Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Sniffing and packet analyzer question

Posted on 2006-11-30
5
Medium Priority
?
2,032 Views
Last Modified: 2013-12-07
I have a question regarding packet sniffing a particular host on a switched network.  i am using Ethereal (b/c it's free) and would like to gather and report on the traffic i collect.    

The host machine is running a specific, bandwidth-intesive application.  There are multiple hi-res images involved and streaming data.  The performance of this host has been suffering since installation, especially when compared to similar workstations installed throughout the organization.  but the vendor will not reload the app or rebuild the workstation until i run a sniffer.  

The switch that my sniffer laptop and target host are on is a cisco 3560.

my question is this:   How do i get around the switch's arp table and sniff the incoming/outgoing packets from the target host?  as you know, b/c of the switch's arp table, the traffic that is intended for the target host is going directly to it. and vice versa.  now i have read about arp-spoofing and arp-poisoning, but aren't those a little malicious for a simple network admin task?  is there maybe a setting on the cisco switch that i can change, or do i really need to run a seperate app to spoof my switch into sending my sniffer laptop data?  

any help or direction would be greatly appreciated!

thanks!
dt

 
0
Comment
Question by:dtocco
5 Comments
 
LVL 6

Expert Comment

by:ryandale56
ID: 18049862
I recommend you use the "span" feature of the cisco switch.  You can configure a port to mirror traffic that is going through the switch out one port.

http://www.cisco.com/warp/public/473/41.html
0
 
LVL 4

Expert Comment

by:Trilotech
ID: 18050381
I like ryandale56's suggestion.

If you do not want to do that you could always put a cheap hub between that computer and the switch and plug yourself into the hub as well it to sniff the traffic. Band-aid sniff, but should work!
0
 
LVL 1

Expert Comment

by:shamim316
ID: 18050783
You can enable NBAR (Network Based Application Recognition) on the switch interface. This would enable you to get an idea of what percentage of bandwidth is being used for what protocol. When the app is running check the nbar report and that will show the bandwidth utilization of the protocol the app is using.

Following command will show you top 5 protocols using up bandwidth:
    show ip nbar proto top-n 5

Link:
NBAR: http://cisco.com/en/US/products/ps6616/products_ios_protocol_group_home.html
0
 
LVL 5

Accepted Solution

by:
WGhen earned 1000 total points
ID: 18053113
Hi,
We do this all the time.  If it is a Cisco switch, you span a port to the sniffer port.  So if the server is connected to switch port 5/7 for instance, and the sniffing device is on port 8/38, you would enter (for CatOS):

CatSwitch> (enable) set span 5/7 8/38

Destination     : Port 8/38
Admin Source    : Port 5/7
Oper Source     : None
Direction       : transmit/receive
Incoming Packets: disabled
Learning        : enabled
Multicast       : enabled
Filter          : -

Session Number  : 1

CatSwitch> (enable) sh span

Permit List     : disabled
Permit Port List: None

Destination     : Port 8/38
Admin Source    : Port 5/7
Oper Source     : None
Direction       : transmit/receive
Incoming Packets: disabled
Learning        : enabled
Multicast       : enabled
Filter          : -

Session Number  : 1

Total local span sessions:  1


_______________________________________
Or for IOS switches:

monitor session 1 source interface fa5/7
monitor session 1 destination interface fa8/38


WGhen
0
 
LVL 1

Author Comment

by:dtocco
ID: 18056476
Thanks for all the responses.  That was exactly what i was looking for and was very helpful and educational.  
0

Featured Post

Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to fix a SonicWall Gateway Anti-Virus firewall blocking automatic updates to apps like Windows, Adobe, Symantec, etc.
In this article, the configuration steps in Zabbix to monitor devices via SNMP will be discussed with some real examples on Cisco Router/Switch, Catalyst Switch, NAS Synology device.
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …
Suggested Courses

886 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question