• United States

How to sniff a network

Aug 30, 20043 mins
Network SwitchesNetworking

I’m learning how to use a protocol analyzer to resolve different problems on our network. Our net is a hodge-podge of equipment; some parts are still using hubs and others are using more up-to-date Ethernet switches. Which is the best way to connect a protocol analyzer to an Ethernet network in order to “sniff” the packets on the wire?

– Via the Internet

The best way to connect to a network to analyze the packets depends in great part on the kind of equipment you have available. In earlier days of networking, the answer was simple – just plug into a hub and you were ready to go. With Ethernet switches today, the answer starts to become “It depends.” By design, most switches won’t allow you to see the traffic from a server destined for a workstation other than the one you’re at. This can be done but involves something called port mirroring. This is where you copy the traffic destined for one port on the switch in question to another port. There are two types of switches – unmanageable and manageable. Unmanageable switches are cheaper than their manageable counterparts and generally lack the ability to do port mirroring. Just because your switch says it is manageable may mean little more than it supports SNMP and still may not let you do port mirroring. This is an important item to clarify when you buy additional switches for your network.

If your switches don’t support port mirroring, you still have a couple of options. It is possible in most cases to put a hub between a workstation under test and the network. You can plug your protocol analyzer into the hub and see both sides of the traffic. Just because your hub says on the outside that it is a hub doesn’t mean that it’s on. Some of the vendors in the entry-level end of the market sometimes use the same production line to produce hubs and switches, so you may have a switch that’s a hub and a hub that is actually a switch. In doing some research on open-source software recently, I found information on how to make a passive Ethernet tap. This is an interesting idea that presents a unique solution to a problem. With the passive Ethernet tap, you can put it inline between a network and a system under test and look at just one side of the conversation without having to implement additional filtering within the analyzer you are using. This does mean you won’t be seeing all of the conversation at once, so you may have to do some additional packet captures to get the whole picture. The parts to build this should run around $20 and it doesn’t require any power to make it work. It’s a good thing to have in your bag of tricks when a hub isn’t available or can’t be used for one reason or another.