How to set up my system for packet sniffing

westward Member Posts: 77
I would like to identify if any computers in my work system are sending or transmitting large amounts of data (possibly because of a virus...).

I have a T1 connected to an Airport Extreme Router, which in turn runs to our server, and our two primary switches (not managed) lead to all our client computers.

How can I set up this system to test if this is the case?

It would seem I should take the cables running from the two switches into the back of the router, and insert a 5-port (2 in, 2 out, 1 sniffer) hub across them. Then connect a computer with a packet sniffer to them.

Then I would set up the network card on that computer in promiscuous mode and use the software to check it out.

Does that seem like the best option?

Also, what program will be user friendly (for a non-IT person in my company on a Mac) to view this data? They simply want to see activity level listed by internal IP to identify where it might be coming from. Some of the more complex programs might not be the best solution.

THANKS!

Comments

  • rsutton Member Posts: 1,029
    Does any of your networking equipment have the ability to mirror a port? Just plug a PC in to the mirrored port, fire up Wireshark and look at the TCP statistics to see your top bandwidth users.
  • docrice Member Posts: 1,706
    Assuming you don't have a managed switch which offers the option of configuring a SPAN / mirror port, you can use a hub (or tap) in-line between the router and the rest of your network. You can run Wireshark on OS X and use a capture and / or display filter to see specific traffic. Optionally, you can use tcpdump, which is a less complex sniffer (but lacks the GUI and doesn't do app-layer decodes very well). Either way, you'll need to sudo the process on OS X.

    For a display filter, you can use something like:

    ip.addr==10.1.1.17

    to see traffic for a particular address if you want to narrow things down more.

    Then use the Statistics menu and choose one of the options to see the results in various ways. You can also do a File - Export and output it as a CSV or whatever. The Statistics - IO Graph function will allow you to save traffic graphs as an image file.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • westward Member Posts: 77
    Cool, as I thought. Thanks!

    I also grabbed a program called "Airport Traffic" to see the basic input and output KB/Sec to watch more casually.

    Thanks guys!
  • powerfool Member Posts: 1,666
    The hub is a good option. In addition, you could run a program like Cain & Abel which will do a CAM table overflow on the switch making it operate like a hub while the CAM table overflow is occurring; this option will likely degrade network performance for that period, though.

    A capture will be good to do, though; you can also use IDS features to detect what is happening, if you wish, beyond just identifying systems that are sending large amounts of traffic.
    2024 Renew: [ ] AZ-204 [ ] AZ-305 [ ] AZ-400 [ ] AZ-500 [ ] Vault Assoc.
    2024 New: [X] AWS SAP [ ] CKA [ ] Terraform Auth/Ops Pro