Solved

Network Sniff

Posted on 2006-07-20
Medium Priority
Last Modified: 2013-12-07
It's been a while since I've done this so forgive me if I don't really know the question I'm trying to ask...

I need to check my network topology and make sure we don't have any rogue hubs running that might be allowing routing loops or causing other switching issues.  What should I look for in my packet capture to show me if we are having problems with looping or other such issues?
0
Question by:Planoite
9 Comments
 
LVL 5

Expert Comment

by:shniz123
ID: 17150569
Well this is a really broad question. Are you experiencing looping and switching problems? It could be something rogue or something incorrectly setup. Can you offer more detail?

0
 
LVL 1

Author Comment

by:Planoite
ID: 17150585
Not really.  Basically what I want to do is get a sampling of the network traffic and I was wondering if anyone could point out any traffic patterns to be aware of.  It's been a while since I've read a sniffer trace and I can't remember the things that I used to look for.  

I see you are new here.  Welcome to EE!
0
 
LVL 4

Expert Comment

by:xcromx
ID: 17150629
You really need to pinpoint what traffic you want to sniff...
If you just put a sniff up and leave it running you will be looking through millions of packets and you don't know exactly what to look for... I would not either...

What kind of network devices do you have... Anything that is manageable? You can connect to the device and see if you are having any packet errors or collisions...

Packet collisions are usually caused by one device being set to full and one device being set to half... (duplex)

What issues are you having?
0
 
LVL 24

Expert Comment

by:SunBow
ID: 17150786
Planoite >  see you are new here.  Welcome to EE!

Nice catch. Welcome, shniz123!

> rogue hubs running that might be allowing routing loops
> any traffic patterns to be aware of.

I like KISSes. Sniffing is a drag, unless you got good ideas about what to look for, and probably you feel same way.

Why not try another angle, at a higher level, run some TraceRoutes. You might want to get some separate packages that enable that kind of thing to be used in different ways.

For one, you can better identify the router(s) closer to user. For another, a looping should get you quickly up to error detections of 'too many hops'. In the meantime, you can leverage the information gathered about current times between hops that can better identify some other problems of misconfiguration (to duplex, or not to duplex?) or NICs (or ports) starting to go bad.

Sniffing, to me, is better left as a tool for zooming in on a problem, rather than for vague snooping or fishing. There's just too many bits on the wire, filtering is critical, but one also ought not filter out that essential.          - my 2 cents
0
 
LVL 11

Expert Comment

by:grsteed
ID: 17150990
One thing you could monitor for is ICMP messages.  They are used to report a lot of problem conditions as detailed at this link.

http://www.samspublishing.com/articles/article.asp?p=26557&seqNum=5&rl=1

Cheers,
Gary
0
 
LVL 24

Expert Comment

by:SunBow
ID: 17151053
If you are stuck with a sniffer and in need of something (more) to do with it, you can also try to look for a hole that a rogue or bad router could create.

For example, you have a single subnet. Used only by people (or rather, their equipment). So traffic for other subnets does not belong on your wire. KISSing it, filter out all of your own stuff first. Then see what is left (anything?), and figure out what kind of damage that means later on, after you get it and it (information) takes a form for interpretation.
0
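The two suggestions above (watch for ICMP error messages, and filter out your own subnet's traffic to see what is left) can be combined into one pass over a capture. This is an added example, not part of the original thread; the subnet 192.168.10.0/24, the helper names and the sample packets are all constructed for illustration.

```python
import ipaddress
import struct

# Assumption: the local segment is 192.168.10.0/24 (constructed for this example).
LOCAL_NET = ipaddress.ip_network("192.168.10.0/24")
BROADCAST = ipaddress.ip_address("255.255.255.255")
# ICMP types that report routing trouble: unreachable, redirect, TTL exceeded.
ICMP_PROBLEMS = {3: "destination unreachable", 5: "redirect", 11: "time exceeded"}

def build_ipv4(src, dst, proto, payload=b"", ttl=64):
    """Build a minimal IPv4 packet (checksum left at 0) as constructed sample data."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl,
                         proto, 0, ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed)
    return header + payload

def classify(packet):
    """Return a list of findings for one raw IPv4 packet (empty list = normal)."""
    ihl = (packet[0] & 0x0F) * 4 if len(packet) >= 20 else 0
    if ihl < 20 or ihl > len(packet) or packet[0] >> 4 != 4:
        return ["not a parseable IPv4 packet"]
    proto = packet[9]
    src = ipaddress.ip_address(packet[12:16])
    dst = ipaddress.ip_address(packet[16:20])
    findings = []
    # Step 1: drop "your own stuff" (at least one endpoint on the local subnet)
    # and ordinary broadcast/multicast such as DHCP discovery.
    ours = src in LOCAL_NET or dst in LOCAL_NET
    if not ours and not dst.is_multicast and dst != BROADCAST:
        findings.append(f"foreign traffic {src} -> {dst}")
    # Step 2: ICMP error messages hint at loops or misrouting.
    if proto == 1 and len(packet) > ihl and packet[ihl] in ICMP_PROBLEMS:
        findings.append(f"ICMP {ICMP_PROBLEMS[packet[ihl]]} from {src}")
    return findings

def scan(packets):
    """Map packet index -> findings, keeping only packets that raised something."""
    report = {}
    for index, packet in enumerate(packets):
        findings = classify(packet)
        if findings:
            report[index] = findings
    return report

SAMPLE = [  # constructed capture
    build_ipv4("192.168.10.5", "192.168.10.1", 6),        # host to gateway
    build_ipv4("192.168.10.5", "203.0.113.9", 17),        # host going off-net
    build_ipv4("0.0.0.0", "255.255.255.255", 17),         # DHCP discover
    build_ipv4("10.20.30.40", "10.20.30.1", 6),           # neither end is ours
    build_ipv4("192.168.10.1", "192.168.10.5", 1, b"\x0b\x00" + b"\x00" * 6),
]
```

On a real capture, feed `classify` the IP layer of each frame; a steady stream of "time exceeded" findings or any "foreign traffic" on a single-subnet segment is the cue to zoom in with the sniffer.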
 
LVL 5

Expert Comment

by:shniz123
ID: 17158358
Thanks for the welcome guys.

I was thinking...... why not create your own rogue device and audit your sniffer then to see what's not normal. I think you need an IDS solution and not just a sniffer program to really provide the value of detection and prevention. I've only used a sniffer to sniff out the actual packets I'm expecting to be there. Does that make sense?? After seeing something I find suspicious I might use a sniffer to actually "zoom in", as previously mentioned, and see what is going on.

I can offer some advice on what are good security products if need be. My security guy wears a tin foil hat to work, he'll have all the answers.   :)
0
 
LVL 24

Accepted Solution

by:
SunBow earned 2000 total points
ID: 17158514
I typically don't care for IDS. The putting up of own rogue sounds nice, except we're talking about routing, and any messing with that in a productive environment can get real messy in a messy way. For example, tables need to be maintained and moved around, and those things take time to both move and to stabilize. Better off doing something like that off-net, build own LANs in a Lab. Still the trouble of the LabRats plugging in through desire or by mistake, while potentially that is among the situations being looked at for potential detection.

Someone could also be messing with a notebook or laptop, where they try to load up multiple OS, including server, then try to run them at home and at work, possibly trying to use both a dialup and Corporate LAN at the same time. Not nice, so we try to not allow the work phones to permit computer use. It can depend on who is in how much control. Corpo VIPs are biggest abusers, and the more difficult to argue with.
0
 
LVL 24

Expert Comment

by:SunBow
ID: 17761295
Closed.
            I hope it all worked out for you.
0
