Solved

Sniffing and packet analyzer question

Posted on 2006-11-30
5
2,024 Views
Last Modified: 2013-12-07
I have a question regarding packet sniffing a particular host on a switched network. I am using Ethereal (b/c it's free) and would like to gather and report on the traffic I collect.

The host machine is running a specific, bandwidth-intensive application. There are multiple hi-res images involved and streaming data. The performance of this host has been suffering since installation, especially when compared to similar workstations installed throughout the organization. But the vendor will not reload the app or rebuild the workstation until I run a sniffer.

The switch that my sniffer laptop and target host are on is a Cisco 3560.

My question is this: How do I get around the switch's ARP table and sniff the incoming/outgoing packets from the target host? As you know, b/c of the switch's ARP table, the traffic that is intended for the target host is going directly to it, and vice versa. Now I have read about ARP spoofing and ARP poisoning, but aren't those a little malicious for a simple network admin task? Is there maybe a setting on the Cisco switch that I can change, or do I really need to run a separate app to spoof my switch into sending my sniffer laptop data?

Any help or direction would be greatly appreciated!

Thanks!
dt

 
0
Comment
Question by:dtocco
5 Comments
 
LVL 6

Expert Comment

by:ryandale56
ID: 18049862
I recommend you use the "SPAN" feature of the Cisco switch. You can configure a port to mirror traffic that is going through the switch out one port.

http://www.cisco.com/warp/public/473/41.html
0
 
LVL 4

Expert Comment

by:Trilotech
ID: 18050381
I like ryandale56's suggestion.

If you do not want to do that you could always put a cheap hub between that computer and the switch and plug yourself into the hub as well to sniff the traffic. Band-aid sniff, but should work!
0
 
LVL 1

Expert Comment

by:shamim316
ID: 18050783
You can enable NBAR (Network Based Application Recognition) on the switch interface. This would enable you to get an idea of what percentage of bandwidth is being used for what protocol. When the app is running check the nbar report and that will show the bandwidth utilization of the protocol the app is using.

The following command will show you the top 5 protocols using up bandwidth:
    show ip nbar proto top-n 5

Link:
NBAR: http://cisco.com/en/US/products/ps6616/products_ios_protocol_group_home.html
0
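The asker wants to "gather and report on the traffic" collected from the target host, and the NBAR comment above frames the same question as bytes per protocol. As an added example (not code from the thread or from any tool named in it), the following Python script reads a classic pcap file image, the format Ethereal/Wireshark save, and produces a top-N protocol report by bytes plus inbound/outbound byte totals for one host IP. The capture is constructed inline (a few Ethernet/IPv4/TCP and UDP frames, zero-filled payloads) so the script runs offline; the host and server addresses are made-up sample values.

```python
"""Summarise a pcap into per-service and per-direction byte counts for one
host, the kind of report an analyst builds from traffic mirrored off a SPAN
port. Standard library only; the sample capture below is constructed."""
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4          # classic little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def build_frame(src_ip, dst_ip, proto, sport, dport, payload_len):
    """Constructed Ethernet/IPv4/TCP-or-UDP frame with a zero-filled payload."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETHERTYPE_IPV4)
    l4_len = 20 if proto == IPPROTO_TCP else 8
    total = 20 + l4_len + payload_len                     # IPv4 total length
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    if proto == IPPROTO_TCP:                              # 20-byte TCP header, PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    else:                                                 # 8-byte UDP header
        l4 = struct.pack("!HHHH", sport, dport, l4_len + payload_len, 0)
    return eth + ip + l4 + b"\x00" * payload_len


def build_pcap(frames):
    """Wrap raw frames in a pcap global header plus one record header each."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_pcap(data):
    """Yield the captured bytes of each record in a little-endian Ethernet pcap."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap")
    linktype, = struct.unpack_from("<I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_frame(frame):
    """Return (src_ip, dst_ip, proto, sport, dport, bytes_on_wire), or None
    for anything that is not IPv4 over TCP/UDP (ARP, IPv6, ICMP, truncated)."""
    if len(frame) < 34:
        return None
    ethertype, = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4                          # IPv4 header may carry options
    proto = frame[14 + 9]
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    l4 = 14 + ihl
    if proto not in (IPPROTO_TCP, IPPROTO_UDP) or len(frame) < l4 + 4:
        return None
    sport, dport = struct.unpack_from("!HH", frame, l4)
    return src, dst, proto, sport, dport, len(frame)


def traffic_report(pcap_bytes, host_ip, top_n=5):
    """(top services by bytes, {'in','out','other'} byte totals for host_ip)."""
    by_service, direction = Counter(), Counter()
    for frame in iter_pcap(pcap_bytes):
        parsed = parse_frame(frame)
        if parsed is None:
            direction["other"] += len(frame)
            continue
        src, dst, proto, sport, dport, size = parsed
        name = "tcp" if proto == IPPROTO_TCP else "udp"
        by_service[f"{name}/{min(sport, dport)}"] += size  # lower port approximates the service
        if src == host_ip:
            direction["out"] += size
        elif dst == host_ip:
            direction["in"] += size
        else:
            direction["other"] += size
    return by_service.most_common(top_n), dict(direction)


# Constructed sample capture: an image fetch over HTTP, a UDP stream, a DNS
# lookup, and one frame between two unrelated hosts that a SPAN of the
# target port alone would not normally show.
HOST = "10.0.0.5"
SAMPLE_PCAP = build_pcap([
    build_frame(HOST, "10.0.0.20", IPPROTO_TCP, 40000, 80, 100),
    build_frame("10.0.0.20", HOST, IPPROTO_TCP, 80, 40000, 1400),
    build_frame("10.0.0.20", HOST, IPPROTO_TCP, 80, 40000, 1400),
    build_frame("10.0.0.30", HOST, IPPROTO_UDP, 5004, 5004, 1200),
    build_frame(HOST, "10.0.0.2", IPPROTO_UDP, 51000, 53, 40),
    build_frame("10.0.0.2", HOST, IPPROTO_UDP, 53, 51000, 120),
    build_frame("10.0.0.40", "10.0.0.41", IPPROTO_TCP, 3000, 445, 500),
])

if __name__ == "__main__":
    top, dirs = traffic_report(SAMPLE_PCAP, HOST)
    for service, nbytes in top:
        print(f"{service:<12} {nbytes:>8} bytes")
    print("direction totals:", dirs)
```

To run it against a real Ethereal/Wireshark capture, replace `SAMPLE_PCAP` with `open("capture.pcap", "rb").read()`; pcapng files (the newer default) are a different container and would need to be saved as classic pcap first. Byte counts here are frame sizes on the wire without the Ethernet FCS, which is what a SPAN destination delivers.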
 
LVL 5

Accepted Solution

by:WGhen (earned 250 total points)
ID: 18053113
Hi,
We do this all the time.  If it is a Cisco switch, you span a port to the sniffer port.  So if the server is connected to switch port 5/7 for instance, and the sniffing device is on port 8/38, you would enter (for CatOS):

CatSwitch> (enable) set span 5/7 8/38

Destination     : Port 8/38
Admin Source    : Port 5/7
Oper Source     : None
Direction       : transmit/receive
Incoming Packets: disabled
Learning        : enabled
Multicast       : enabled
Filter          : -

Session Number  : 1

CatSwitch> (enable) sh span

Permit List     : disabled
Permit Port List: None

Destination     : Port 8/38
Admin Source    : Port 5/7
Oper Source     : None
Direction       : transmit/receive
Incoming Packets: disabled
Learning        : enabled
Multicast       : enabled
Filter          : -

Session Number  : 1

Total local span sessions:  1


_______________________________________
Or for IOS switches:

monitor session 1 source interface fa5/7
monitor session 1 destination interface fa8/38


WGhen
0
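Before trusting a capture, it is worth confirming that the mirror session really covers the target port in both directions and lands on the sniffer's port; the same check, run over every session on the switch, also surfaces a mirror session sending traffic somewhere it should not. As an added example (not the switch vendor's code and not part of this answer), the Python below parses the CatOS `sh span` output and the IOS `monitor session` configuration lines shown above into one structure and verifies them against the intended source and destination ports. The sample texts are copies of the output in this thread; the port numbers are the ones the answer uses.

```python
"""Parse a Cisco SPAN (port mirror) session from CatOS 'show span' output or
IOS 'monitor session' config lines and check it mirrors the intended port,
in both directions, to the intended sniffer port. Standard library only."""
import re

# Sample CatOS 'show span' output, in the format shown in the answer above.
CATOS_SHOW_SPAN = """\
Permit List     : disabled
Permit Port List: None

Destination     : Port 8/38
Admin Source    : Port 5/7
Oper Source     : None
Direction       : transmit/receive
Incoming Packets: disabled
Learning        : enabled
Multicast       : enabled
Filter          : -

Session Number  : 1

Total local span sessions:  1
"""

# Sample IOS running-config lines for the same session.
IOS_CONFIG = """\
monitor session 1 source interface fa5/7
monitor session 1 destination interface fa8/38
"""

CATOS_DIRECTIONS = {"transmit/receive": "both", "transmit": "tx", "receive": "rx"}


def parse_catos_span(text):
    """Return {session_number: {'source', 'destination', 'direction'}}.
    'Session Number' closes a block in CatOS output, so it flushes the entry."""
    sessions, current = {}, {}
    for line in text.splitlines():
        m = re.match(r"^(Destination|Admin Source|Direction|Session Number)\s*:\s*(.+?)\s*$", line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Session Number":
            sessions[int(value)] = current
            current = {}
        elif key == "Destination":
            current["destination"] = value.replace("Port ", "")
        elif key == "Admin Source":
            current["source"] = value.replace("Port ", "")
        else:
            current["direction"] = CATOS_DIRECTIONS.get(value, value)
    return sessions


def parse_ios_monitor(text):
    """Same structure from 'monitor session N source|destination interface X [both|rx|tx]'.
    A source line without a direction keyword defaults to both (IOS behaviour)."""
    sessions = {}
    pattern = r"^monitor session (\d+) (source|destination) interface (\S+)(?:\s+(both|rx|tx))?"
    for line in text.splitlines():
        m = re.match(pattern, line.strip())
        if not m:
            continue
        num, role, iface, direction = m.groups()
        entry = sessions.setdefault(int(num), {"direction": "both"})
        entry[role] = iface
        if role == "source" and direction:
            entry["direction"] = direction
    return sessions


def normalise_port(port):
    """'fa5/7', 'Fa5/7' and '5/7' all name module 5, port 7."""
    return re.sub(r"^[a-z]+", "", port.lower())


def check_span(sessions, target_port, sniffer_port):
    """Return a list of problems; an empty list means the mirror is as intended."""
    problems = []
    for num, s in sessions.items():
        if normalise_port(s.get("source", "")) != normalise_port(target_port):
            problems.append(f"session {num}: source is {s.get('source')} not {target_port}")
        if normalise_port(s.get("destination", "")) != normalise_port(sniffer_port):
            problems.append(f"session {num}: destination is {s.get('destination')} not {sniffer_port}")
        if s.get("direction") != "both":
            problems.append(f"session {num}: direction {s.get('direction')} misses one side of the conversation")
    if not sessions:
        problems.append("no SPAN session found")
    return problems


if __name__ == "__main__":
    for label, sessions, ports in (("CatOS", parse_catos_span(CATOS_SHOW_SPAN), ("5/7", "8/38")),
                                   ("IOS", parse_ios_monitor(IOS_CONFIG), ("fa5/7", "fa8/38"))):
        print(label, sessions, check_span(sessions, *ports) or "OK")
```

Feed it the output of `sh span` (CatOS) or the `monitor session` lines from `show running-config` (IOS); a non-empty problem list means the capture will miss traffic or is going to the wrong port.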
 
LVL 1

Author Comment

by:dtocco
ID: 18056476
Thanks for all the responses. That was exactly what I was looking for and was very helpful and educational.
0
