
  • Status: Solved
  • Priority: Medium

Ethereal Question

I want to use Ethereal to monitor network traffic. Where should I install this? I want to monitor all traffic, not just my NIC. I ran it on my PC and it only showed traffic from my NIC. Any ideas or better programs?
6 Solutions
Naser Gabaj Commented:
Greetings mkurtzhals,

You need to pass your traffic to a PC that will be considered as a gateway for your network with Dual NIC and then install it there.

Good Luck!

Well, many network switches will have a 'port mirror' function, or 'span port' function...
That is where all switch traffic is mirrored to a specified port on the switch...
You would have to enable this, and then you can snoop on everyone's traffic when plugged into the specified port.

Another option is to use a small 4 port hub, place the hub upstream of the switch (between the switch and your router/firewall).
Then, take your pc and plug it into the hub.
With this option you will only see traffic that leaves the switch (you will NOT see traffic between the computers on the same switch).

Make sure Ethereal starts in 'promiscuous mode' - it should do that by default, unless some setting was changed.

Then, if your network is on a switch, as 'uberpoop' said, check if your switch has the ability to replicate all traffic on all ports to a single port. Check the documentation for the switch to see if this is possible and how.
Then, plug your analyzer into that single port to sniff all traffic... on that switch.

And BTW, most routers/firewalls, and even some hubs these days, actually do 'switching', so it is safe to say that if you are on a larger, serious corporate network, you may not be able to sniff everything from the same place.  Unless you know what you are looking for...



Sam Panwar, Sr. Server Administrator, Commented:

You have to make sure that you configure a switchport as a span port (monitor port). Otherwise you only see broadcast traffic. In a hubbed environment you don't need a span port as a hub transfers its traffic to all its ports.

Download its latest version from: http://www.ethereal.com:80/distribution/win32/ethereal-setup-0.10.14.exe

Its user's guides are available here:
1. http://www.portforward.com/networking/ethereal.htm (it's a step-by-step guide)
2. http://www.openxtra.co.uk/support/documentation/ethereal-getting-started-guide.pdf
3. http://www.ethereal.com/docs/eug_html_chunked/
4. http://www.ethereal.com/docs/user-guide/
5. http://www.advancedrelay.com/laygodoc/laygodlu/ethereal.htm

>> I want to monitor all traffic not just my NIC

Since no one else has said it, this is impractical if not impossible. How big is your network? You would be able to monitor "all" traffic only on a very small network if you have the right kind of switch (mentioned above) or a hub.

If you want to monitor all INTERNET traffic to and from your network, then you would sniff the connection from your router - behind it if you want to see the inside IP addresses - on the outside if you want to see inbound attack traffic (like a Firewall).

If your network is more than a few hosts - and let's say you have the ability to span/mirror all their ports over to one port - you could quickly overwhelm the one port and you would start dropping traffic and not getting it in the sniff.

Ethereal is only practical for monitoring one connection - or possibly a many-to-many through a single pipe - such as between the router and your network.

What exactly is the goal and perhaps we could recommend a better solution?

>> Make sure Ethereal starts in 'promiscuous mode' - it should do that by default, unless some setting was changed.

As mentioned, this is the first thing you should check. But also, you do have to check if you're on a monitor port on a switch. If not, you're not going to be able to see everything the way you'd like to.

psuedo's point on overloading a port is also a good one, so as mentioned, clarify the size of your network and whatnot.

You do have devices such as Packeteer boxes, which are costly, but can do the job AND support packet shaping.
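
A way to check from a saved capture whether the sniffer is really on a mirror port or hub, as the answers above advise (added example, not from any poster): it counts frames by destination and source MAC. It assumes the capture was saved in libpcap format; the MAC addresses, the helper names and the two sample captures are constructed for illustration.

```python
import struct

LITTLE = {0xA1B2C3D4, 0xA1B23C4D}  # pcap magics (usec/nsec) in a little-endian file
BIG = {0xD4C3B2A1, 0x4D3CB2A1}     # the same magics when the file is big-endian

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def classify(pcap, own_mac):
    """Count captured Ethernet frames by whose traffic they are."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    if magic not in LITTLE | BIG:
        raise ValueError("not a libpcap capture file")
    end = "<" if magic in LITTLE else ">"
    if struct.unpack_from(end + "I", pcap, 20)[0] != 1:
        raise ValueError("link type is not Ethernet")
    counts = {"own": 0, "broadcast_multicast": 0, "foreign_unicast": 0}
    off = 24                                  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from(end + "I", pcap, off + 8)[0]
        frame = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 14:                   # truncated record, no full header
            continue
        dst, src = frame[:6], frame[6:12]
        if own_mac in (dst, src):
            counts["own"] += 1                # what any NIC sees on a switch
        elif dst[0] & 1:                      # group bit: broadcast or multicast
            counts["broadcast_multicast"] += 1
        else:
            counts["foreign_unicast"] += 1    # needs a span port or a hub
    return counts

def sees_other_hosts(counts):
    return counts["foreign_unicast"] > 0

# Constructed sample captures (hypothetical hosts OWN, A and B).
def eth(dst, src):
    return mac(dst) + mac(src) + b"\x08\x00" + bytes(46)

def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return out + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

OWN, A, B, BCAST = "02:00:00:00:00:01", "02:00:00:00:00:0a", "02:00:00:00:00:0b", "ff:ff:ff:ff:ff:ff"
ACCESS_PORT = build_pcap([eth(A, OWN), eth(OWN, A), eth(BCAST, B)])
MIRROR_PORT = build_pcap([eth(A, OWN), eth(BCAST, B), eth(A, B), eth(B, A)])
```

A switch floods unicast frames for MAC addresses it has not learned yet, so a handful of foreign unicast frames does not prove mirroring is on; a steady stream of them does.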

Naser Gabaj Commented:
Hi mkurtzhals,

It's been a long time since you asked the question. Are you still working on this? Was the information provided helpful? Do you need more information?

If any of the above answers gave you the solution, please accept his/her answer with the appropriate grade you see.

Please let us know, we appreciate your reply.

