Re: ethereal capture

[Matt Simmons <matts () wirefire com>]

Hi. 
When you're sniffing a switched segment, then yes, ideally you will only see 
your traffic, plus broadcast traffic. However, if you configure the Cisco 
switch to monitor other ports into your specific port, then you will see all 
traffic, providing that your network card is in Promiscuous mode. The key is 
to tell the switch that you want to recieve all the traffic, otherwise it 
will only give you frames destined for your MAC address. Hope I was able to 
help.

--Matt 

-- 
-------------------
Matt Simmons
Assistant Network Administrator
304.580.8080x5007
Fibernet LLC

On Wednesday 17 September 2003 07:17 pm, Cat Thrasher wrote:
> Hi, Please advise on my question.
> I thought when you are sniffing a switched segment, you are only seeing
> broadcast traffic. I see source Workstation(not the one I am monitoring
> on)--Dest Webserver inside on my network and protocol http. Please tell me
> if this is usual.
>
> I have ethereal on a laptop. I did a port monitor on a Cisco Switch and
> captured traffic from one port. (so I thought) I thought I'd only see what
> the workstation on port fast ethernet 0/ 38 was doing. But like I said
> above, I see lots of http conversations and tcp conversations where the
> dest port is not all F's, or 255's. And the source is not the workstation
> on the port I am monitoring.
>
> Thanks alot.
>
>
> Cat Thrasher

---------------------------------------------------------------------------
Captus Networks 
Are you prepared for the next Sobig & Blaster? 
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans 
 - Precisely Define and Implement Network Security 
 - Automatically Control P2P, IM and Spam Traffic 
FIND OUT NOW -  FREE Vulnerability Assessment Toolkit 
http://www.captusnetworks.com/ads/42.htm
----------------------------------------------------------------------------