
Network Sniffing 1


bfletch

MIS
May 3, 2000
167
US
I am new to "Network Sniffing". I understand the concept, but don't know where to go to get an explanation for the results I am getting. I just installed the program Ethereal and I am getting a lot of info on ARP, NBP, IPX. Does anyone have any good site to teach me what to look for or explain the results I am getting?

Appreciate any help.

Thanks.
 
If you don't know what IPX and ARP are you're really going to struggle.
You need to start right at the beginning of networking.
This is a good start for you, and carries some advanced stuff as well.


Bit of help for now:

IPX - Novell protocol, similar to TCP/IP (yes I know TCP/IP is actually a suite and not a single protocol). Pretty much obsolete these days.
ARP this is a request for an address, bit like a "hey, anyone know where Dave's computer is?" in networking world.
NBD, think this is a Linux thing, may be wrong though.

STu..


Only the truly stupid believe they know everything.
Stu.. 2004
 
I know what the acronyms are, I just do not understand what the log is telling me.

For example:

192.168.4.202 - Broadcast - ARP - who has 192.168.4.131? Tell 192.168.4.202

I just wanted some info on the various things that network sniffing will tell you and what to look for.

Thanks.
 
The ARP request that you are looking at is 192.168.4.202 trying to get the MAC address of 192.168.4.131 so that it can send a packet to it. You should see a corresponding ARP response with the MAC address of 192.168.4.131.

I always felt that the best tool for learning what Ethereal was collecting was to read through the treeview section in the middle of the Ethereal window.

If you right click on a TCP packet in the listview at the top of the Ethereal window, you can "follow TCP stream" which will give you a really good understanding of the flow of a given TCP protocol. You'll see the SYN, SYN/ACK and SYN/ACK three way handshake. Then you'll see things like the HTTP request packet. One or more HTTP response packets. And on and on and on.

Are you trying to track down some problem, or just playing with a new toy?

Sniffing clear-text protocols like http, telnet and ftp can be a real eye opener.


pansophic
 
Thanks for the feedback. I guess I am playing with a new toy. Trying to verify everything is smooth on the network, so trying to take a more proactive approach as opposed to a "fire drill" scenario when something does happen. If you could tell me if this is common I would appreciate it. The only protocols that are showing up in Ethereal log are

ARP
AARP
DHCP
ICMPv6
IPX
MDNS
NBP
PPPoED
ZIP

I have not had one TCP protocol yet to use the "Follow TCP Stream". Any suggestions?

Thanks.
 
It looks like you may be running a Novell network (IPX/SPX) and AppleTalk network rather than a TCP/IP network.

Have you attempted to get to the Internet while Ethereal is running? You should see your HTTP requests riding on TCP/IP when that happens.

The protocols that you list are primarily either AppleTalk or Novell, which I have little experience with myself. I even had to look a couple of them up, to see what they were.

You may want to limit your filter to your own box, then do specific things like transfer a file, print, etc. Then dissect the transfer to see what happened. I would probably buy a protocol reference for AppleTalk and Novell, just to have something to refer to when the protocol is binary, vs. plaintext.

Good luck, you have your work cut out for you.


pansophic
 
This is where I am confused. I have over 80 nodes on my network. Some I am using Static IPs, others I am using DHCP off of my firewall. My network is 100% Microsoft (2003/2000). I am going to look and see where I can have Ethereal look at my box specifically, but if you could steer me, I would appreciate it. Again, thanks for all of the help so far.
 
Have you any JetDirect / Lexmark printers / print servers?
These have a habit of having IPX/SPX and AppleTalk turned on by default, and therefore chuck out general junk associated with these. If you have, turn off the protocols and see what happens.
PPPoED is often used by ADSL providers for authentication.

Only the truly stupid believe they know everything.
Stu.. 2004
 
You can start by using the filter "ip.addr == <your_ip_address>"

But to really get an accurate log, you'd want "eth.addr == <your_mac_address>"

What you just showed me doesn't look like a Microsoft network at all. Normally you'll see lots of SMB stuff being broadcast on the network.

You can get your MAC address either by doing an IP filter and pulling from the collection, or by issuing the "ipconfig /all" command.


pansophic
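To make the two points in this thread concrete (the ARP "who has X? Tell Y" line pansophic decoded above, and why an `eth.addr` filter gives a fuller log than `ip.addr`), here is an added example that is not code from any of the posters: it decodes raw Ethernet frames into Ethereal-style summary lines and applies both filter forms to a small constructed capture. The MAC addresses and the frame contents are made up for the example; the IP addresses are the ones quoted in the thread.

```python
# Added example (not the posters' code): decode raw frames into Ethereal-style summary lines,
# then apply "eth.addr ==" / "ip.addr ==" display filters to a small constructed capture.
import struct
from ipaddress import IPv4Address

ETH_ARP, ETH_IP = 0x0806, 0x0800

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def decode(frame):
    """Return eth/ip addresses, protocol name and a one-line summary for one frame."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    info = {"eth.src": mac(src), "eth.dst": mac(dst), "ip.src": None, "ip.dst": None}
    if etype == ETH_ARP:
        # ARP body: htype, ptype, hlen, plen (skipped), opcode, sender MAC, sender IP, target MAC, target IP
        op, sha, spa, _, tpa = struct.unpack("!6xH6s4s6s4s", frame[14:42])
        spa, tpa = IPv4Address(spa), IPv4Address(tpa)
        # opcode 1 = request (the line bfletch quoted); opcode 2 = the reply pansophic predicts
        info["proto"], info["summary"] = "ARP", (f"Who has {tpa}? Tell {spa}" if op == 1 else f"{spa} is at {mac(sha)}")
    elif etype == ETH_IP:
        # IPv4 header: protocol byte at offset 9, source/destination addresses at offsets 12 and 16
        info["ip.src"], info["ip.dst"] = str(IPv4Address(frame[26:30])), str(IPv4Address(frame[30:34]))
        info["proto"] = {1: "ICMP", 6: "TCP", 17: "UDP"}.get(frame[23], f"IP proto {frame[23]}")
        info["summary"] = f"{info['ip.src']} -> {info['ip.dst']}"
    else:
        info["proto"], info["summary"] = f"0x{etype:04x}", "(not decoded here)"
    return info

def filtered(capture, expr):
    """Apply 'eth.addr == X' or 'ip.addr == X' (either direction) and return surviving summary lines."""
    field, _, value = (s.strip() for s in expr.partition("=="))
    layer = field.split(".")[0]                              # "eth" or "ip"
    return [f"{i['proto']} {i['summary']}" for i in map(decode, capture)
            if value.lower() in (str(i[f"{layer}.src"]).lower(), str(i[f"{layer}.dst"]).lower())]

def arp_frame(op, sha, spa, tha, tpa, eth_dst):
    body = struct.pack("!HHBBH6s4s6s4s", 1, ETH_IP, 6, 4, op, sha, IPv4Address(spa).packed, tha, IPv4Address(tpa).packed)
    return struct.pack("!6s6sH", eth_dst, sha, ETH_ARP) + body

def tcp_frame(src_mac, dst_mac, src_ip, dst_ip):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0x4000, 64, 6, 0, IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return struct.pack("!6s6sH", dst_mac, src_mac, ETH_IP) + hdr + bytes(20)  # TCP header left zeroed, not decoded

# Constructed capture: the ARP exchange quoted in the thread plus one TCP packet (MACs are made up).
MAC_A, MAC_B, BCAST, ZERO = (bytes.fromhex(h) for h in ("001122334455", "66778899aabb", "ff" * 6, "00" * 6))
CAPTURE = [arp_frame(1, MAC_A, "192.168.4.202", ZERO, "192.168.4.131", BCAST),
           arp_frame(2, MAC_B, "192.168.4.131", MAC_A, "192.168.4.202", MAC_A),
           tcp_frame(MAC_A, MAC_B, "192.168.4.202", "192.168.4.131")]
```

`filtered(CAPTURE, "eth.addr == 00:11:22:33:44:55")` keeps all three frames, while `filtered(CAPTURE, "ip.addr == 192.168.4.202")` keeps only the TCP one, because ARP frames carry no IP header for `ip.addr` to match.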
 
I didn't think it looked like a Microsoft network either, that is why I am more confused. I have TCP coming up on Ethereal now, but did not do anything to start it. It alone seems to be getting the TCP traffic from my workstation running Ethereal. I have no filters on either, so I thought I should be getting all the tcp traffic. Any suggestions?

Thanks again.
 
Check if you are using a switch port... if so you will only be seeing traffic from your own machine plus broadcast traffic.

How many broadcasts you see will depend on how busy your network is; there should be some NetBIOS Name stuff, but IPX and AppleTalk are much chattier. You could try leaving the monitor on for longer and then putting nbns into the filter window.

To get a better sniff you need to be in line with a common point - say the router, and enable the port you connect Ethereal to as a "mirror port" and set it to mirror the router's port.

In a worst case put a hub (not a switch) in line with the router and use the sniffer there, just be aware that sticking a hub in line can cause congestion and collisions though.

 
Concur with the switch vs. hub assessment. If you have a managed switch, you can put a port in "mirroring" or "monitor" mode and see all of the traffic destined for another port. If you pick the router's port to mirror, you will see all of the traffic that is entering or leaving your network (should be primarily TCP/IP traffic).

Be careful about putting your own port in a mirror mode, as you generally cannot transmit on the mirrored port.


pansophic
 
Great idea. I will give that a try when I have some down time to play. In the meantime, I might just put a hub in between to see what the results are.

Thanks again.
 