Network monitor questions
rjbarlow
Member Posts: 411
Hi all,
read on a well known book:
In theory, there's a huge difference between the two versions of Network Monitor:
in the basic version, you can capture only the local computer's communication exchanges, and in the full version, you can capture traffic exchanges among any computers on the entire network segment. Sadly, however, this distinction really holds only for networks that use hubs instead of switches to connect hosts. In reality, most modern networks use switches, which forward frames only to the recipient computer.
Then must I suppose that Network Monitor, even the full version shipped with SMS, can capture only traffic sent from and to a local connection on the computer on which Network Monitor runs?
Because I have not understood the role of the Network Monitor driver well. What sense does it make to install components on a remote machine if Network Monitor can capture only traffic that arrives locally? At least, that is what I understand from the abstract above.
A bit confused.
Comments
royal
Member Posts: 3,352
Hubs = 1 broadcast/collision domain
Switches = 1 broadcast and 1 collision domain for each port
Switches work on layer 2 which is the MAC layer while hubs work on layer 1 which is the physical layer.
Because of this, switches remember the MAC addresses for systems plugged into a specific port.
So, it's been a long time (2003 since I did Network+), but I believe this is the process if I remember correctly:
System 1 wants to send data to System 2. System 1 does an ARP request for the IP Address and gets the MAC back and adds the IP/MAC to the ARP table. System 1 sends data and includes the MAC information in it. Since the switch listens on layer 2, it knows what port to send the data directly to.
But since a HUB listens on layer 1, it can't do any of this and you have port flooding (1 collision domain) for the entire hub.
Because of this, when you run Network Monitor using the non-full version, it's limited to system to system. When you get the full version, it can do promiscuous mode and capture all data. But as you stated from the book, if you're using a switch, even when using the full version, it'll still only do system to system due to the way switches work.
Make sense?
“For success, attitude is equally as important as ability.” - Harry F. Banks
sprkymrk
Member Posts: 4,884
royal wrote:
Because of this, when you run Network Monitor using the non-full version, it's limited to system to system. When you get the full version, it can do promiscuous mode and capture all data. But as you stated from the book, if you're using a switch, even when using the full version, it'll still only do system to system due to the way switches work.
Make sense?
This is why, if you use the full version, you would use it on a system that is connected to a special port on the switch configured to "mirror" all other port traffic to that port. In this way you can sniff all network traffic that traverses that switch. It's a very common way to monitor network traffic.
All things are possible, only believe.
royal
Member Posts: 3,352
sprkymrk wrote:
royal wrote:
Because of this, when you run Network Monitor using the non-full version, it's limited to system to system. When you get the full version, it can do promiscuous mode and capture all data. But as you stated from the book, if you're using a switch, even when using the full version, it'll still only do system to system due to the way switches work.
Make sense?
This is why, if you use the full version, you would use it on a system that is connected to a special port on the switch configured to "mirror" all other port traffic to that port. In this way you can sniff all network traffic that traverses that switch. It's a very common way to monitor network traffic.
Good to know. I believe Astorr was talking about this a couple of weeks ago, on mirroring all the data on a specific port to monitor what is sending so much data over a WAN link.
“For success, attitude is equally as important as ability.” - Harry F. Banks
NetAdmin2436
Member Posts: 1,076
rjbarlow,
We must be on the same chapter! lol, I was just reading about this last night.
WIP: CCENT/CCNA (.....probably)
astorrs
Member Posts: 3,139
Yup, the only caveat is that you will require a managed switch. Here are some links on how to set it up for different kinds of switches:
Cisco, Extreme, Foundry and Juniper: http://www.networkintrusion.co.uk/switch.htm#295035503750
HP:
config
mirror-port A6
interface ethernet A5 monitor
write mem
-
interface ethernet 1/5
port monitor ethernet 1/6 both
The other option in a scenario like this is to use a network TAP.
rjbarlow
Member Posts: 411
Yes man, it makes sense.
In fact, when hubs are used, all the traffic is sent to all the computers in that segment; that's OK, because it's shared.
From this statement, I suppose that the basic Network Monitor just discards from analysis the frames not sent to its computer. That seems OK to me.
But I also read this:
When you install Network Monitor, the Network Monitor Driver is installed automatically on the same computer. However, sometimes you need to install the Network Monitor Driver without installing the Network Monitor tool itself. For example, if a user of the full version of Network Monitor wants to capture traffic from a remote Windows XP Professional computer, he or she must install the Network Monitor Driver on that remote computer.
Let me lay down that scenario:
What I don't realize is:
- If Computer 1 sends data to Computer 3, for example, Computer 2 gets those frames in all cases, so I don't understand why install the Network Monitor driver as an additional component on Computer 1 to capture its frames.
Thx
NetAdmin2436
Member Posts: 1,076
If you didn't have the Network Monitor driver on Computer 1, then you'd only be able to capture data to and from Computer 2. You as the administrator would be sitting in front of Computer 2.
For every computer you want to capture packets from remotely, you need the Network Monitor driver on the remote computer. So, in the picture above you want to monitor packets to and from Computer 1 and Computer 2, so Computer 1 has to have the Network Monitor driver. Since you the administrator would not be sitting in front of Computer 1, you do not need the Network Monitor tools, but you would need the drivers.
You will only be able to monitor network traffic to and from Computers 1 and 2. You will see Computer 3 traffic only if it sends to Computer 1 or Computer 2 (or vice versa). Similarly, if Computer 1 or 2 sends to Computer 4 (i.e., another computer not pictured) you will still see that data coming in or out of Computer 1 or 2. Now, if Computer 3 sends to Computer 4 you will NOT be able to monitor the traffic.
Now, if you wanted to monitor ALL traffic to and from Computer 3, then you'd have to again install the Network Monitor driver on Computer 3.
I know I didn't do a good job of explaining, but this is how I understand it. Make any more sense?
WIP: CCENT/CCNA (.....probably)
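The two explanations above (royal's hub-vs-switch point and NetAdmin2436's point about remote capture drivers) can be checked against a small model. This is an added example, not code from the thread or from Network Monitor: it models which frames reach a host's NIC at all (hub flooding, switch forwarding, or a mirror port), which of those the NIC keeps (promiscuous mode or not), and which flows the administrator finally sees once remote capture drivers are counted as extra capture points. Host names and frames are constructed.

```python
# Added example (not from the thread): which frames does the Network Monitor
# console end up seeing, given hub/switch, promiscuous mode (full version),
# a mirror/SPAN port, and remote hosts that have the capture driver installed?
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed sample traffic on one segment: (source host, destination host).
FRAMES = [("c1", "c3"), ("c2", "c1"), ("c3", "c4"), ("c1", BROADCAST)]


@dataclass
class Segment:
    switched: bool                       # True = switch (per-port forwarding), False = hub (flooding)
    console: str                         # host where the Network Monitor tool itself runs
    promiscuous: bool = False            # full version: NIC keeps frames not addressed to it
    mirror_all_to_console: bool = False  # switch port configured to mirror all traffic to console
    remote_drivers: set = field(default_factory=set)  # hosts with only the capture driver

    def delivered_to(self, host, src, dst):
        """Wire level: does the frame src->dst reach host's NIC at all?"""
        if host in (src, dst) or dst == BROADCAST:
            return True
        if not self.switched:
            return True                  # hub: every port sees every frame
        # switch: only a mirror port carries other hosts' unicast frames
        return host == self.console and self.mirror_all_to_console

    def accepted_by(self, host, src, dst):
        """NIC/driver level: is the delivered frame kept for capture?"""
        if not self.delivered_to(host, src, dst):
            return False
        if host in (src, dst) or dst == BROADCAST:
            return True                  # always kept: it is addressed to this host
        return host == self.console and self.promiscuous

    def visible(self, frames):
        """Flows the administrator sees: captured on the console or on any remote driver host."""
        capture_points = {self.console} | set(self.remote_drivers)
        return {(s, d) for s, d in frames
                if any(self.accepted_by(h, s, d) for h in capture_points)}


if __name__ == "__main__":
    cases = {
        "hub, basic": Segment(switched=False, console="c2"),
        "hub, full": Segment(switched=False, console="c2", promiscuous=True),
        "switch, full": Segment(switched=True, console="c2", promiscuous=True),
        "switch, full + mirror": Segment(switched=True, console="c2", promiscuous=True,
                                         mirror_all_to_console=True),
        "switch, driver on c1": Segment(switched=True, console="c2", remote_drivers={"c1"}),
    }
    for label, seg in cases.items():
        print(f"{label:22s} -> {sorted(seg.visible(FRAMES))}")
```

The last case is rjbarlow's scenario: on a switch, the console on Computer 2 never sees Computer 1 to Computer 3 traffic on its own wire, so only the driver on Computer 1 can deliver it.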
rjbarlow
Member Posts: 411
Yes, man.
I think it can finally be said:
- You need the administration tool of Network Monitor in the place you are (as administrator).
- You need the Network Monitor driver on all the machines you want to capture from.
- To capture frames from remote machines, you need a network that uses hubs instead of switches and the full version of the Network Monitor administration tool.
Although I need to understand more about promiscuous mode and the other arguments you posted before, I think this is enough, and I'll go ahead another time.
Thx all.
P.S. Ah, Netadmin, of course we are on the same chapter, so stay tuned.
NetAdmin2436
Member Posts: 1,076
rjbarlow wrote:
Yes, man.
I think it can finally be said:
- You need the administration tool of Network Monitor in the place you are (as administrator).
- You need the Network Monitor driver on all the machines you want to capture from.
- To capture frames from remote machines, you need a network that uses hubs instead of switches and the full version of the Network Monitor administration tool.
Although I need to understand more about promiscuous mode and the other arguments you posted before, I think this is enough, and I'll go ahead another time.
Thx all.
P.S. Ah, Netadmin, of course we are on the same chapter, so stay tuned.
Yep, I think you got the basics down, my friend.
WIP: CCENT/CCNA (.....probably)