I would like to
> see the traffic between this two device. I scan all the traffic
> with Ethereal, but I see just the traffic that I receive (the PC
> with Ethereal) and the brodcast.

Assuming your systems are all connected via a switch or switches...

Switches perform "traffic isolation." The switch will "learn" on which
port it sees a given MAC (ethernet) address as a source and will then
send traffic destined to that MAC only to that port. Nodes on other
ports will not see the traffic even if their interfaces are in
promiscuous mode.

You either need to connect the system of interest and the sniffing
system with a _hub_ (not a switch, not a bogusly named "switching
hub") that you then connect to the switch port of the system of
interest.

Otherwise, if you have a sufficiently capable switch, you can
designate a port to be a "monitor port" or somesuch name (varies by
switch) and that traffic to/from another port should be
mirrored/monitored onto that port.

rick jones
--
a wide gulf separates "what if" from "if only"
these opinions are mine, all mine; HP might not want them anyway...

feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...

31/05/2006, 23h12

From: "Mtn_bikers" <mtn_bikers@msn.com>

| Hi,
|
| I would like to sniff packet for a TCP/IP device (not a PC) in my
| network. This device "talk" with another device ans I would like to
| see the traffic between this two device.
| I scan all the traffic with Ethereal, but I see just the traffic that I
| receive (the PC with Ethereal) and the brodcast.
|
| Someone know what is my problem?
|
| Thanks.

The PC with Ethereal needs to be on a hub, not an Ethwernet Switch, and needs a promiscuous
NIC and drivers on the same network as the TCP/IP device/appliance.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

01/06/2006, 13h22

The PC with ethereal is on the same "HUB" of my first device. If I
telnet the device from this PC I saw the packet but if the device talk
to another device, I don't see anything.

01/06/2006, 22h13

From: "Mtn_bikers" <mtn_bikers@msn.com>

|
| The PC with ethereal is on the same "HUB" of my first device. If I
| telnet the device from this PC I saw the packet but if the device talk
| to another device, I don't see anything.

You need to have a promiscuous LAN adapter on the Ethereal based platform.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

01/06/2006, 22h48

Mtn_bikers <mtn_bikers@msn.com> wrote:
> The PC with ethereal is on the same "HUB" of my first device. If I
> telnet the device from this PC I saw the packet but if the device talk
> to another device, I don't see anything.

Since you put "HUB" in quotes, is it at all possible that it is really
a switch? I'm not sure it is conclusive, but if you can get
full-duplex, I believe that means it is a switch and not a hub and so
the previous post(s) about switches and traffic isolation would apply.

Assuming of course that ethereal is indeed putting the interface into
promiscuous mode.

rick jones
--
Wisdom Teeth are impacted, people are affected by the effects of events.
these opinions are mine, all mine; HP might not want them anyway...

feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...

31/05/2006, 21h33	#1
Mtn_bikers Messages: n/a Hébergeur:	Ethereal Hi, I would like to sniff packet for a TCP/IP device (not a PC) in my network. This device "talk" with another device ans I would like to see the traffic between this two device. I scan all the traffic with Ethereal, but I see just the traffic that I receive (the PC with Ethereal) and the brodcast. Someone know what is my problem? Thanks.

31/05/2006, 22h15	#2
lokke Messages: n/a Hébergeur:	Re: Ethereal Mtn_bikers ha escrito: > Hi, > > I would like to sniff packet for a TCP/IP device (not a PC) in my > network. This device "talk" with another device ans I would like to > see the traffic between this two device. > I scan all the traffic with Ethereal, but I see just the traffic that I > receive (the PC with Ethereal) and the brodcast. > > Someone know what is my problem? > > Thanks. How are all those devices connected??? I guess they are using a switch...that would explain what you are seeing. If that is the case, try using span ports. Lokke.

31/05/2006, 22h29	#3
Rick Jones Messages: n/a Hébergeur:	Re: Ethereal Mtn_bikers <mtn_bikers@msn.com> wrote: > I would like to sniff packet for a TCP/IP device (not a PC) in my > network. This device "talk" with another device ans I would like to > see the traffic between this two device. I scan all the traffic > with Ethereal, but I see just the traffic that I receive (the PC > with Ethereal) and the brodcast. Assuming your systems are all connected via a switch or switches... Switches perform "traffic isolation." The switch will "learn" on which port it sees a given MAC (ethernet) address as a source and will then send traffic destined to that MAC only to that port. Nodes on other ports will not see the traffic even if their interfaces are in promiscuous mode. You either need to connect the system of interest and the sniffing system with a _hub_ (not a switch, not a bogusly named "switching hub") that you then connect to the switch port of the system of interest. Otherwise, if you have a sufficiently capable switch, you can designate a port to be a "monitor port" or somesuch name (varies by switch) and that traffic to/from another port should be mirrored/monitored onto that port. rick jones -- a wide gulf separates "what if" from "if only" these opinions are mine, all mine; HP might not want them anyway... feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...

31/05/2006, 23h12	#4
David H. Lipman Messages: n/a Hébergeur:	Re: Ethereal From: "Mtn_bikers" <mtn_bikers@msn.com> \| Hi, \| \| I would like to sniff packet for a TCP/IP device (not a PC) in my \| network. This device "talk" with another device ans I would like to \| see the traffic between this two device. \| I scan all the traffic with Ethereal, but I see just the traffic that I \| receive (the PC with Ethereal) and the brodcast. \| \| Someone know what is my problem? \| \| Thanks. The PC with Ethereal needs to be on a hub, not an Ethwernet Switch, and needs a promiscuous NIC and drivers on the same network as the TCP/IP device/appliance. -- Dave http://www.claymania.com/removal-trojan-adware.html http://www.ik-cs.com/got-a-virus.htm

01/06/2006, 13h22	#5
Mtn_bikers Messages: n/a Hébergeur:	Re: Ethereal The PC with ethereal is on the same "HUB" of my first device. If I telnet the device from this PC I saw the packet but if the device talk to another device, I don't see anything.

01/06/2006, 22h13	#6
David H. Lipman Messages: n/a Hébergeur:	Re: Ethereal From: "Mtn_bikers" <mtn_bikers@msn.com> \| \| The PC with ethereal is on the same "HUB" of my first device. If I \| telnet the device from this PC I saw the packet but if the device talk \| to another device, I don't see anything. You need to have a promiscuous LAN adapter on the Ethereal based platform. -- Dave http://www.claymania.com/removal-trojan-adware.html http://www.ik-cs.com/got-a-virus.htm

01/06/2006, 22h48	#7
Rick Jones Messages: n/a Hébergeur:	Re: Ethereal Mtn_bikers <mtn_bikers@msn.com> wrote: > The PC with ethereal is on the same "HUB" of my first device. If I > telnet the device from this PC I saw the packet but if the device talk > to another device, I don't see anything. Since you put "HUB" in quotes, is it at all possible that it is really a switch? I'm not sure it is conclusive, but if you can get full-duplex, I believe that means it is a switch and not a hub and so the previous post(s) about switches and traffic isolation would apply. Assuming of course that ethereal is indeed putting the interface into promiscuous mode. rick jones -- Wisdom Teeth are impacted, people are affected by the effects of events. these opinions are mine, all mine; HP might not want them anyway... feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...

Outils de la discussion
Afficher une version imprimable Envoyer un lien vers cette page par email