Solved

Ethereal: Finding what type of traffic is generated from a host

Posted on 2004-09-19
7
419 Views
Last Modified: 2010-04-10
Hi guys,
Id love some ETHEREAL GURUS out there to share their expertise here.

Ok, I have a problem.

I have a host that uses a tax application....When they run the program, they send information to the tax office, and they receive information. I would like to find out if this is http traffic or FTP traffic.
How can I set up ethereal on my machine, and capture the traffic that is coming/going from that machine running the tax program?

Any help greatly appreciated.

Simon
0
Comment
Question by:Simon336697
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 100 total points
ID: 12095652
Well, that sort of depends. Are you connecting to the network at a switch? Switches make sniffing difficult. Unless you run Ethereal on that host, you may not be able to capture the traffic. You would have to create a mirror (Cisco calls it SPAN) port on the switch and plug the Ethereal host into that port.

Either way, just launch Ethereal, choose the appropriate network connection, and start capturing. Use the application on the other workstation and you may be able to capture the information that you want.
Once you stop capture, the display will have multiple columns. Click on any column heading to sort by that column. The Protocol column will tell you if it is FTP or HTTP or TCP (other than FTP or HTTP)..
0
 
LVL 15

Expert Comment

by:Cyber-Dude
ID: 12095871
hmmmm...
You will have to do some arraingements in your switching system to aloow you diagnose the other clients traffic; that is unless the client is broadcusting...

Afterwards, use etherreal in the following manner:
You may use Filters to initiate IP packets tapping... I'll try to locate a good report for you...

Cyber
0
 
LVL 15

Expert Comment

by:Cyber-Dude
ID: 12095873
sorry Irmoore... didnt reloaded....

Cyber
0
Building an interactive eFuture classroom

Watch and learn how ATEN provided a total control system solution including seamless switching matrix switch, HDBaseT extenders, PDU, lighting control to build an interactive eFuture classroom.

 
LVL 15

Assisted Solution

by:Cyber-Dude
Cyber-Dude earned 120 total points
ID: 12095900
There you have it; search for the 'capture' terminology...
http://www.ethereal.com/docs/user-guide/

Cyber
0
 
LVL 2

Accepted Solution

by:
smconsult earned 200 total points
ID: 12096135
Regarding the switch, and capturing traffic...

As both Cyber-Dude and lrmoore indicated, sniffing across a switch is not as easy as hooking up a PC with Ethereal (or whatever your favorite sniffer happens to be),  starting the program, and capturing packets.  Switches, by design, forward a packet only to the port that the packet is destined for.  This is unlike a hub, which sends packets to every port, regardless of the destination.

So you're left with two choices.  If you have a smart switch that allows you to span (as alluded to by lrmoore), you could put the switch into a spanning mode, hook your PC up to the spanned port, and then run Ethereal.  Look for the packets coming from the PC that you're sniffing, and see what kind of protocol you're capturing.

If your switch is not of the smart variety, or if you don't want to get into spanning, find an old 5-port hub.  (If I'm going into a situation where I need to do a quick sniffing job, this is how I do it.)  You'd connect the PC you're sniffing to one port on the hub, your PC (with Ethereal) on a second port, and then connect the hub to your switch.  This way, your PC will be able to see the traffic coming into and out of the tax program PC.

I keep a small Linksys 5-port hub in a "go kit", complete with a straight through and crossover cable, ready to go for just such an operation.  Keeps me from having to hunt these things down when I need to do this type of operation.  It might not be as elegant as the spanning process (again, if you even have that available), but it works well, and you get the results your looking for.

Hope this helps!

Sean
0
 
LVL 5

Assisted Solution

by:netspec01
netspec01 earned 80 total points
ID: 12096385
- This traffic is probably being stopped at the firewall and the firewall logging or tcpdump here would actually be the best place to troubleshoot this application.  This is where I would start.

- To get around the switch port span issue you could run Ethereal on the same PC that is running the application.

- Or if this is a UNIX host you could also fire up tcpdump and capture traffic on the interface where the traffic is destined.  This also bypasses the SPAN issue.
0
 
LVL 1

Author Comment

by:Simon336697
ID: 12097602
Thanks so much to everyone who responded....really appreciate it.

Simon
0

Featured Post

Secure Your WordPress Site: 5 Essential Approaches

WordPress is the web's most popular CMS, but its dominance also makes it a target for attackers. Our eBook will show you how to:

Prevent costly exploits of core and plugin vulnerabilities
Repel automated attacks
Lock down your dashboard, secure your code, and protect your users

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When it comes to security, there are always trade-offs between security and convenience/ease of administration. This article examines some of the main pros and cons of using key authentication vs password authentication for hosting an SFTP server.
I had an issue with InstallShield not being able to use Computer Browser service on Windows Server 2012. Here is the solution I found.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question