Ethereal-users: RE: [Ethereal-users] Hardening Windows NT/2K/XP for sniffing? / Sniffing without
Thanks for the info, Guy and Richard. I'll check the versions and lurk
around WinPCap's groups for a while. For the record, I was using WinPCap
2.3. I am currently downloading 3.0. I will try to remember to post the
results.
- Will
-----Original Message-----
From: Richard Urwin [mailto:RUrwin@xxxxxxxxxxxxxx]
Sent: Wednesday, July 23, 2003 4:03 AM
To: 'W. Chamberlain'; ethereal-users@xxxxxxxxxxxx
Subject: RE: [Ethereal-users] Hardening Windows NT/2K/XP for sniffing? /
Sniffing without TCP/IP on Windows?
I use Ethereal on an unbound second card in my W2K machine. Everything works
fine.
--
Richard Urwin, Software Design Engineer
Schenck Test Automation
Braemar Court, 1311b Melton Road, Syston, UK.
rurwin@xxxxxxxxxxxxxx
-----Original Message-----
From: W. Chamberlain [mailto:nashvilleguitarpicker@xxxxxxxxxxx]
Sent: 22 July 2003 15:15
To: ethereal-users@xxxxxxxxxxxx
Subject: [Ethereal-users] Hardening Windows NT/2K/XP for sniffing? /
Sniffing without TCP/IP on Windows?
I have been using Ethereal off and on for a year or so now on our relatively
small network, and I love it. Perhaps one of the most useful places to
sniff, however, is outside of the firewall. Unfortunately, our IP address
range is frequently scanned by hackers, and I know better than to plug it in
directly. Does anyone know if there is a way to use Ethereal without
installing Microsoft's TCP/IP protocol?
The computer I tested this on runs NT 4.0 with multiple NICs. Ideally, I
would like to sniff on one NIC, and have all of my regular non-sniffing
TCP/IP traffic go through a separate card. I tried to unbind TCP from the
sniffing NIC, but then the WinPCap drivers would not allow me to select that
card for sniffing. My interim solution was to assign a bogus IP address to
the NIC. I am able to sniff fine with this setup, but I am still open to
broadcast-based attacks, and my firewall thinks that someone is spoofing an
IP address, since I used one out of our normal range. It generates multiple
annoying log messages, so I do not leave this running very long. I used to
hear about people making "mute" network cards/cables basically by clipping
the broadcast lines. I don't know if this would help against DoS attacks,
though.
Here were some questions that came to mind. Is there a way to tighten
security on TCP/IP to a point that the OS ignores it on one adapter? Is
there a way to run without TCP/IP? Is there another [free/cheap] program
which can sniff IP traffic without requiring IP binding to the adapter? Can
I use some sort of dummy TCP/IP stack to satisfy WinPCap? Can raw sockets
run without TCP/IP? Any solution I use must be capable of sniffing ICMP
packets and IP packets. I don't care as much about the other types.
Does anyone else have any ideas or experience in this area? Thanks in
advance!
- Will
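On current Windows releases the "unbound second card" setup Richard describes can be done and checked from PowerShell. This is an added example, not code from the thread; it assumes a capture adapter named Capture, a capture driver (WinPcap or Npcap) already installed, and a Windows version with the NetAdapter cmdlets (Windows 8 / Server 2012 or later), not NT 4.0.

```powershell
# Added example: strip the IP stack from a dedicated capture NIC and verify it.
# Assumes the adapter is named "Capture" (use Rename-NetAdapter if it is not).
$nic = 'Capture'

# Remove IPv4 and IPv6 from the capture adapter so the OS has no address or
# stack to attack on that card, while the management NIC keeps its normal stack.
Disable-NetAdapterBinding -Name $nic -ComponentID ms_tcpip, ms_tcpip6

# Also drop the client, server and discovery bindings that answer broadcasts,
# since those are what a bogus-address setup still leaves exposed.
Disable-NetAdapterBinding -Name $nic -ComponentID ms_msclient, ms_server, ms_lltdio, ms_rspndr

# Check: only the packet capture driver binding should still show as enabled.
Get-NetAdapterBinding -Name $nic | Where-Object Enabled |
    Format-Table Name, DisplayName, ComponentID -AutoSize

# Check: the capture adapter must have no IP address left (no output expected).
Get-NetIPAddress -InterfaceAlias $nic -ErrorAction SilentlyContinue
```

Run from an elevated prompt; the capture adapter should now appear in the capture tool's interface list while carrying no IP address at all.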
________________________________________________________________________
This email has been scanned for all viruses by the MessageLabs Email
Security System. For more information on a proactive email security
service working around the clock, around the globe, visit
http://www.messagelabs.com
________________________________________________________________________