What Network Sniffing Tools Do You Use?
network-nose asks: "I work as a Network Administrator in a 500 user manufacturing facility in southeastern Wisconsin. My job is to keep the company running as close to 100% of the time as possible while trying not to spend any money on up-to-date hardware and software. As of late, we have been having quite a few network problems that can only really be resolved by sniffing packets. I am wondering what tools the rest of you network guys and gals out there use in a corporate environment for analyzing packets. Of course, the more reasonably priced the better, but I know you usually get what you pay for."
As of late, we have been having quite a few network problems that can only really be resolved by sniffing packets.
What kind of problems are you talking about? On ethernet level? On IP level? On application level?
They all have different approaches, and all have different tools.
bash$
Hmmmmmmm... Let's see, Manchester encoded, you'll need at least five or six samples per bit just to see it. One packet == 56 bits preamble plus the start frame delimiter plus what, 1500 bytes payload plus four bytes CRC, we're talking a good 100K samples or so at 60MHz. Sure - no problem! Just get ready for some serious sec/div spinning. :)
It can come in handy when you're trying to track down a problem with a piece of closed-source software, and the developers are no help. Or a piece of open-source software that is bugging out with certain input from certain IPs.
Sometimes it's not practical to hack sniffing in to the application, when you can just do 'tcpdump -Xns 16384' any time.
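As an added illustration of what 'tcpdump -Xns 16384' is showing you when you point it at one of those closed-source programs, here is a small Python decoder that is not from the original thread: it assembles a constructed Ethernet/IPv4/TCP frame (made-up MACs, 10.0.0.1:12345 to 10.0.0.2:80, an HTTP request as payload), verifies the IPv4 header checksum, pulls out the fields a sniffer's summary line prints, and renders the frame in the offset / hex / ASCII layout that -X produces. All addresses and the payload are invented for the example.

```python
import struct

# Constructed sample frame: Ethernet II / IPv4 / TCP, not a real capture.
# Every address and port below is made up for the example.

TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when run over a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(payload: bytes) -> bytes:
    """Assemble the constructed test frame (hypothetical hosts 10.0.0.1 -> 10.0.0.2:80)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    # TCP checksum left as 0 on purpose; a real sniffer would flag it as bad.
    tcp = struct.pack("!HHIIBBHHH", 12345, 80, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def parse_frame(frame: bytes) -> dict:
    """Decode Ethernet/IPv4/TCP headers the way a sniffer's summary line does."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst_mac": frame[:6].hex(":"), "src_mac": frame[6:12].hex(":"),
            "ethertype": ethertype}
    if ethertype != 0x0800:
        return info  # not IPv4; leave the rest undecoded
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        raise ValueError("bad IPv4 header")
    if ip_checksum(ip[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", ip[2:4])[0]
    info.update(src_ip=".".join(map(str, ip[12:16])),
                dst_ip=".".join(map(str, ip[16:20])),
                proto=ip[9], ttl=ip[8])
    l4 = ip[ihl:total_len]
    if info["proto"] == 6 and len(l4) >= 20:
        sport, dport, seq, ack, off, flags = struct.unpack("!HHIIBB", l4[:14])
        doff = (off >> 4) * 4  # data offset is in 32-bit words
        info.update(sport=sport, dport=dport, seq=seq, ack=ack,
                    flags=[name for bit, name in TCP_FLAGS if flags & bit],
                    payload=l4[doff:])
    return info


def hexdump(data: bytes, width: int = 16) -> str:
    """Render bytes in the offset / hex-pairs / ASCII layout tcpdump -X uses."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"0x{off:04x}:  {hexpart:<39}  {text}")
    return "\n".join(lines)


if __name__ == "__main__":
    frame = build_frame(b"GET / HTTP/1.0\r\n\r\n")
    p = parse_frame(frame)
    print(f"{p['src_ip']}.{p['sport']} > {p['dst_ip']}.{p['dport']}: "
          f"Flags [{'.'.join(p['flags'])}], length {len(p['payload'])}")
    print(hexdump(frame))
```

The checksum check is there for the same reason the -s 16384 snaplen is: a decoder that silently accepts a damaged header will lead you to blame the application for what is really a cabling or driver problem, and a capture that truncates the packet hides exactly the payload you were after.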
The guy mentions that he works for a manufacturing plant. Who knows what CNC mills and EFDs pass across the network. He's probably debugging the controller software for various equipment that they have.
Keeping
They're both free too. I'm honestly a little surprised that a network admin (as the author claims to be) would post this question.
Although I've never used ethereal on windows, it works great on linux. And you can even use tethereal in your scripts since it's the command line based version of ethereal.
I, too, prefer Sniffer Pro to everything else I've tried. We use many of their hardware appliances at the office (have at least one in every remote site), plus everyone in the department runs the portable software on their laptops. It is indispensable, but don't even start to think that you can just believe everything the 'expert' tells you. Unless you spend hours training it as to what constitutes a broadcast storm on your network, and what is excessive for this and that (the defaults are useless on any enterprise network), it will only start to give you the picture. It is better than not having an expert (at-a-glance diagnostics of your traffic), but you still have to dig through the individual packets except for the most simple problems. They also have had quite a few bugs over the years, especially with the hardware appliances (distributed), but overall I am happy with them. Better than Finisar and ethereal (for me).
Of course, the more reasonably priced the better, but I know you usually get what you pay for.
Right, since our FREE (as in beer) Operating System doesn't hold a candle to those other OS's that actually cost money, and stuff, right?
I've seen packet sniffers that cost upwards of $10k on a proprietary box that you couldn't change the ethernet cards out of else it would break the configuration. But a $250 linux box running ettercap (or any of the other tools mentioned here) would have performed just as well, if not better.
You should know better than to equate cost with goodness around these parts, stranger.
GIR: I'm going to sing the Doom song now. Doom doom doom doom doom doom de-doom doom doom doom doom doom doom...
I'm honestly a little surprised that a network admin (as the author claims to be) would post this question.
I'm not. It's not like you need to know the secret handshake before you can become a network administrator. In a lot of places, it just means you're the guy who knows the most about it.
Be wary of any facts that confirm your opinion.
You wouldn't want to do this to a link with any substantial traffic.
:) Ok, it may not be entirely possible. (I'll leave it to someone with a higher Cisco cert than me to sort out the rest of that one)
:) I just have a bit of a problem monitoring our GigE uplinks. Not too many PCs or laptops can sniff 500+Mb/s, and most don't come with GigE fiber ports. :)
I guess I just see things in terms of the networks I work with a lot. Throwing 80+Mb/s through a hub may not be the wisest choice.
My preferred way to do it is just have a port monitor another. But we use Cisco extensively, so it's really easy for us.
Serious? Seriousness is well above my pay grade.
>> Hubs are pure, unadulterated evil.
:)
I disagree. They're great for sniffing packets. If you've got an ethernet-connected device that doesn't have a sniffer onboard, and you want to see what the heck it's doing, a hub is a handy tool to have on your shelf. I use them quite often to intercept traffic while debugging software and hardware at work.
They also allow you to run a trace on a separate machine, so as not to interfere with the unit-under-test.
Yes, you could use a monitor-port, but that assumes that your employer will spring for fancy managed switches AND will allow you to log into them and mess around. Mine doesn't, but they're more than happy to buy me a $40 hub and a couple of patch cables.
What a stupid thing to say, on Slashdot of all places!
Take the stick out of your a**, we are all here to learn.
Ethereal is excellent. Under Windows it doesn't work with dial-up adapters, which means it's useless if you're trying to inspect stuff you're sending over PPTP VPN tunnel. That's not really Ethereal's fault though - it's pcap stuff and issues caused by Windows itself. The UI sucks big time though.
MSFT had me download a time limited version of Netmon, which has more features than the version that ships with Windows NT/2000 Server. It seemed to be way better than Ethereal. But beggars can't be choosers and Ethereal is free. Criticisms aside, Ethereal is EXCELLENT.
Oh man.
:D
That's not a sniffer... that's a freakin' rootkit!
Cheers
Stor
"Yeah well there's a lot of stuff that should be, but isn't"
I like Ethereal as it's highly comparable to Etherpeek without the cost...plus it runs on Linux.
Sniffing will also not get you anywhere if you are trying to see what's happening on an https stream, as all you'll see is the encrypted traffic.
That's generally true, but not entirely so. If web developers have the server's private key, they can indeed decrypt HTTPS streams. I once had to do it for a heisenbug on a secure website. You can use the tool ssldump from Eric Rescorla. If you're this deep into SSL, you should certainly buy his book SSL and TLS, which is very helpful.
Don't get me wrong, I want exploits published so venders get the kick in the arse they seem to need to actually fix something, but do they have to make password snagging so easy my grandmother could do it?