Ethereal: Finding what type of traffic is generated from a host

Hi guys,
I'd love some ETHEREAL GURUS out there to share their expertise here.

Ok, I have a problem.

I have a host that uses a tax application. When they run the program, they send information to the tax office, and they receive information. I would like to find out if this is HTTP traffic or FTP traffic.
How can I set up ethereal on my machine, and capture the traffic that is coming/going from that machine running the tax program?

Any help greatly appreciated.

Simon
Simon336697 Asked:

smconsult Commented:
Regarding the switch, and capturing traffic...

As both Cyber-Dude and lrmoore indicated, sniffing across a switch is not as easy as hooking up a PC with Ethereal (or whatever your favorite sniffer happens to be),  starting the program, and capturing packets.  Switches, by design, forward a packet only to the port that the packet is destined for.  This is unlike a hub, which sends packets to every port, regardless of the destination.

So you're left with two choices.  If you have a smart switch that allows you to span (as alluded to by lrmoore), you could put the switch into a spanning mode, hook your PC up to the spanned port, and then run Ethereal.  Look for the packets coming from the PC that you're sniffing, and see what kind of protocol you're capturing.

If your switch is not of the smart variety, or if you don't want to get into spanning, find an old 5-port hub.  (If I'm going into a situation where I need to do a quick sniffing job, this is how I do it.)  You'd connect the PC you're sniffing to one port on the hub, your PC (with Ethereal) on a second port, and then connect the hub to your switch.  This way, your PC will be able to see the traffic coming into and out of the tax program PC.

I keep a small Linksys 5-port hub in a "go kit", complete with a straight-through and crossover cable, ready to go for just such an operation.  Keeps me from having to hunt these things down when I need to do this type of operation.  It might not be as elegant as the spanning process (again, if you even have that available), but it works well, and you get the results you're looking for.

Hope this helps!

Sean

lrmoore Commented:
Well, that sort of depends. Are you connecting to the network at a switch? Switches make sniffing difficult. Unless you run Ethereal on that host, you may not be able to capture the traffic. You would have to create a mirror (Cisco calls it SPAN) port on the switch and plug the Ethereal host into that port.

Either way, just launch Ethereal, choose the appropriate network connection, and start capturing. Use the application on the other workstation and you may be able to capture the information that you want.
Once you stop capture, the display will have multiple columns. Click on any column heading to sort by that column. The Protocol column will tell you if it is FTP or HTTP or TCP (other than FTP or HTTP).

Cyber-Dude Commented:
hmmmm...
You will have to do some arrangements in your switching system to allow you to diagnose the other clients' traffic; that is unless the client is broadcasting...

Afterwards, use Ethereal in the following manner:
You may use Filters to initiate IP packets tapping... I'll try to locate a good report for you...

Cyber

Cyber-Dude Commented:
sorry lrmoore... didn't reload....

Cyber

Cyber-Dude Commented:
There you have it; search for the 'capture' terminology...
http://www.ethereal.com/docs/user-guide/

Cyber

netspec01 Commented:
- This traffic is probably being stopped at the firewall and the firewall logging or tcpdump here would actually be the best place to troubleshoot this application.  This is where I would start.

- To get around the switch port span issue you could run Ethereal on the same PC that is running the application.

- Or if this is a UNIX host you could also fire up tcpdump and capture traffic on the interface where the traffic is destined.  This also bypasses the SPAN issue.

Simon336697 Author Commented:
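The two answers above boil down to the same workflow: get the packets (on a SPAN port, through a hub, or with Ethereal/tcpdump on the tax PC itself) and then let the Protocol column tell you whether a conversation is HTTP, FTP or just unidentified TCP. The script below is an added example, not code from the thread or from Ethereal, that shows what that column is actually doing: it reads a classic pcap file, pairs up each TCP conversation, and labels it from the well-known port and from the first bytes of payload. The capture it parses is constructed in memory (addresses 192.0.2.10 for the tax PC and 198.51.100.x for the servers, the request paths, and the script name are all made up for the example) so it runs offline; give it a real `.pcap` written by tcpdump `-w` or saved from Ethereal to analyse actual traffic.

```python
"""Label TCP conversations in a pcap as HTTP, FTP or plain TCP (added example)."""
import struct
import sys
from collections import OrderedDict

# Payload signatures checked against the first bytes of a segment.
HTTP_PREFIXES = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"HTTP/1.")
FTP_PREFIXES = (b"220 ", b"220-", b"USER ", b"PASS ", b"331 ", b"230 ", b"PASV", b"RETR ", b"STOR ")


def classify_segment(sport, dport, payload):
    """Return (label, confidence): 2 = payload signature, 1 = well-known port, 0 = unknown."""
    if payload.startswith(HTTP_PREFIXES):
        return "HTTP", 2
    if payload.startswith(FTP_PREFIXES):
        return "FTP", 2
    if {sport, dport} & {80, 8080}:
        return "HTTP", 1
    if 21 in (sport, dport):
        return "FTP", 1
    return "TCP", 0


def iter_pcap_frames(data):
    """Yield raw Ethernet frames from classic pcap bytes (either byte order)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:  # DLT_EN10MB
        raise ValueError("only Ethernet captures are handled here")
    offset = 24
    while offset + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len


def parse_tcp(frame):
    """Return (src, dst, sport, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if ip[9] != 6:  # protocol field: 6 = TCP
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, tcp[doff:]


def classify_capture(data, host=None):
    """Map each conversation ((ip, port), (ip, port)) to its label, optionally only for one host."""
    flows = OrderedDict()
    for frame in iter_pcap_frames(data):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, payload = parsed
        if host is not None and host not in (src, dst):
            continue
        key = tuple(sorted([(src, sport), (dst, dport)]))
        label, conf = classify_segment(sport, dport, payload)
        # A payload signature outranks a port guess; keep the strongest verdict per flow.
        if key not in flows or conf > flows[key][1]:
            flows[key] = (label, conf)
    return OrderedDict((k, v[0]) for k, v in flows.items())


def build_frame(src, dst, sport, dport, payload):
    """Minimal Ethernet/IPv4/TCP frame for the constructed sample (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split("."))) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip


def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap container."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)


# Constructed sample: tax PC 192.0.2.10 talking to three servers, plus one unrelated flow.
SAMPLE_PCAP = build_pcap([
    build_frame("192.0.2.10", "198.51.100.20", 40001, 80, b""),  # SYN, no payload yet
    build_frame("192.0.2.10", "198.51.100.20", 40001, 80, b"POST /lodge HTTP/1.1\r\nHost: tax.example\r\n\r\n"),
    build_frame("198.51.100.30", "192.0.2.10", 21, 40002, b"220 ftp.example FTP server ready\r\n"),
    build_frame("192.0.2.10", "198.51.100.30", 40002, 21, b"USER taxclient\r\n"),
    build_frame("192.0.2.10", "198.51.100.40", 40003, 9876, b"\x01\x02\x03\x04"),
    build_frame("198.51.100.50", "198.51.100.60", 5000, 80, b"GET / HTTP/1.1\r\n"),
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for (a, b), label in classify_capture(data, host="192.0.2.10").items():
        print("%-5s %s:%d <-> %s:%d" % (label, a[0], a[1], b[0], b[1]))
```

To use it on real traffic, capture on the tax PC itself or on the SPAN/hub port with `tcpdump -n -i eth0 -w tax.pcap host 192.0.2.10` (standard tcpdump flags; the interface name and address are placeholders), then run the script with `tax.pcap` as its argument. Two caveats a practitioner should expect: an FTP data connection runs on a separate, often ephemeral, port and will show here as plain TCP even though the control channel is labelled FTP, and if the tax application uses HTTPS you will see port 443 with unreadable payload, which this script (like the Protocol column for an unknown port) reports as TCP.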
Thanks so much to everyone who responded....really appreciate it.

Simon