Solved

Network Sniff

Posted on 2006-07-20
Last Modified: 2013-12-07
It's been a while since I've done this so forgive me if I don't really know the question I'm trying to ask...

I need to check my network topology and make sure we don't have any rogue hubs running that might be allowing routing loops or causing other switching issues.  What should I look for in my packet capture to show me if we are having problems with looping or other such issues?
Question by:Planoite
9 Comments
 
LVL 5

Expert Comment

by:shniz123
ID: 17150569
Well this is a really broad question. Are you experiencing looping and switching problems? It could be something rogue or something incorrectly setup. Can you offer more detail?

LVL 1

Author Comment

by:Planoite
ID: 17150585
Not really.  Basically what I want to do is get a sampling of the network traffic and I was wondering if anyone could point out any traffic patterns to be aware of.  It's been a while since I've read a sniffer trace and I can't remember the things that I used to look for.  

I see you are new here.  Welcome to EE!
LVL 4

Expert Comment

by:xcromx
ID: 17150629
You really need to pinpoint what traffic you want to sniff...
If you just put a sniffer up and leave it running you will be looking through millions of packets and you won't know exactly what to look for... I would not either...

What kind of network devices do you have... Anything that is manageable? You can connect to the device and see if you are having any packet errors or collisions...

Packet collisions are usually caused by one device being set to full and the other to half (duplex)...

What issues are you having?
LVL 24

Expert Comment

by:SunBow
ID: 17150786
Planoite >  see you are new here.  Welcome to EE!

Nice catch. Welcome, shniz123!

> rogue hubs running that might be allowing routing loops
> any traffic patterns to be aware of.

I like KISSes. Sniffing is a drag, unless you have good ideas about what to look for, and probably you feel the same way.

Why not try another angle, at a higher level: run some TraceRoutes. You might want to get some separate packages that enable that kind of thing to be used in different ways.

For one, you can better identify the router(s) closer to the user. For another, a loop should get you quickly up to error detections of 'too many hops'. In the meantime, you can leverage the information gathered about current times between hops to better identify some other problems of misconfiguration (to duplex, or not to duplex?) or NICs (or ports) starting to go bad.

Sniffing, to me, is better left as a tool for zooming in on a problem, rather than for vague snooping or fishing. There are just too many bits on the wire; filtering is critical, but one also ought not filter out the essential. - my 2 cents
LVL 11

Expert Comment

by:grsteed
ID: 17150990
One thing you could monitor for is ICMP messages.  They are used to report a lot of problem conditions as detailed at this link.

http://www.samspublishing.com/articles/article.asp?p=26557&seqNum=5&rl=1

Cheers,
Gary
LVL 24

Expert Comment

by:SunBow
ID: 17151053
If you are stuck with a sniffer and in need of something (more) to do with it, you can also try to look for a hole that a rogue or bad router could create.

For example, you have a single subnet, used only by people (or rather, their equipment). So traffic for other subnets does not belong on your wire. KISSing it, filter out all of your own stuff first. Then see what is left (anything?), and figure out what kind of damage that means later on, after you get it and the information takes a form you can interpret.
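Pulling together grsteed's ICMP hint and SunBow's "filter out your own subnet first" approach, here is an added Python example that is not from this thread: it runs three simple checks over a small constructed capture (frame tuples, MAC addresses, IP addresses and subnet are all made up for illustration) for repeated frames, ICMP Time Exceeded reports, and traffic that does not belong on the wire.

```python
import ipaddress
from collections import Counter

# Constructed sample capture (not a real trace), one tuple per frame:
# (time_s, src_mac, src_ip, dst_ip, proto, icmp_type, ip_id)
FRAMES = [
    (0.000, "aa:aa:aa:00:00:01", "10.1.1.5", "10.1.1.255", "udp", None, 100),
    (0.002, "aa:aa:aa:00:00:01", "10.1.1.5", "10.1.1.255", "udp", None, 100),  # same frame again
    (0.004, "aa:aa:aa:00:00:01", "10.1.1.5", "10.1.1.255", "udp", None, 100),  # and again: loop symptom
    (0.100, "aa:aa:aa:00:00:02", "10.1.1.1", "10.1.1.5", "icmp", 11, 200),     # TTL exceeded from a router
    (0.200, "aa:aa:aa:00:00:03", "10.1.1.9", "10.1.1.7", "tcp", None, 300),
    (0.300, "aa:aa:aa:00:00:04", "192.168.50.3", "192.168.50.4", "tcp", None, 400),  # not our subnet
    (0.400, "aa:aa:aa:00:00:05", "10.1.1.9", "10.1.1.7", "tcp", None, 300),    # same IP ID, other MAC: fine
]

LOCAL_NET = ipaddress.ip_network("10.1.1.0/24")  # assumed local subnet


def repeated_frames(frames, window=0.05):
    """Identical frames (same source MAC, endpoints, protocol and IP ID)
    seen again within `window` seconds: the classic sign of a switching
    loop or broadcast storm. Returns {frame_key: total copies seen}."""
    last_seen, extra = {}, Counter()
    for t, mac, src, dst, proto, _, ip_id in frames:
        key = (mac, src, dst, proto, ip_id)
        if key in last_seen and t - last_seen[key] <= window:
            extra[key] += 1
        last_seen[key] = t
    return {k: n + 1 for k, n in extra.items()}


def ttl_exceeded(frames):
    """ICMP Time Exceeded (type 11) reports: packets whose TTL hit zero,
    which is what a routing loop produces in volume."""
    return [f for f in frames if f[4] == "icmp" and f[5] == 11]


def foreign_traffic(frames, local_net=LOCAL_NET):
    """Frames where neither endpoint is on our subnet. After filtering
    our own traffic out, nothing should be left; anything that is left
    points at a misplaced router, hub or host."""
    return [f for f in frames
            if ipaddress.ip_address(f[2]) not in local_net
            and ipaddress.ip_address(f[3]) not in local_net]


if __name__ == "__main__":
    print("repeated frames:", repeated_frames(FRAMES))
    print("ICMP time exceeded:", len(ttl_exceeded(FRAMES)))
    print("foreign traffic:", foreign_traffic(FRAMES))
```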
LVL 5

Expert Comment

by:shniz123
ID: 17158358
Thanks for the welcome guys.

I was thinking...... why not create your own rogue device and audit your sniffer then to see what's not normal. I think you need an IDS solution and not just a sniffer program to really provide the value of detection and prevention. I've only used a sniffer to sniff out the actual packets I'm expecting to be there. Does that make sense?? After seeing something I find suspicious I might use a sniffer to actually "zoom in", as previously mentioned, and see what is going on.

I can offer some advice on what are good security products if need be. My security guy wears a tin foil hat to work, he'll have all the answers.   :)
LVL 24

Accepted Solution

by:SunBow (earned 500 total points)
ID: 17158514
I typically don't care for IDS. The putting up of your own rogue sounds nice, except we're talking about routing, and any messing with that in a production environment can get real messy in a messy way. For example, tables need to be maintained and moved around, and those things take time to both move and to stabilize. Better off doing something like that off-net: build your own LANs in a lab. Still the trouble of the lab rats plugging in, through desire or by mistake, while potentially that is among the situations being looked at for potential detection.

Someone could also be messing with a notebook or laptop, where they try to load up multiple OSes, including server, then try to run them at home and at work, possibly trying to use both a dialup and the corporate LAN at the same time. Not nice, so we try to not allow the work phones to permit computer use. It can depend on who is in how much control. Corporate VIPs are the biggest abusers, and the more difficult to argue with.
LVL 24

Expert Comment

by:SunBow
ID: 17761295
Closed.
I hope it all worked out for you.