chrissanders.org— A great guide on using Ethereal to sniff packets and how to use that information to diagnose various network problems. Contains some great example trace files with information on how to interpret them.
Jul 5, 2006
jpesicka2 - Jul 6, 2006
I farted......and it smells.
legendarysock - Jul 6, 2006
Ethereal isn't an abandoned project. Ethereal IS Wireshark because of a name change due to copyright infringement and right now, the current Wireshark and Ethereal versions are very similar.
revka - Jul 6, 2006
no wai! from TFA: I obtained this trace file as well as a lot of others I will be using from Laura Chappell, Sr. Protocol Analyst for the Packet Level Protocol Analysis Institute (http://www.packet-level.com).
nonsequitor - Jul 6, 2006
You sir do not know the difference between a hub and a switch. Switches route based on MAC addresses, therefore you only receive traffic which has a Destination MAC equal to that of your PC's NIC regardless of whether or not the NIC is in promiscuous mode. A Hub on the other hand will send all traffic to all ports which it did not originate from. Most Hubs for sale are really switches, making things more difficult. However if you overload a switch it MAY fail into Hub mode, assuming it's not French, because then it would just surrender.
jimmyblake - Jul 6, 2006
Until recently I worked for the World's second largest Ethernet switch manufacturer - 3Com - in their security division. A lot of what is written above is, well, bollocks. Some of it is also well researched and informative.

Both hubbed and switched Ethernet can utilise both broadcast and multicast addresses. In fact RARP (Reverse Address Resolution Protocol, defined in RFC 903), which is used to resolve MAC addresses (physical OSI Layer 2 addresses) into IP addresses (logical OSI Layer 3 addresses), utilises Ethernet ARP so all machines on an Ethernet network can see the RARP packet.

Running an interface in promiscuous mode will not show you all traffic flowing through a switch to which you are attached, but it will show you all traffic flowing through a hub to which you are attached. Ethernet's original standard worked without anything like a hub or a switch; it had a bus topology and utilised a single piece of cable with terminators at each end to stop the signal being reflected back down the wire:

[T]============================[T]

With the thick coaxial version, known commonly as 10BASE5 or thicknet, physical 'taps' cut through the cable casing into the cable and 'drop' cables utilised Media Access Unit (MAU) interfaces to attach between the Network Interface Card on the PC and the tap.

[T]=====[TAP]=====[TAP]=====[TAP]=====[T]
         [MAU]    [MAU]    [MAU]
           I        I        I
           I        I        I
         [MAU]    [MAU]    [MAU]
         [NIC]    [NIC]    [NIC]

As it is a bus, a piece of traffic going from the first station to the third station would be visible to the MAU/NIC of the second station. In non-promiscuous mode it *IGNORES* any traffic it sees which is not addressed to its MAC address. In promiscuous mode it cares not for the address in the Ethernet segment and brings the traffic in for processing.

Passing over thinnet or 10BASE2, which is practically the same architecture as 10BASE5 but utilised thinner coax and used small BNC connectors to form 'T's in the network cable instead of taps, and skipping to 10BASET, you introduce hubs into the equation. Hubs still utilise the same underlying bus architecture as a 10BASE5/2 network. All they do is create a bus, and the connection to the bus is made via an RJ45-ended cable.

------------------ HUB -------------------------
[ ]------[ ]------[ ]------[ ]------
 I        I        I        I
 I        I        I        I
[NIC]    [NIC]    [NIC]    [NIC]

Within the hub itself is the bus and all traffic is visible to all NICs; in non-promiscuous mode again the NICs choose to ignore the traffic. In promiscuous mode it cares not for the address in the Ethernet segment and brings the traffic in for processing.

The best way of looking at a switch without starting to talk about things like Carrier Sense Multiple Access/Collision Detect and Collision Domains (which is the mechanism Ethernet uses to avoid two of the stations on the same shared bus talking at the same time) is to look at a crossover cable connection between two PCs.

[PC1]==================X===============[PC2]

A crossover cable is exactly the same as a straight bit of Ethernet cable but wired so the transmit from one end goes to the receive at the other end, and vice versa. A crossover cable enables a direct connection between only two Ethernet devices.

When data enters a switch, the switch contains an internal table that lists the MAC addresses of all of the stations attached to each of its ports. Typically the switch will create in effect a virtual crossover cable between the source port of the packet and the port to which the table indicates that the destination MAC address is attached - no other ports on the switch will see the traffic even if their interfaces are set to promiscuous, because in effect the two machines on either side of the connection have a direct one-to-one connection (this is a gross oversimplification because the switches may be cascaded, but the basic principle remains). The only real way to see the switched traffic is to poison the table of the switch utilising something like ARP spoofing (Google it for further explanation; two of the best ARP spoofing tools IMHO have been mentioned already: dsniff and ettercap) or by utilising a switch vendor feature called SPAN ports (for Cisco) or mirror ports (for the rest of the World). Mirror ports are configured to circumvent the direct one-to-one connection by directing all or specific ports' traffic down an additional port. This is most used to attach a packet sniffer such as Ethereal or an Intrusion Detection System to monitor the traffic.

VLANs have been mentioned; these effectively group ports on a switch so that only certain ports can set up the one-to-one communications, effectively dividing one switch into several mini-switches.

Blah digg screwed my lovely text diagrams up :-/
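A small model of the hub, learning switch and mirror-port behaviour described in the comment above, added here as an illustration and not code from the thread or from any vendor; the MAC addresses, port numbers and the three frames are constructed, and the "sniffer" is simply a station whose NIC is in promiscuous mode.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"

class Station:
    """A NIC: a non-promiscuous NIC drops frames not addressed to it."""
    def __init__(self, mac, promiscuous=False):
        self.mac, self.promiscuous, self.seen = mac, promiscuous, []

    def receive(self, src, dst):
        if self.promiscuous or dst in (self.mac, BROADCAST):
            self.seen.append((src, dst))

class Hub:
    """Shared bus: every frame is repeated to every port except its source."""
    def __init__(self): self.ports = {}

    def attach(self, port, station): self.ports[port] = station

    def send(self, in_port, src, dst):
        for port, station in self.ports.items():
            if port != in_port:
                station.receive(src, dst)

class Switch(Hub):
    """Learns source MACs per port; known unicast goes to one port only."""
    def __init__(self, mirror_port=None):
        super().__init__()
        self.table = {}                  # MAC -> port, learned from source addresses
        self.mirror_port = mirror_port   # SPAN/mirror port gets a copy of every frame

    def send(self, in_port, src, dst):
        self.table[src] = in_port
        out = self.table.get(dst)
        if out is None or dst == BROADCAST:   # unknown unicast or broadcast: flood
            targets = [p for p in self.ports if p != in_port]
        else:
            targets = [out]                   # the "virtual crossover cable"
        if self.mirror_port not in (None, in_port) and self.mirror_port not in targets:
            targets.append(self.mirror_port)
        for port in targets:
            self.ports[port].receive(src, dst)

def run(device_factory):
    """Send A->B, B->A, A->B through a device; return frames each NIC accepted."""
    a, b = Station("02:00:00:00:00:01"), Station("02:00:00:00:00:02")   # constructed MACs
    sniffer = Station("02:00:00:00:00:03", promiscuous=True)            # on port 3
    dev = device_factory()
    dev.attach(1, a); dev.attach(2, b); dev.attach(3, sniffer)
    for in_port, src, dst in [(1, a.mac, b.mac), (2, b.mac, a.mac), (1, a.mac, b.mac)]:
        dev.send(in_port, src, dst)
    return {"A": len(a.seen), "B": len(b.seen), "sniffer": len(sniffer.seen)}
```

run(Hub), run(Switch) and run(lambda: Switch(mirror_port=3)) give the promiscuous station 3, 1 and 3 frames respectively; the single frame it sees on the plain switch is the unknown-unicast flood sent before the table had learned B's port.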
osbjmg - Jul 6, 2006
Wireshark FTW
livewirelp - Jul 6, 2006
FYI to you OSX users... ethereal is available through Fink (http://fink.sourceforge.net/). Make sure you have X11 installed (on your OSX DVD if you have Tiger).
livewirelp - Jul 6, 2006
double post... sorry