

Network Sniff

Posted on 2006-07-20
Medium Priority
Last Modified: 2013-12-07
It's been a while since I've done this so forgive me if I don't really know the question I'm trying to ask...

I need to check my network topology and make sure we don't have any rogue hubs running that might be allowing routing loops or causing other switching issues.  What should I look for in my packet capture to show me if we are having problems with looping or other such issues?
Question by:Planoite

Expert Comment

ID: 17150569
Well this is a really broad question. Are you experiencing looping and switching problems? It could be something rogue or something incorrectly setup. Can you offer more detail?


Author Comment

ID: 17150585
Not really.  Basically what I want to do is get a sampling of the network traffic and I was wondering if anyone could point out any traffic patterns to be aware of.  It's been a while since I've read a sniffer trace and I can't remember the things that I used to look for.  

I see you are new here.  Welcome to EE!

Expert Comment

ID: 17150629
You really need to pinpoint what traffic you want to sniff...
If you just put a sniff up and leave it running you will be looking through millions of packets and exactly you don't know what to look for...I would not either...

What kind of network devices do you have...Anything that is manageable? You can connect to the device and see if you are having any packet errors or collisions...

Packet collisions are usually caused by one device being set to full and one device being set to half...(duplex)

What issues are you having?

LVL 24

Expert Comment

ID: 17150786
Planoite > I see you are new here.  Welcome to EE!

Nice catch. Welcome, shniz123!

> rogue hubs running that might be allowing routing loops
> any traffic patterns to be aware of.

I like KISSes. Sniffing is a drag, unless you got good ideas about what to look for, and probably you feel same way.

Why not try another angle, at a higher level, run some TraceRoutes. You might want to get some separate packages that enable that kind of thing to be used in different ways.

For one, you can better identify the router(s) closer to user. For another, a looping should get you quickly up to error detections of 'too many hops'. In the meantime, you can leverage the information gathered about current times between hops that can better identify some other problems of misconfiguration (to duplex, or not to duplex?) or NICs (or ports) starting to go bad.

Sniffing, to me, is better left as a tool for zooming in on a problem, rather than for vague snooping or fishing. There's just too many bits on the wire, filtering is critical, but one also ought not filter out that essential. - my 2 cents
LVL 11

Expert Comment

ID: 17150990
One thing you could monitor for is ICMP messages.  They are used to report a lot of problem conditions as detailed at this link.


LVL 24

Expert Comment

ID: 17151053
If you are stuck with a sniffer and in need of something (more) to do with it, you can also try to look for a hole that a rogue or bad router could create.

For example, you have a single subnet. Used only by people (or rather, their equipment). So traffic for other subnets does not belong on your wire. KISSing it, filter out all of your own stuff first. Then see what is left (anything?), and figure out what kind of damage that means later on, after you get it and it (information) takes a form for interpretation.
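
A sketch of the "filter out your own stuff, then see what is left" approach, combined with the ICMP suggestion in the earlier comment, as an added example that is not part of the original thread. The subnet 192.168.10.0/24, the function names and the sample frames are constructed assumptions; ICMP type 11 (Time Exceeded) is the message a router sends when a packet's TTL runs out, which is what a looping packet eventually triggers.

```python
import ipaddress
import struct

LOCAL_NET = ipaddress.ip_network("192.168.10.0/24")  # assumed local subnet
ICMP_TIME_EXCEEDED = 11  # TTL ran out in transit: the "too many hops" signal

def build_frame(src, dst, proto, payload=b"", ttl=64):
    """Build a constructed Ethernet+IPv4 frame (checksum left 0) as sample input."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl,
                     proto, 0, ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    return b"\x00" * 12 + b"\x08\x00" + ip + payload

def classify(frame, local_net=LOCAL_NET):
    """Label one frame: 'local', 'foreign', 'ttl-exceeded', or None (not IPv4)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None  # ARP, IPv6, truncated capture, ...
    ihl = (frame[14] & 0x0F) * 4  # IPv4 header length in bytes
    if ihl < 20 or len(frame) < 14 + ihl:
        return None
    proto = frame[23]
    src = ipaddress.ip_address(frame[26:30])
    dst = ipaddress.ip_address(frame[30:34])
    l4 = frame[14 + ihl:]
    if proto == 1 and l4 and l4[0] == ICMP_TIME_EXCEEDED:
        return "ttl-exceeded"
    if src.is_unspecified:
        return "local"  # DHCP discover from 0.0.0.0 is normal on any LAN
    if src in local_net or dst in local_net:
        return "local"
    return "foreign"  # neither end belongs to our subnet

def residue(frames, local_net=LOCAL_NET):
    """Count frames per label; 'foreign' and 'ttl-exceeded' are what is left."""
    counts = {}
    for frame in frames:
        label = classify(frame, local_net)
        counts[label] = counts.get(label, 0) + 1
    return counts

SAMPLE = [  # constructed frames, not a real capture
    build_frame("192.168.10.5", "192.168.10.1", 6),
    build_frame("192.168.10.5", "198.51.100.7", 17),
    build_frame("10.20.30.40", "10.20.30.1", 6),  # other subnet on our wire
    build_frame("192.168.10.1", "192.168.10.5", 1, b"\x0b\x00\x00\x00"),
    b"\xff" * 12 + b"\x08\x06" + b"\x00" * 28,  # ARP frame
]

if __name__ == "__main__":
    print(residue(SAMPLE))
```

VLAN-tagged frames (EtherType 0x8100) are reported as `None` here, so a capture taken on a trunk port needs the tag stripped first.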

Expert Comment

ID: 17158358
Thanks for the welcome guys.

I was thinking...... why not create your own rogue device and audit your sniffer then to see what's not normal. I think you need an IDS solution and not just a sniffer program to really provide the value of detection and prevention. I've only used a sniffer to sniff out the actual packets I'm expecting to be there. Does that make sense?? After seeing something I find suspicious I might use a sniffer to actually "zoom in", as previously mentioned, and see what is going on.

I can offer some advice on what are good security products if need be. My security guy wears a tin foil hat to work, he'll have all the answers.   :)
LVL 24

Accepted Solution

SunBow earned 2000 total points
ID: 17158514
I typically don't care for IDS. The putting up of own rogue sounds nice, except we're talking about routing, and any messing with that in a productive environment can get real messy in a messy way. For example, tables need to be maintained and moved around, and those things take time to both move and to stabilize. Better off doing something like that off-net, build own LANs in a Lab. Still the trouble of the LabRats plugging in through desire or by mistake, while potentially that is among the situations being looked at for potential detection.

Someone could also be messing with a notebook or laptop, where they try to load up multiple OS, including server, then try to run them at home and at work, possibly trying to use both a dialup and Corporate LAN at the same time. Not nice, so we try to not allow the work phones to permit computer use. It can depend on who is in how much control. Corpo VIPs are biggest abusers, and the more difficult to argue with.
LVL 24

Expert Comment

ID: 17761295
I hope it all worked out for you.

Question has a verified solution.