Firewall Wizards mailing list archives

Re: Sniffing on switched network


From: Lup-Houh Ng <luphouh () yahoo com>
Date: Wed, 9 Jan 2002 15:00:09 -0800 (PST)


Eh, tough.  If you have to work within the constraints of
the switches, then this is what I'd suggest:

1. Recognize the fact that you'll probably not see all the
   traffic, unless all the switches are replaced with hubs.
   Even if you can mirror all ports on the switches/VLANs,
   some frames will still be dropped from the analyzing
   /mirroring port if the traffic load is high.
2. Take a step back and ask what it is that you really need
   to see, and try to sniff the port thru which most of
   that traffic will flow, e.g. if there is a problem between
   two different network segments then sniff the router
   or the firewall that sits between these two segments.
3. Assuming that the traffic pattern is pretty consistent
   thru time, sniff the ports one-by-one and then try to
   piece the whole picture together.  (Yeah, I know, tedious.
   But if this is what it takes to get the job done ...)
4. You can also try stunts like connecting all the analyzing
   /mirroring ports on each of the switches to a hub and
   sniff from there.  At the least, you get to see more 
   than one port.  :)

rgds

--- lup houh


--- Pierre-Yves BONNETAIN <bonnetain () acm org> wrote:
   Hello you all, and (first of all) a very happy and secure new year. Well, as secure as possible.

   I am currently working on some "pathologic uses" of one customer's network. In order to get a proper snapshot of what is happening on this network, I need to sniff packets.
   He is using 3Com Superstack switches (3300 and 1100), stacked into a single switch through back-panel cables. I am used to HP switches, and those have one interesting feature to duplicate all traffic going through the switch, whatever the port it comes from, to a specific port (where I can hook up my analyzer).
   As far as the Superstack are concerned, it seems it can only do this for one port (and not for all ports of the switch), and the "monitored" port and the "analyzing" one must be on the same physical switch.
   Have any of you met this kind of need/switch config? How did you solve it (other than changing switches to hubs, which could be done as a last resort, but I would prefer not to touch the physical components if possible)?
   Thanks,
-- 
-+-+ Pierre-Yves BONNETAIN
     Consultant Internet/Sécurité --- B & A Consultants
     Tel : +33 (0) 563.277.241 - Fax : +33 (0) 563.277.245
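
One way to piece together the per-switch captures from points 3 and 4 above, as an added example that is not part of the original thread: a small standard-library pcap reader that merges several captures into one timeline and drops frames that two mirror ports both delivered (a frame crossing from one switch to the next is mirrored twice when all analyzing ports feed one hub). The pcap builder, MAC addresses, frame contents and timestamps are constructed sample data.

```python
import struct
from hashlib import sha256

PCAP_MAGIC = 0xA1B2C3D4  # little-endian libpcap, microsecond timestamps

def build_pcap(frames):
    """Build a classic libpcap file (link type 1 = Ethernet); only used for the constructed samples."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for sec, usec, frame in frames:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    """Yield (timestamp as float seconds, frame bytes) from a libpcap blob."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic %#x" % magic)
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        yield sec + usec / 1e6, data[off:off + caplen]
        off += caplen

def merge_captures(blobs, window=0.002):
    """Merge per-port captures into one timeline; byte-identical frames closer than
    `window` seconds are treated as one frame mirrored twice and dropped."""
    records = sorted((ts, i, f) for i, b in enumerate(blobs) for ts, f in read_pcap(b))
    last_kept, merged, dropped = {}, [], 0
    for ts, src, frame in records:
        key = sha256(frame).digest()
        if key in last_kept and ts - last_kept[key] <= window:
            dropped += 1  # same frame already kept from the other mirror port
            continue
        last_kept[key] = ts
        merged.append((ts, src, frame))
    return merged, dropped
# Constructed sample: locally administered MACs and minimal Ethernet frames.
HOST_A, HOST_B, HOST_C = (bytes([2, 0, 0, 0, 0, n]) for n in (0xA, 0xB, 0xC))
def frame(src, dst, payload):
    return dst + src + b"\x08\x00" + payload
F1 = frame(HOST_A, HOST_B, b"a->b")  # crosses both switches: mirrored twice
F2 = frame(HOST_A, HOST_C, b"a->c")  # stays on switch 1
F3 = frame(HOST_B, HOST_A, b"b->a")  # stays on switch 2
SWITCH1_CAPTURE = build_pcap([(1010, 0, F2), (1010, 500, F1)])
SWITCH2_CAPTURE = build_pcap([(1010, 1200, F1), (1011, 0, F3)])
def demo():
    merged, dropped = merge_captures([SWITCH1_CAPTURE, SWITCH2_CAPTURE])
    return [f for _, _, f in merged], dropped
```

The window should stay well under the shortest plausible retransmission interval on the monitored link, or genuine duplicates sent by a host will be discarded as mirror artefacts.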


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards

