Solved

Ethereal: Finding what type of traffic is generated from a host

Posted on 2004-09-19
7
414 Views
Last Modified: 2010-04-10
Hi guys,
I'd love some ETHEREAL GURUS out there to share their expertise here.

Ok, I have a problem.

I have a host that uses a tax application....When they run the program, they send information to the tax office, and they receive information. I would like to find out if this is http traffic or FTP traffic.
How can I set up ethereal on my machine, and capture the traffic that is coming/going from that machine running the tax program?

Any help greatly appreciated.

Simon
0
Question by:Simon336697
7 Comments
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 100 total points
ID: 12095652
Well, that sort of depends. Are you connecting to the network at a switch? Switches make sniffing difficult. Unless you run Ethereal on that host, you may not be able to capture the traffic. You would have to create a mirror (Cisco calls it SPAN) port on the switch and plug the Ethereal host into that port.

Either way, just launch Ethereal, choose the appropriate network connection, and start capturing. Use the application on the other workstation and you may be able to capture the information that you want.
Once you stop capture, the display will have multiple columns. Click on any column heading to sort by that column. The Protocol column will tell you if it is FTP or HTTP or TCP (other than FTP or HTTP).
0
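To make the "look at the Protocol column" step concrete, here is an added example that is not part of the thread or of Ethereal itself: it builds a small pcap file in memory from constructed sample packets, parses the Ethernet/IPv4/TCP headers the way a sniffer does, and then tallies what the column would show for one host, labelling each TCP packet by well-known port (80 HTTP, 21 FTP, anything else plain TCP). It goes slightly beyond the thread by also labelling 443 as HTTPS, since a port-based label is all the Protocol column is doing for the first packets of a connection. The addresses (192.0.2.10 for the tax-program PC, 198.51.100.x for the "tax office") are assumptions chosen from documentation ranges; no real capture is involved.

```python
"""Build a tiny pcap in memory, parse it, and summarise the protocol mix for one host.
Added example (not code from the thread or from Ethereal); all packets are constructed."""
import struct
from collections import Counter

# Assumption: the PC running the tax program is 192.0.2.10 (constructed sample address)
TAX_PC = "192.0.2.10"

# pcap magic numbers and the byte order each implies for the headers
MAGICS = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}


def ip_bytes(dotted):
    """'192.0.2.10' -> 4 raw bytes."""
    return bytes(int(o) for o in dotted.split("."))


def build_packet(src, dst, sport, dport, payload=b""):
    """Ethernet II + IPv4 + TCP frame (minimal 20-byte headers, checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ip_bytes(src), ip_bytes(dst))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp


def build_pcap(packets):
    """pcap global header (little-endian, link type 1 = Ethernet) followed by one record per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(pkt), len(pkt)) + pkt
    return out


def parse_pcap(data):
    """Yield (src, dst, sport, dport, payload) for every IPv4/TCP record in a pcap blob."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic not in MAGICS:
        raise ValueError("not a classic pcap file")
    endian = MAGICS[magic]
    off = 24  # skip the global header
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack_from(endian + "IIII", data, off)
        frame = data[off + 16: off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6:                                     # not TCP
            continue
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = frame[14 + ihl:]
        if len(tcp) < 20:
            continue
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        doff = (tcp[12] >> 4) * 4
        yield src, dst, sport, dport, tcp[doff:]


def classify(sport, dport):
    """Port-based label, the same first guess a sniffer's Protocol column makes."""
    for port, name in ((80, "HTTP"), (443, "HTTPS"), (21, "FTP")):
        if port in (sport, dport):
            return name
    return "TCP"


def summarize(data, host):
    """Count packets to/from `host` by protocol label, like sorting the Protocol column."""
    counts = Counter()
    for src, dst, sport, dport, _ in parse_pcap(data):
        if host in (src, dst):
            counts[classify(sport, dport)] += 1
    return dict(counts)


# Constructed sample capture: the tax PC talking to two "tax office" hosts and a file server
SAMPLE_PCAP = build_pcap([
    build_packet(TAX_PC, "198.51.100.5", 49152, 443),
    build_packet("198.51.100.5", TAX_PC, 443, 49152),
    build_packet(TAX_PC, "198.51.100.5", 49153, 80, b"GET / HTTP/1.1\r\n"),
    build_packet(TAX_PC, "198.51.100.9", 49154, 21, b"USER anonymous\r\n"),
    build_packet(TAX_PC, "192.0.2.20", 49155, 445),
    build_packet("192.0.2.30", "192.0.2.40", 1111, 80),   # unrelated host, ignored
])

if __name__ == "__main__":
    print(summarize(SAMPLE_PCAP, TAX_PC))
```

The same `summarize()` works on a real file saved from Ethereal (`summarize(open("capture.pcap", "rb").read(), "192.0.2.10")`), as long as it is a classic pcap with Ethernet framing; a port-based label is only a first pass, and a sniffer confirms HTTP or FTP by decoding the payload, which this example does not attempt.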
 
LVL 15

Expert Comment

by:Cyber-Dude
ID: 12095871
hmmmm...
You will have to do some arrangements in your switching system to allow you to diagnose the other clients' traffic; that is unless the client is broadcasting...

Afterwards, use Ethereal in the following manner:
You may use Filters to initiate IP packets tapping... I'll try to locate a good report for you...

Cyber
0
 
LVL 15

Expert Comment

by:Cyber-Dude
ID: 12095873
sorry lrmoore... didn't reload....

Cyber
0
 
LVL 15

Assisted Solution

by:Cyber-Dude
Cyber-Dude earned 120 total points
ID: 12095900
There you have it; search for the 'capture' terminology...
http://www.ethereal.com/docs/user-guide/

Cyber
0
 
LVL 2

Accepted Solution

by:smconsult
smconsult earned 200 total points
ID: 12096135
Regarding the switch, and capturing traffic...

As both Cyber-Dude and lrmoore indicated, sniffing across a switch is not as easy as hooking up a PC with Ethereal (or whatever your favorite sniffer happens to be),  starting the program, and capturing packets.  Switches, by design, forward a packet only to the port that the packet is destined for.  This is unlike a hub, which sends packets to every port, regardless of the destination.

So you're left with two choices.  If you have a smart switch that allows you to span (as alluded to by lrmoore), you could put the switch into a spanning mode, hook your PC up to the spanned port, and then run Ethereal.  Look for the packets coming from the PC that you're sniffing, and see what kind of protocol you're capturing.

If your switch is not of the smart variety, or if you don't want to get into spanning, find an old 5-port hub.  (If I'm going into a situation where I need to do a quick sniffing job, this is how I do it.)  You'd connect the PC you're sniffing to one port on the hub, your PC (with Ethereal) on a second port, and then connect the hub to your switch.  This way, your PC will be able to see the traffic coming into and out of the tax program PC.

I keep a small Linksys 5-port hub in a "go kit", complete with a straight-through and crossover cable, ready to go for just such an operation.  Keeps me from having to hunt these things down when I need to do this type of operation.  It might not be as elegant as the spanning process (again, if you even have that available), but it works well, and you get the results you're looking for.

Hope this helps!

Sean
0
 
LVL 5

Assisted Solution

by:netspec01
netspec01 earned 80 total points
ID: 12096385
- This traffic is probably being stopped at the firewall and the firewall logging or tcpdump here would actually be the best place to troubleshoot this application.  This is where I would start.

- To get around the switch port span issue you could run Ethereal on the same PC that is running the application.

- Or if this is a UNIX host you could also fire up tcpdump and capture traffic on the interface where the traffic is destined.  This also bypasses the SPAN issue.
0
 
LVL 1

Author Comment

by:Simon336697
ID: 12097602
Thanks so much to everyone who responded....really appreciate it.

Simon
0
