Ethereal: Finding what type of traffic is generated from a host

Hi guys,
I'd love some ETHEREAL GURUS out there to share their expertise here.

Ok, I have a problem.

I have a host that uses a tax application. When they run the program, they send information to the tax office, and they receive information. I would like to find out if this is HTTP traffic or FTP traffic.
How can I set up ethereal on my machine, and capture the traffic that is coming/going from that machine running the tax program?

Any help greatly appreciated.

Simon
 
lrmoore Commented:
Well, that sort of depends. Are you connecting to the network at a switch? Switches make sniffing difficult. Unless you run Ethereal on that host, you may not be able to capture the traffic. You would have to create a mirror (Cisco calls it SPAN) port on the switch and plug the Ethereal host into that port.

Either way, just launch Ethereal, choose the appropriate network connection, and start capturing. Use the application on the other workstation and you may be able to capture the information that you want.
Once you stop the capture, the display will have multiple columns. Click on any column heading to sort by that column. The Protocol column will tell you if it is FTP or HTTP or TCP (other than FTP or HTTP).
0
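As an added example (not from the thread), this is what lrmoore's "sort by the Protocol column" check looks like when done programmatically over raw Ethernet frames captured from the tax-program PC: it decodes the IPv4/TCP headers, labels each frame HTTP or FTP from the port and the payload, and tallies them by direction. The host address, the frame contents and the helper names are constructed for the example.

```python
import struct

HOST = "192.168.1.50"  # constructed address of the PC running the tax program

def classify(frame, host=HOST):
    """Return (direction, protocol) for an IPv4/TCP frame involving host, else None."""
    if frame[12:14] != b"\x08\x00" or frame[23] != 6:    # EtherType IPv4, IP proto TCP
        return None
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    if host not in (src, dst):
        return None
    tcp = frame[14 + (frame[14] & 0x0F) * 4:]           # skip IP header (IHL in 32-bit words)
    sport, dport = struct.unpack("!HH", tcp[:4])
    payload = tcp[(tcp[12] >> 4) * 4:]                    # skip TCP header (data offset)
    # The port is only a hint; confirm from the payload, as apps may use non-standard ports.
    if payload.startswith((b"GET ", b"POST ", b"HTTP/")) or 80 in (sport, dport):
        proto = "HTTP"
    elif payload.startswith((b"220", b"USER ", b"PASS ", b"PORT ")) or 21 in (sport, dport):
        proto = "FTP"   # control channel; note that FTP credentials travel in cleartext
    else:
        proto = "TCP/%d" % min(sport, dport)
    return ("out" if src == host else "in"), proto

def summarize(frames, host=HOST):
    """Count frames per (direction, protocol) for host, like sorting Ethereal's Protocol column."""
    counts = {}
    for frame in frames:
        key = classify(frame, host)
        if key:
            counts[key] = counts.get(key, 0) + 1
    return counts

def make_frame(src, dst, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame for the sample (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

SAMPLE_FRAMES = [   # constructed: the host speaks HTTP and FTP; one unrelated flow is ignored
    make_frame(HOST, "203.0.113.10", 40000, 80, b"POST /efile HTTP/1.1\r\n"),
    make_frame("203.0.113.10", HOST, 80, 40000, b"HTTP/1.1 200 OK\r\n"),
    make_frame("203.0.113.20", HOST, 21, 40001, b"220 FTP server ready\r\n"),
    make_frame(HOST, "203.0.113.20", 40001, 21, b"USER taxclient\r\n"),
    make_frame("192.168.1.7", "192.168.1.8", 5000, 6000, b"unrelated"),
]

if __name__ == "__main__":
    print(summarize(SAMPLE_FRAMES))
```

Feed it the frames from a capture taken on a SPAN port or hub as described in the later answers; frames that do not involve the host are skipped.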
 
Cyber-Dude Commented:
hmmmm...
You will have to make some arrangements in your switching system to allow you to diagnose the other clients' traffic; that is unless the client is broadcasting...

Afterwards, use Ethereal in the following manner:
You may use Filters to initiate IP packets tapping... I'll try to locate a good report for you...

Cyber
0
 
Cyber-Dude Commented:
Sorry lrmoore... didn't reload....

Cyber
0
 
Cyber-Dude Commented:
There you have it; search for the 'capture' terminology...
http://www.ethereal.com/docs/user-guide/

Cyber
0
 
smconsult Commented:
Regarding the switch, and capturing traffic...

As both Cyber-Dude and lrmoore indicated, sniffing across a switch is not as easy as hooking up a PC with Ethereal (or whatever your favorite sniffer happens to be),  starting the program, and capturing packets.  Switches, by design, forward a packet only to the port that the packet is destined for.  This is unlike a hub, which sends packets to every port, regardless of the destination.

So you're left with two choices.  If you have a smart switch that allows you to span (as alluded to by lrmoore), you could put the switch into a spanning mode, hook your PC up to the spanned port, and then run Ethereal.  Look for the packets coming from the PC that you're sniffing, and see what kind of protocol you're capturing.

If your switch is not of the smart variety, or if you don't want to get into spanning, find an old 5-port hub.  (If I'm going into a situation where I need to do a quick sniffing job, this is how I do it.)  You'd connect the PC you're sniffing to one port on the hub, your PC (with Ethereal) on a second port, and then connect the hub to your switch.  This way, your PC will be able to see the traffic coming into and out of the tax program PC.

I keep a small Linksys 5-port hub in a "go kit", complete with a straight-through and a crossover cable, ready to go for just such an operation.  Keeps me from having to hunt these things down when I need to do this type of operation.  It might not be as elegant as the spanning process (again, if you even have that available), but it works well, and you get the results you're looking for.

Hope this helps!

Sean
0
 
netspec01 Commented:
- This traffic is probably being stopped at the firewall and the firewall logging or tcpdump here would actually be the best place to troubleshoot this application.  This is where I would start.

- To get around the switch port span issue you could run Ethereal on the same PC that is running the application.

- Or if this is a UNIX host you could also fire up tcpdump and capture traffic on the interface where the traffic is destined.  This also bypasses the SPAN issue.
0
 
Simon336697 (Author) Commented:
Thanks so much to everyone who responded... really appreciate it.

Simon
0
