Options
Sniffing packets on wire
hasitha257
Member Posts: 25 ■□□□□□□□□□
in CCNP
Anyone has any ideas how to sniff the packets /frames sent between two routers? besides debug!!!!
Comments
-
Options
networker050184
Mod Posts: 11,962 Mod
Wireshark/tcpdump. How are the routers connected?An expert is a man who has made all the mistakes which can be made. -
Optionshasitha257
Member Posts: 25 ■□□□□□□□□□
networker050184, good question , they are connected using a cross over cable.
chmorin, good idea. Hub will slow my network but will help in sniffing the packets. First I tried using a Layer 2 switch but didn't work and had to scratch my head to figure out. Switch doesn't forward the frames out every port like the hub.
-
Optionstiersten
Member Posts: 4,505
Get a managed switch that supports SPAN. The other way is to overflow the MAC table in the switch so it goes into failure mode and turns into a hub but thats not a good idea to do on a production network.hasitha257 wrote: »First I tried using a Layer 2 switch but didn't work and had to scratch my head to figure out. Switch doesn't forward the frames out every port like the hub. -
Options
vinbuck
Member Posts: 785 ■■■■□□□□□□
Depends on the routers. On a 7600 you can monitor a port and "mirror" the traffic to another port so that you can plug a laptop in and use a packet capture software like TCPDump or Wireshark. or if your router doesn't support that functionality, you can use a hub (not a switch) as others have suggested.
Or if you're lucky enough to have a NAM in your router, you can just use that
Cisco was my first networking love, but my "other" router is a Mikrotik... -
Optionsvinbuck
Member Posts: 785 ■■■■□□□□□□
Get a managed switch that supports SPAN.
you beat me to it! SPAN was actually the word i was looking for Cisco was my first networking love, but my "other" router is a Mikrotik... -
Optionsjason_lunde
Member Posts: 567
You could look into RITE....
IP Traffic Export [Cisco IOS and NX-OS Software] - Cisco Systems
May fit your needs, hang a capture box off an available port. -
Options
veritas_libertas
Member Posts: 5,746 ■■■■■■■■■■
-
Optionstiersten
Member Posts: 4,505
No. Whoever wrote that is an idiot and didn't actually use or even test it. That instructable will screw up your connection and even if it did work, it'd only give you one direction only. Its got all 3 sockets wired in parallel and you'll have the monitoring device trying to transmit on the same pairs as one of the tapped devices.veritas_libertas wrote: »
If you want to make a passive network tap then do it like this. You'll need two ethernet interfaces on the monitoring device to monitor both directions. If you only care about one direction then you can omit one of the middle sockets and use only one monitoring port. -
Optionsveritas_libertas
Member Posts: 5,746 ■■■■■■■■■■
No. Whoever wrote that is an idiot and didn't actually use or even test it. That instructable will screw up your connection and even if it did work, it'd only give you one direction only. Its got all 3 sockets wired in parallel and you'll have the monitoring device trying to transmit on the same pairs as one of the tapped devices.
If you want to make a passive network tap then do it like this. You'll need two ethernet interfaces on the monitoring device to monitor both directions. If you only care about one direction then you can omit one of the middle sockets and use only one monitoring port.
Thanks Tiersten. -
Options
AlanJames
Member Posts: 230
I'm actually heading to a client site tomorrow to do some traffic analysis, they have the worst network in the world. A dlink is their core switch - lol
But it supports port mirroring, So I've configured up NTOP (awesome tool, check it out) on ubuntu -
Optionsveritas_libertas
Member Posts: 5,746 ■■■■■■■■■■
This NTOP is incredible!
Thanks a lot, you just distracted me from my CCNA studies!
-
Optionstiersten
Member Posts: 4,505
If you don't care about the actual payload but only care about what is being sent/received then use NetFlow. If its a very high throughput link then be careful that you don't bring the router to its knees by turning on full NetFlow. You may need to use sampling instead.
NTop can act as a NetFlow Collector if you wish. -
Options
logicmyfoot
Member Posts: 82 ■■□□□□□□□□
Get a managed switch that supports SPAN. The other way is to overflow the MAC table in the switch so it goes into failure mode and turns into a hub but thats not a good idea to do on a production network.
SPAN is what i would recommend. Attacking your switch dosent makes sense and if port-security or mac-spoofing protection is there then it wont be of any use -
Optionsnetworker050184
Mod Posts: 11,962 Mod
So, I guess you don't get sarcasm....An expert is a man who has made all the mistakes which can be made.
