On Oct 14, 2008, at 5:56 PM, Michael Condon wrote:
> This is a blind attempt to capture traffic to/from an IP address. Is there a less obtrusive alternative to capturing this traffic than infiltrating the internal infrastructure?

I.e., if you're on a switched network, and you want to capture traffic to or from a particular IP address from or to *all* machines on that switch, is there a less obtrusive alternative than replacing the switch with a hub or using a monitor port?

That depends on your definition of "obtrusive".

The only alternatives are the ones listed on

	http://wiki.wireshark.org/CaptureSetup/Ethernet

and, if *I* were a network administrator, I'd consider all of the ones that work "obtrusive", and would consider the alternatives to "use a switch port", such as ARP poisoning or MAC flooding, to be actively *hostile* if I weren't the one doing the capturing.

Switches don't send all traffic to them through all ports - that's kind of the point of a switch, to allow more traffic to pass through it than can be sent over a single Ethernet link - so the only way to see all traffic going through a switch is to capture on a port that, either by configuring the switch (with a monitor port) or bludgeoning the switch (e.g., ARP poisoning or MAC flooding), manages to get all traffic forwarded to it.

Note that if more traffic is passing through the switch than can be sent out to a port on the switch, all of those solutions *will* drop traffic. Note also that the switch knows absolutely nothing about your capture filter; unless its monitor-port feature can be configured to check IP addresses and forward only matching packets to the monitor port (i.e., unless the switch has its own notion of filters at that level), even if your capture filter would select less traffic than can be sent out to a port on the switch, it won't prevent packets from being dropped.
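
The last point above, as an added illustration that is not part of the original message: a toy model of a monitor port with a fixed egress rate and a tail-drop buffer, comparing a capture filter applied on the capturing host with filtering done in the switch before mirroring. The addresses, frame counts, port capacity and buffer size are constructed assumptions, not measurements from any real switch.

```python
from collections import deque

TARGET = "10.0.0.5"  # constructed address of the host whose traffic we want
OTHER = "10.0.0.9"   # constructed address standing in for all other traffic

def make_tick(frames=30, every=10):
    """One time slice of traffic crossing the switch: every `every`-th
    frame involves TARGET, the rest is unrelated traffic."""
    return [TARGET if i % every == 0 else OTHER for i in range(frames)]

def simulate(ticks, port_capacity, buffer_size, switch_side_filter=False):
    """Return (target frames crossing the switch, target frames captured).

    port_capacity: frames the monitor port can transmit per tick.
    buffer_size:   frames the monitor port can queue before tail-dropping.
    """
    queue = deque()  # egress buffer of the monitor port
    sent = captured = 0
    for _ in range(ticks):
        for frame in make_tick():
            is_target = frame == TARGET
            sent += int(is_target)
            if switch_side_filter and not is_target:
                continue  # the switch itself mirrors only matching frames
            if len(queue) < buffer_size:
                queue.append(frame)
            # else: the frame is dropped inside the switch, target or not
        for _ in range(min(port_capacity, len(queue))):
            # The host's capture filter only sees what survived the queue.
            if queue.popleft() == TARGET:
                captured += 1
    return sent, captured

if __name__ == "__main__":
    for label, flag in (("host capture filter only", False),
                        ("switch filters before mirroring", True)):
        sent, captured = simulate(100, port_capacity=10, buffer_size=20,
                                  switch_side_filter=flag)
        print(f"{label}: {captured}/{sent} target frames captured")
```

In this model the target traffic is only 3 frames per tick against a port capacity of 10, yet two thirds of it is lost when the filter runs on the capturing host, because the drops happen in the switch before the filter is applied.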