Revision 1 as of 2005-02-12 21:47:28
Size: 6345
Editor: GuyHarris
Comment: Capture setup page for Ethernet.
= Ethernet capture setup =

This page explains the basics of capturing on ["Ethernet"] networks.

The Ethernet hardware on the network interface card (NIC) filters all packets received, and forwards only the ["Unicast"]/["Multicast"] packets destined for this specific host and all ["Broadcast"] packets to the software layers.

To see/capture all packets received by the NIC, you can set your NIC into promiscuous mode, so that the filter mentioned above is simply switched off and all packets received are forwarded to the software layers.

== Shared Ethernet ==

In the old days, Ethernets used shared networks (using shared media or hubs) to connect the Ethernet nodes together, meaning all Ethernet packets were received by all nodes on that network.

As all packets to all nodes arrive at the receiving NIC, switching that NIC to promiscuous mode really does let you capture all packets on that Ethernet network.

== Switched Ethernet ==

Today, a typical Ethernet network will use switches to connect the Ethernet nodes together. This can increase network performance a lot, but makes life much harder for capturing packets.

An Ethernet switch does a similar thing to the Ethernet hardware mentioned above, but inside the switch. It filters all packets received, and forwards only the ["Unicast"]/["Multicast"] packets destined for the specific host and all ["Broadcast"] packets to that Ethernet node's port.

As the network interface card doesn't even see packets not destined for it, it makes no difference whether that NIC is switched to promiscuous mode or not.

The following describes some methods to work around this problem.

=== Capture on the machine you're interested in ===

If you only need the capture data from a specific host, try to capture on that machine.

 * Advantage: Easy to use
 * Disadvantage: Other traffic not available

=== Capture using an Ethernet hub ===

If you have an "old" Ethernet hub available, put it inside the Ethernet line you want to capture from. This could be the line between a switch and a node or between two switches.

Beware that this will interrupt network traffic while you plug the cables!

A hub is a half-duplex device, so this method will affect network performance if the line was running in EthernetFullDuplex mode. This is not optimal for network troubleshooting.

 * Advantage: Often such a hub is available
 * Disadvantage: Will affect EthernetFullDuplex traffic

=== Capture using a monitor mode of the switch ===

Some Ethernet switches, namely the more expensive manageable ones, have a monitor mode. This monitor mode can dedicate a port to connect your (Ethereal) capturing device. It's sometimes called 'port mirroring', 'port monitoring', 'Roving Analysis' (3Com), or 'Switched Port Analyzer' or 'SPAN' (Cisco). Using the switch management, you can select both the monitoring port and assign a specific port you wish to monitor. Actual procedures vary between switch models; you may need to use a terminal emulator, specialised SNMP client software or (more recently) a Web browser. Caution: the monitoring port must be at least as fast as the monitored port, or you will certainly lose packets.

See SwitchReference for details about specific switch models.

Rumour has it that some switches can mirror the whole throughput of the switch to a monitor port. As a switch can transfer more traffic than a single line can carry, you are unlikely to see all traffic in that case.

 * Advantage: Easy to use if such a switch is available
 * Disadvantage: Expensive switch needed, capture packet loss at high traffic

=== Capture using a network tap ===

Several vendors offer network taps, which can be plugged into a line.

These taps have four connectors: two for the existing line and two outputs, one for each direction of the EthernetFullDuplex traffic.

To use these taps, you have to capture both outputs. As Ethereal cannot capture from two interfaces at once, you have to start two Ethereal instances for capturing and merge the resulting capture files together.

On most Unix systems, including Red Hat, two Ethernet ports can be bonded, and Ethereal can use the bonded interface. This prevents having to run two instances of Ethereal and merging them together. For more information, check on bonding for your OS type.

 * Advantage: All packets of EthernetFullDuplex traffic can be captured, won't affect Ethernet traffic
 * Disadvantage: Costly, uncomfortable to work with (until Ethereal is able to capture from multiple interfaces)
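The merge step described above, as an added example that is not code from the original page or from Ethereal/Wireshark: it combines the two one-direction capture files a tap produces into one file ordered by timestamp, which is what Wireshark's mergecap does. It assumes both files are classic little-endian, microsecond-resolution pcap files written on the same host clock; the sample frames are constructed.

```python
# Added example, not code from the original page: merge the two one-direction
# capture files produced by a full-duplex tap into a single file ordered by
# timestamp. Classic pcap format only, standard library only.
import struct

PCAP_MAGIC = 0xA1B2C3D4       # microsecond-resolution pcap, little-endian here
LINKTYPE_ETHERNET = 1

def pcap_global_header(snaplen=65535):
    # magic, version 2.4, thiszone, sigfigs, snaplen, linktype (24 bytes)
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)

def pcap_record(ts_sec, ts_usec, frame):
    # ts_sec, ts_usec, incl_len, orig_len (16 bytes), then the frame bytes
    return struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame

def read_pcap(data):
    """Yield (ts_sec, ts_usec, frame) for every record in a little-endian pcap blob."""
    if struct.unpack("<I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap file")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield ts_sec, ts_usec, data[off:off + incl_len]
        off += incl_len

def merge_pcaps(blob_a, blob_b):
    """Return one pcap blob holding the records of both inputs in timestamp order."""
    records = list(read_pcap(blob_a)) + list(read_pcap(blob_b))
    records.sort(key=lambda r: (r[0], r[1]))   # stable sort, so ties keep input order
    return pcap_global_header() + b"".join(pcap_record(*r) for r in records)

# Constructed sample input: one file per tap output. The "frames" are short
# labelled byte strings standing in for real Ethernet frames.
A_TO_B = pcap_global_header() + pcap_record(1, 100, b"A->B #1") + pcap_record(1, 300, b"A->B #2")
B_TO_A = pcap_global_header() + pcap_record(1, 200, b"B->A #1") + pcap_record(1, 400, b"B->A #2")

def merged_frames():
    """Frame payloads of the merged file, in the order they appear."""
    return [frame for _, _, frame in read_pcap(merge_pcaps(A_TO_B, B_TO_A))]

if __name__ == "__main__":
    with open("tap-merged.pcap", "wb") as f:
        f.write(merge_pcaps(A_TO_B, B_TO_A))
    print(merged_frames())
```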

=== Capture using MITM (Man-In-The-Middle) software ===
To capture packets going between two computers on a switched network, you can use a MITM attack (ARP poisoning). This type of attack fools the two computers into thinking that your MAC address is the MAC address of the other machine. This in turn makes the switch forward all of their traffic to your computer, where you can sniff it and then send the traffic along as if nothing ever happened. This type of attack can cause havoc on some switches and LANs, so use it carefully. Please do not try this on any LAN other than your own.

See [ Ettercap - ARP Poisoning HowTo] for more info.

 * Advantage: Cheap
 * Disadvantage: Can confuse switches, capture packet loss at high traffic

=== MAC Flooding ===

Switches keep a translation table that maps MAC addresses to the physical ports on the switch. This lets a switch forward packets intelligently from one host to another, but it has limited memory for this table. MAC flooding makes use of this limitation to bombard the switch with fake MAC addresses until the switch can't keep up. The switch then enters what is known as 'fail-open mode', in which it starts acting as a hub by sending packets to all the machines on the network. Once that happens, sniffing can be performed easily. MAC flooding can be performed using macof, a utility which comes with the [ dsniff] suite.

 * Advantage: Cheap
 * Disadvantage: Will affect EthernetFullDuplex traffic, capture packet loss at high traffic
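Both of the low-cost methods above (ARP poisoning and MAC flooding) leave traces that a network defender can spot in an ordinary capture. The following is an added example, not code from the original page or from dsniff/Ettercap: it scans a constructed list of frame summaries for ARP replies that rebind an IP to a different MAC, and for a burst of distinct source MACs that no real host population would produce. The frame summaries and the flood threshold are assumptions made for the demonstration.

```python
# Added example, not code from the original page: detection logic for the two
# switch-manipulation methods discussed above, run over constructed frame summaries.
from collections import defaultdict

# Constructed frame summaries: (timestamp_s, src_mac, arp_sender_ip).
# arp_sender_ip is None for frames that are not ARP replies.
FRAMES = [
    (0.0, "00:11:22:33:44:01", "192.168.1.1"),    # gateway answers for its own IP
    (0.5, "00:11:22:33:44:02", "192.168.1.10"),   # a workstation
    (1.0, "00:11:22:33:44:99", "192.168.1.1"),    # a third MAC now claims the gateway IP
]
# Constructed burst: 300 never-before-seen source MACs within 0.3 s, no ARP payload.
FRAMES += [(2.0 + i * 0.001, "02:00:00:%02x:%02x:%02x" % (i >> 16, (i >> 8) & 0xFF, i & 0xFF), None)
           for i in range(300)]

def arp_conflicts(frames):
    """Return (ip, previous_mac, new_mac, ts) for every ARP reply that rebinds an IP.

    A legitimate NIC replacement also triggers this, so treat hits as alerts to
    verify against your inventory, not as proof of an attack.
    """
    bindings, hits = {}, []
    for ts, mac, ip in frames:
        if ip is None:
            continue
        if ip in bindings and bindings[ip] != mac:
            hits.append((ip, bindings[ip], mac, ts))
        bindings[ip] = mac
    return hits

def mac_flood_windows(frames, window_s=1.0, threshold=100):
    """Return the start time of every window in which more than `threshold`
    distinct source MACs appeared. The threshold is an assumed value; tune it
    to the number of hosts you expect behind the monitored port."""
    macs_per_window = defaultdict(set)
    for ts, mac, _ip in frames:
        macs_per_window[int(ts // window_s)].add(mac)
    return [b * window_s for b, macs in sorted(macs_per_window.items()) if len(macs) > threshold]

if __name__ == "__main__":
    for hit in arp_conflicts(FRAMES):
        print("ARP rebind: %s was %s, now %s at t=%.3f" % hit)
    for start in mac_flood_windows(FRAMES):
        print("possible MAC flood starting at t=%.1f" % start)
```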

== External Links ==
 * [ SwitchSniff] article on [ Linux Journal]

CaptureSetup/Ethernet (last edited 2018-11-19 08:30:36 by GuyHarris)