Ethernet sniffer - port mirror

[rmdferreira]

Hi,

does anyone knows how to make a ethernet sniffer ?
here my idea, 3 RJ-45 ports, port 1 connecting PC 1, port 2 connecting PC 3 and Port 3 connecting PC with sniffer software, that sniffs traffic between Port 1 and Port 2

I know that i can do this with switchs that support port mirror, but normally this kind of switchs are very big and expensives... like cisco, nortel...

all im looking is a little three port piece of hardware with this capability

Any ideas?

Thanks
Ricardo

 

[justDIY]

just get a 5 port 100mbit ethernet hub off ebay and call it done

you don't need a switch with a port mirror

 

[rmdferreira]

Hi,

i know, but a hub is not passive... because it mirrors everything for every ports.... so if my machine (sniffer machine) generates traffic it will interfere with the other PC 1 and PC 2

with port mirror you can do this in a shadow way...

Ricardo

 

[3v0]

Hi,

i know, but a hub is not passive... because it mirrors everything for every ports.... so if my machine (sniffer machine) generates traffic it will interfere with the other PC 1 and PC 2

with port mirror you can do this in a shadow way...

Ricardo

The last time I checked a hub was passive.

Network hub - Wikipedia, the free encyclopediaA network hub or concentrator is a device for connecting multiple twisted pair or fiber optic Ethernet devices together, making them act as a single network ...A hubbed Ethernet network behaves like a shared-medium, that is, only one device can successfully transmit at a time and each host remains responsible for collision detection and retransmission.

Network switch - Wikipedia, the free encyclopediaBy delivering each message only to the connected device it was intended for, a network switch conserves network bandwidth and offers generally better ...

You need to hook your sniffer to a switch.

I suspect that all you need to do is setup a linux box with Ethereal.

 

[justDIY]

program the sniffer to not send any traffic! or disconnect the transmit pair on its ethernet cable.

oh, and avoid anything calling itself ethereal, and go with Wire Shark instead ... the former is now the latter, the developers abandoned the name due to some trademark dispute.

 

[felis]

Switches with mirror port capability are not expensive. Good old 3Com superstack 3300 can be bought on ebay for ten bucks. I have one and it mirrors just fine.

 

[rmdferreira]

Hi,

3Com superstack 3300 is a big one...

Think about this,

You are a network technician and you carry a laptop and a piece of hardware (size of a cell phone) with 3 RJ-45, that you can put on a network and connect you laptop to "port mirror" port (port 3).
The only thing i need is if anyone knows the technical schema for build a tiny switch with 2 ports and a port that "see" all the traffic between the others two ports.

I have cisco, and nortel switchs... that support port mirror and a lot of stuffs... but, beliave me, you don't want to carry a big piece of hardware everytime you need to troubleshoote something...

Anyone knows a electric schema of a switch?

Thanks,
Ricardo

 

[felis]

The way I did it a while ago was take two ethernet cards and wire the receiver of the one of them parallel to one twisted pair and receiver of the other parallel to the second twisted pair. Then you can capture from both cards using tcpdump and then merge the traces and see them in wireshark.

 

[justDIY]

I still don't recognize why you can't use a hub ... it has been done that way for decades.

if you're "troubleshooting", what does it matter that an odd packet or two from your machine might be injected into the network, program your machine properly so it's not probing the network looking for things.

the only reason I can see you wanting to be invisible is for illegal reasons; a forensic wiretap installer would just go out and buy the proper hardware.

edit:
the HP ProCurve 1800 8 port switch supports gigabit speeds and port mirror, plus it is small and fanless so you can hide it to do your spy work... oops I mean 'troubleshooting'. Just charge the cost off on a client.

**broken link removed**

 

[rmdferreira]

Imaging that you are troubleshotting VoIP trafic, like RTP, for example, and you don't what to mess with QoS and stuff, you just want to "watch"???

My way? I connect my powerfull cisco catalyst, and do the work... no problem...Leave my powerfull switch be connect to my laptop one hour, collecting data, for analysis. No problem for me.

But, in my experience, the cisco catalyst became my new friend, my new heavy friend...

There are some troubleshooting that i could do with a small piece of hardware... so my topic is only about one subject, if you have an electric schema, I appreciate for suggestion, if not, i don't need to bother, and send anwsers like "why can't i use an hub", "it's spy work??"... man i'm network guy and i know exactly what i'm talking about...

This topic was only about that... if i can make one by my self, cool, if not, well i need to buy a light switch, (for example the HP that you send me).

So if you have the tecnologie for do a spy work (no interference on the network) why use a hub??? Man, hubs sucks.... hub is a stupid device... no mac table, no nothing... if you connect an hub in ten switchs network with spanning tree... you have a big mess...

Thanks,
Ricardo

 

[Darth Bagel]

You aren't going to affect QoS with a few errant packets. Just don't flood the network with **** and you'll be fine.

Or use a cable without the TX lines, as JustDIY said.

 

[rmdferreira]

No problem.

Thanks anyway.

Ricardo