Solved

Ethereal: Finding what type of traffic is generated from a host

Posted on 2004-09-19
Last Modified: 2010-04-10
Hi guys,
I'd love some ETHEREAL GURUS out there to share their expertise here.

OK, I have a problem.

I have a host that uses a tax application. When they run the program, they send information to the tax office, and they receive information. I would like to find out if this is HTTP traffic or FTP traffic.
How can I set up Ethereal on my machine and capture the traffic that is coming/going from that machine running the tax program?

Any help greatly appreciated.

Simon
0
Question by:Simon336697
7 Comments
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 400 total points
ID: 12095652
Well, that sort of depends. Are you connecting to the network at a switch? Switches make sniffing difficult. Unless you run Ethereal on that host, you may not be able to capture the traffic. You would have to create a mirror (Cisco calls it SPAN) port on the switch and plug the Ethereal host into that port.

Either way, just launch Ethereal, choose the appropriate network connection, and start capturing. Use the application on the other workstation and you may be able to capture the information that you want.
Once you stop the capture, the display will have multiple columns. Click on any column heading to sort by that column. The Protocol column will tell you if it is FTP or HTTP or TCP (other than FTP or HTTP).
0
 
LVL 15

Expert Comment

by:Cyber-Dude
ID: 12095871
Hmmmm...
You will have to do some arrangements in your switching system to allow you to diagnose the other clients' traffic; that is, unless the client is broadcasting...

Afterwards, use Ethereal in the following manner:
You may use Filters to initiate IP packet tapping... I'll try to locate a good report for you...

Cyber
0
 
LVL 15

Expert Comment

by:Cyber-Dude
ID: 12095873
Sorry lrmoore... didn't reload....

Cyber
0
 
LVL 15

Assisted Solution

by:Cyber-Dude
Cyber-Dude earned 480 total points
ID: 12095900
There you have it; search for the 'capture' terminology...
http://www.ethereal.com/docs/user-guide/

Cyber
0
 
LVL 2

Accepted Solution

by:smconsult
smconsult earned 800 total points
ID: 12096135
Regarding the switch, and capturing traffic...

As both Cyber-Dude and lrmoore indicated, sniffing across a switch is not as easy as hooking up a PC with Ethereal (or whatever your favorite sniffer happens to be), starting the program, and capturing packets. Switches, by design, forward a packet only to the port that the packet is destined for. This is unlike a hub, which sends packets to every port, regardless of the destination.

So you're left with two choices. If you have a smart switch that allows you to span (as alluded to by lrmoore), you could put the switch into a spanning mode, hook your PC up to the spanned port, and then run Ethereal. Look for the packets coming from the PC that you're sniffing, and see what kind of protocol you're capturing.

If your switch is not of the smart variety, or if you don't want to get into spanning, find an old 5-port hub. (If I'm going into a situation where I need to do a quick sniffing job, this is how I do it.) You'd connect the PC you're sniffing to one port on the hub, your PC (with Ethereal) on a second port, and then connect the hub to your switch. This way, your PC will be able to see the traffic coming into and out of the tax program PC.

I keep a small Linksys 5-port hub in a "go kit", complete with a straight-through and a crossover cable, ready to go for just such an operation. Keeps me from having to hunt these things down when I need to do this type of operation. It might not be as elegant as the spanning process (again, if you even have that available), but it works well, and you get the results you're looking for.

Hope this helps!

Sean
0
 
LVL 5

Assisted Solution

by:netspec01
netspec01 earned 320 total points
ID: 12096385
- This traffic is probably being stopped at the firewall, and the firewall logging or tcpdump there would actually be the best place to troubleshoot this application. This is where I would start.

- To get around the switch port span issue you could run Ethereal on the same PC that is running the application.

- Or if this is a UNIX host you could also fire up tcpdump and capture traffic on the interface where the traffic is destined.  This also bypasses the SPAN issue.
0
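As an added example (not code from any of the posters), the script below does offline what lrmoore's Protocol column and netspec01's tcpdump suggestion come down to: read a libpcap capture and label each TCP connection opened by the tax-program PC as HTTP, FTP or other based on the well-known port. The capture, the IP addresses (RFC 5737 documentation ranges) and the ports are constructed inline; a real tcpdump or Ethereal `.pcap` file can be passed to `classify()` the same way.

```python
import struct

# Port-based labels, the same heuristic Ethereal's Protocol column uses for
# plain TCP. An application on a non-standard port shows up as "TCP (other)".
PORT_NAMES = {80: "HTTP", 443: "HTTPS", 21: "FTP", 20: "FTP-DATA"}

def build_pcap(flows):
    """Constructed sample: write Ethernet/IPv4/TCP SYN frames into a minimal pcap file."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for src, dst, sport, dport in flows:
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp  # MACs zeroed, EtherType IPv4
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame  # record header
    return out

def classify(pcap, host):
    """Return {(peer_ip, peer_port): label} for every TCP segment sent by `host`."""
    magic, = struct.unpack("<I", pcap[:4])
    assert magic == 0xA1B2C3D4, "expected little-endian microsecond pcap"
    off, seen = 24, {}
    while off < len(pcap):
        _, _, caplen, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00":          # not IPv4, skip (ARP, IPv6, ...)
            continue
        ihl = (frame[14] & 0x0F) * 4              # IP header length in bytes
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        if frame[23] != 6 or src != host:         # protocol 6 = TCP; only this host's traffic
            continue
        sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
        # Client side: label by destination port; server side: fall back to source port.
        seen[(dst, dport)] = PORT_NAMES.get(dport, PORT_NAMES.get(sport, "TCP (other)"))
    return seen

# Constructed traffic: the tax PC (192.0.2.10) talks to 198.51.100.5 on 80 and 21,
# receives one reply, and also opens a connection to 203.0.113.9 on port 8443.
SAMPLE = build_pcap([
    ("192.0.2.10", "198.51.100.5", 49152, 80),
    ("192.0.2.10", "198.51.100.5", 49153, 21),
    ("198.51.100.5", "192.0.2.10", 80, 49152),
    ("192.0.2.10", "203.0.113.9", 49154, 8443),
])

if __name__ == "__main__":
    for (peer, port), label in sorted(classify(SAMPLE, "192.0.2.10").items()):
        print(f"{peer}:{port} -> {label}")
```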
 
LVL 1

Author Comment

by:Simon336697
ID: 12097602
Thanks so much to everyone who responded... really appreciate it.

Simon
0