5

I often find myself in the position of having to sniff a connection between, for example, an ARM board I am developing on and another computer on the network, or out of the network.

The easy situation is when I can install a sniffer on the computer talking to the embedded device. When that is not possible, I currently install an old 10Mb/s HUB. However, I am afraid my HUB might stop working, and I would like to know some alternatives.

Here are the alternatives I could think of:

  • Buy another HUB. Is that still possible?
  • Have some sort of Ethernet sniffing bridge, like what they do for USB. I am afraid this kind of device is expensive.
  • Use ARP poisoning.
drAlberT
shodanex

7 Answers

10

More expensive switches will offer port mirroring, where they will mirror the traffic of one or more ports to a dedicated monitor port for (among others) problems like yours.

But I am not sure at what price class features like that are offered.

Sven
  • Our Netgear switches do this and they go for a few hundred GBP. – tomfanning Oct 09 '09 at 09:19
  • Ditto for our "web-managed" ProCurves, at about the same price. – RainyRat Oct 09 '09 at 11:19
  • Used switches are often quite cheap. For instance, older 10/100 gear on the secondary market is often in the $50 range or even free. As an example, a Nortel BayStack 420-24T can even mirror based on MAC address, and it is pretty quiet and is less than 50 from an online store: http://www.codemicro.com/store/product/42024T/Refurbished – chris Feb 12 '10 at 15:56
3
  • Use ettercap and live happy.

    See Wikipedia for a list of ARP spoofing capable tools.

  • A MAC flooding attack can be tried too, depending on the switch you are attacking. If the switch is exposed to this kind of attack, it will act as a hub once overflowed.

  • You can of course use a HW approach (much less flexible IMHO): very inexpensive switches such as the Dell 27xx and 28xx series offer a port mirroring feature.

drAlberT
  • The problem with that is that now you're not really testing your device under normal usage situations. – chris Feb 12 '10 at 15:53
3

A quick-and-dirty solution for sniffing a single device is to add a second NIC, connect the device to be sniffed to one NIC (using a crossover cable if necessary) and the LAN to another, then bridge the connections and sniff on the bridge interface. Since you're not wedging the machine into a heavy traffic flow (presumably) you won't really slow anything down.

You can do this in Windows w/ the built-in bridging functionality and something like Wireshark. Linux will let you do the same thing. Other OS's mileage may vary-- I haven't tried it anywhere but on Windows and Linux.

Evan Anderson
3

There are two ways to sniff traffic in a switched network where you don't have access to the switch. The first is ARP spoofing, where you attempt to respond to ARP requests faster than the target device. This is obviously dependent on your ability to do that, so might be a little bit hit and miss. The second is to overflow the switch's forwarding tables. Every switch has a table of MAC addresses and which ports it's seen frames come in from, so the switch knows where to send future frames to. If the switch doesn't have the destination MAC address in the forwarding table, it sends it to every port. If you can fill up the forwarding table, the switch has no option but to send all frames to every port, and you've effectively turned your switch into a hub. Unfortunately, more expensive switches have bigger forwarding tables, and might have per-port forwarding tables, which won't be vulnerable to this attack.

You can insert a hub between you and your target if you can find one. An alternative would be to use a Linux device with two NICs and bridging configured between them.

If you have a managed switch under your control, as other people have mentioned, you can use port mirroring to get a copy of everything on the target port(s).

David Pashley
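The two-NIC Linux bridge suggested in Evan Anderson's and David Pashley's answers, as an added example that is not part of either answer. The interface names, the bridge name `br-tap`, the pcap path and the `DRY_RUN` switch are assumptions; the commands are standard iproute2, sysctl and tcpdump.

```shell
#!/bin/sh
# Added example: transparent two-NIC capture bridge (Linux: iproute2, sysctl, tcpdump).
# Interface names, bridge name and pcap path are assumptions; substitute your own.
# DRY_RUN=1 prints each command instead of running it (no root needed).

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# tap_up DEVICE_IF LAN_IF [BRIDGE]: bridge the two NICs with no addresses on them.
tap_up() {
    dev_if=$1; lan_if=$2; br=${3:-br-tap}
    if [ -z "$dev_if" ] || [ -z "$lan_if" ] || [ "$dev_if" = "$lan_if" ]; then
        echo "usage: tap_up DEVICE_IF LAN_IF [BRIDGE] (two distinct NICs)" >&2
        return 2
    fi
    # STP off and zero forward delay: ports go straight to forwarding rather
    # than waiting out a listening/learning delay, so early frames are kept.
    run ip link add name "$br" type bridge stp_state 0 forward_delay 0 || return 1
    # No IPv6 on the bridge, so it does not autoconfigure a link-local address
    # and add its own packets to the segment under test.
    run sysctl -q -w "net.ipv6.conf.$br.disable_ipv6=1" || return 1
    for nic in "$dev_if" "$lan_if"; do
        run ip addr flush dev "$nic" || return 1      # member ports carry no IP
        run ip link set dev "$nic" master "$br" || return 1
        run ip link set dev "$nic" up || return 1
    done
    run ip link set dev "$br" up
}

# tap_capture [BRIDGE] [PCAP]: full frames, no name lookups, flushed per packet.
tap_capture() {
    br=${1:-br-tap}; out=${2:-tap.pcap}
    run tcpdump -i "$br" -n -s 0 -U -w "$out"
}

# tap_down [BRIDGE]: remove the bridge; member NICs are released automatically.
tap_down() {
    br=${1:-br-tap}
    run ip link set dev "$br" down || return 1
    run ip link delete dev "$br"
}

# Dispatch when invoked as: ./tap.sh up eth1 eth2 | capture | down
case "${1:-}" in
    up)      shift; tap_up "$@" ;;
    capture) shift; tap_capture "$@" ;;
    down)    shift; tap_down "$@" ;;
esac
```

Run it once with `DRY_RUN=1` to review the exact commands before executing them as root; the resulting pcap opens directly in Wireshark.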
2

You may wish to also consider building an Ethernet tap, and using that device for analyzing traffic. A tap has the advantage of allowing the analysis of all traffic, including mis-formed Ethernet packets that may not be duplicated by a mirrored port on a switch. It is a bit more complicated:

You do need two network cards for the tap to work correctly for full duplex connections. However, you will get a true representation of the network traffic passing to and from a device, which may be helpful for any embedded work you're doing.

SteveM
1

Other people have better, more technical answers to this question, but to answer your first question: I'm not 100% sure, but this appears to be a hub (dumb) rather than a switch (smart hub).

http://www.amazon.com/Dynex-DX-EHB4-Ethernet-10Base-T-external/dp/tech-data/B000U29M6Q/ref=de_a_smtd

I'm sure there's more out there, if not, I'd try eBay. I know I have some older hubs lying around.

Josh
1

Dualcomm's USB-powered 5-port Ethernet switch, which is "hardwire configured" with the port mirroring functionality, should be the best choice to meet your needs. It also supports PoE inline power pass-through. Both Fast Ethernet ($39.95) and Gigabit Ethernet ($119.95) models are available. Portable and great for many packet sniffing applications. Visit: www.dual-comm.com