Sniffing packets on wire

hasitha257hasitha257 Member Posts: 25 ■□□□□□□□□□
in CCNP
Anyone has any ideas how to sniff the packets /frames sent between two routers? besides debug!!!!
· Share on FacebookShare on Twitter

Comments

  • networker050184networker050184 Mod Posts: 11,962 Mod
    Wireshark/tcpdump. How are the routers connected?
    An expert is a man who has made all the mistakes which can be made.
    · Share on FacebookShare on Twitter
  • chmorinchmorin Member Posts: 1,446 ■■■■■□□□□□
    The cunning use of a hub.
    Currently Pursuing
    WGU (BS in IT Network Administration) - 52%| CCIE:Voice Written - 0% (0/200 Hours)
    mikej412 wrote:
    Cisco Networking isn't just a job, it's a Lifestyle.
    · Share on FacebookShare on Twitter
  • hasitha257hasitha257 Member Posts: 25 ■□□□□□□□□□
    networker050184, good question , they are connected using a cross over cable.

    chmorin, good idea. Hub will slow my network but will help in sniffing the packets. First I tried using a Layer 2 switch but didn't work and had to scratch my head to figure out. Switch doesn't forward the frames out every port like the hub. icon_cheers.gif
    · Share on FacebookShare on Twitter
  • tierstentiersten Member Posts: 4,505
    hasitha257 wrote: »
    First I tried using a Layer 2 switch but didn't work and had to scratch my head to figure out. Switch doesn't forward the frames out every port like the hub. icon_cheers.gif
    Get a managed switch that supports SPAN. The other way is to overflow the MAC table in the switch so it goes into failure mode and turns into a hub but thats not a good idea to do on a production network.
    · Share on FacebookShare on Twitter
  • vinbuckvinbuck Member Posts: 785 ■■■■□□□□□□
    Depends on the routers. On a 7600 you can monitor a port and "mirror" the traffic to another port so that you can plug a laptop in and use a packet capture software like TCPDump or Wireshark. or if your router doesn't support that functionality, you can use a hub (not a switch) as others have suggested.

    Or if you're lucky enough to have a NAM in your router, you can just use that :)
    Cisco was my first networking love, but my "other" router is a Mikrotik...
    · Share on FacebookShare on Twitter
  • vinbuckvinbuck Member Posts: 785 ■■■■□□□□□□
    tiersten wrote: »
    Get a managed switch that supports SPAN.

    you beat me to it! SPAN was actually the word i was looking for :)
    Cisco was my first networking love, but my "other" router is a Mikrotik...
    · Share on FacebookShare on Twitter
  • jason_lundejason_lunde Member Posts: 567
    You could look into RITE....
    IP Traffic Export [Cisco IOS and NX-OS Software] - Cisco Systems

    May fit your needs, hang a capture box off an available port.
    · Share on FacebookShare on Twitter
  • veritas_libertasveritas_libertas Member Posts: 5,746 ■■■■■■■■■■
    Make a Passive Network Tap
    · Share on FacebookShare on Twitter
  • tierstentiersten Member Posts: 4,505
    veritas_libertas wrote: »
    Make a Passive Network Tap
    No. Whoever wrote that is an idiot and didn't actually use or even test it. That instructable will screw up your connection and even if it did work, it'd only give you one direction only. Its got all 3 sockets wired in parallel and you'll have the monitoring device trying to transmit on the same pairs as one of the tapped devices.

    If you want to make a passive network tap then do it like this. You'll need two ethernet interfaces on the monitoring device to monitor both directions. If you only care about one direction then you can omit one of the middle sockets and use only one monitoring port.
    · Share on FacebookShare on Twitter
  • veritas_libertasveritas_libertas Member Posts: 5,746 ■■■■■■■■■■
    tiersten wrote: »
    No. Whoever wrote that is an idiot and didn't actually use or even test it. That instructable will screw up your connection and even if it did work, it'd only give you one direction only. Its got all 3 sockets wired in parallel and you'll have the monitoring device trying to transmit on the same pairs as one of the tapped devices.

    If you want to make a passive network tap then do it like this. You'll need two ethernet interfaces on the monitoring device to monitor both directions. If you only care about one direction then you can omit one of the middle sockets and use only one monitoring port.

    Thanks Tiersten.
    · Share on FacebookShare on Twitter
  • AlanJamesAlanJames Member Posts: 230
    I'm actually heading to a client site tomorrow to do some traffic analysis, they have the worst network in the world. A dlink is their core switch - lol

    But it supports port mirroring, So I've configured up NTOP (awesome tool, check it out) on ubuntu
    · Share on FacebookShare on Twitter
  • veritas_libertasveritas_libertas Member Posts: 5,746 ■■■■■■■■■■
    This NTOP is incredible!

    Thanks a lot, you just distracted me from my CCNA studies! icon_lol.gif
    · Share on FacebookShare on Twitter
  • tierstentiersten Member Posts: 4,505
    If you don't care about the actual payload but only care about what is being sent/received then use NetFlow. If its a very high throughput link then be careful that you don't bring the router to its knees by turning on full NetFlow. You may need to use sampling instead.

    NTop can act as a NetFlow Collector if you wish.
    · Share on FacebookShare on Twitter
  • hasitha257hasitha257 Member Posts: 25 ■□□□□□□□□□
    Thankyou all for the help !!!!icon_cheers.gif
    · Share on FacebookShare on Twitter
  • logicmyfootlogicmyfoot Member Posts: 82 ■■□□□□□□□□
    tiersten wrote: »
    Get a managed switch that supports SPAN. The other way is to overflow the MAC table in the switch so it goes into failure mode and turns into a hub but thats not a good idea to do on a production network.

    SPAN is what i would recommend. Attacking your switch dosent makes sense and if port-security or mac-spoofing protection is there then it wont be of any use
    · Share on FacebookShare on Twitter
  • networker050184networker050184 Mod Posts: 11,962 Mod
    So, I guess you don't get sarcasm....
    An expert is a man who has made all the mistakes which can be made.
    · Share on FacebookShare on Twitter
Sign In or Register to comment.