Preliminary Ethereal User's Guide
An Anonymous Coward writes "The preliminary Ethereal User's Guide is up.
It will be updated over the next month or so, and will be followed by a Developer's Guide.
It is all done in DocBook and the source will be up at the Ethereal web site." If you haven't used ethereal, it's an extremely excellent packet sniffer: play with it a little and you'll never use telnet and FTP again (unless of course you knew that already).
Of course that'll fix everything you idiot!
Investigate the latest version of Courier-IMAP which has built in support for IMAP-SSL/TLS, as opposed to using stunnel.
stunnel is great for a small number of connections, but the overhead of launching a new process every time is fairly significant as you scale up, so Courier does a great job of a lightweight, secure IMAP server.
You have to use maildir - but both Exim and qmail support it natively now, and it's far superior to the traditional mbox format anyway.
idiot
The Ethereal document makes a mistake that I see more and more. The stuff that comes before the main part of the text is the 'foreword' not the 'forward'. Maybe we ought to just shift to 'preface' since there's less chance to screw it up.
Of course look at this:
Mozilla/4.6 [en] (X11; U; Linux 2.2.14 i586)
Looks like Linux to me....
dude, this shit is fawking gay
Root can do just the same thing to you on an untrusted UNIX box. At least with S/Key he won't know your password.
*sigh* What's that saying about a little bit of knowledge being a dangerous thing?
Absolutely. Which is why John's comment is so relevant -- Let's suppose you're working for a Humorless Corporate, and you're found running Ethereal. No admin is going to be happy about it, most will go ballistic, and any pointy-hair is going to see it as a major end-of-job crime. In almost every site I've ever worked, that's a hanging offence for certain (in one Scottish waterfront site, I think it's still one of the few literally hanging offences on the British statute book !).
Are these people right ? How do I know; it all depends on what you did with it, but nearly every company, nearly everywhere, is going to see this as distinctly A Bad Thing.
I'm considering running it at work -- I'm working on streaming, and sniffing traffic from my servers would be pretty useful. Out of courtesy I'd warn the admins though, and I'm lucky in that ours are clueful enough to understand why this is reasonable.
Actually, I just checked it out. It is rather nice, however...
Etherpeek and NA Sniffer both do pretty much everything ethereal does.
Ethereal has some neat tcp stream watching features, which is rather unique.
Ethereal is more flexible in terms of filters, and certainly being open source and running on unix are great. However...
Ethereal does NOT seem to have any graph-drawing abilities. Etherpeek and the like can generate stats based on packet size distribution, protocol types, and several other factors. I find these very useful features.
Also, the GUI needs work. I mean, it's great, it's clean, it's great for unix, but etherpeek and NA sniffer both color code automatically, in several ways.
Also, it doesn't seem to have the ability to play back what it records into the network (useful for testing/using other devices to analyze captured data). Of course this can be accomplished with other tools, but Etherpeek and NA sniffer both do this out of the box.
Ethereal does seem to have a superior filtering mechanism; however, the filters in NA sniffer and etherpeek are also competent. (read: Ethereal has a kick-ass filter mechanism, but the others are adequate)
Also, when monitoring a busy network, displaying realtime results, etherpeek is unbalanced. screen updates are very slow, and it's a pain in the ass to use. NA sniffer and etherpeek stay smooth.
Yes, of course, NA sniffer and Etherpeek both cost $$$ ($1000 and up). Yes of course, they aren't open source, and of course, don't run on unix.
So.. from a free tool point of view, etherpeek is fantastic.
From a Sniffer point of view, Etherpeek has some neat features, but is not the best.
Um, a "triumph of open source" would be if you fixed it yourself and distributed a patch immediately; no waiting until 1.3, when it may or may not be fixed by Sun...
::sigh:: Sitting at the local high school and setting up a Linux ipmasquerade gateway... what I need, and I haven't been able to find, is a program that filters through the packets to forward and logs time, source IP and URL of the websites that pass through my gatewaybox. No browser proxy, just works on raw packets. Anybody know if something like this exists for Linux?
Yes, it's Big-Brotherism; no, I didn't like it either.
BRTB
Got a quick question. I know how to follow the TCP Stream and see the text generated. But is there a way to compile the packet stream into a file. Let's say someone ftps a file across the net, can I write that down to a real file? Please excuse my bad English..i am hungry and papajohns.com is slow...
Would this be artists getting paid whenever someone downloaded their work, or just a way for guys with large MP3 libraries to make some money sharing illegally?
Then again, many (most?) businesses use switched ethernet. Sniff till you go blind, unless you are mirroring a particular port on the same switch you ain't gonna see a whole lot of info.. ./bot
yeah but ethereal is cheap .. like where i work there are loads of protocols running and there are no docs ... also there are *4* IP address schemes running on the same set of wires ... and they wouldn't want to spend £1000+ just so i can fix their network .... anyhow i used lanalyser last and i think ethereal is mostly better ..
Today the world, tomorrow the solar system!
I agree that anyone who is knowledgeable and wants to remain undetected can probably do so. My warning wasn't addressed to the hackers/crackers out there (who, after all, don't need me to tell them about the dangers) but rather those who out of curiosity might run out and install this software on their work machine running, for example, Win98. If their network administrator suddenly notices that they're sniffing the local net, there are going to be some questions asked. And legitimately so. There are a number of ways, some easier to implement than others, to tell when there's a packet sniffer on your net. For a list, take a look here (scroll down to 2.5 - "How can I detect a packet sniffer?").
about ssh and ftp... why bother.. scp gives you secure file transfer and it comes with ssh
try
man scp
for more info
Papa Smurf Says "When You Live In A Mushroom Everyone Looks Blue"
Thanks to Ethereal, I discovered a bug in Java's HttpURLConnection. For some reason, after I would make rapid requests to a site, the HTTP headers wouldn't be set, even though I set them in my code. My debugging messages said that I was setting them, but when I used Ethereal to sniff the packets, whoops, they were set to their default values. I called up sun, and it was given a bug ID. They plan to fix it in the 1.3 release for UNIX. I can't tell you how much time this has saved me. It truly is a triumph of open source.
Lucky me, I also run VMWare, which flips on promiscuous mode anyway, so if someone is using a sniffer detector, I can always blame VMWare.
"This is not a company that appears to be bothered by ethical boundaries."
Attorney General Mike Hatch on Microsoft
S/Key's great but don't be surprised when your session is hijacked. Ooops I guess it isn't so great after all.
As for forwarding ftp read the ssh manual.
3. Fonts 102 -- Typography
Here, we discuss some typography basics. While this information is not essential, many font lovers will find it interesting.
3.1 Classifications of Typefaces
Fixed versus variable width
There are several classifications of typefaces. Firstly, there are fixed width fonts, and variable width fonts. The fixed width fonts look like typewriter text, because each character is the
same width. This quality is desirable for something like a text editor or a computer console, but not desirable for the body text of a long document. The other class is variable width. Most of
the fonts you will use are variable width, though fixed width can be useful also ( for example, all the example shell commands in this document are illustrated with a fixed width font ). The most
well known fixed width font is Courier.
To serif or not to serif ?
Serifs are little hooks on the ends of characters. For example, the letter i in a font such as Times Roman has serifs protruding from the base of the i and the head of the i. Serif fonts are
usually considered more readable than fonts without serifs. There are many different types of serif fonts.
Sans serif fonts do not have these little hooks, so they have a starker appearance. One usually does not write a long book using a sans serif font for the body text. There are sans serif fonts
that are readable enough to be well suited to documents that are supposed to be browsed / skimmed ( web pages, catalogues, marketing brochures ). Another application that sans serif
fonts have is as display fonts on computer screens, especially at small sizes. The lack of detail in the font can provide it with more clarity. For example, Microsoft touts Verdana as being
readable at very small sizes on screen.
Notable sans serif fonts include Lucida Sans, MS Comic Sans, Verdana, Myriad, Avant Garde, Arial, Century Gothic and Helvetica. By the way, Helvetica is considered harmful by
typographers. It is somewhat overused, and many books by typographers plead with users to stay away from it.
The old and the new -- different types of Serif fonts
Old Style
Old style fonts are based on very traditional styles dating as far back as the late 15th century. Old style fonts tend to be conservative in design, and very readable. They are well suited to
writing long documents. The name ``old style'' refers to the style of the font, as opposed to the date of its design. There are classic old style fonts, such as Goudy Old Style, which were
designed in the 20th century. The old style class of fonts has the following distinguishing features:
Well defined, shapely serifs.
Diagonal emphasis. Imagine drawing a font with a fountain pen, where lines 45 degrees anticlockwise from vertical are heavy and lines 45 degrees clockwise from vertical are light. Old
style fonts often have this appearance.
Readability. Old style fonts are almost always very readable.
Subtlety and lack of contrast. The old style fonts have heavy lines and light lines but the contrast in weight is subtle, not stark.
Notable Old Style fonts include Garamond, Goudy Old Style, Jenson, and Caslon ( the latter is contentious -- some consider it transitional )
Moderns ( or didone )
The moderns are the opposite of old style fonts. These fonts typically have more character, and more attitude than their old style counterparts, and can be used to add character to a
document rather than to typeset a long piece. However, nothing is black and white -- some modern fonts, such as Computer Modern, Monotype Modern and New Century
Schoolbook, are very readable ( the contrast between heavy and light is softened to add readability ). They are based on the designs popular in the 19th century and later. Their distinguishing
features include:
Lighter serifs, often just thin horizontal lines.
Vertical emphasis. Vertical lines are heavy, horizontal lines are light.
Many moderns have a stark contrast between light and heavy strokes.
Modern typefaces with high contrast between light and heavy strokes are not as readable as the old style fonts.
Bodoni is the most notable modern. Other moderns include Computer Modern, and Monotype Modern ( on which Computer Modern is based ).
Transitional
Transitional fonts fit somewhere in between moderns and old style fonts. Many of the transitionals have the same kind of readability as the old styles. However, they are based on slightly later
designs. While a move in the direction of the moderns may be visible in these fonts, they are still much more subtle than the moderns. Examples of transitionals include Times Roman,
Utopia, Bulmer, and Baskerville. Of these, Times leans towards old style, while Bulmer looks very modern.
Slab Serifs
The slab serif fonts are so named because they have thick, block like serifs, as opposed to the smooth hooks of the old styles or the thin lines of some of the moderns. Slab serif fonts tend to
be sturdy looking and are generally quite readable. Many of the slab serifs have Egyptian names -- such as Nile, and Egyptienne ( though they are not really in any way Egyptian ). These
fonts are great for producing readable text that may suffer some dilution in quality ( such as photocopied documents, and documents printed on newspaper ). These fonts tend to look fairly
sturdy. The most notable slab serif fonts are Clarendon, Memphis and Egyptienne, as well as several typewriter fonts. Many of the slab serif fonts are fixed width. Conversely, most ( almost
all ) fixed width fonts are slab serif.
The Sans Serif Revolution
Surprisingly, the rise of sans serif fonts is a fairly recent phenomenon. The first well known sans serif fonts were designed in the 19th and early 20th century. The earlier designs include Futura,
Grotesque and Gill Sans. These fonts represent respectively the ``geometric'', ``grotesque'' and ``humanist'' classes of sans serif fonts.
Grotesque
The grotesques were so named because the public were initially somewhat shocked by their relatively stark design. Grotesques are very bare in appearance due to the absence of serifs, and
the simpler, cleaner designs. Because of their ``in your face'' appearance, grotesques are good for headlines. The more readable variations also work quite well for comic books, and
marketing brochures, where the body text comes in small doses. Grotesques don't look as artsy as their geometric counterparts. Compared to the geometrics, they have more variation in
weight, more strokes, and they are squarer ( because they don't use such circular arcs ). They use a different upper case G and lower case a to the geometrics. They are minimalistic, but
don't go to the same extreme as the brutally avant-garde geometrics.
Notable grotesques include the overused Helvetica, Grotesque, Arial, Franklin Gothic, and Univers.
Geometric
The Futura font came with the manifesto: form follows function. The geometric class of fonts has a stark minimalistic appearance. Distinguishing features include a constant line thickness (
no weight ). This is particularly conspicuous in the bold variants of a font. Bold grotesques and humanist fonts often show some notable variation in weight while this rarely happens with the
geometric fonts. Also notable is the precise minimalism of these designs. The characters almost always are made up from straight horizontal and vertical lines, and arcs that are very circular (
to the point where they often look as though they were drawn with a compass ). The characters have a minimal number of strokes. This gives them a contemporary look in that they embrace
the minimalistic philosophy that would later take the world of modern art by storm. A tell-tale sign that a font is a geometric type is the upper case ``G'', which consists of a minimalistic
combination of two strokes -- a long circular arc and a horizontal line. The other character that stands out is the lower case ``a'' -- which is again two simple strokes, a straight vertical line
and a circle ( the other ``a'' character is more complex, which is why it is not used ). Notable geometrics include Avant Garde, Futura, and Century Gothic.
Humanist
As the name might suggest, humanist fonts were designed with a goal of being less mechanical in appearance. In many ways, they are more similar to the serif fonts than the geometrics and
the grotesques. They are said to have a ``pen drawn'' look about them. They tend to have subtle variation in weight, especially observable in bold variants. The curve shapes are considerably
less rigid than those of the geometrics. Many of them are distinguishable by the ``double story'' lower case g, which is the same shape as the g used in the old style serif fonts. The humanist
typefaces are the easiest to use without producing an ugly document as they are relatively compatible with the old style fonts.
Compatible Typefaces
Grouping typefaces is not easy, so it pays to avoid using too many on the one page. A logical choice of two typefaces consists of a serif and a sans serif. Monotype's Typography 101 page
provides a category-matchup. They conclude that the moderns and geometrics form good pairs, while the old styles and humanists also go together well. The transitionals are also paired with
the humanists. The slab serifs are paired with the grotesques, and some variants of the slab serifs are also said to match the geometrics or humanists.
From reading this, one gets the impression that their philosophy is essentially to match the more conservative serifs with the more moderate sans serifs, and pair the wilder modern serifs with
the avant garde looking ( pun unavoidable ) geometrics.
3.2 Ligatures, Small caps fonts and expert fonts
Ligatures
Properly spacing fonts brings with it all sorts of issues. For example, to properly typeset the letters ``fi'', the i should be very close to the f. The problem is that this causes the dot on the i to
collide with the f, and the serif on the head of the i to collide with the horizontal stroke of the f. To deal with this problem, font collections include ligatures. For example, the ``fi'' ligature
character is a single character that one can substitute for the two character string ``fi''. Most fonts contain fi and fl ligatures. Expert fonts, discussed later, often include extra ligatures, such
as ffl, ffi, and a dotless i character.
Small caps fonts
Small caps fonts are fonts that have reduced size upper case letters in place of the lower case letters. These are useful for writing headings that require emphasis ( and they are often used in
LaTeX ). Typically, when one writes a heading in small caps, they use a large cap for the beginning of each word, and small capitals for the rest of the word ( ``title case'' ). The advantage of
this over using all caps is that you get something that is much more readable ( using all caps is a big typographic sin ).
Expert fonts
Expert fonts consist of several extras designed to supplement a typeface. These include things like ligatures, ornaments ( much like a mini-dingbats collection designed to go with the typeface
), small caps fonts, and swash capitals ( fancy, calligraphic letters ).
3.3 Font Metrics and Shapes
Font metrics define the spacing between characters in variable width fonts. The metrics include information about the size of the font, and kerning information, which assigns kerning pairs -- pairs of
characters that should be given different spacing. For example, the letters ``To'' would usually belong in a kerning pair, because correctly spaced ( or kerned ), the o should partly sit under
the T. Typesetting programs such as LaTeX need to know information about kerning so that they can make decisions about where to break lines and pages. The same applies to
WYSIWYG publishing programs.
In addition to the metrics is the font outline, or shape. The components of the font's shape ( a stroke, an accent, etc ) are called ``glyphs''.
Try giving a URL for it.
I'll assume that you're referring to Analyzer from the folks at the Politecnico di Torino, the folks who also bring you WinDump, a port of tcpdump to Win32 systems, and WinPcap, a port of libpcap to Win32 systems (including drivers for Windows 9x and Windows NT, including NT 5.0^H^H^H^H^H^HWindows 2000), which is the library that Ethereal on Win32, Analyzer, and WinDump all use.
(The Politecnico di Torino site appears not to be responding at the time that I'm posting this; be patient - we sometimes get folks posting to the ethereal-users mailing list asking "that site is down, how do I get WinPcap?", for which the answer is "it's probably just temporarily down, try again later".)
I wish I could split the network into VLANs, but I don't have the equipment or authority. Alas ...
It could go as low as you were moderated down you dumbass
Switched networks aren't impervious to sniffing. Switches were developed for speed, not security.
If you're sniffing your local Ethernet network at work, be careful. To watch net traffic, the Ethernet interface must be put into 'promiscuous' mode (accepts all packets, even if not addressed to your particular machine). Some network administrators are sensitive to this sort of thing, since it can be used to compromise security. There are software tools that can detect when a machine has an Ethernet interface in this mode, and they may be in use at your organization. Be prepared to explain why you're monitoring the net traffic.
Seriously however, I've tried most Windows packet sniffers and ugh, no good. The only reasonable one is Microsoft's own sniffer, which is out of the price range of someone trying to troubleshoot HTTP streams. The rest of them usually manage to blow out your connection.
I'm hoping the FBI uses this as their sniffer so my email address doesn't get munged onto the Child Porn Pirates email traffic.
Don't you mean BLOWFISH or something that doesn't do:
$ssh=~ tr/a-zA-Z/n-za-mN-ZA-M/;
then:
$ssh=~ tr/a-zA-Z/n-za-mN-ZA-M/;
to decrypt.
Why do I bother?
Maybe it's because I'm an idiot but I don't understand how using a packet sniffer is going to cause me to stop downloading stuff.
As long as you only log in anonymously you don't have to worry, but if you log in using FTP on a site where you want to be sure that no one is messing with your private files you should use another protocol (or some ftp+ssl solution).
--
Ner lbh sebz gur HFN? Gura lbh'ir whfg ivbyngrq gur QZPN!
More fun is to do bgColor='#ff00ff'
instead of location.
But I have other bugs than the any tag on fake email.
As a previous poster indicated (humorously), you should use SSH for any remote administration. You can also use SSH along with a POP or IMAP server so that your password isn't passed in cleartext every time you check your e-mail. (There are other ways to encrypt your password over POP, but I'm not sure about IMAP. I would think there is though.) For file transfer, you can use SFTP, SCP, or regular FTP forwarded over SSH.
When I worked in networking, a sniffer that could decode the protocol I dealt with was the only real tool I used. At the time Lanwatch was the only one that could really decode the protocol I used.
That's well and good. Everyone loves good sniffers, but maybe you should attach some information about how we can protect our sensitive information. To stop those crackers from getting at my supply of pron. Again.
Why is there no spoon?
The List of Grievances with Slashdot.
If you haven't used ethereal, it's an extremely excellent packet sniffer...
I remember showing Ethereal to some guys who did network troubleshooting for a living, and they were astounded. I highly recommend giving it a try.
Don't sweat the petty things. But do pet the sweaty things.
A better manual would have come in handy when I was trying to use the filter option to isolate packets.
Who knows, maybe support for SSL will come next? I'd love to be able to snoop and decipher ssl data on the fly (If I had access to the private key of the enciphered stream).
-- Good judgement comes with experience. -- Experience comes with bad judgement.
Ah, the joys of binary non-compatibility; UCD SNMP 4.1.1, which RH 6.2 picked up, changed a routine Ethereal uses into a macro, which meant that the Ethereal in the binary RPMs, which were built on RH 6.1, and linked with the UCD SNMP shared library, don't work on 6.2, as a routine it calls isn't present in the 6.2 UCD SNMP shared library. (UCD SNMP 4.1.2 turned that and other macros back into routines; I filed a bug with Red Hat suggesting that they pick up 4.1.2, which, as I remember, they said they'd do in 7.0.)
I threw into Ethereal 0.8.10 a greasy hack, inspired by greasy hacks I've been told are used on Windows to e.g. allow applications to use new DLL routines if present on a particular system without blowing up if they aren't, to work around that.
Whilst it worked on my simulation of that situation on my Debian 2.1 partition, it appears not to work on RH 6.2; I have some diagnostic information from one user who reported that on the ethereal-users mailing list, and will see if I can check in a change more likely to make it Just Work.
That's all you did? Just installing those two RPMs? That's bizarre - what files did installing those two RPMs add to your system?
Or is there an "I then recompiled from source" step after that step?
A great resource that I refer to a lot:
Sniffing (network wiretap, sniffer) FAQ
M$: "We're #2!"
Don't like fags do ya? Hmm. Maybe you should think about why.
Get comfortable with yourself and you'll be comfortable with others.
- Desi
Normally (non-promisc) the hardware filters out packets that don't match your MAC. When you go into promisc mode, this is moved into the domain of the OS.
/*
Now the way to find out is to send frames with valid IP data, but to an invalid MAC. Normally the card would filter this out, but *gasp* it doesn't, it's in promisc mode.
That's how the promisc scanners find data. Some OSs will drop the invalid MAC (realizing it's not their own), others accept it assuming that the hardware would filter it out
*Not a Sermon, Just a Thought
*/
Sniffer programs are also useful if you only care about the traffic between two machines, at least one of which is capable of running the sniffer program (or can otherwise produce a network trace file). Perhaps that's less common for network administrators than for software developers, but if you're a developer at a manufacturer of, well, Network Appliances, packet analyzer programs can come in very handy even if you can't see all the traffic on a network segment.
``...play with it a little and you'll never use telnet and FTP again''
Of course, people forget about their mail a lot. Here at UMN, our central mail servers run stunnel, so you can read your POP3 or IMAP mail over an SSL tunnel. Before I found out that they were doing this, I was really bothered by how many people could be sniffing my password. I had tried using SSH tunnels, but that required you to stay logged in.
New versions of Netscape Communicator do support SSL, and I believe recent versions of mutt do too.
--
Ski-U-Mah!
If you're using Windows, at least.
You'll need WinPcap to get it to capture packets at all - but you'll need WinPcap to get Ethereal to capture packets on Win32 as well.
The Politecnico di Torino folk also have WinDump, a port of tcpdump to Win32, also using WinPcap.
Or just go to the Analyzer site (I'm assuming from the reference to WinPcap that you're talking about the Politecnico di Torino Analyzer). If the site isn't up, try again later.
on the local machine, it's easy to detect promiscuity, but you can't readily deduce this about a machine elsewhere on the network.
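The local check the comment above refers to, as an added example that is not from the original thread: on Linux the kernel exposes each interface's flags in sysfs, and the IFF_PROMISC bit (0x100 in linux/if.h) is set while any local process holds the interface in promiscuous mode. The sysfs path and flag values are real; the sample interface tree the script builds is constructed here so the check can be exercised offline.

```python
"""Report local network interfaces that are in promiscuous mode.

Reads /sys/class/net/<iface>/flags, which the Linux kernel writes as a hex
string such as "0x1103\n" (IFF_UP | IFF_BROADCAST | IFF_PROMISC | IFF_MULTICAST).
This only answers the question for the machine it runs on; as the thread notes,
a remote host's promiscuity cannot be read off this way.
"""
import tempfile
from pathlib import Path

# net_device flag bits from linux/if.h
IFF_UP = 0x1
IFF_BROADCAST = 0x2
IFF_LOOPBACK = 0x8
IFF_PROMISC = 0x100
IFF_MULTICAST = 0x1000

FLAG_NAMES = {
    IFF_UP: "UP",
    IFF_BROADCAST: "BROADCAST",
    IFF_LOOPBACK: "LOOPBACK",
    IFF_PROMISC: "PROMISC",
    IFF_MULTICAST: "MULTICAST",
}


def parse_flags(text):
    """Turn the sysfs flags file contents ("0x1103\n") into an int."""
    return int(text.strip(), 16)


def is_promiscuous(flags):
    """True when the IFF_PROMISC bit is set in an interface's flags word."""
    return bool(flags & IFF_PROMISC)


def describe_flags(flags):
    """Human-readable list of the known flag names set in the flags word."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if flags & bit]


def promiscuous_interfaces(sysfs_root="/sys/class/net"):
    """Return the sorted names of interfaces under sysfs_root with IFF_PROMISC set.

    Interfaces whose flags file is unreadable or malformed are skipped rather
    than reported, so a partially populated sysfs does not cause false alarms.
    """
    root = Path(sysfs_root)
    if not root.is_dir():
        return []
    found = []
    for iface in sorted(root.iterdir()):
        try:
            flags = parse_flags((iface / "flags").read_text())
        except (OSError, ValueError):
            continue
        if is_promiscuous(flags):
            found.append(iface.name)
    return found


def build_fake_sysfs(root, flags_by_iface):
    """Write a constructed /sys/class/net-style tree for offline testing."""
    for name, flags in flags_by_iface.items():
        d = Path(root) / name
        d.mkdir(parents=True, exist_ok=True)
        (d / "flags").write_text("0x%x\n" % flags)


def demo_on_constructed_tree():
    """Run the check over a constructed tree: lo, a normal eth0, a sniffing eth1."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fake_sysfs(tmp, {
            "lo": IFF_UP | IFF_LOOPBACK,                                    # 0x9
            "eth0": IFF_UP | IFF_BROADCAST | IFF_MULTICAST,                 # 0x1003
            "eth1": IFF_UP | IFF_BROADCAST | IFF_PROMISC | IFF_MULTICAST,   # 0x1103
        })
        return promiscuous_interfaces(tmp)


if __name__ == "__main__":
    print("constructed tree:", demo_on_constructed_tree())
    print("this machine:", promiscuous_interfaces())
```

On a live system the same bit is what `ip link` shows as PROMISC; the check is a cheap thing to run from an inventory script on machines where nobody should be capturing.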
I am going to use a sniffer in the near future to sniff ICQ (2000) packages. So I would like to try a few.
What other (good) sniffers are there for the Windows platform?
Sorry that doesn't work, Leave it to the real bug finders
To watch net traffic, the Ethernet interface must be put into 'promiscuous' mode (accepts all packets, even if not addressed to your particular machine).
true
Some network administrators are sensitive to this sort of thing, since it can be used to compromise security.
According to the sniffit FAQ detecting 'promiscuous' mode is only possible if the OS is broken or not configured properly. It is my understanding that linux or even win32 in this mode would be very hard to detect.
Perhaps you recall slashdot's article about packet sniffer-sniffers from L0pht. There is much skepticism as to whether or not 'Antisniff' can really work as it seems to make a lot of assumptions about the machines it scans. If memory serves, one of the tests is to send a message to the client machines and record the time it takes to respond. Then in the future if it responds significantly slower something may be up. Another is to try to overload machines by sending a large number of forged packets all good machines will ignore and the promisc machine will choke on.
With the current state of ethernet, sniffing is basically risk free.
The only down side is that you need to be within the same subnet as the victim machine.
It seems really strange, all things considered, and how much people complain about the insecurity of FTP.
TheGeek
http://www.geekrights.org
Kill the monkey
I used to get a lot of use out of my Sniffer (the original one from Network General). I solved a lot of network problems on both ethernet and token ring with that tool. Unfortunately, I don't get to use it much, anymore. Ethernet switches are cheap nowadays, and as a result, networks are more finely segmented, sometimes down to the single node level. Switches, working as designed, filter out all the traffic that's not explicitly unicast towards the sniffer's MAC address (or broadcast, of course). As a result, you don't get the whole picture of what's going on with your network.
Some switches can be programmed to put a port into 'diagnostic mode' (forward all packets to this port because there's a sniffer there) but it's usually more trouble than it's worth, especially when you have a large building with a dozen or more switches.
That said, I'll probably still try out Ethereal. For the times that I still can make use of a sniffer, it'll be nice to get that DOS partition off my laptop.
--
Tired of FB/Google censorship? Visit UNCENSORED!
Maybe it's because I'm an idiot but I don't understand how using a packet sniffer is going to cause me to stop downloading stuff.
Or do we see a lot more of these VA Linux Conspiracy theories posted right after X-Files?
Coincidence.. I think not.
Weapons of Mass Analysis
True h4x0rs don't use distros. They write their entire system with binary editors.
--
Escher was the first MC and Giger invented the HR department.
relying on such mechanisms can prove troublesome
.oO0Oo.
turn one port in to hub mode and see everything
and you happily operate as though everything is tickety boo as you telnet and su your way around your network
one rogue employee and it's hasta la vista I believe
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
Cheops is a network "swiss army knife". It's "network neighborhood" done right (or gone out of control, depending on your perspective). It seems that the development has slowed down a bit though.
Have a look at:
http://www.marko.net/cheops/ and
http://www.marko.net/cheops/features.html
RFC1925
Well, you learn something new every day.
Actually, there has been systematic discrimination against ghosts in computer games since the early days. The ghosts were none too happy about being cast as the villains in Pac-man, for example.
But things are starting to look up. Programs specifically targeted at ghosts are starting to appear -- first came Ghostscript, and now there's Ethereal.
Obviously switched topologies do make it harder to get visibility of the entire network. However, some products including NAI's Sniffer range do allow you to set a span port on your switch (from inside the Sniffer software in some cases) and then sniff the mirrored port. Additionally, you can send traps from the switch to NAI's Sniffer that will allow it to snap to switch generated alarms on a port, or it will do port roaming. So while you do get a cut down view, you get some visibility into potential issues.
Additionally, you need to consider your network design - VLANs are a good environment to incorporate Sniffer into. And there is always more to sniff than just your LAN. You might want to keep an eye on your ATM or Gigabit backbone, your Packet over Sonet links, or Frame Relay, HSSI, HDLC, PPP, etc. I know you can do all of that and a bit more with the NAI Sniffer, so I wouldn't rule out Sniffing as a network management tool!
I'll get off my soapbox now, shall I?
Snifferchick
*sigh* What's that saying about a little bit of knowledge being a dangerous thing?
SOME NICs will "chirp" when put into promiscuous mode. SOME OSes will exhibit slightly different behavior on their TCP/IP stack when the NIC is running in promiscuous mode.
But all of that is irrelevant. Anyone who seriously wants to sniff your network will snip the Tx lines on a special patch cable. Then it doesn't matter what the NIC or OS is doing - nobody will see anything coming out of that NIC. The only(?) way to detect it is by checking line impedance - something a well-stocked site could handle, but not most businesses or schools.
Obviously, this trick will also keep you from actually doing anything useful -- and that itself might be suspicious. (Or might not, if this "dead" system is sitting in a dorm room or otherwise unoccupied office.) But if you have access to a hub (official or not) and a second NIC....
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken