Monitor all traffic from inside lan to internet - how to get in the path

Posted on 2005-04-14
Last Modified: 2010-03-18
What is the best way to get a computer-hosted network monitor in the path from the LAN to the internet on a switched network? This is for the purpose of discovering unwanted outbound traffic from internal infected computers, or diagnosing protocol-specific failures when communicating with specific internet resources. I have been configuring a portable Server 2003 / ISA Server with Microsoft's Network Monitor as a temporary replacement for the normal NAT/firewall device in order to get in the path. It works fine, but is time-consuming to set up when several inbound access-list mappings have to be maintained when using the temporary diagnostic router. It also breaks network connectivity during the transition from the permanent NAT device to the diagnostic NAT server.
Question by:swbruce21

    Expert Comment

    Not sure how large your network is or your router configuration, but if small enough and the router is either one port or you can do some cable rearranging to only use one port, you could just insert a cheap hub between the main router and first switch of the switch bank, then plug one other computer into the hub (or perhaps move a designated workstation from the switch to the new hub, thereby still using it as normal then adding sniffer duties to it...depending on if that's possible with your current network setup) and run a sniffer on it like Ethereal (or another packet monitoring program of choice).

    Expert Comment

    If you did that with a spare box, and you had for example a T1 for your internet connection, there wouldn't be any noticeable performance degradation, even with a 10Base-T hub (though use a full duplex one if the router is full duplex)...the traffic going through that point in the network wouldn't go any faster than the 1.544mbit T1 could spew out, there's no additional routing, and the sniffing is passive, so there are no collisions or extra hops that would defeat the purpose of the switched network downstream.

    Author Comment

    This is something that I do for short intervals troubleshooting the network of small business clients. I tried the hub approach but since the Ethernet frames are addressed to the firewall, the adaptor on my sniffing computer rejects them. I know there is a solution to that, but I don't know the specifics of what it is. Thanks

    Accepted Solution

    If you set the sniffing box to set the network card to "promiscuous mode" then it will sniff the packets going to the router/firewall.
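
The thread's two points, shown together as an added example that is not part of any post above: a sniffer on the hub receives every frame on the wire, but its adapter's destination-MAC filter discards frames addressed to the firewall unless promiscuous mode is on, and only then can outbound flows per internal host be counted. The MAC addresses, IP addresses, LAN range and function names are assumptions constructed for the illustration; the filter is simplified to unicast and broadcast.

```python
import ipaddress
import struct
from collections import Counter

BROADCAST = b"\xff" * 6
def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def build_frame(dst_mac, src_mac, src_ip, dst_ip, dst_port):
    """Constructed Ethernet II + IPv4 + TCP SYN headers (checksums left zero)."""
    eth = dst_mac + src_mac + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src_ip).packed,
                     ipaddress.ip_address(dst_ip).packed)
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return eth + ip + tcp

def nic_accepts(frame, nic_mac, promiscuous):
    """Destination-MAC filter applied before a frame reaches the sniffer."""
    return promiscuous or frame[:6] in (nic_mac, BROADCAST)

def outbound_flows(frames, lan):
    """Count (internal src, external dst, dst port) for IPv4/TCP frames."""
    net, flows = ipaddress.ip_network(lan), Counter()
    for f in frames:
        if len(f) < 34 or f[12:14] != b"\x08\x00" or f[23] != 6:
            continue  # not IPv4 carrying TCP
        ihl = (f[14] & 0x0F) * 4
        if len(f) < 14 + ihl + 4:
            continue  # truncated before the TCP ports
        src, dst = ipaddress.ip_address(f[26:30]), ipaddress.ip_address(f[30:34])
        if src in net and dst not in net:
            dport = struct.unpack("!H", f[14 + ihl + 2:14 + ihl + 4])[0]
            flows[(str(src), str(dst), dport)] += 1
    return flows

# Constructed sample: hypothetical MACs and documentation-range addresses.
FIREWALL, SNIFFER = mac("02:00:00:00:00:01"), mac("02:00:00:00:00:99")
PC_A, PC_B = mac("02:00:00:00:00:0a"), mac("02:00:00:00:00:0b")
CAPTURE = [
    build_frame(FIREWALL, PC_A, "192.168.1.10", "203.0.113.5", 80),
    build_frame(FIREWALL, PC_B, "192.168.1.11", "198.51.100.7", 25),
    build_frame(FIREWALL, PC_B, "192.168.1.11", "198.51.100.7", 25),
    build_frame(BROADCAST, PC_A, "192.168.1.10", "192.168.1.255", 137),
]

def flows_seen(promiscuous):
    kept = [f for f in CAPTURE if nic_accepts(f, SNIFFER, promiscuous)]
    return dict(outbound_flows(kept, "192.168.1.0/24"))
```

Calling `flows_seen(False)` returns no outbound flows because only the broadcast frame passes the filter, while `flows_seen(True)` shows the workstation making repeated connections to port 25.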
