Wireshark · Ethereal-users: Re: [Ethereal-users] sniffing in a switched network

Ethereal-users: Re: [Ethereal-users] sniffing in a switched network - arp spoofing using etterca

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Jay Taylor <foosyou@xxxxxxxxx>

Date: Thu, 16 Jun 2005 20:02:28 -0500

Instead of crippling the network by using a hub near the core or spoofing arp you can mirror a port on most managed switches. Mirroring (or SPAN in Cisco speak) forwards an additional copy of each from from the spanned port to the port you connect your network analyzer to. This method has no impact on the other hosts communicating through the switch as long as the switch is robust enough for the traffic it will pass. Keep in mind that the port you attach your network analyzer to may drop packets if it can not handle the cumulative bandwidth of all the ports it is monitoring. IE: If you try to monitor several hosts with 100Mb connections it could quickly overwhelm the 100Mb link you are analyzing from.

Ulf Lamping wrote:

Manu Garg wrote:

Many of us know that sniffing is possible in a shared i.e.
non-switched ethernet environment. But only few of us know that
sniffing is also possible in a switched ethernet environment. One of
the reasons is that it's not that straighforward. But it's not
impossible or difficult. You can use man in the middle technique like
ARP spoofing to sniff in a switched environment.


This presentation is an attempt to explain how can somebody sniff in a
switched ethernet using ARP spoofing. Dsniff has existed for long as a
tool for various sniffing activities. But recently, tools like
EttercapNG have made it easier.


Link to my original post and presentation -
http://manugarg.freezope.org/2005/06/sniffing-in-switched-network-many-of.html

Presentation-
http://manugarg.freezope.org/notes/arp_spoofing

Please let me know your views on it.

Yes it is possible, but it is really ugly for it's various side effects.

Have a look at the information on this topic so far at:
http://wiki.ethereal.com/CaptureSetup_2fEthernet

As the wiki page says:

*Please do not try this on any LAN other than your own.*

Regards, ULFL

_______________________________________________
Ethereal-users mailing list
Ethereal-users@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-users

References:
- [Ethereal-users] sniffing in a switched network - arp spoofing using ettercap and ethereal
  - From: Manu Garg
- Re: [Ethereal-users] sniffing in a switched network - arp spoofing using ettercap and ethereal
  - From: Ulf Lamping

Prev by Date: [Ethereal-users] A newbie to ethereal
Next by Date: Re: [Ethereal-users] sniffing in a switched network - arp spoofing using ettercap and ethereal
Previous by thread: Re: [Ethereal-users] sniffing in a switched network - arp spoofing using ettercap and ethereal
Next by thread: [Ethereal-users] A newbie to ethereal
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$