Ethereal Question

Posted on 2006-05-02
Last Modified: 2010-03-19
I want to use Ethereal to monitor network traffic. Where should I install this? I want to monitor all traffic, not just my NIC. I ran it on my PC and it only showed traffic from my NIC. Any ideas or better programs?
Question by:mkurtzhals
    LVL 15

    Accepted Solution

    Greetings mkurtzhals,

    You need to pass your traffic to a PC that will be considered as a gateway for your network with Dual NIC and then install it there.

    Good Luck!

    LVL 4

    Assisted Solution

    Well, many network switches will have a 'port mirror' function, or 'span port' function...
    That is where all switch traffic is mirrored to a specified port on the switch...
    You would have to enable this, and then you can snoop on everyone's traffic when plugged into the specified port.

    Another option is to use a small 4 port hub, place the hub upstream of the switch (between the switch and your router/firewall).
    Then, take your pc and plug it into the hub.
    With this option you will only see traffic that leaves the switch (you will NOT see traffic between the computers on the same switch).
    LVL 5

    Assisted Solution

    Make sure Ethereal starts in 'promiscuous mode' - it should do that by default, unless some setting was changed.

    Then, if your network is on a switch, as 'uberpoop' said, check if your switch has the ability to replicate all traffic on all ports to a single port. Check the documentation for the switch to see if this is possible and how.
    Then, plug your analyzer into that single port to sniff all traffic... on that switch.

    And BTW, most routers/firewalls, and even some hubs these days, actually do 'switching', so it is safe to say that if you are on a larger, serious corporate network, you may not be able to sniff everything from the same place.  Unless you know what you are looking for...

    LVL 18

    Assisted Solution

    by:Sam Panwar

    You have to make sure that you configure a switchport as a span port (monitor port). Otherwise you only see broadcast traffic. In a hubbed environment you don't need a span port, as a hub transfers its traffic to all its ports.

    Download its latest version from :-

    Its User's Guides are available here :-
    1.                 (IT'S A STEP BY STEP GUIDE)
    LVL 27

    Assisted Solution

    >>I want to monitor all traffic not just my NIC

    Since no one else has said it, this is impractical if not impossible.  How big is your network?  You would be able to monitor "all" traffic only on a very small network if you have the right kind of switch (mentioned above) or a hub.

    If you want to monitor all INTERNET traffic to and from your network, then you would sniff the connection from your router - behind it if you want to see the inside IP addresses - on the outside if you want to see inbound attack traffic (like a Firewall).

    If your network is more than a few hosts - and let's say you have the ability to span/mirror all their ports over to one port - you could quickly overwhelm the one port and you would start dropping traffic and not getting it in the sniff.

    Ethereal is only practical monitoring one connection - or possibly a many to many through a single pipe - such as between the router and your network.

    What exactly is the goal and perhaps we could recommend a better solution?
    LVL 17

    Assisted Solution

    >> Make sure Ethereal starts in 'promiscuous mode' - it should do that by default, unless some setting was changed.

    As mentioned, this is the first thing you should check. But also, you do have to check if you're on a monitor port on a switch. If not, you're not going to be able to see everything the way you'd like to.

    psuedo's point on overloading a port is also a good one, so as mentioned, clarify the size of your network and whatnot.

    You do have devices such as Packeteer boxes, which are costly, but can do the job AND support packet shaping.
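
An added example, not written by any poster in this thread: a check for whether a capture was really taken on a mirror/SPAN port or hub, based on the point made in the replies that an ordinary switch port shows only your own traffic plus broadcasts. The MAC addresses, sample frames, function names and the 5% flooding threshold are constructed assumptions.

```python
from collections import Counter

BROADCAST = b"\xff" * 6

def mac(text):
    """Convert 'aa:bb:cc:dd:ee:ff' into 6 raw bytes."""
    return bytes(int(part, 16) for part in text.split(":"))

def frame(dst, src, ethertype=0x0800):
    """Build a minimal Ethernet header (constructed sample data, no payload)."""
    return mac(dst) + mac(src) + ethertype.to_bytes(2, "big")

def classify(raw, own_mac):
    """Classify one raw Ethernet frame relative to the capturing NIC."""
    if len(raw) < 14:
        return "truncated"
    dst, src = raw[0:6], raw[6:12]
    if dst == BROADCAST:
        return "broadcast"
    if dst[0] & 0x01:              # I/G bit set: multicast group address
        return "multicast"
    if own_mac in (dst, src):
        return "own_unicast"
    return "foreign_unicast"       # unicast between two other hosts

def assess_vantage(frames, own_mac, flood_threshold=0.05):
    """Return (verdict, counts). flood_threshold is an assumed cut-off:
    a switch floods unicast to MACs it has not learned yet, so a few
    foreign frames alone do not prove a mirror port."""
    counts = Counter(classify(f, own_mac) for f in frames)
    valid = sum(counts.values()) - counts["truncated"]
    foreign = counts["foreign_unicast"]
    if valid == 0:
        return "no-data", counts
    if foreign == 0:
        return "switched-port", counts
    if foreign / valid < flood_threshold:
        return "switched-port-with-flooding", counts
    return "mirror-or-hub", counts

# Constructed sample captures (hypothetical MAC addresses).
ME, GW = "02:00:00:00:00:01", "02:00:00:00:00:fe"
H2, H3 = "02:00:00:00:00:02", "02:00:00:00:00:03"
ACCESS_PORT = [frame("ff:ff:ff:ff:ff:ff", H2, 0x0806), frame(GW, ME),
               frame(ME, GW), frame("01:00:5e:00:00:fb", H3)]
MIRROR_PORT = ACCESS_PORT + [frame(GW, H2), frame(H2, GW), frame(H2, H3)]

if __name__ == "__main__":
    for name, cap in (("access port", ACCESS_PORT), ("mirror port", MIRROR_PORT)):
        print(name, assess_vantage(cap, mac(ME)))
```

A "switched-port" verdict on a port that was supposed to be mirrored means the SPAN configuration is not in effect, whatever the capture tool's promiscuous-mode setting.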
    LVL 15

    Expert Comment

    by:Naser Gabaj
    Hi mkurtzhals,

    It's been a long time since you asked the Q. Are you still working on this? Was the information provided helpful? Do you need more information?

    If any of the above answers gave you the solution, please accept his/her answer with the appropriate grade you see.

    Please let us know, we appreciate your reply.

