
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 286

Network Sniff

It's been a while since I've done this so forgive me if I don't really know the question I'm trying to ask...

I need to check my network topology and make sure we don't have any rogue hubs running that might be allowing routing loops or causing other switching issues.  What should I look for in my packet capture to show me if we are having problems with looping or other such issues?
1 Solution
Well this is a really broad question. Are you experiencing looping and switching problems? It could be something rogue or something incorrectly setup. Can you offer more detail?

Planoite (Author) commented:
Not really.  Basically what I want to do is get a sampling of the network traffic and I was wondering if anyone could point out any traffic patterns to be aware of.  It's been a while since I've read a sniffer trace and I can't remember the things that I used to look for.  

I see you are new here.  Welcome to EE!
You really need to pinpoint what traffic you want to sniff...
If you just put a sniffer up and leave it running, you will be looking through millions of packets and you won't know exactly what to look for... I would not either...

What kind of network devices do you have... Anything that is manageable? You can connect to the device and see if you are having any packet errors or collisions...

Packet collisions are usually caused by one device being set to full and the other set to half (duplex)...

What issues are you having?

Planoite > see you are new here.  Welcome to EE!

Nice catch. Welcome, shniz123!

> rogue hubs running that might be allowing routing loops
> any traffic patterns to be aware of.

I like KISSes. Sniffing is a drag, unless you have good ideas about what to look for, and probably you feel the same way.

Why not try another angle, at a higher level: run some traceroutes. You might want to get some separate packages that enable that kind of thing to be used in different ways.

For one, you can better identify the router(s) closer to the user. For another, a loop should quickly get you 'too many hops' error detections. In the meantime, you can leverage the information gathered about current times between hops, which can better identify some other problems of misconfiguration (to duplex, or not to duplex?) or NICs (or ports) starting to go bad.

Sniffing, to me, is better left as a tool for zooming in on a problem, rather than for vague snooping or fishing. There are just too many bits on the wire; filtering is critical, but one also ought not filter out the essential.          - my 2 cents
One thing you could monitor for is ICMP messages.  They are used to report a lot of problem conditions as detailed at this link.


If you are stuck with a sniffer and in need of something (more) to do with it, you can also try to look for a hole that a rogue or bad router could create.

For example, you have a single subnet, used only by people (or rather, their equipment). So traffic for other subnets does not belong on your wire. KISSing it, filter out all of your own stuff first. Then see what is left (anything?), and figure out what kind of damage that means later on, after you get it and it (the information) takes a form for interpretation.
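As an added example (not from the thread, and not code any of the posters supplied): a small Python triage script that takes a sniffer-style capture summary and pulls out the three things the replies above suggest looking at: ICMP error messages, frames where neither endpoint belongs to the single local subnet, and the same packet reappearing with a decrementing TTL, which is how a routing loop shows up in a capture. The subnet, the packet records and the sighting threshold are all constructed assumptions.

```python
"""Added example (not from the thread): triage a packet-capture summary for
ICMP error messages, traffic that does not belong on a single-subnet wire,
and the same packet re-appearing with a decrementing TTL (a routing-loop
symptom).  Every record below is constructed by hand to resemble a sniffer's
decoded summary; nothing here came from a real capture."""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

LOCAL_NET = ip_network("192.168.10.0/24")   # assumed: the single user subnet

# ICMP message types that report trouble rather than normal echo traffic (RFC 792).
ICMP_ERRORS = {3: "destination unreachable", 5: "redirect", 11: "time exceeded"}

# Constructed records: (frame, src, dst, proto, ttl, ip_id, icmp_type)
CAPTURE = [
    (1, "192.168.10.5", "192.168.10.1", "TCP",   64, 100, None),
    (2, "192.168.10.5", "10.0.0.7",     "TCP",   64, 101, None),
    (3, "192.168.10.5", "10.0.0.7",     "TCP",   63, 101, None),  # same IP id, TTL one lower
    (4, "192.168.10.5", "10.0.0.7",     "TCP",   62, 101, None),  # ...and again: looping
    (5, "192.168.10.1", "192.168.10.5", "ICMP", 255,   7, 11),    # time exceeded
    (6, "172.16.4.9",   "172.16.4.20",  "UDP",  128, 555, None),  # neither end is ours
    (7, "192.168.10.1", "192.168.10.5", "ICMP", 255,   8, 5),     # redirect
    (8, "192.168.10.8", "192.168.10.1", "ICMP",  64,   9, 8),     # plain echo request
]


def icmp_error_summary(capture):
    """Count ICMP error messages by type; echo request/reply and the like are ignored."""
    counts = Counter()
    for _frame, _src, _dst, proto, _ttl, _ip_id, icmp_type in capture:
        if proto == "ICMP" and icmp_type in ICMP_ERRORS:
            counts[ICMP_ERRORS[icmp_type]] += 1
    return counts


def foreign_traffic(capture, local_net=LOCAL_NET):
    """Frames where neither endpoint is on the local subnet.  On a single-subnet
    wire these should not exist, so whatever is left after filtering our own
    traffic out deserves a closer look."""
    return [frame for frame, src, dst, *_ in capture
            if ip_address(src) not in local_net and ip_address(dst) not in local_net]


def loop_suspects(capture, min_sightings=3):
    """Group frames by (src, dst, IP id) and report any packet seen repeatedly with
    a strictly decreasing TTL: a forwarded packet coming back to the same wire
    with its TTL decremented each time is what a routing loop looks like in a
    capture.  min_sightings is an assumed threshold, not a standard."""
    ttls_seen = defaultdict(list)
    for _frame, src, dst, proto, ttl, ip_id, _icmp in capture:
        if proto != "ICMP":
            ttls_seen[(src, dst, ip_id)].append(ttl)
    return {key: ttls for key, ttls in ttls_seen.items()
            if len(ttls) >= min_sightings
            and all(a > b for a, b in zip(ttls, ttls[1:]))}


if __name__ == "__main__":
    print("ICMP errors:", dict(icmp_error_summary(CAPTURE)))
    print("Frames not belonging to", LOCAL_NET, ":", foreign_traffic(CAPTURE))
    for (src, dst, ip_id), ttls in loop_suspects(CAPTURE).items():
        print(f"loop suspect {src} -> {dst} (id {ip_id}): TTLs {ttls}")
```

Run as-is it reports one "time exceeded", one "redirect", frame 6 as stray traffic, and the 192.168.10.5 to 10.0.0.7 packet (IP id 101) seen three times with TTLs 64, 63, 62. On a real capture the records would come from the sniffer's export rather than being typed in, and the subnet and threshold would be set to match the network being checked.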
Thanks for the welcome guys.

I was thinking...... why not create your own rogue device and audit your sniffer then to see what's not normal. I think you need an IDS solution and not just a sniffer program to really provide the value of detection and prevention. I've only used a sniffer to sniff out the actual packets I'm expecting to be there. Does that make sense?? After seeing something I find suspicious I might use a sniffer to actually "zoom in", as previously mentioned, and see what is going on.

I can offer some advice on what are good security products if need be. My security guy wears a tin foil hat to work, he'll have all the answers.   :)
I typically don't care for IDS. Putting up your own rogue sounds nice, except we're talking about routing, and any messing with that in a production environment can get real messy in a messy way. For example, tables need to be maintained and moved around, and those things take time to both move and to stabilize. Better off doing something like that off-net: build your own LANs in a lab. Still the trouble of the lab rats plugging in, through desire or by mistake, while potentially that is among the situations being looked at for potential detection.

Someone could also be messing with a notebook or laptop, where they try to load up multiple OS, including server, then try to run them at home and at work, possibly trying to use both a dialup and the corporate LAN at the same time. Not nice, so we try to not allow the work phones to permit computer use. It can depend on who is in how much control. Corporate VIPs are the biggest abusers, and the more difficult to argue with.
I hope it all worked out for you.
