swbruce21

Monitor all traffic from inside lan to internet - how to get in the path

What is the best way to get a computer-hosted network monitor in the path from the LAN to the internet on a switched network? This is for the purpose of discovering unwanted outbound traffic from internal infected computers, or diagnosing protocol-specific failures when communicating with specific internet resources. I have been configuring a portable Server 2003 / ISA Server with Microsoft's Network Monitor as a temporary replacement for the normal NAT/Firewall device in order to get in the path. It works fine, but is time-consuming to set up when several inbound access-list mappings have to be maintained when using the temporary diagnostic router. It also breaks network connectivity during the transition from the permanent NAT device to the diagnostic NAT server.
fixnix

Not sure how large your network is or your router configuration, but if small enough and the router is either one port or you can do some cable rearranging to only use one port, you could just insert a cheap hub between the main router and first switch of the switch bank, then plug one other computer into the hub (or perhaps move a designated workstation from the switch to the new hub, thereby still using it as normal then adding sniffer duties to it...depending on if that's possible with your current network setup) and run a sniffer on it like Ethereal (www.ethereal.com) or another packet monitoring program of choice.
If you did that with a spare box, and you had for example a T1 for your internet connection, there wouldn't be any noticeable performance degradation, even with a 10Base-T hub (though use a full duplex one if the router is full duplex)...the traffic going through that point in the network wouldn't go any faster than the 1.544 Mbit T1 could spew out, there's no additional routing, and the sniffing is passive, so there are no collisions or extra hops that would defeat the purpose of the switched network downstream.
swbruce21

ASKER

This is something that I do for short intervals troubleshooting the network of small business clients. I tried the hub approach, but since the Ethernet frames are addressed to the firewall, the adaptor on my sniffing computer rejects them. I know there is a solution to that, but I don't know the specifics of what it is. Thanks.
ASKER CERTIFIED SOLUTION
fixnix
