Solved

Sniffing and packet analyzer question

Posted on 2006-11-30
Last Modified: 2013-12-07
I have a question regarding packet sniffing a particular host on a switched network. I am using Ethereal (b/c it's free) and would like to gather and report on the traffic I collect.

The host machine is running a specific, bandwidth-intensive application. There are multiple hi-res images involved and streaming data. The performance of this host has been suffering since installation, especially when compared to similar workstations installed throughout the organization. But the vendor will not reload the app or rebuild the workstation until I run a sniffer.

The switch that my sniffer laptop and target host are on is a Cisco 3560.

My question is this: How do I get around the switch's ARP table and sniff the incoming/outgoing packets from the target host? As you know, b/c of the switch's ARP table, the traffic that is intended for the target host is going directly to it, and vice versa. Now I have read about ARP-spoofing and ARP-poisoning, but aren't those a little malicious for a simple network admin task? Is there maybe a setting on the Cisco switch that I can change, or do I really need to run a separate app to spoof my switch into sending my sniffer laptop data?

Any help or direction would be greatly appreciated!

Thanks!
dt

 
Question by:dtocco
5 Comments
 

Expert Comment

by:ryandale56
ID: 18049862
I recommend you use the "span" feature of the Cisco switch. You can configure a port to mirror traffic that is going through the switch out one port.

http://www.cisco.com/warp/public/473/41.html

Expert Comment

by:Trilotech
ID: 18050381
I like ryandale56's suggestion.

If you do not want to do that, you could always put a cheap hub between that computer and the switch and plug yourself into the hub as well to sniff the traffic. Band-aid sniff, but should work!

Expert Comment

by:shamim316
ID: 18050783
You can enable NBAR (Network Based Application Recognition) on the switch interface. This would enable you to get an idea of what percentage of bandwidth is being used for what protocol. When the app is running, check the NBAR report and that will show the bandwidth utilization of the protocol the app is using.

The following command will show you the top 5 protocols using up bandwidth:
    show ip nbar protocol-discovery top-n 5

Link:
NBAR: http://cisco.com/en/US/products/ps6616/products_ios_protocol_group_home.html

Accepted Solution

by:
WGhen earned 250 total points
ID: 18053113
Hi,
We do this all the time.  If it is a Cisco switch, you span a port to the sniffer port.  So if the server is connected to switch port 5/7 for instance, and the sniffing device is on port 8/38, you would enter (for CatOS):

CatSwitch> (enable) set span 5/7 8/38

Destination     : Port 8/38
Admin Source    : Port 5/7
Oper Source     : None
Direction       : transmit/receive
Incoming Packets: disabled
Learning        : enabled
Multicast       : enabled
Filter          : -

Session Number  : 1

CatSwitch> (enable) sh span

Permit List     : disabled
Permit Port List: None

Destination     : Port 8/38
Admin Source    : Port 5/7
Oper Source     : None
Direction       : transmit/receive
Incoming Packets: disabled
Learning        : enabled
Multicast       : enabled
Filter          : -

Session Number  : 1

Total local span sessions:  1


_______________________________________
Or for IOS switches:

monitor session 1 source interface fa5/7
monitor session 1 destination interface fa8/38


WGhen
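
Added example (not part of the original thread or of any poster's answer): once a SPAN session like the one above mirrors the host's port in both directions, this Python script totals the bytes the target host sent to and received from each peer, which gives a first report to hand to the vendor. It assumes the capture was saved in classic libpcap format with Ethernet framing; the function names and the 192.0.2.x addresses are constructed for illustration.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

def summarize(pcap: bytes, host: str) -> dict:
    """Per-peer (bytes_sent_by_host, bytes_received_by_host) from a classic pcap."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None:
        raise ValueError("unsupported capture format (expected classic pcap)")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet captures (linktype 1) are handled")
    target = IPv4Address(host).packed
    totals = defaultdict(lambda: [0, 0])
    off = 24                                  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl, wire = struct.unpack(end + "II", pcap[off + 8:off + 16])
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        ip = 18 if frame[12:14] == b"\x81\x00" else 14   # 802.1Q tag kept by the mirror
        if frame[ip - 2:ip] != b"\x08\x00" or len(frame) < ip + 20:
            continue                          # not IPv4 (ARP, STP, ...) or truncated
        src, dst = frame[ip + 12:ip + 16], frame[ip + 16:ip + 20]
        if src == target:                     # on-wire length, so snaplen does not skew it
            totals[str(IPv4Address(dst))][0] += wire
        elif dst == target:
            totals[str(IPv4Address(src))][1] += wire
    return {peer: tuple(v) for peer, v in totals.items()}

def _frame(src, dst, payload, vlan=None):     # constructed Ethernet/IPv4 test frame
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload, 0, 0, 64, 6, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return b"\x00" * 12 + tag + b"\x08\x00" + hdr + b"\x00" * payload

def sample_pcap() -> bytes:
    """Constructed capture: target 192.0.2.10, two peers, one tagged frame, one ARP."""
    frames = [_frame("192.0.2.50", "192.0.2.10", 1000),
              _frame("192.0.2.10", "192.0.2.50", 0),
              _frame("192.0.2.50", "192.0.2.10", 1000, vlan=10),
              _frame("192.0.2.10", "192.0.2.99", 100),
              b"\xff" * 6 + b"\x00" * 6 + b"\x08\x06" + b"\x00" * 28]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    for peer, (tx, rx) in summarize(sample_pcap(), "192.0.2.10").items():
        print(f"{peer:15} host sent {tx:6} B, host received {rx:6} B")
```
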

Author Comment

by:dtocco
ID: 18056476
Thanks for all the responses. That was exactly what I was looking for and was very helpful and educational.