Sniffer & Router
I have 5 systems behind a Linksys 8 port router. Before I had the router, I used Analyzer, a great freeware sniffer. How do I use the sniffer to monitor my home network? I am only able to capture packets coming & going from my own system. Must I somehow allow this app to function through the router with some setting in the router itself?
No one has any right to force data on you
and command you to believe it or else.
If it is not true for you, it isn't true.
LRH
You will only be able to capture packets to/from the system that is in promiscuous mode and local traffic only. What is it exactly you are trying to do?
http://www.computerglitch.net
"I'm doing a (free) operating system (just a hobby, won't be big and professional...) for AT clones... It's not portable and it probably [won't ever] support anything other than AT hard disks, as that's all I have :-(." --Posted on Usenet August 1991 by Linus Torvalds
curiosity builds security | dd if=/dev/zero of=/dev/hda bs=512 count=100
EOF
Well, before I had the router, I was capturing all of the packets to & from my system, as well as many packets headed to other systems on my RR cable connection. That was fun, but I am not interested in what RR is sending other users.
I want to be able to capture what is coming & going to the other systems on my home network while sitting at my own computer. Not just packets that are sent to me by another computer here, or packets that I am sending to one of the other computers here. I want 'em so I can monitor what info is coming & going.
3 of the systems are my 3 kids' computers. They sometimes on a whim d/l an app that may be spyware, or they may inadvertently d/l a virus. I have firewalls and adaware etc, but I want to be able to inspect the packets without having to move logs to & from the different machines. I want to look in real time.
With a router you are kind of limited to local traffic, but you still have options.
One thing you could do is install the Netmon Packet Capture driver you have installed on your computer now on all the computers you wish to remotely monitor. In Analyzer, if you begin a new packet capture session, you will notice an option to select an adapter; you can then select a remote adapter and specify the IP address of the remote adapter.
Doing this you should be able to monitor just about all packet activity on the LAN from one primary system.
regards,
greEd
- chimdogger
- Posts: 2785
- Joined: Fri Jan 26, 2001 12:00 pm
One comment though: I have noticed, just by testing a sniffer in promiscuous mode on my Road Runner connection, that Time Warner blocks packet sniffing beyond your cable modem. I can only sniff packets coming in from the RR router, not individuals on my area cable connection. I am uncertain how RR does this but it is what I have found. I was using the Ethereal packet sniffer.
Chimmy
PS It was for educational purposes only....
Kinky is using a feather.
Perverted is using the whole chicken.
Do the nodes plug directly into the router? If they do, then the router's ports may act like the ports on a switch. Get a hub and plug everything into it, then you'll be able to sniff all of the network traffic inside the gateway.
Just like Chimdogger, I'm also a fan of Ethereal (http://www.ethereal.com/). It's a full-featured sniffer ported from UNIX to Win32. They just released a beta of the packet driver so it works with XP. I've used other sniffers, but this one is small and stable and you can't beat the price.
I haven't tried this myself, but I was told you need to connect all pc's to a Hub. Then connect the Hub to your Router. You will then be able to sniff all the packets going to and from each pc on your home network.
Here is an email I sent to the support team for CommView asking almost the same question:
Hello Richard,
At 07:53 PM 7/6/2001 -0400, you wrote:
> I am currently demoing one of your products called CommView. I have 2 PC's connected via a Linksys BEFSR41 Router. I have noticed that the program will only monitor the packets on the PC it is installed on. The traffic of the other PC does not show up. Is this due to the type of router?
REPLY:
Such routers work as switches, i.e. they prevent promiscuous sniffing. Hence the problem, you can't capture any pass-through packets. I believe all home routers work that way. The only workaround I can think of is to connect all PCs to a hub, and then connect the hub to one of the router's ports. It's a clumsy solution, but I'm afraid that's all you can do.
Best regards,
Andrew Riedel
TamoSoft Support
That seems like it would work, but using a hub ahead of the router could create a bottleneck, right? E.g., possibly result in collisions and reduced speeds?
- LinkLogger
- Member
- Posts: 41
- Joined: Tue Apr 17, 2001 12:00 am
Have you tried Link Logger or other Logging products for the Linksys? From one system you would see what sites your kids are visiting and such. With Link Logger you could even set an alarm on port 21 (ftp) such that when one of the kids downloaded something you could be informed immediately for example, with the traffic alerts you could see inbound and outbound trojan traffic.
Blake
http://www.LinkLogger.com
Tony,
Because the hub broadcasts all packets to all nodes, yes, it can potentially slow things down. However, how many PCs are we talking about? 3? 5? 8? More importantly, how many PCs are active at one time? If it's only a couple of machines, there will be very little performance loss.
This would be an issue if you were cascading several hubs, but given that it is a home network, you'll be able to measure the performance loss with software, but you won't be able to tell via normal use.
There isn't a big difference between an unmanaged switch and a hub in terms of performance.
Besides, inside the gateway is either 10BaseT or 100BaseT. Even if you have a T1 connection, 10BaseT still has ~7x more bandwidth than your connection out. Regardless of a hub or switch, your I'net connection is still the limiting component.
We had a...security problem at work. Our IT staff required all hubs be replaced with switches to prevent snooping. I am fairly certain that you cannot capture packets not addressed to/from your machine on a switched network - that is probably the attribute that prevents the bottlenecks Tony is describing.
Skye
anything is possible - nothing is free

Blisster wrote: It *would* be brokeback bay if I in fact went and hung out with Skye and co (did I mention he is teh hotness?)
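
An added illustration, not part of any post in the thread, of the hub-versus-switch behaviour discussed above: a toy model of which frames are delivered to a sniffer's port on a hub and on a MAC-learning switch. The port numbers, MAC addresses and traffic list are constructed for the example.

```python
# Added illustration: frames a passive sniffer's NIC receives on a hub vs. a learning switch.
BROADCAST = "ff:ff:ff:ff:ff:ff"

class Hub:
    """Repeats every frame out of every port except the one it arrived on."""
    def __init__(self, ports):
        self.ports = ports

    def forward(self, in_port, src, dst):
        return [p for p in range(self.ports) if p != in_port]

class Switch(Hub):
    """Learns source MAC -> port and sends known unicast to that one port only."""
    def __init__(self, ports):
        super().__init__(ports)
        self.mac_table = {}

    def forward(self, in_port, src, dst):
        self.mac_table[src] = in_port              # learn where the sender lives
        if dst != BROADCAST and dst in self.mac_table:
            out = self.mac_table[dst]
            return [] if out == in_port else [out]
        return super().forward(in_port, src, dst)  # broadcast or unknown MAC: flood

def frames_seen(device, frames, sniffer_port):
    """Notes of frames delivered to sniffer_port (all promiscuous mode can capture)."""
    return [note for in_port, src, dst, note in frames
            if sniffer_port in device.forward(in_port, src, dst)]

# Constructed sample traffic: port 0 = router, 1 = sniffer PC, 2 and 3 = kids' PCs.
GW, KID_A, KID_B = "00:00:00:00:00:01", "00:00:00:00:00:0a", "00:00:00:00:00:0b"
FRAMES = [
    (2, KID_A, BROADCAST, "kid A ARP who-has gateway"),
    (0, GW, KID_A, "gateway ARP reply to kid A"),
    (2, KID_A, GW, "kid A HTTP request"),
    (0, GW, KID_A, "HTTP response to kid A"),
    (0, GW, KID_B, "inbound packet for kid B (MAC not yet learned)"),
    (3, KID_B, GW, "kid B reply"),
    (0, GW, KID_B, "second inbound packet for kid B"),
]

if __name__ == "__main__":
    for name, dev in (("hub", Hub(4)), ("switch", Switch(4))):
        seen = frames_seen(dev, FRAMES, sniffer_port=1)
        print(f"{name}: sniffer sees {len(seen)} of {len(FRAMES)} frames")
        for note in seen:
            print("   ", note)
```

On the switch the sniffer's port receives only the broadcast and the one frame flooded before the destination MAC was learned; on the hub it receives all seven frames.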