What Network Sniffing Tools Do You Use?
network-nose asks: "I work as a Network Administrator in a 500 user manufacturing facility in southeastern Wisconsin. My job is to keep the company running as close to 100% of the time as possible while trying not to spend any money on up to date hardware and software. As of late, we have been having quite a few network problems that can only really be resolved by sniffing packets. I am wondering what tools the rest of you network guys and gals out there use in a corporate environment for analyzing packets. Of course, the more reasonably priced the better, but I know you usually get what you pay for."
That's it.
and on Windows, never mind.
ethereal, tcpdump
My job is to keep the company running as close to 100% of the time as possible while trying not to spend any money on up to date hardware and software
Are you trying to steal my job? I tend to use tcpdump when I am watching a box using a specific filter and expecting very little traffic, i.e. when I want to know if a certain host is communicating on some arbitrary port or protocol. Ethereal I use when I want to capture tons of data and sift through it later (although you can do this with tcpdump and import it into ethereal as well).
Tcpdump is generally considered the superior learning tool, while ethereal is considered the more refined choice. In other words, ethereal does a lot of the work for you, while you are getting pretty raw stuff when you use tcpdump.
In general, tcpdump and ethereal are the tools of choice if you don't have tons of money to spend. Fancy looking enterprise applications essentially do the same thing as the apps mentioned above -- they just add a nice GUI to the mix.
dmiessler.com -- grep understanding knowledge
I've used Sniffer Pro, Observer Pro, and Ethereal, and I always, ALWAYS prefer Ethereal. It's free, it's open source, and it's hands down the best of the lot. Sniffer Pro may have the pretty gauges and the map that shows what's talking to what (utterly useless, IMHO), and Observer Pro comes with buttloads of tools for things like SNMP configuration and whatnot, but as a sniffer, nothing has ever beaten Ethereal in ease of use, capability, or packet decodes.
For your security, this post has been encrypted with ROT-13, twice.
Reveals Ethereal:
http://sourceforge.net/projects/ethereal/
While I can't personally vouch for it, I know that it has a decent reputation, and well can't beat the price at $0.
...in bed
Ethereal! It's a very high-end multi-platform sniffer with numerous features, as well as excellent GUI and command-line interfaces that are a joy to use. It has all the features you'd expect in high-end commercial network sniffers, and it's free!
I made a PHP/MySQL library that prevents SQL injection & makes coding easier!
Two college kids wrote an interesting interpretive packet sniffer called ZAsniffer (I gather the Z and A are from their respective last names).
I found it to be quite nice for monitoring telnet usage and I use it a lot.
Personally I prefer Solaris's snoop. Linux has built in sniffers as well. And they are free (as in GPL).
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
Ethereal. I just like to see who's hitting my iTunes share.
-my other sig is your mom
Ummm...
Ethereal for checking out packets.
Thought it was obvious with a little googling...
Can you ping me now? Gooood! | Manhappenin.Net - Things to do
What kinds of problems can only be figured out by sniffing packets? Rogue programs? Unauthorized porn downloads? Illegal P2P activity?
On a properly configured network, where are the points of failure that can't be figured out with any other method besides packet sniffing? If these problems exist, would it be worthwhile to incorporate functionality directly into the networking software to watch for these problems and fix them automatically?
I have been pwned because my
Hands down, Fluke.
http://www.flukenetworks.com/us/default.htm
Alcohol & calculus don't mix. Never drink & derive.
Wait! Wait!
:P
Don't mark me offtopic yet!
Between sniffing different, strong scents (geeks, think about it), coffee beans are perfect for clearing your sense of smell.
That being said. Ethereal.
Anyway, try it sometime. Works well. Lots of people who sell the better kinds of incense will keep (good) coffee beans around for precisely this purpose.
Karma: Chameleon (mostly due to the fact that you come and go).
- Ethereal
- hping
- tcpdump
- tcpflow
Ahh, the staples of my diet. What my roommates don't know won't hurt 'em
"I either want less corruption, or more chance to participate in it." -- Ashleigh Brilliant
nmap for scanning insecure.org Ethereal rox
Error: Id10t detected
snmp logging might not be all of the solution but it's helped my work out a bit with solving problems
coincidentally, I also work at a manufacturing facility in southeastern wisconsin...
.....an Oscilloscope. Read the bits off the wire. You'd be surprised what an Oscilloscope in the hands of a VERY well trained person can accomplish.
From their website:
Cool Features: Character injection in an established connection: you can inject characters to the server (emulating commands) or to the client (emulating replies) while keeping the connection alive!!
SSH1 support : you can sniff User and Pass, and even the data of an SSH1 connection. ettercap is the first software capable to sniff an SSH connection in FULL-DUPLEX
HTTPS support : you can sniff http SSL secured data... and even if the connection is made through a PROXY
Remote traffic through GRE tunnel: you can sniff remote traffic through a GRE tunnel from a remote cisco router and make mitm attack on it
PPTP broker: you can perform man in the middle attack against PPTP tunnels
Plug-ins support : You can create your own plugin using the ettercap's API. List of available plugins
Password collector for : TELNET, FTP, POP, RLOGIN, SSH1, ICQ, SMB, MySQL, HTTP, NNTP, X11, NAPSTER, IRC, RIP, BGP, SOCKS 5, IMAP 4, VNC, LDAP, NFS, SNMP, HALF LIFE, QUAKE 3, MSN, YMSG (other protocols coming soon...)
Packet filtering/dropping: you can set up a filter that searches for a particular string (even hex) in the TCP or UDP payload and replaces it with yours or drops the entire packet.
OS fingerprint: you can fingerprint the OS of the victim host and even its network adapter
Kill a connection: from the connections list you can kill all the connections you want
Passive scanning of the LAN: you can retrieve info about: hosts in the LAN, open ports, service versions, type of host (gateway, router or simple host) and estimated distance in hops.
Check for other poisoners: ettercap has the ability to actively or passively find other poisoners on the LAN
Bind sniffed data to a local port: you can connect to that port with a client and decode unknown protocols or inject data into it (only in ARP based mode)
Port Stealing: a new method to sniff on switched LAN without ARP poisoning...
http://ettercap.sourceforge.net/
Activists United
we have been having quite a few network problems that can only really be resolved by sniffing packets.
By "packets" I hope you mean "Ethernet frames". Looking only at layer 3+ information can be useless for many network problems. Anyhow, brain dump:
Do your switches and LAN router(s) have statistic counters (# of frames of various sizes, undersized/oversized frames, flooded frames, deferred frames, etc)?
If you don't have a LAN router for 500 users: why?
What's the most amount of hops (switches) your packets will travel from one end of the LAN to the other? Any more than 3 and you should be putting a LAN router in there (ideally)
Do you have hubs? If so, destroy them all right now. Hubs are pure, unadulterated evil.
My point of that is simple: not all LAN problems are computer problems. Looking at the IP traffic doesn't always cut it. Re: the subject: At my workplace we have a nice LAN meter from Fluke. They aren't cheap but if you have that many users your company should damn well pay for the right tools for you to do your job.
Trolling is a art,
The number of ethereal recommendations is ridiculous, yet telling.
Ethereal!! Yeah, that's it. Everyone repeat after me. Ethereal!!!
Ummm what was the question again?
Like everybody else has said, you have those two, you're covered.
However, I find myself frequently using tcpdump to capture data, then downloading it and analyzing it in Ethereal on my workstation later.
tcpdump -w myfile.dump -s 2000
Of course, the more reasonably priced the better, but I know you usually get what you pay for.
This is Slashdot, you'll lose an eye here faster than you will in a barfight for saying that free (beer and speech) GNU/Linux isn't better than costly (money and your soul) Windows!
LK
"Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
Don't forget the eternally useful.
I was recently clued-in to the existence of Argus.
It's really good for summarizing flow information in quasi-realtime, so it fills the niche of being more detailed than NetFlow, but more big-picture than tcpdump or ethereal.
Does SIP and STUN, and oh yah, how could I forget, SCCP.
As of late, we have been having quite a few network problems that can only really be resolved by sniffing packets.
What kind of problems are you talking about? On ethernet level? On IP level? On application level?
They all have different approaches, and all have different tools.
bash$
-------
Create a WAP server
++insightful.
Are you THAT fucking stupid? How long have you been a "network administrator"? Which part of Google and basic documentation do you not understand?
This is why I cringe when the IRS talks about how many "CIO"s they've been through trying to get their software right. I'm afraid that the submitter is the only type of person who would apply for a government job doing information systems. These are sad, sad times for technology.
I use ethereal for the sniffing portion, then ettercap for sniffing on switched networks. Ettercap uses arp poisoning to get around not being on a spanning port or hub. Careful though, may break your network depending on the switch.
I use tcpdump UNIX-side, and Ethereal Windows-side. Personally? I find Ethereal hard to use, but it gets the job done. I've traced down bugs in OpenBSD TCP stacks with it on my production servers. I've tried half a dozen other packages but they didn't add enough value to make them worth trying to hit my boss up for cash.
To install Ethereal, you will need to download and install the low-level WinPcap driver.
And you may find the Ethereal packet analysis plug-in Packetyzer helpful; sometimes reading raw logs gets a bit annoying.
--LP
I sniff with Olfactory 1.0.
Karma: -2147483648 (Mostly affected by integer overflow)
While it probably does suit the poster, I have to say for network diagnostics, Sniffer Pro is awesome. With the right network cards, it goes right down to the network layer, pulling out collision stats etc, and can even go and setup your switches for monitoring using rmon.
Got wan problems, Sniffer can work with a Y cable and hardware decoder to watch your WAN.
They even have long term trending and reporting tools. Its maybe the one tool that Network Associates does right.
Ethereal and TCPDump are good for protocol analysis, but most network problems I've dealt with are not really at the application layer, but more the physical layer (dodgy network cards, flat network designs with hundreds of hosts causing your collision rate to go through the roof, etc.)
The other thing that I like about Sniffer is it's made for people that might not have degrees in network analysis. It's got that Expert System. It will throw at you all the errors it finds, and is good enough to tell you what those errors mean.
Lastly, the export feature is great. Does my boss want to know what the biggest talker on the network is? Let Sniffer run for a few hours, export to Excel, and I can give him the top 10/20/50; I can break it down further by protocol or application, and can even tell him who the partners are.
I know there are other tools out there that can do all this, (ntop, ethereal, tcpdump, rrd's) but thats exactly my point. They are different tools, they don't work together, and imho, none of them are true network diagnostic tools.
I'm Ex NAI employee btw, so maybe a bit biased, but I still use Sniffer (legit copies) to this day. There are only a few reasons why I still have a windows drive for my laptop, and Sniffer is no. 1)
dsniff and ethereal. If you're talking windows, just install cygwin and you'll be able to build all your own tools from source. doesn't get cheaper than Free.
FreeBSD for the impatient.
One of the common network administration problems that software tools aren't very good at is finding where wires go when they're behind furniture or walls. Wires are pretty much like string, and my cats like to chase string, so I send them out to chase the wires, listen for the thumping noises, and see where the cat comes out. Doesn't work every time, and sometimes they'd rather chase mice than wires, but one of my cats really like chomping on RJ45 jacks, so if I suspect that a problem is related to an unplugged RJ45, he's the one for the job.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
I've used ethereal on Win32, but didn't like the gtk weirdness. So..my recommendation if you're on a windows network is Packetyzer. It's free, it's based on Ethereal, and it runs great on Windows.
I'm curious, what exactly are you looking for that you'd need to be sniffing packets? Is your large network running on daisy-chained hubs and you're getting broadcast traffic? Spit? Bailing wire?
It's 11PM, do you know where your pants are?
For windows get winpcap
then get ethereal for windows
and get windump
SANS.org has all the info: Packet capture apps
...people could be more constructive if you could qualify what "problems" you mean. Network usage? Runt packets? Bad NIC flooding the network? Infiltration of Win2k3?
analyzer is a native win32 app that is directly associated with winpcap, the packet capture architecture on which most win32 sniffing-type freeware depends.
Ethereal is the way to go.
The simple truth is that interstellar distances will not fit into the human imagination
- Douglas Adams
Damn straight! All my proprietary code has stolen Open SOurce in it! Hell, I couldn't make it as a programmer otherwise!
I use Ethereal as a basic sniffer, but use others for deeper network analysis. Etthereal is fantastic as a basic sniffer. Few problems with it too. It's just so well written.
I use the Compuware stuff as well. Network Vantage and Application Vantage. Mainly on bigger or troubleshooting jobs..
Network Vantage tends to do the more statistical stuff, and Application Vantage tends to process the intricate information, such as how long it takes a packet to traverse a WAN segment or if packets are arriving out of order, and the extent that this messes up the network..
It's not stuff that you can't do with Ethereal (and a spreadsheet and a few hours) but it does make it a lot easier to do....
Oh... And I just use the standard TCPDUMP on Linux... from the console..
GrpA.
Enjoy science fiction? "Turing Evolved" - AI, Mecha, Androids and rail-gun battles. What more could you want?
"Network's down!!!"
Cloud City Digital: DVD Production at its cheapest/finest
What about driftnet?! Who are YOU to point fingers if you don't even mention driftnet?
;)
User EtherApe on Linux - very cool graphics and allows you to focus on who's loading LAN segments (put it onto the monitor port on your switch). And Ethereal as many have mentioned on both Windows and Linux. I use Ethereal for everything from finding what spyware is trying to do through to trapping inconsistent content from a server farm to working out what ciphers SSL is negotiating through to looking at what DNS replies I'm getting. I'd be lost without it.
Ettercap
Steal This Sig
You are so off teh mark!
Ever heard of Red Hat? They seem to be making money just fine!
Its all about selling services, rather than the software. Software is now a commodity, its the support services that will make companies money.
http://www.snort.org/
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Its my diablo 2 packet sniffer, it lets me find those SOJ's without wasting all my gold.
(hey it used to work)
"am wondering what tools the rest of you network guys and gals out there use in a corporate environment"
you dont fool us mr script kiddie.. were not going to help you here.
i mean come on don't they teach this shit in schools these days?
I use tcpdump on Mac OS X and Linux/Unix, but when I'm at a client site and all I have is my WinXP laptop, Packetyzer is my sniffer of choice. One of my cow-orkers swears by Ethereal, but it's all good.
k.
"In spite of everything, I still believe that people are really good at heart." - Anne Frank
I've used tcpdump natively under Windows 2000. Don't laugh, its the only machine I had nearby with administrative access to run a sniffer on at the time.
ettercap is the shit, does regular passive packet sniffing, but it also does man in the middle packet sniffing, nice for switched networks
Ethereal to pick up the packets and look at the fine details. But if you need graphs and treds (packets/sec... bytes/sec) source destination... ntop is great.
Plus you can use ethereal for fibrechannel/iscsi as well as traditional networking protocols (tcpip/eth)..
Compuware Vantage suite of tools have got to be the cadillac of network "sniffing", with the exception that if you can't touch the A or Z points of your data transfers, then stick with the usual packet capture sniffers. Otherwise if you can get away with installing agents on the end servers/systems..try to get your hands on compuware appvantage. Trust me, it ROCKS. It's the END ALL to network problems..no more guilty until proven innocent bs. Generate reports detailing exactly what's going on with the network, and that the problem is not "the network". (which, *ahem*, it always is) http://www.compuware.com/products/vantage/appvantage.htm
This combined with netflow exports on the routers, mrtg pulling snmp graphs and generic packet sniffers and you'll be sitting pretty.
Ethereal. Do I hear an echo in this room?
My nose is indispensable OTJ. If a network card stops working, or is flaky I simply pop it out and smell for burned silicon.
I found it works with routers, switches, hubs and servers too.
First of all, as a network administrator of that large a network, you should be able to find your own fucking network utilities. I mean god.. make yourself useful. Anyways, here is my two cents: Etherpeek. Its $$$, but its by far the best packet sniffing software I've ever used. The user interface is very intuitive. Additionally, its one of the most powerful sniffing suites I've used. In short: if you have the money, get Etherpeek.
I always use three tools together when I've got mysterious network problems to debug:
tcpdump
tcptrace
xplot
It's a little old-fashioned, and requires doing a little bit of documentation reading to understand what the tools can do, however, I think it's an unbeatable Free combination.
With tcpdump, you can capture a huge amount of data and the pre- or post-filter it. Once filtered, tcptrace can graph the data for display with xplot. The resulting plots make it trivial to see throughput problems. On more than one occasion it's led me to poorly tuned TCP stack problems such as bad window size parameters, etc.
Funny you mention EtherPeek. I worked for that company (which was in my little hometown) back when they were still Ag Group. Last I heard they became WildPackets!. (Exclamation is part of the name). EtherPeek was some slick software, but yeah cost some $$ if you didn't get a free key from them =)
I'm sure you are going to get plenty of responses like 'Snoop', 'Tcpdump', 'Ethereal', etc. The problem is that those tools are sniffers, and you have to perform quite extensive analysis to figure out what's wrong with network, just from the packet trace. Been there, done that.
A classic 'Sniffer' from Network General (which is currently 'Network Associates') attempts to perform some rudimentary analysis (which is called 'Expert whatever...'). It does some interesting analysis; if you can get it - get it!
If you are interested in pin-pointing the reason why some distributed application doesn't run well on your network, by all means get OPNET Application Doctor. It is a fairly expensive tool, but this is probably the best you can get. Used it and love it.
Well, I use my own special homemade network sniffer. Let me explain it: it's a BIG rubber nose on a BIG stick with Cat 5 hanging out the nostrils. It works GREAT. Walk into someone's office with that and they start rambling about all the programs they are running, have run, could run, and want to run, MOST likely out of fear of what you are going to do with the rubber nose on the stick, or maybe just because they are scared someone actually spent the time and built it.
EtherPEG works by capturing unencrypted TCP packets off your local network, collecting packets into groups based on TCP connection (determined from source IP address, destination IP address, source TCP port and destination TCP port), reassembling those packets into order based on TCP sequence number, and then scanning the resulting data for byte sequences that suggest the presence of JPEG or GIF data.
Or in other words, fire it up, plug in a data projector and watch everyone's porn. Interesting side-effect: It makes (most) people a lot more careful what they browse if they know the results will be displayed for everyone's amusement. Mercifully, it's also a lot less likely these days to see The Goatse flying across the screen.
Do you or your partner snore? - Visit www.snoring.com.au
Small laptop (older one) with onboard NIC and PCMCIA NIC.
:)
Ngrep, dnstop, nmap, tcpdump, iptraf, and we spent $99.00 for a license for nprobe which we use to export traffic patterns as netflow data.
I sometime use ethereal on a somewhat beefier system (dual 2.4 Xeon) to read in tcpdump files to analyze when I need to display something in a way that a PHB can understand.
Of all of these tools I think the nprobe, ngrep, iptraf, and dnstop are the ones I use the most. ngrep lets me grep an ethernet stream ("No, Mr Jones, it isn't sending the correct password to the mail server. No, I'm sure you put it correctly all four times. Yes, I'm sure that windows corrupted it in the registry again").
ethereal, dominmo...
but i dont use them. i was just a lowly tech.
running cables, setting up machines.
-Grump
Is it true that more people vote for the winner of American Idol, than vote for the president? -Ali G.
Here's a link.
I haven't used it for a while (College) but it was the most impressive tool I've ever used for Network Sniffing. It's available for pretty much every major platform.
infested with jello like fishes no melotron wishes
well, maybe he's just looking for a better tool, maybe ethereal, tcpdump, and etherpeak don't offer a specific feature he's looking for (although, i have no clue what it might be, looking at UDP packet?)
"Victory means exit strategy, and it's important for the President to explain to us what the exit strategy is." G.W.Bush
That said I use numerous open source programs including most of the ones already mentioned. They work in a snap if you are used to them. If you really want to delve into the guts of a packet and have it readily able to read (decoded) then you want a tool like EtherPeek. Excellent product. I rarely recommend commercial products when there are open source alternatives. Sniffing tools is one place I make an exception. It's got to work when you need it.
Just make sure that you spark it first onto a tap because if someone accidentally connects the network to a power point - you're a goner...
|>>?
Grab an old beater box, or a laptop, with NT4 on it. Pretty much every install of that came with an option for NetMon, buried in the network services setup. Cost: $0.
help me i've cloned myself and can't remember which one I am
Ethereal has easy to use gui. Good for interactive use, like debugging problems or eavesd^H^H^H^H^H^Hjust browsing.
Snort works well for logging, intrusion detection, virus detection, alerts, and with a little extra work, intrusion prevention. It takes some work to set up, but may be worth it.
I use Cain. Makes stealing passwords on a switched network simple and profitable. You wouldn't belive the secret life your CEO lives!
I would advise you to get a LanScaper from Test-Um Inc. Retail is $419; shopping on Froogle will save you $70 or so. Anyway, the benefit of this device is that it will tell you all sorts of things about your infrastructure that any OS based tool will not. A defective cable, for instance, might work 80% of the time, maybe even more, but will lead to corrupt data (which is messy when you're dealing with some big database or something). This tool will weed out bad cables and links pretty quick. You can also find out length of runs, do pings, and many many other things. Totally worth its weight in gold. (Which is about what it costs)
Often in Error, Never in Doubt.
Is I think what you mean.
You need to just relax. Tell them you have a security problem and that you need tools to adequately do your job. If they huff you off, just make a note of it (make sure you document your request and their response), and wait until something happens. When it does, be sure to point out that you asked for the resources to prevent the problem and they didn't provide them.
At which point, they will get what they paid for. Your ARSE will be covered, and you both will suffer the consequences of their decision (which is normal in the corporate world).
Don't think that a small group of dedicated individuals can't change the world. It's the only thing that ever has.
Ethereal is great for non switched networks but if you're using a switched network I would recommend you try Ettercap, a small program I found on Sourceforge that works wonders with switches. Slightly buggy but worth a look see
This is not a sig
I built my own and you can't have it : P
plus its very very fun to look at.
ntop is good too.
While kind of a blackhat tool I find it quite useful occasionally in tracking in real time what is going on with the network. It allows you to sniff the entire network including over switches via arp poisoning and intercept / reinject packets and generally get a feel for what is going on in the network. ( http://ettercap.sourceforge.net/ ). This combined with ethereal usually does the trick.
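A defender's counterpart to the ARP-poisoning points raised in this thread (ettercap's "check for other poisoners" feature, the warning that poisoning can break a switched network, and the two posts recommending it): an added Python example, not from the thread or from ettercap or tcpdump, that reads ARP reply lines in the format printed by `tcpdump -n arp` and flags the two footprints of a poisoner. The capture lines and the trusted gateway binding below are constructed for the example.

```python
"""Flag ARP cache poisoning in tcpdump-style ARP output (added example)."""
import re
from collections import defaultdict

# Reply lines as printed by `tcpdump -n arp`; requests are ignored.
ARP_REPLY = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
)

# Constructed sample: a legitimate gateway (10.0.0.1) and host (10.0.0.50)
# answer first, then one MAC starts answering for the gateway and for several
# hosts at once, the footprint of an ARP poisoner on a switched segment.
SAMPLE = """\
10:00:00.000001 ARP, Request who-has 10.0.0.1 tell 10.0.0.50, length 28
10:00:00.000200 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:01, length 28
10:00:01.000000 ARP, Reply 10.0.0.50 is-at 00:11:22:33:44:50, length 28
10:00:05.000000 ARP, Reply 10.0.0.1 is-at de:ad:be:ef:00:99, length 28
10:00:05.000100 ARP, Reply 10.0.0.50 is-at de:ad:be:ef:00:99, length 28
10:00:05.000200 ARP, Reply 10.0.0.51 is-at de:ad:be:ef:00:99, length 28
10:00:05.000300 ARP, Reply 10.0.0.52 is-at de:ad:be:ef:00:99, length 28
"""

# Constructed static binding for the gateway; on a real LAN take it from the
# switch or router configuration, not from ARP itself.
KNOWN = {"10.0.0.1": "00:11:22:33:44:01"}


def parse_arp_replies(lines):
    """Yield (timestamp, ip, mac) for each ARP reply line, MAC lower-cased."""
    for line in lines:
        m = ARP_REPLY.match(line.strip())
        if m:
            yield m.group("ts"), m.group("ip"), m.group("mac").lower()


def detect_poisoning(lines, known=None, max_ips_per_mac=3):
    """Return alert strings for two poisoning signals.

    1. An IP whose advertised MAC differs from what we last saw, or from a
       trusted static binding in `known` (which is never overwritten).
    2. One MAC answering for more than `max_ips_per_mac` distinct IPs, which
       a host poisoning both ends of many conversations tends to do.
    """
    known = dict(known or {})
    believed = dict(known)           # ip -> mac currently believed
    ips_by_mac = defaultdict(set)    # mac -> ips it has claimed
    flagged_macs = set()
    alerts = []
    for ts, ip, mac in parse_arp_replies(lines):
        prev = believed.get(ip)
        if prev is not None and prev != mac:
            alerts.append(f"{ts} {ip} changed from {prev} to {mac}")
        if ip not in known:          # learned bindings follow the wire
            believed[ip] = mac
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) > max_ips_per_mac and mac not in flagged_macs:
            flagged_macs.add(mac)
            alerts.append(
                f"{ts} {mac} answers for {len(ips_by_mac[mac])} addresses: "
                + ", ".join(sorted(ips_by_mac[mac]))
            )
    return alerts


def run_sample():
    """Run the detector over the constructed capture above."""
    return detect_poisoning(SAMPLE.splitlines(), known=KNOWN)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Feed it a live capture with `tcpdump -n -l arp` piped to stdin to watch a segment while someone is running ettercap on it; a MAC that answers for the gateway and for many hosts within the same second is the case this flags.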
yeah, that was definitely another editor posting that one.
SmokePing, which uses rrdtool as a backend, is a great tool for graphically displaying ping information.
Netsaint is very good for monitoring systems and networks and letting you know ASAP when there's a problem. It can also use rrdtool to generate graphs of packet loss and ping latency.
All of the above are things that will give you current as well as historic information. Current information is good, but historic information is incredibly important. Trending is the obvious thing, allowing you to predict future use to some extent. More importantly, it lets you examine things that happened recently but aren't currently happening, and to see recurring issues.
Recently, our local Internet cooperative was having problems where one of the upstream connections was going into very high packet loss and dropping its BGP peer. We keep fairly high resolution traffic statistics through ganglia, another rrdtool based network system. That along with the RRD CGI grapher allowed us to create custom graphs of traffic with very high resolution, for days and weeks past, overlaying multiple sources.
Once we did that, it became obvious that every time we ran into these problems, one of our members was hitting the line somewhat hard. It wasn't hard enough that it pegged the line from a bandwidth standpoint, but it apparently was hard enough that it caused some part of the network to experience extremely high packet loss.
That was definitely a case where having the right tool allowed us to track down a fairly hard to see problem. Because our line was not at all saturated, we spent a lot of time looking for things like bad cables, ports with lots of accumulating errors, etc...
Sean
Capsa works awesome for Winblows.
www.colasoft.com/products/capsa
Corporate environments are generally going to have larger budgets. Facilities which are smaller and have much smaller budgets are going to find ways to get more bang for the buck - perhaps even better products, but also ways to get moderately (or possibly an invalidly selected product) to work in the best manner possible.
I've found that dsniff suits my needs perfectly when I'm diagnosing peoples^H^H^H^H^H^H^Hmy networks
As of late, we have been having quite a few network problems that can only really be resolved by sniffing packets
your answer will be defined based upon how you pose the question.
Obviously, ethereal is your answer. but if you read slashdot you already know that. I wonder if its really a packet sniffer that you need..
we have been having quite a few network problems that can only really be resolved by sniffing packets
like what exactly??? what kind of "network problems" are you having, and why do you think that packet sniffing is your savior???
my guess is you have some sort of DNS issue or the like... there's simply not enough info to diagnose your problem
Here's to finally giving Bush his exit strategy in November
http://ettercap.sf.net
You should check out NTOP. It is an extremely useful tool.
all I see now is blonde, brunette, redhead... ... pesky users
She loves me: 09F911029D74E35BD84156C5635688C0 She loves me not: 09F911029D74E35BD84156C5635688BF
It's more of an advantage if you can sniff directly on the layer 2 network, e.g. with snort or tcpdump connected only to the monitor port on the switch, so you can sniff all packets passing through your switch.
If you use a Linux router you can also sniff TCP/UDP/ICMP and other protocols in real time in human-readable form using iptraf.
Another method is sniffing on a stealth firewall in bridge mode.
Which sniffing software to use depends on the design of your network.
-- There is four mistake in this sentences.
cat -vu
Doesn't everyone?
Ethereal doesn't exactly have trouble looking at UDP packets so I don't know what you're getting at.
Karma: It's all a bunch of tree-huggin' hippy crap!
hunt (sniffer, spoofer, ... perhaps more handy in blackhat situations or to sniff ascii services)
tcpdump (simple packet dumper)
netwatch (console tool to monitor connections etc)
ethereal (graphical traffic analyser - pretty easy to use)
snort (IDS, probably better for aimed searching)
These are the programs I have used in the past (and some others like netcat and netgrep, but these probably don't come in handy for what you want to do). Be careful that whatever daemon you run doesn't get you into trouble - although these are security programs, they occasionally have security bugs themselves. It would feel stupid to be compromised because of the very program that's supposed to aid in fighting hackers.
Also remember some of these tools can fill up your drives in seconds, if you're not careful. I once had that problem, due to a typo, and it took a few days before I realised. Of course, you miss anything you would want to have logged during that time...
I don't really know any commercial tools. And I don't think I'll ever need one... Unix/Linux systems have lots of net tools, it's probably one of the best represented categories.
Cause its fun!
Red Hat / Fedora packages at Dag's apt repository
I have never used a packet sniffer before. If I want to try Ethereal, where do I install it? I have a router and a couple of boxes in my home network... Can installing on one box monitor all the packets of the other box that aren't being sent to the box on which it is installed?
does linux offer per-process network traffic accounting? Even on packets just being routed by the kernel, you could break it down by source host and port.
I started out sniffing networks with my own nose, having adapted my left nostril to RJ-45 connectors. But when the data rate exceeds 100mbits/sec., my nose just can't keep up, so I've trained my trusty K-9 compatriot to detect bad packets, attack packets, virus packets, and various and sundry other interesting packets. I plug the network cables into his nose, then listen to his yips, barks, and watch his tail wags, to determine what kind of traffic is on the network. It works well up to 1gbit/sec. I don't know of any organic nose that can keep up with data rates faster than that, though. Perhaps someone with a huge schnozolla could...
I don't work on any networks approaching the 500 size, but I've used Ethereal hundreds of times, primarily on MS systems, and it always helps. Being free is certainly worth points on its own. Also being built into many distros helps too.
I used tcpdump one or two times when it was already present on a system. I don't have anything against it, I am simply much more comfortable with the big E .
Why mess with the rest when you can use the best?
http://www.systemrecycler.com/shomiti
BTW, mine is up for sale.. It rox...
I'm surprised no one mentioned Iris from eEye...
ngrep. It's ethereal/tcpdump/snort all built into one. You can fingerprint exploits manually and run regexes on normal traffic with the payload converted to ASCII/hex chars.
check it out http://freshmeat.net/redir/ngrep/7168/url_homepag
The Fluke NetTool does all that plus stuff like it can hook up in between a workstation and a switch and tell you why it's not connected (crossover cable instead of a patch cable, wrong subnet, cut wire, etc.)
$1200, but well worth it.
They have an 802.11x version too.
tbdean
In Soviet Russia, the packets sniff YOU! Also, would like to see a Beowulf cluster of Micro-ATX's sniffing, you insensitive clod!
-- the only good thing the French ever did was two chicks at one time
The thing is, there are tons of network applications that fulfill usefully different roles:
Users range from single computers connected to a congested cable modem, to five-nines uptime network admins who maintain multiple datacenters around the world, so there's a wide range of complexity that different apps need to fill.
Add to that user preferences about specific OS's, licenses, languages, etc. they like to use, and you can spend days searching for just the right network app for your specific need.
I use:
tcpdump, whenever possible.
I grab packets with that, and view them in ethereal.
For debugging application level problems with tcp stuff, sometimes sniffit is more convenient.
Now.. for situations where I don't have a suitable machine in the right place to sniff what I want... and don't want to start re-cabling things... ettercap can be handy, specifically the arp poisoning stuff, so you can sniff traffic off a switched network. Make sure you have clear in your head the ramifications of how it works, though, or you might end up with a bit of a mess.
The best tool by far, though, is your own head.. having a really clear idea of what it is you are SUPPOSED to see makes it a lot easier to find out what's wrong.
A comprehensive listing, that has been some years in the making, can be found at Insecure.org.
I found this page, created by the famous and brilliant Fyodor (of nmap fame), to be a truly indispensable resource when I first began to be interested in computer security.
Hope this helps!
-pararox-
Are you THAT fucking stupid? How long have you been a "network administrator"? Which part of Google and basic documentation do you not understand?
I don't mean to flame, but...
Are you THAT fucking stupid? How long have you been a "member of society"? Which part of consulting your peers do you not understand?
Just so that this isn't a total flame:
The fact that the submitter said nothing about Ethereal and the like doesn't mean he's unaware of them; he may just be wondering what other options are available. Or even if he is unaware, maybe he got drafted into the job by a PHB, and he's honestly trying to get more information. Yes, he could use Google, but asking people with experience is undeniably a more direct route to getting answers. Many people will answer such questions willingly. If you don't want to be bothered by them, then for crying out loud, just ignore them. There's no call for insults.
Also try reading this comment, and be enlightened. "He who knows not and knows that he knows not; he is ignorant, teach him."
For the record, I use tcpdump.
Ethereal or tcpdump are great when you know what you're looking for or need to record packets over time. Sometimes I also like to use iptraf (CLI realtime packet summary) or etherape (X based, not as powerful as iptraf but cooler looking). These tools let you see realtime displays of connections which is often useful alongside a packet logger. iftop is another similar tool for realtime CLI display. There are also many protocol specific realtime tools like dnstop or arpwatch that come in very handy.
-Lod
I usually just ssh into the routers and watch the debug output. I feel inclined to spend more time (in the interests of thoroughness) at it lately since my workplace banned gaming. They want me to look busy all the time...
While packet sniffing is very useful, don't forget to get SNMP running on everything you can. Not only does it let you see what the network is doing (or not doing, as the case may be) but the PHBs love to see pretty graphs. I had a manager who refused to give us a second T1, saying that we had plenty of bandwidth. I showed him the pretty graphs that showed 90% traffic and suddenly he understood. You could almost see the lightbulb turn on.
Other tools are so incredibly primitive they can not even detect duplicate acks or tcp retransmissions properly. Other tools are even so broken they can not even decrypt and decode the PAC structure inside Kerberos tickets!
Of course, the more reasonbly priced the better, but I know you usually get what you pay for.
Right, since our FREE (as in beer) Operating System doesn't hold a candle to those other OS's that actually cost money, and stuff, right?
I've seen packet sniffers that cost upwards of $10k on a proprietary box that you couldn't change the ethernet cards out of else it would break the configuration. But a $250 linux box running ettercap (or any of the other tools mentioned here) would have performed just as well, if not better.
You should know better than to equate cost with goodness around these parts, stranger.
GIR: I'm going to sing the Doom song now. Doom doom doom doom doom doom de-doom doom doom doom doom doom doom...
There are tons of network sniffers that can sniff emails, passwords, etc. But Pikachu is different from normal sniffers.
Unlike normal sniffers, Pikachu sniffs images. Using this software, you have a visual indication of what is flowing in your network.
It's fun to watch Pikachu sniff tons of images from the network.
A nice free tool for easy tracking of users downloading offensive materials.
If you have managed switches (you do have switches in this day and age, don't you?) then hit the SNMP stats to grab a large amount of info (collisions, errors, and such); also http://ntop.org has some nice general network stats type stuff with pretty graphs and integration with netflows; and of course the venerable ethereal and tcpdump.
Actually, you sound like a kid who just got a job at a company who has 500+ employees, and wants to sniff their traffic.
:)
:) tethereal is great too (comes with Ethereal). tcpdump is the grand-daddy of all packet sniffers, so it's kinda handy to know how to use it.
:)
You'll learn and get caught. But who am I to stop you from a life experience.
ethereal is great. It's proven to be lots of fun.
For wireless, I use Wellenreiter and Kismet.
Sitting in a major Las Vegas hotel, only a few floors up from the casino, I turned on my laptop, hoping to find an access point I could get online with (damned hotel didn't provide Internet access). I heard two AP's, and caught a couple IP's going by. I assigned myself an IP which appeared to not be used, and fired up ethereal.
I saw text for several of the casino machines going by. It was the text to be updated to the displays, including windows paths to where the files originated from (I believe). It was all in plain text. I noted down what I saw for a few minutes, shut down the laptop, and proceeded to lose for the rest of the night in the casino. Hey, that's what Vegas is for, right?
After I got home, I dug around for something resembling an admin contact at the casino, and advised him of what I saw. It would have probably been pretty easy to push my own updates to the machines. What would I say though?
"Gambing is an addiction, quit now."
"This game is rigged, move on."
"This is the droid you are looking for."
"With a 97% chance of losing, did you really want to play this game?"
or, I guess
"I'm a spiffy keen elite haxor type person, props to my homeyz" haha
Serious? Seriousness is well above my pay grade.
Fox Terrier. Go Figure.
The best planning can be done after the project completes.
I used Ethereal for a while, sniffing simple HTTP traffic, sorting out cookie issues and so on (I'm not a netadmin -- mostly web app development)... and it was darned handy.
Of course, when I found the live http headers plugin for Mozilla it was exactly what I needed -- just the headers, scrolling by realtime, and no more sniffing needed.
Yeah, this is slightly OT (which may be good in a discussion that seems to be a long string of ethereal links, all +5) -- but I wanted to point out to those people out there who think they "need a sniffer" -- unless you're a network admin, you probably don't.
[Plus the Futurama quotes in the /. headers are entertaining]
There are only 10 types of people: those who understand decimal, those who don't, and, uh, 8 other types I forget.
I only use ethereal. In true unix style, if you want a proper tool that works you have to write it yourself.
not free, not on linux, but works. cheaper than sniffer too.
Good find. That is an excellent list.
there's another fun product that compliments ethrereal:
nmap. www.insecure.org/nmap/
Even though nmap is not really the sniffer application ethereal is, it can give you very valuable information about what kind of server you are running, run through a host of kiddie breakthrough attempts, and it's always fun just to tell some one after you've found out their IP address, "You are running Windows XP SP 2, here's how I can haxor you...."
please tell me what ^H^H^H means...i've seen it everywhere! but i can't figure it out...
^_^;;;
MEF says Hi!
Mad props to Zippy2
Ethereal is nice, because of its exhaustive list of supported protocols, but it still has many rough edges. Cutting and pasting various pieces of data is difficult, for example. It also is missing some advanced features, some of which are offered by this product:
Distinct Network Monitor
Download from here to avoid annoying forms.
It isn't free, or open source, but on the rare occasion where I want to modify and resend a captured packet, it's what I use.
-Dan
All of the tools discussed so far focus on capturing traffic from a LAN. I agree that a combination of tcpdump/snoop/windump for data collection and Ethereal for analysis is an excellent and free combination for troubleshooting most Ethernet issues.
However, I often struggle with traffic collection on non-Ethernet networks. I'm interested to know how large service providers capture transit traffic from core routers that may have a combination of layer 2 technologies - SONET, ATM, Ethernet, etc.
We have toyed with Netflow for trending but haven't found a great solution for capturing realtime traffic. Fortunately our Juniper routers allow filters to be applied to core interfaces that can send tcpdumpesque output from the IP headers to a syslog. Collecting the same from a Cisco router isn't so simple.
In my opinion, collecting traffic from the edge of the network is only half the battle - let's hear about tools for traffic collection on PTP core links.
"A clear conscience is usually the sign of a bad memory."
Ntop is the way to go for fast analysis. It has a http daemon built in which presents an overall view of your network's activity. You can then examine in detail with tools others have mentioned. Take care about running ethernet wiring alongside the mains wiring.
Well, I do a lot of P2P filesharing, and what really frightens me is someone using *%$%^&%^&_lib and &^^%$& so they can track the ip addresses of everyone who is participating on the P2P network. They would be able to log all the pron, ebooks, movies, and music sharing that goes on and have times/dates/ip addresses. It's so simple, just one command (&%&%&((%$ piped to the corporate lawyer and we're all fscked.
--- This message has been post-processed and sanitized by network processing tool theft_be_safe to protect the user. ---
I guess I'm oldschool, but I still use tcpdump for most day-to-day things. It's handy, it's fast, and it runs on just about every OS (including Windows (google for windump)). The output is ugly, but once you get used to it, you hardly notice.
Something to keep in mind: often, the place where you capture packets is not where you'd like to analyze them. For example, I've had situations where I needed to sniff traffic on a remote server -- I had ssh access to the server (and root, of course :) ), but couldn't/didn't want to install all kinds of GUI tools, etc. This is where tcpdump really shines. You can capture to a binary file and read the file with tcpdump, ethereal, Etherpeek, and many other packages. As long as you can get the file off the machine, you can analyze the data.
When I really need to analyze a stream or set of streams, or I'm going to be staring at packets for more than about 10 minutes, I switch to ethereal. Again, it's free, runs on most OS's (including Windows, again), and the GUI is a little clunky, but quite usable. As several people have mentioned, the capture filter syntax is identical to tcpdump. The display filter syntax is different and I find is a little tricky to get right, so I try to prefilter (or filter with tcpdump beforehand) as much as possible.
One handy feature is the ability to analyze certain types of streams, such as a TCP session (filter out the whole session and see all the data in one window) and SIP (analyze jitter, loss, extract audio session, etc.). It's also open-source, so if it doesn't understand some kind of traffic, you can write your own extension. I haven't had to do this yet, but I know people who have, and it seems easy enough for a competent programmer.
My employer has a site license for WildPackets Etherpeek (it comes in several versions... I think we have one of the higher-end ones). Frankly, it's prettier than ethereal, but, at least for the debugging I do, provides very little extra functionality. The capture filters are embedded in a GUI which I find makes it hard to see how they're configured.
Etherpeek is pretty and may be easier for novices to use. But I wouldn't waste the money unless it has some quirky feature you just can't live without.
There are also handy tools for managing and analyzing tcpdump files, such as tcpslice, which breaks up large dumps by time, date, etc.; there is a tool that "anonymizes" packets so that you can analyze streams without violating anyone's privacy (this is largely for academic use, but if, for example, you wanted to do some kind of traffic analysis on your uplink, you could do so without ruffling as many feathers).
Finally, note that tcpdump will sniff on pretty much any interface that supports libpcap. Tools like Etherpeek only talk to certain (ethernet) adapters, for example. Caveat emptor.
Bottom line: pick the right tool for the job
Iris rocks. But costs money.
http://www.eeye.com/html/Products/Iris/
Pikachu is a free JPEG sniffer for windows. It sniffs emails too :)
Please forgive my ignorance, but does sniffing packets still have that much use (for internal traffic) when most networks are switched nowadays?
I guess you could use them to to watch the traffic in and out of a single machine, but how do you use this to diagnose network-wide issues?
I know you usually get what you pay for.
That belief ensures that you almost never will.
My friend recently coded up the BUTT Sniffer, a Bidirectional UDP TCP/IP Traffic Sniffer.
It rules.
I use tcpdump for quick analyses and for capturing data and ethereal for in-depth analysis.
If I want totals and percentages, I feed the pcap files into ntop (a web based network statistics display).
All of them being libpcap based is a big advantage: you can easily capture data with one and analyse it with any other compatible sniffer.
You could even code your own single purpose program that reads pcap files if you ever need some special information from the pcap dumps (I've done it once, it's relatively easy if you know precisely what you want).
GPG 0x1B479C78
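The single-purpose pcap reader the post above describes, written out here as an added example (it is not code from the thread, nor from ipaudit, ngrep or any other tool named on this page): it parses the libpcap file format directly with `struct`, produces an ipaudit-style byte count per host pair and port pair, and runs an ngrep-style regex over the TCP payloads. The capture is constructed inside the block (the two hosts, ports and HTTP payloads are invented, and the IP/TCP checksums are left at zero because the frames are never sent), so it runs offline.

```python
import re
import socket
import struct
from collections import Counter


def build_ipv4_tcp(src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame for feeding the parser.
    Checksums stay zero: this is sample data, not traffic meant to be sent."""
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth_hdr = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth_hdr + ip_hdr + tcp_hdr + payload


def build_pcap(frames):
    """Serialize frames as a little-endian libpcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(frame), len(frame)) + frame
    return out


def read_pcap(data):
    """Yield (timestamp, frame) records from a libpcap file image of either endianness."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a libpcap file")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != 1:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def parse_frame(frame):
    """Return (src, dst, proto, sport, dport, payload) for an IPv4 frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src = socket.inet_ntoa(frame[26:30])
    dst = socket.inet_ntoa(frame[30:34])
    l4 = 14 + ihl
    if proto == 6:                                   # TCP: honour the data offset
        sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
        payload = frame[l4 + (frame[l4 + 12] >> 4) * 4:]
    elif proto == 17:                                # UDP: fixed 8-byte header
        sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
        payload = frame[l4 + 8:]
    else:
        sport = dport = 0
        payload = b""
    return src, dst, proto, sport, dport, payload


def host_pair_bytes(pcap_bytes):
    """ipaudit-style summary: bytes on the wire per (src, dst, proto, sport, dport)."""
    totals = Counter()
    for _ts, frame in read_pcap(pcap_bytes):
        parsed = parse_frame(frame)
        if parsed:
            totals[parsed[:5]] += len(frame)
    return totals


def grep_payloads(pcap_bytes, pattern):
    """ngrep-style: the (src, dst, proto, sport, dport) of every packet whose payload matches."""
    rx = re.compile(pattern)
    return [p[:5] for _ts, frame in read_pcap(pcap_bytes)
            if (p := parse_frame(frame)) and rx.search(p[5])]


# Constructed sample capture: one HTTP request, its reply, and a bare ACK.
SAMPLE = build_pcap([
    build_ipv4_tcp("10.0.0.5", "10.0.0.80", 40000, 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
    build_ipv4_tcp("10.0.0.80", "10.0.0.5", 80, 40000, b"HTTP/1.0 200 OK\r\n\r\nhello"),
    build_ipv4_tcp("10.0.0.5", "10.0.0.80", 40000, 80, b""),
])

if __name__ == "__main__":
    for key, nbytes in host_pair_bytes(SAMPLE).items():
        print(key, nbytes)
    print("GET requests from:", grep_payloads(SAMPLE, rb"^GET "))
```

To run it over a real tcpdump `-w` file, replace `SAMPLE` with `open(path, "rb").read()`; the reader only handles link type 1 (Ethernet), which is what a tcpdump capture on an ordinary NIC produces.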
My vote (as many have also stated) is for Ethereal when you know EXACTLY what you're looking for, or you know HOW to look for what is wrong.
However, to understand my network like I've never done before, I've recently gotten my hands on Packeteer's PacketSeeker:
http://www.packeteer.com/prod-sol/products/pack
While Ethereal is free, the PacketSeeker is a commercial product.
Hubs are not pure unadulterated evil. They have one use that is unmatched by other ethernet switching devices. That is, seeing every damned packet crossing a given segment. If you want to be able to snoop on *all* the traffic on a segment then you can't rely on a switch because it's keeping you from all the stuff not directed to your host. So if you're feeling snoopy, you want a hub.
Now, in real life where people don't have a need to snoop, switches are a big win. But my home network sure as hell uses a hub. I don't care if it slows down one or two machines, I want to make sure I can see all the traffic there is, whether it's hitting the router or not.
(Actually, my Nortel is a layer 3 (and 4 sorta) switch so it's not really a hub and I can configure any arbitrary port to receive traffic from all the others. So I lied a little. But if I didn't have my studly switch then I'd be using a hub. Because I'm suspicious.)
ssldump: http://www.rtfm.com/ssldump/
Pass it the right key file and it will decrypt the traffic to plaintext on the fly - very useful for tracing SMTP/POP3/IMAP over SSL, etc.
It can also debug the handshake process to help you find those weird SSL errors.
Uses libpcap so the filtering syntax is immediately familiar.
No, I did not read the f***ing article!
I like how this is moderated "interesting"
Unispeed's netlogger is a quite powerful tool, I should know, I used to work at Unispeed as part of the development team ^_- . It's a highly configurable tool and most importantly, it works in real time.
More information on their homepage.
From the homepage:
Using Unispeed Netlogger for Intrusion Prevention and Recovery
The last couple of years have seen a lot of malicious network attacks throughout the World. The effects are often extensive, causing network downtime, financial loss and a lot of extra work.
To reduce the impact of an attack, you can use The Netlogger. This brings you a large number of benefits, including
Not to mention that this is a very useful topic for people who wouldn't know much about it, in order to learn more about it ?
(ie me - I knew about ethereal but none of the others)
And by asking people who know, as opposed to searching for it, people can say which are the best ones, instead of trial and error testing yourself, and it sounds like in this guy's situation he can't afford to test lots of them (as he'd have to buy them to test them and waste money which he doesn't have?)
It's expensive, but it works - at least on the Mac side. Not sure, but it looks like the Windows version grew a brain.
EP on the Mac is very nice, it looks good and lets you think less so you can think better.
Radar-like, protocol-wise colour, real-time view.
I personally think that snort is one of the top 10-20 most useful tools to come out of the open source movement and recommend it highly. It, in addition, falls into that mantra of using your resources wisely.
Good luck, and consider asking your company to pay for some classes. Having them equip you with some additional knowledge will end up saving them money in the long run.
More information can be found here.
RandomAndInteresting.com: defending the world from stupidity since 1979
Snort can be used to sniff packets on an only-get-what-you-want level. For the admins like myself who do most of their admining from a remote box, Snort can be very useful. With custom rules, you can configure snort to report packets which have relevance, rather than capturing all packets and looking through them afterwards. Hope that helps.
Hi there
I have been using these 2 for a while and like them a lot. Ethereal works wonderfully on linux, windows but Capsa is win only. I like the Capsa filtering setup, it's easy to identify who's talking to who and what they're telling each-other. Found it kind of similar to Sniffer Pro, but like Capsa a lot more :-)
I like to be up-to-date...
You look like a million dollars. All green and wrinkled.
If you want a really cool distributed sniffer I'd suggest checking out OmniPeek.
You have to insert TAPs into points on the network, or put ports into mirror mode on switches. There aren't any tricks.
http://ffpf.sourceforge.net/
includes libpcap support, but is more extensible (filter language bindings) and efficient (kernelspace & userspace processing).
btw: I'm one of the developers.
TCPflow provides some very interesting stuff. It should be on your installation CDs; but if not, you can get it from here.
Je fume. Tu fumes. Nous fûmes!
What a stupid thing to say, on Slashdot of all places!
Ethereal is a really nice application. However, it has its limits.
RMON (see RFC 3577) or Remote Monitoring is a set of SNMP MIBs which allow you to gather traffic information (including packet captures) from the network elements themselves. You do not need to have a computer to run ethereal, snoop or tcpdump.
The switch/router/probe will collect the info for you, automatically.
Virtually all switches support (mini-)RMON. Furthermore you have (full) RMON probes which you can install at various places in the network.
The flexibility of RMON probes is much greater than ethereal's. However, I often use ethereal to look at the packets captured using RMON.
Some info:
http://www.ietf.org/html.charters/rmonmib-
http://www.cisco.com/univercd/cc/td/doc/cis
my 2 cents
Rik
http://www.cs.columbia.edu/~hgs/internet/tools.
iftop - ncurses
iptraf - ncurses
tcpflow - reconstruct into file per tcp conn
ettercap - ncurses, kill conn, drill down on connection, ssh 1 attack, etc
ssldump - http://www.rtfm.com/ssldump/
etherape - graphical view of net
ntop - web based network monitoring
ethereal - GUI - based sniffer, gets all protocols.
mtr - monitor hops
trafshow - nice ncurses sorted list of top bandwidth hogs
http://www.mirrors.wiretapped.net/security/networ
2 years and no mod points. Join reddit. Because openness is good.
A very impressive tool is Network Intercept from Sandstorm. http://www.sandstorm.com.
It makes most tools look like looking at a raw byte stream.
All the technology in the world won't hide your lack of vision, talent, or understanding.
A favorite security tools survey was conducted at the Nmap-hackers mailing list. Many of the mentioned tools are listed in order of popularity (with links and a short description)
see http://www.insecure.org/tools.html
Paul
snoopy
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
I use:
ngrep - nice libpcap-using tool, network grep :) regexes and the like all good, I love this tool just for its simplicity
dsniff is good, some interesting things in there :/
driftnet is amazing - shows images as they fly by on the network!
ettercap - for those switched network situations - using arp instead
ethereal - usually I use this for browsing pcap dumps but of course it's a powerful sniffer in its own right.
CommView is a very nice packet viewer for windows with a complicated ruleset and lots of colour-coding, stats, etc. Alarms, packet searching, dns and also a neat Remote Agent feature. It'll cost ya, but its fun :)
For normal (short) analysis I use `tcpdump`, or `netstat -I $INTERFACE 1`* to see who's going to make traffic (and slow down my ssh connection
For long-distance analysis and for reliable traffic data I use nitpicker.
Under Windows I would use etherape to analyse packets... it uses pcap under Windows, same as tcpdump, and so it's okay :)
Greetings
Mirko
* your `uname -s' should look like this:
We mainly use Cisco Netflow Data Export to detect and analyze network anomalies. If your router doesn't support netflow export, you might be able to hook a PC to the switch at a monitor port and use some tool like fprobe or nProbe to generate flow data.
A short-term archive of flow data is extremely useful for handling all kinds of abuse complaints (did you know that a significant portion is forged?) and detecting worms, outgoing DoS attacks etc. on your own network.
We have quite the same jobs, :)
I'm working in a manufacturing company with about 250+ clients.
Both tools are well documented; Ethereal can be run on Win32 or Linux, while tcpdump is afaik a Linux-only tool. The Windows version is pretty good (you won't find a difference from the Linux version except that it uses another library (WinPcap), due to the nature of the different operating system).
Hf
nothing personal, just business.
Download the ISO from here; it's got most of the tools mentioned here and you don't even need to install it onto your hard disk. It runs a full Linux system from CD.
Oh yes you do :-/
charlie harvey's website
Yep I use it (on W32) it's free and it's good. However what could be useful is what kind of problems require network sniffing? If it's bespoke applications failing then Ethereal is your baby. If you are having poor response on bits of the network maybe you should be looking at SNMP feeds/or the port counters on the switches. Finally if you think it's due to faulty cabling/network cards then you may need the expert analysis of Sniffer/Observer or the diagnostics of your switch ports to find it. Balders
I have a cunning plan...
Surveyor with the THG is quite impressive. Not as many decodes as ethereal, but line rate gig is nice.
apparently you all dont know the difference between Ethernet and Fthernet
1) Your analysis is based on bad assumptions so your result is way off. 2) You're a sick bastard for fucking a horse.
Usually 'snoop' on a per-box basis or if I'm looking for specific packet. (Free with Solaris)
Or ethereal (The windows build works ok too)
Or 'iris' if booted into windows, from http://www.eeye.com. Not the cheapest, but it works well.
cheers
Super Awesome Broadband
iptraf gives you realtime network traffic information; it is light, easy and informative enough to figure out what goes on on your network. For more eye-candy stuff etherape is also a good tool.
Some like it with bugs..... I don't!
It is obvious that most of the posters come from a software background. First place I'd start is with good hardware. If you have good managed switches, their management software will tell you a lot about the traffic going over the network.
When errors start to occur, the extra investment in managed switches really comes into its own. Understanding the design of a managed network also allows you to get over problems of sniffing remote segments.
Not only is he great for sniffing out packets, but he can herd them where I want them. Not to mention he also handles Jehovah's Witnesses spam to /dev/null every time they ping the front door.
~~ Behold the flying cow with a rail gun! ~~
A lot of the replies to your inquiry mention *nix only tools (Etherape, etc.). If you're stuck with a Win32 PC, a good option for quickly putting many of these tools at your disposal is to run Knoppix-STD. You will need to temporarily leave the Windows environment, but you should feel quite at home within the Knoppix STD (KDE) interface.
I won't list any other tools I use, as they've all been mentioned lots of times, but I will add to the list tethereal, which is the command-line version of ethereal.
;-)
Two very important general notes about analyzing the network, though. First you should know at least somewhat what your network looks like under normal circumstances. I can't tell you how many times I've been at a new organization looking at the network for strangeness and seen a long list of errors that some net admin saw and said "yeah, that's a misconfigured m$ box, haven't fixed it yet...yeah, that's a broken printer...yeah...". It helps if you know this stuff ahead of time.
Second, switching's a pain when it comes to network sniffing. The best tool in the world can't help you if the packet never gets to you. Make sure you know the layout of the network in question very well before you try looking for problems, and make sure you're either tapping as necessary or in the right spot to monitor. There are a number of tools that can just jump on a random switched port and sniff, but they often use dicey methods for dealing with the switch (arp poisoning, flooding, etc.) that you don't necessarily want to mess with if you're already having network issues. And if you're not, arp-flooding a switch or poisoning one of your production servers is a great way to cause some!
I'll end with the obligatory war story in response to a post I read that said (paraphrasing) "What would you need this kind of analysis for?" I had to troubleshoot a weird network problem that seemed to be network-wide (in this case, 3 buildings, total of about 30 switches; not too large). Symptoms were that a host would fail to start talking to another host about 1/2 the time, but once it did start, it was fine (for a while). Turns out that there was a busted switch that was bit-flipping and mangling the MAC address in the response. Thing was, we were using HPs with meshing turned on (I hate this feature; much prefer good old spanning-tree and, if you need, trunking) which black-box combines multiple uplinks between switches so you *NEVER* know what path a piece of data is taking. Hence the only erroring out about 1/2 the time and working once it did go through (arp cache), and hence us having a real hard time figuring out which was the broken switch.
Ethereal was my friend that day. Had to run it in multiple spots though to see the arp change.
my dog Spot.
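The two things the post above turns on, an IP address suddenly answering from a different MAC (the mangled-MAC war story) and the ARP poisoning it warns against running on a production network, are exactly what an arpwatch-style monitor (mentioned earlier in the thread) flags. As an added example that is not part of any post and not arpwatch's own code, here is a minimal watcher over raw Ethernet/ARP frames: it remembers the last MAC seen for each sender IP and reports every change. The frames are constructed inline with invented addresses, so it runs without a network interface; on a real box you would feed it frames from a pcap or a raw socket.

```python
import socket
import struct
from collections import namedtuple

# A reported change: the IP, the MAC it used to answer from, and the new one.
ArpChange = namedtuple("ArpChange", "ip old_mac new_mac")

# Invented addresses for the constructed sample traffic.
GATEWAY_MAC = bytes.fromhex("001122334455")
ROGUE_MAC = bytes.fromhex("66778899aabb")
CLIENT_MAC = bytes.fromhex("ccddeeff0011")
BROADCAST = b"\xff" * 6


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Constructed Ethernet/ARP frame (op 1 = request, 2 = reply); sample input only."""
    eth_dst = BROADCAST if op == 1 else target_mac
    eth = eth_dst + sender_mac + b"\x08\x06"
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + sender_mac + socket.inet_aton(sender_ip)
           + target_mac + socket.inet_aton(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, frame[22:28], socket.inet_ntoa(frame[28:32])


class ArpWatch:
    """Track the last MAC seen per sender IP and report changes, arpwatch-style."""

    def __init__(self):
        self.seen = {}

    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return None                 # not ARP: nothing to learn from it
        _op, mac, ip = parsed           # requests and replies both carry a sender binding
        previous = self.seen.get(ip)
        self.seen[ip] = mac
        if previous is not None and previous != mac:
            return ArpChange(ip, previous.hex(":"), mac.hex(":"))
        return None


def changes_in(frames):
    """Run a fresh watcher over an iterable of frames and collect the reported changes."""
    watcher = ArpWatch()
    return [c for c in map(watcher.observe, frames) if c is not None]


# Constructed sample: a client asks for the gateway, the real gateway answers twice,
# then a rogue host claims the gateway's address (what ettercap-style poisoning does).
SAMPLE_FRAMES = [
    build_arp(1, CLIENT_MAC, "10.0.0.23", b"\x00" * 6, "10.0.0.1"),
    build_arp(2, GATEWAY_MAC, "10.0.0.1", CLIENT_MAC, "10.0.0.23"),
    build_arp(2, GATEWAY_MAC, "10.0.0.1", CLIENT_MAC, "10.0.0.23"),
    build_arp(2, ROGUE_MAC, "10.0.0.1", CLIENT_MAC, "10.0.0.23"),
    b"\x00" * 12 + b"\x08\x00" + b"\x45" + b"\x00" * 40,   # an IPv4 frame, ignored
]

if __name__ == "__main__":
    for change in changes_in(SAMPLE_FRAMES):
        print(f"{change.ip} moved from {change.old_mac} to {change.new_mac}")
```

A legitimate NIC swap produces the same report as poisoning, which is why arpwatch logs rather than blocks; a burst of flip-flops between two MACs for the same IP, or a change for the gateway address specifically, is the pattern worth alerting on.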
I know it's been said, but let me reiterate. Ethereal rocks. I am a web app developer. I used it to trace an HTTP stream. It is great for isolating traffic and seeing the raw data. By using ethereal I proved that IE was corrupting its HTML. I could see the valid HTML in the HTTP stream.
"No matter where you go, there you are." -- Buckaroo Banzai
Ninnle Linux comes bundled with the best network sniffers you could imagine!
Sorry for the shameless plug but I find ipaudit and ipstrings useful. Available from sourceforge.
ipaudit is similar to netflow: it summarizes network traffic byte count for every host pair, protocol, and port pair. ipstrings reads string data off the wire, similar to the unix utility strings. It's included in the ipaudit package.
I've used EtherPeek:
http://www.wildpackets.com/
Runs on Macs too! Very good interface. The one feature this has over most all others is that you can capture AND look at traces at the same time. Most (Ethereal included) require you to capture a "snapshot" then do "post-analysis". The only downside is their "driver" depends upon the underlying OS, and on Mac OS 9 the timestamps were not that accurate.
One that was more accurate was LANdecoder32 from Triticom:
http://www.triticom.com/
They have special drivers so if you get a NIC that they support, this driver will really get down into the card and can do very accurate timestamps.
I've used Sniffer in the past (10+ years ago) so I don't know how they've changed since. Back then, they did most of their protocol processing ON their custom cards, so they were very accurate.
I've also used the HP LAN Analyzers. Very accurate, but as with all things HP (now Agilent), the absolutely WORST interface on planet Earth!
Disclaimer: My brother is a senior manager at ipswitch
We use What's Up Gold in my job to analyse and diagnose the network. It diagnosed a looping issue that was taking down the network that our network admins said was not happening. They had a router incorrectly configured. It is a very good tool to cover all of the network monitoring/auditing tasks.
In God we trust, all others require data.
Ntop is good to get the general picture of what is going on on your network, can run a webservice with graphics and stuff, that kind of things always keeps your CEO happy - uhh he makes charts and graphics, must be important :-)
;-)
Snort is my favourite utility over tcpdump, I think it is easier to use, and also, it can be used for IDS - there are plenty of rules on www.snort.org and www.whitehats.com.
Both snort and ntop are free, so I guess they are not very useful to you
On a Win32 platform nothing beats Solar Winds for the probing & inspecting of your entire network.
I am also quite fond of Iris for packet sniffing.
(There are "bigger & better" packet sniffers around {including one in Solar Winds} but IMHO it's just a nice tight solid program.)
"The price good men pay for indifference to public affairs is to be ruled by evil men." ~Plato (427-347 BC)
You will need to designate a promiscuous port on a managed switch. This will set up a full frame repeat from all ports on the switch to your monitoring host. This will allow you to see all frames instead of just the unicast designated for you and/or the broadcast frames.
When you are setting up your monitoring schema, you also need to look at any VLANs you may have set up to see what actual traffic you need to sniff and from where it is originating.
Most enterprise level networks are using managed switch fabric. If not, please give me their contact information so that I may smack them.
If you're using Windows, use either Ethereal or Networkactiv (http://www.networkactiv.com). Also, for sniffing HTTP packets this is a handy tool: http://www.pocketsoap.com/tcptrace/pt.aspx
ettercap owns all k
Today "Tom in Marketing" can set up a wireless access point in about 5 minutes, potentially leaving a door open to the rest of the network.
..
To check if there are any wireless networks around, you might have to wardrive the premises. A laptop, a WiFi card and Network Stumbler is all you need for a quick scan of the surroundings. Depending on the layout of the company, a GPS can be added to pinpoint a rogue access point more easily. Not strictly necessary though. Just take a walk around the building and you will see what pops up; some of it might be part of your wired network, bridged to wireless and left open to the world.
Sniffing traffic on an unauthorized part of the network is not difficult; snort or similar can do the trick. Physically removing the AP is easier though... "Tom" will report to your office to get his router/bridge back.
"EtherPEG is a free program for the Macintosh that shows you all the JPEGs (and GIFs) going by on your network."
(Karma = auto -1)
http://www.objectplanet.com/Probe/
There is a company called Q1Labs that has a network anomaly monitoring tool. We use their software to keep track of general health of our networks and to pick out anomalies (worm attacks, DoS etc). Not free but really good at what it does. Highly recommended.
I like Ethereal as it's highly comparable to Etherpeek without the cost...plus it runs on Linux.
I don't think anyone's mentioned it, but LanSleuth is a product with some nice features that Ethereal doesn't have - like "sniff in the morning from 2 - 4 AM" and a cool graphical logic tree for building those filters. Windows only, though. They have a version that supports TokenRing, too.
www.lansleuth.com
(Obj disclaimer - I used to work for the LanSleuth people. I use Ethereal at my current job because I can customize it to support our bizarro protocols and, despite being a multi-billion dollar company, they're damn cheap. I'd use LanSleuth if I could.)
As an alternative to the flood of Ethereal posts, I'd recommend that the OP also take a look at CommView.
I gave it a try after having been completely unsuccessful in getting a Windoze binary of Ethereal to run on my home PC. Crashes, lockups, the usual Windows issues. Probably a combination of the dreaded DLL-hell and the particular embedded Ethernet chip on that motherboard.
But I wanted to watch outgoing packets (suspected a spyware app was running), looked around for an alternative, and gave CommView a try. Worked the first time, no crashes, nice interface, yada yada yada.
There are "personal" and "enterprise" editions (priced accordingly) as well as an evaluation download.
It's not Free Software (not even free-as-in-speech) and it runs on Windows, so I'm sure it's responsible for the fires in Canneto di Caronia in Sicily among other abominations -- but if you need this kind of tool in a Windows environment, check it out.
Trusted by cats.
I use either tcpdump - or I hack up a custom tool starting with the source to EtherPeg:
http://www.etherpeg.org/
(Shows you how to grab packets promiscuously. And you can learn an awful lot from reading and working with this code.)
Yes, it is Mac only.
-s
Some network problems can be easily identified with any of the usually available tools (ethereal, tcpdump, etherpeek, even the tool built into Win2k server [limited to packets to/from it]), but which tools actually do some kind of layer 7 analysis, and not just decodes, on the transactions for you?
Unless you're very well-versed in a specific protocol relative to what you're doing, I've often found that full protocol decodes don't really help all that much because I'm not enough of an expert in the underlying protocol to know what's wrong.
It'd be great to have something say "packet NNN response field FOO bad data" or something to understand what was really wrong or missing.
Ethereal is great and all, but as far as Wireless goes it just doesn't cut it for me. Considering I use wireless almost exclusively for internet access, it's nice to have tools like Kismet, which displays information for all wireless networks in an area. Very handy tool for wireless administration and monitoring.
You youngin's don't know how good you got it. Why, back in my day we didn't have no fancy, schmancy network sniffers. We just power cycled the boxes until they started working right (or until quitting time, whichever came first).
*mumbles* gotta teach these whipper snappers a thing or two - next they'll need some lessons in percussive maintenance
I'm a netadmin on a campus with about 5000 users. Being that Linux seems to be the way to go for network analysis tools, we've tested a variety of packages, including ethereal. However, so far as customization goes, I've found snort to be one of the best. With it, we can configure custom rules to sniff out just about any p2p client, trojan pattern, or any other network traffic inhibiter. Ethereal is good stuff, but for a monitoring station, snort got our vote.
Romans 8:1 "For there is now no condemnation for those who are in Jesus Christ."
on my iBook I use MacStumbler (an easier to use Kismet) and MacSniffer. I like 'em a lot, and they're both free and GPL.
CB
free ipod and free gmail!
didn't see any mention of tcpflow... has anyone (except me) ever used it? On several occasions it has helped me figure out the real cause of the problem. When all I could see on the client machine was a cryptic error message, I would fire up tcpflow and analyze the real data being pushed around. Of course if the data is encrypted... tough luck!!! Nevertheless it has saved my ass several times.
Disclaimer: IANANA (I am not a network admin)
Regardless of the tool used, I have to run it/use it on a router that's processing the problem packets. It would take more than 5 minutes to get to all of the appropriate routers with a physical device. Once I have it on that router, either fluke or ethereal should find the problem immediately, if I know what port I'm looking for data on.
So how is it better? Can you explain to me how you use it that would make it easier than "ssh -X"ing to the box and running ethereal?
When I know what I'm looking for I love Snort. It's easy to whip up some custom rules and filter down traffic to show you exactly what you're looking for - either with snort's own rules or tcpdump's standard bpf filters.
If you take the time to learn how to use tcpdump, it's the most powerful - but I usually only need its power for research more than administration.
Ethereal is very useful; moreover, it's free. I used it to troubleshoot a router problem with Cisco TAC. They were able to see my capture.
http://www.isolvesystems.com - Technology Marketplace
Check out the tools page on www.insecure.org. There is a shopping list of security tools, both free and pay. Some really great stuff, including ethereal.
What is it that makes you think it is so incredible within this genre of applications? Do you sing its praises only because it is the obligatory OSS choice for protocol analysis?
I'm not disparaging it as a useful tool under some circumstances, but the best? Not by a longshot.
Most of you (yes, you) have no idea of what Sniffer Pro, Etherpeek, or the (incredible) power of certain combinations of Fluke hardware and software can do.
Open your mind. (and your checkbook)
I have tried many different sniffers.
Ethereal I could never get to function correctly.
(Disregard the 13 root exploits in the software)
SNORT is decent, though I don't think it would suit your needs.
One I have found to be decent though very limited is WPE-Pro. Give it a shake.
Or your other option, write one.
I am Bennett Haselton! I am Bennett Haselton!
recently, on my home network, i came across a severe lag problem. one of the computers ran bitTorrent (windows 2000). the app in charge was killed. traffic continued.
:(
I logged into my router, fired up iptraf and found 688x traffic from that machine (tracked it down by MAC), found out 'doze wasn't so smart about killing child processes and the transfers were still running even though the program was supposedly DEAD.
if i have to do that again...
as far as clueless 'sysadmins' go. i work for one who doesn't know how to id a switch from a hub from a router AND somehow thinks you can ghost an 8GB disk image to 10 boxes at a time over a 10MB full duplex link and it'll be quick
you canna' do that, man!
Logistical Chaos Officer http://www.slagg.org - LAN Gaming in Sarasota FL,USA
I have been very happy with Commview, it's an extremely easy to use network sniffer. You can get a free demo which lets you analyze 50% of incoming packets from www.tamos.com... Actually you can see 100% of the packets, just not the raw hex data for half of them. This doesn't matter though since the program displays a user-readable summary for each packet in another window and this is not limited at all.
In one xterm:
In the second one:
In the third one:
I actually had that in my .xsession for a while (with varying values for the -n argument of strings) but after seeing all my flatmates' IMAP and POP3 passwords, AIM and IRC conversations, Webmail HTTP traffic, etc, my morals made me stop using it. It's pretty cool though, and you get a very good idea of what is going on on your network.
...thread on slashdot I've ever read.
I finally got to the bottom and had a list of about 10-20 programs and around 20-30 tabs (I love fire{bird|fox}) queued up for bookmarking in my network utilities folder.
To all that took the time to post on the thread, thank you. It isn't often that one comes across a gold mine like this that yields so much good information in regards to tools and methods to becoming a better admin or power user. Maybe in a few more years I won't feel like a pretender using the root login.
-3phase
----------
you can't spell gEEk without an EE (yah, I copied that from someone)
What SysAdmin worth his/her salt hasn't heard of and used Ethereal, or can't use GOOGLE to find something similar? Man, I must be getting bitter and cynical in my old age. Or maybe I just don't like idiots. I should start posting as an AC.
No wonder companies are outsourcing techs.
It has compiled on every system I've wanted to use it on, and is a quick way to get a good look at who's connected and what they're up to.
Check it out here.
Snort as a recommendation is a rather good pun but, as a network sniffer (packet capture/protocol analyzer) Snort is not the answer.
Snort is an Intrusion Detection System (IDS) that monitors network traffic and performs an action when it sees a matching pattern. That action could be a log entry or it might be configured to save the packet to a file. Other actions are possible using external programs. Snort uses libpcap, of TCPDump fame, to monitor or capture the network traffic. Snort is useless for displaying or analyzing network traffic, but this is not a function that it was designed for.
Ethereal is a graphical protocol analyzer, although it does include a command line version as well called Tethereal. Ethereal also relies on libpcap for actually capturing the network packets, but it goes much further than simply capturing network packets. Ethereal displays a break down of the packets themselves, separating, categorizing and displaying the various fields and data in a packet. It goes further by also decoding a long list of higher level protocols that may be included in the packet.
Ethereal is also capable of reading and decoding network traffic that has been captured and saved in other formats. Ethereal can read and save packet capture files in MS Network Monitor, NAI Sniffer Pro, and many other formats. Ethereal is increasingly recommended by companies such as Novell who actually has had their own protocol analyzer for years called Lanalyzer. Cisco support engineers are also increasingly recommending the use of Ethereal for capture and analysis of network traffic when troubleshooting potential problems with their equipment.
TCPDump has also been recommended by many people here on Slashdot. TCPDump is a command line based protocol analyzer. It also relies on libpcap for actual packet capture, but it then displays a break down of the actual packets. Its display is not as attractive or as configurable as the graphical Ethereal and it is more limited in the number of protocols that it can interpret and disassemble, but it is still a very powerful and capable program. Furthermore, its output can be saved for further examination by Ethereal.
There is a free packet scan nlm file that you can run on Novell NetWare. The file dumps can be read with Ethereal.
Guidelines to Take a Packet Trace
Packetscan - NetWare packet capture tool
How to use Ethereal to capture a packet trace.
How to configure a capture filter for Ethereal
Doesn't the increasing deployment of switched routers make some of these tools useless unless you are logged into one end-node of the communication ?
For freeware, you can't beat ethereal. I use it several times a week.
If you have a serious budget, check out OpNet, which can do fun things like response time breakdowns, or "how well will this app run if the client is across the country instead of next to the server," or "what happens if I have another 300 clients like this one submitting requests @ 5/minute with a poisson distribution", or "If I make the following configuration change to router X, then router Y fails, and we have a network backup running, how much interruption in the transaction will occur."
I am a Windows user, I don't know how to force Linux to network well. I am actually testing coLinux for the fun factor, but it is difficult under my network-complex environment, so I use Ethereal as The Tool to "debug" if packets cross from coLinux to TAP to Windows, or die at colinux.localhost, or whatever... Also looks like Ethereal can be a cool tool to debug game network protocols. I am an engine coder myself (Telejano: a GPL Quake engine) so this tool can be fantastic!
-Woof woof woof!
Well, I am afraid the company I bought this from went under (Premier Advance Products) but a year or two ago, I purchased a slick little machine that's just a bit bigger than an external modem (about 5" x 3" x 2") and it's got a Pentium class CPU, 128MB, a 6GB 2.5" HD, ethernet, PCMCIA etc. It fits in the accessory area of my laptop case so it's with me all the time. I installed RedHat on this using a PXE server (comes with the RH distro) and I use this constantly for sniffing and network baselining. On this box, I have ntop, tcpdump, ethereal (and tethereal), sniffit, etherape and any other open sniffer I could find. I simply put it out in an area I want to sniff and leave it for as long as it takes to find the issue. Then, I can come back to my desk and SSH into the machine whenever I need to look at traffic on that segment. I've used this machine for diagnosing email issues in the DMZ, for analyzing traffic stats on segments that were running slow and even for impressing the bosses with the pretty graphs from ntop. It's worked great for me. I would highly recommend something like this for people looking for a highly portable sniffer.
with the proliferation of wifi, I am surprised no one has mentioned kismet yet. It allows for live capture of 802.11a/b/g traffic which can then be analyzed by ethereal. Also passively watches the network for programs like netstumbler and alerts you to their presence.
dowski
Windows: Ethereal cuz it's free; LanHound cuz it can rebuild a conversation making things MUCH easier to read/understand. Wireless: AirSnort, free. Irix: $? Linux: Ethereal
Ironically, computer programs are the one area in life where free things are often better than expensive alternatives.
I respectfully disagree. I would replace "often" with "rarely."
Best server OS? BSD. Best Web server? Apache.
Best graphics editing suite? Adobe Photoshop. Best office suite? Microsoft Office. Best database backend? Tough call, but none of the front runners are (capital-F) Free.
And I would respectfully submit that even your assertion that Apache is the "best web server" is weakening by the day, as more and more businesses rely on interactive web presences, and turn to the easily-developed-and-deployed .NET platform, rather than the clunky, kludgy PHP solutions of old.
Sure, if I just want to put up some static pages, Apache is the best. However, the web is evolving faster than Apache, and virtually everyone wants MORE than that now.
Like woodworking? Build your own picture frames.
the actual name is NetIntercept. see http://www.netintercept.com/. Now available in 2u or 4u rackmount units, featuring silent packet capture, stream reassembly, reconstruction of transferred files and web pages, intuitive UI, and scripting capabilities.
Session reconstruction, filtering, blah blah. Yes, Ethereal and Tethereal rock but I've had no end of fun seeing what people are up to on networks using IRIS. It's not cheap but it used to be and I've got an older version from WAAAY back that still works well. WIN32 based.
http://eeye.com/html/Products/Iris/index.html
Build it, Drive it, Improve it! Hybridz.org
Ethereal is nice, but what do you do when your network is switched, and you don't have instant access to the closets.. (you can get in them, but you have to track down the building people to get you in..)
It gets old just looking at your own packets..
---- Booth was a patriot ----
> Of course, the more reasonably priced the better,
> but I know you usually get what you pay for."
No, you don't. If that were the case, we wouldn't need RMA, and returning software that doesn't do what it's supposed to would be easier. Go download ethereal, and then visit here to make a contribution if you want to get rid of some ching. http://www.fsf.org/
boycott slashdot February 10th - 17th check out: altSlashdot.org
How do these two packages compare?
You can never go home again... but I guess you can shop there.
I've spent some of the last few years on network monitoring, primarily for web-focused stuff. This used to be for outward-facing websites, but in the last year a lot of the big corporate apps have migrated their front-ends to HTTP. There are a few shifts that make traditional sniffing less and less useful:
Confidentiality. Most important apps are encrypted, usually with HTTPS, making them hard to diagnose at least for the database-intensive stuff that causes delays. This means you need to decrypt traffic (preferably with a copy of the server's private key) which in turn requires good key management (maybe FIPS) and decent control of data once it leaves the box. For example, you may want to delete any values after the POST parameter "password" before you persist the analysis to disk.
Port 80 convergence: The old analysis of traffic by port you get from a layer 4 sniffer is useful, but when all your traffic sits on one port it's hard to get useful results. You need to get down to a specific domain ("all traffic to example.com"), a specific object type ("all .jsp requests"), a specific page ("index.html") and even a specific parameter ("searches by zipcode").
Volume of traffic means that near-real-time analysis is important, or the buffers have gone by and the fire's somewhere else.
A couple of years ago, this "real user monitoring" stuff got largely ignored in the IT world. Today I get a lot more people who want to look at availability and performance by measuring users (no load, no scripts, more accurate) rather than synth testing.
Anyway, (disclaimer: I do tech strategy for a company that makes stuff in this area) there are a lot of software tools that reassemble the HTTP if it's what you're interested in. Some do it in real time; some mine the data after the fact. Some do it with performance information; others let you replay things. The shortlist of companies I usually pay attention to is:
Coradiant (where I work)
Adlex
Tealeaf
Network Physics
Peakstone
NetQOS
Niksun
NetLogger
Quest Spotlight
Mercury Interactive Real User Analyzer
ClickCadence
I'm curious: how much demand is there for web-specific sniffing (gaining application context at the expense of port breadth and non-http analysis)? Is it after-the-fact troubleshooting, or before-the-fact service level reporting?
Alistair.
Compromise is the opposite of creativity.
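The post above makes two points that are easy to show in code: once everything converges on port 80/443, a port-level view is useless and you have to classify reassembled HTTP by host, object type, page and parameter; and before you persist any of it you should scrub values such as a POST `password` parameter. The following is an added example, not code from the post or from any of the vendors it lists. The three requests are constructed, and the list of parameter and header names treated as sensitive is an assumption.

```python
"""Classify reassembled HTTP requests by host/object/page/parameter and redact
secrets before persisting. Added example; the requests below are constructed."""
from collections import Counter
from urllib.parse import urlsplit, parse_qsl, urlencode

# Assumption: parameter and header names whose values must never reach disk.
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "token"}
SENSITIVE_HEADERS = {"authorization", "cookie"}
FORM_TYPE = "application/x-www-form-urlencoded"


def parse_http_request(raw: bytes) -> dict:
    """Split a reassembled request into method, host, path, query, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    return {
        "method": method,
        "host": headers.get("host", "").lower(),
        "path": parts.path,
        "query": parts.query,
        "headers": headers,
        "body": body.decode("iso-8859-1"),
    }


def is_form_post(req: dict) -> bool:
    return req["method"] == "POST" and req["headers"].get("content-type", "").startswith(FORM_TYPE)


def classify(req: dict) -> dict:
    """Application-level keys: host, object type (extension), page, parameter NAMES only."""
    last = req["path"].rsplit("/", 1)[-1]
    ext = last.rsplit(".", 1)[1].lower() if "." in last else ""
    params = dict(parse_qsl(req["query"], keep_blank_values=True))
    if is_form_post(req):
        params.update(parse_qsl(req["body"], keep_blank_values=True))
    return {"host": req["host"], "object_type": ext, "page": last or "/", "params": sorted(params)}


def redact_form(encoded: str) -> str:
    """Keep parameter names, replace sensitive values; order is preserved."""
    pairs = parse_qsl(encoded, keep_blank_values=True)
    return urlencode([(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v) for k, v in pairs])


def redact_request(req: dict) -> dict:
    """Copy of the request that is safe to persist for later analysis."""
    safe = dict(req)
    safe["query"] = redact_form(req["query"])
    safe["body"] = redact_form(req["body"]) if is_form_post(req) else req["body"]
    safe["headers"] = {k: ("REDACTED" if k in SENSITIVE_HEADERS else v) for k, v in req["headers"].items()}
    return safe


def summarize(raw_requests) -> tuple:
    """Counts per (host, object_type) and per parameter name, the breakdowns the post asks for."""
    by_type, by_param = Counter(), Counter()
    for raw in raw_requests:
        c = classify(parse_http_request(raw))
        by_type[(c["host"], c["object_type"])] += 1
        for name in c["params"]:
            by_param[name] += 1
    return by_type, by_param


# Constructed sample traffic (not captured from any real site).
LOGIN_POST = (b"POST /login.jsp HTTP/1.1\r\nHost: app.example.com\r\n"
              b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 32\r\n\r\n"
              b"user=alice&password=hunter2&go=1")
SEARCH_GET = (b"GET /search.jsp?zipcode=53101&q=valves HTTP/1.1\r\nHost: app.example.com\r\n"
              b"Cookie: JSESSIONID=abc123\r\n\r\n")
STATIC_GET = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
SAMPLE = [LOGIN_POST, SEARCH_GET, STATIC_GET]

if __name__ == "__main__":
    by_type, by_param = summarize(SAMPLE)
    print("requests by (host, object type):", dict(by_type))
    print("requests by parameter name:", dict(by_param))
    print("persisted login body:", redact_request(parse_http_request(LOGIN_POST))["body"])
```

Note that `classify` deliberately keeps only parameter names, so a "searches by zipcode" report never needs the values, and `redact_request` runs before anything is written, which is the ordering the post recommends.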
As far as open source is concerned, where you are managing multiple segments and need to identify bottlenecks and throughput, you should look into www.ntop.org. We use this in two of our data centers off of our MDF. We can't do straight packet analysis, but at least we can analyze the header information and other things to isolate problems. ntop could also be used to identify security problems, p2p-related ones too. Check it out!
i know one thing, i know nothing...
eh!? Do you prefer buggy MS? BTW, is there something better than BIND, Exim, JBoss, Tomcat, (Perl, Python, Ruby), AbiWord, etc.? ... these front runners are open source and almost capital-F
---- Where is my mind?
Now that's funny. That hand sign is one that was used in my unit when I was in the military, it translated to "Just another fuck story". The context would be:
Friend: "Where are you going"
Me: Flashing the sign, "Top wants to see me"
Friend: "Ahhh, sorry to hear that"
What's funny to me is that if that's the SysAdmin secret handshake, then its meaning hasn't changed in 20 years.
Buy one linux server, and then discover the wonders that are ping and SNMP. Simple tools such as Nagios and MRTG (or NRG or Cricket) can do wonders for helping spot problem switches/routers and congestion spots.
For example, every device we have is pinged 3 times every minute, and queried for bandwidth usage every 5 minutes. This has helped in finding bottlenecks, and the occasional switch that reboots every few minutes. (MRTG alone convinced the higher ups to buy new gear for our Datacenter and give it a dedicated link to the Core).
Also, setting up a wonderful SNMP trap server can be very useful. It allowed us to find a switch that likes to reboot at random intervals (the switch is 5 years old and being replaced this weekend). Of course, having it send a trap whenever a switch reboots is just the start of what certain switches/routers can do.
Also the use of Snort to sniff traffic that can be potentially malicious can be very helpful in tuning firewalls and finding those script kiddies. (use ACID for a pretty front end)
Another nice tool is NTOP Does almost everything NetFlow does and has a pretty graphical frontend built in. (I recently used this to find out that one of our firewalls was sending gigs of syslog data to the wrong server.)
And with the mention of syslog, might as well throw out a link for syslog-ng. yet another useful tool.
Basically the point of this is to say that sometimes it's best to let your equipment do the talking. They'll usually tell you what's wrong, just as long as you've set them up to do so. I found that once we put a lot of these tools into full production, we were able to cut down on our need to sniff the line whenever problems came up. This isn't to say that Ethereal isn't needed. That's hardly the case. Its use is still huge and shown all the time.
Person who said snort isn't good as a sniffer is thinking too linearly. The way to use snort as a sniffer is to have it log the traffic to a file, continuously, in round-robin fashion. That way you have the traffic recorded but you also have it analyzed for intrusions. When you want to go back and look at the traffic with a sniffer, you just open the files with the sniffer. Since the data is stored in libpcap format, nearly every other package out there can read it.
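Two posts in this thread meet in one piece of code: the war story about a switch bit-flipping the MAC in ARP responses, which took Ethereal in several spots to catch, and the point just above that Snort, tcpdump and Ethereal all read and write the same libpcap format. The following is an added example, not code from either poster or from any of those tools. It parses a classic libpcap file by hand (the 24-byte global header, then a 16-byte record header per packet), decodes Ethernet/ARP, and reports any IP that answered ARP from more than one MAC, which is exactly the symptom the first poster had to find. The capture bytes are constructed inline and the addresses in them are made up.

```python
"""Read a libpcap capture and flag IPs that answer ARP replies from more than
one MAC. Added example; the capture below is constructed, not a real trace."""
import struct
from collections import defaultdict

PCAP_MAGIC_LE = 0xA1B2C3D4   # classic pcap magic, little-endian writer
LINKTYPE_ETHERNET = 1
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def iter_pcap_packets(data: bytes):
    """Yield (timestamp_seconds, frame_bytes) from a classic libpcap file."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:      # same magic written by a big-endian host
        endian = ">"
    else:
        raise ValueError("not a libpcap file (bad magic)")
    _major, _minor, _zone, _sigfigs, _snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        frame = data[offset:offset + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated packet record")
        offset += incl_len
        yield ts_sec + ts_usec / 1e6, frame


def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/ARP frame, else None."""
    if len(frame) < 14 + 28:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    arp = frame[14:42]
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", arp[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):   # Ethernet/IPv4 only
        return None
    sender_mac = arp[8:14].hex(":")
    sender_ip = ".".join(str(b) for b in arp[14:18])
    return oper, sender_mac, sender_ip


def arp_conflicts(data: bytes) -> dict:
    """IPs that appeared as ARP-reply sender with more than one MAC, with the MACs seen."""
    claims = defaultdict(set)
    for _ts, frame in iter_pcap_packets(data):
        parsed = parse_arp(frame)
        if parsed and parsed[0] == ARP_REPLY:
            _oper, mac, ip = parsed
            claims[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


# --- constructed sample capture -------------------------------------------
def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    eth = target_mac + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY) + sender_mac + sender_ip + target_mac + target_ip
    return eth + arp


def build_pcap(frames) -> bytes:
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = b"".join(struct.pack("<IIII", 1_000_000 + i, 0, len(f), len(f)) + f for i, f in enumerate(frames))
    return header + records


SERVER_MAC = bytes.fromhex("001122334455")
FLIPPED_MAC = bytes.fromhex("001122334454")   # one bit flipped in transit by the bad switch
CLIENT_MAC = bytes.fromhex("aabbccddeeff")
PRINTER_MAC = bytes.fromhex("0a0b0c0d0e0f")
SERVER_IP, CLIENT_IP, PRINTER_IP = bytes([10, 0, 0, 5]), bytes([10, 0, 0, 20]), bytes([10, 0, 0, 9])

SAMPLE_PCAP = build_pcap([
    build_arp_reply(SERVER_MAC, SERVER_IP, CLIENT_MAC, CLIENT_IP),     # good reply
    build_arp_reply(PRINTER_MAC, PRINTER_IP, CLIENT_MAC, CLIENT_IP),   # unrelated, consistent
    build_arp_reply(FLIPPED_MAC, SERVER_IP, CLIENT_MAC, CLIENT_IP),    # mangled reply for same IP
])

if __name__ == "__main__":
    for ip, macs in arp_conflicts(SAMPLE_PCAP).items():
        print(f"{ip} answered ARP from {len(macs)} MACs: {', '.join(macs)}")
```

Because the reader only depends on the file format, the same function works on a tcpdump `-w` file, a Snort round-robin log or an Ethereal save; running it over captures taken at several points in the mesh is the scripted version of "run it in multiple spots to see the arp change".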
If you use managed switches, they make great network monitors. Most vendors include software to view the switch performance data.
Amen, brotha!
I just learned about a secret gang sign for vi that doubles as an advanced sexual pleasuring manuver!
"News for Nerds. Stuff that matters!"
w00t!
"Creativity is allowing ones self to make mistakes. Art is knowing which ones to keep" - Scott Adams
To Slashdot, that is.
;)
Your subject should have been IANANA.
I've been playing with Etherwatch. Not bad - free version has same features as Etherpeg, and $29 for additional features. www.etherwatch.com
It is especially handy when people were complaining about slow access on the network. I did a sniff and found about 33% of all network traffic was from printers broadcasting Appletalk packets and another 10% or so was DLC and IPX/SPX. Since the MAC address was detected I simply located the IP and put each IP into my browser and went in to the web based admin utility and killed everything but TCP/IP. The users were amazed how much of an improvement it made. For an encore, I went into the Macintosh only area and converted each user from Appletalk printing to LPR/LPD printing (OS 8.6 - 9.0) and again killed it on all the printers. I explained that each printer had the IP labeled on the front, so they shouldn't dig in the chooser, but use the IP instead. There was no point however completely killing Appletalk since the whole network was basically peer to peer and everyone had set up shares on all their systems with passwords and it wouldn't have been worth it trying to reinvent the wheel. Appletalk is the devil spawn!
A user manufacturing facility? What, do you work for SCO?
About umpteen years ago, the customer services division of the company that I worked for was instructed that they MUST purchase a Network General Sniffer device.
....
Network General later merged with McAfee Associates to become Network Associates, by the way.
Anyway, this Sniffer device was just a Compaq luggable thing (not a laptop, a luggable), with a special NIC with a BNC sticking out of it. That NIC was supposed not to drop any packets no matter how much traffic is on the LAN. The software that came with was DOS based, and did all sorts of nifty things with protocol analysis and stuff.
How much did that baby cost? $30,000 US. Yes! That much.
Later, Network General started selling a PCMCIA card with software to do the same on any laptop for much less money. And yet later they sold only the software and recommended NICs.
Talk about milking the cow to the last drop!
Last year, I was experimenting with a Knoppix CD, and then ran into Ethereal, and then I immediately remembered the $30,000 paid for that sucker, and said Oh My God
2bits.com, Inc: Drupal, WordPress, and LAMP performance tuning.
that's what the VI sign *really* is. ;-)
Nobody is going to mention sniffit?
"No nation could preserve its freedom in the midst of continual warfare."
--James Madison
The last company I dealt with had a problem: Out of 14 Husky injection molding machines, only 3 HMIs were connecting and staying connected, while the rest dropped off the network like flies in a matter of days. No previous networking knowledge.... IBM Redbook on TCP/IP protocol + Ethereal sitting on the main hub = Crash course in network topology considerations and server behaviour modification through the OEM...Complete success! Ethereal was easy to use, but powerful and no distracting eye-candy...Start with it, and stay with it.
Hell, not even Google knows that...
Be careful! Bears shouldn't consume large furry dogs.
The best choice for sniffing in a network with lots of traffic (you said 500 users) is to use netflow from your routers and/or switches.
Packet-level sniffers, such as Ethereal, are only useful at the desktop level. When you go to the backbone or trunks you need some level of aggregation. Netflow is just fine. Too much data is just as useless as no data at all.
There are netflow sniffers which even give you some added value such as statistics.
Used it for quite a while, works fine.
"When I look back, my life is not a foreign country, it's more like a library book returned long ago." - ????