eric@lucii.org on Sun, 17 Aug 2003 12:46:12 -0400
I'm finally getting around to this and I'm having some difficulty...

I've installed ethereal on my Linux workstation and on a laptop (since I'll
ultimately be running this on my friend's LAN.) In either case, it appears
to pick up only SOME of the network traffic, not all that I'd expect.

The first thing I did was put a hub in the way because I have a switch and
presumed that I would not see packets that were not destined for the
laptop. So my first configuration looked like this:

    cable modem --- hub --- firewall --- switch --- windows client (NT)
                     |                     |
                     |                     |
                     |                  rest of LAN
             Laptop with ethereal

This was "less than satisfactory"... I could see the dozens of ARP requests
and the occasional DHCP traffic but nothing else.

Because the eth1 interface of the firewall was assigned 68.83.xxx.y from
the cable modem, I used ifconfig to make the laptop think it was
68.83.xxx.(y+1) with a netmask of 255.255.254.0 (same as the firewall.) I
did this even though I suspect that the ethernet card would pick up
_everything_ regardless of IP.

That brings up another point... How can I tell if the network interface is
in promiscuous mode? It's a 10/100 Intel card internal to the IBM X20
laptop. A friend tells me that some cards will not do promiscuous mode
(moral objections? :-)

Thinking that I was stymied by the modem -- firewall interaction, I changed
to this configuration:

                            switch --- rest of LAN
                              |
                              |
    cable modem --- firewall --- hub --- windows client (NT)
                                  |
                                  |
                          Laptop with ethereal

I let the laptop get its 192.168.1.100/24 from the firewall DHCP. Here, I
encountered the same issue... no traffic other than ARP or DHCP info (and
much less of both).

Being an electrical engineer _and_ a network semi-novice I'm trying very
hard to understand why I cannot see the traffic.

Any suggestions?

Thanks!
Eric

On Wed, Aug 06, 2003 at 04:05:23PM -0400, Toby DiPasquale wrote:
> eric@lucii.org wrote:
> >How best to go about this? I think a sniffer program on the lan might
> >be the way but I've never used one before. Are there other ways that
> >people have used to accomplish something like this? I've tried netcat
> >(nc) but it does not show me what the site sends back, just what the
> >browser asks for.
>
> Here's an easy way to do it:
>
> 1. If you don't already have them, install the ethereal and tethereal
> packages for your OS. On Debian they are in two separate packages (with
> those names, in case you are running Debian) but they may be in the same
> package for other distros/OSs.
>
> 2. Run this command:
>
> # tethereal -i eth0 -f ' port 80 ' -w savefile
>
> You will need to be root to do that. This will capture all traffic on/from
> port 80 passing through network interface eth0 into a file named "savefile".
>
> 3. Initiate your HTTP traffic and run the CGI you're looking to debug.
>
> 4. Once finished with that, stop the capture with Control-C and then open
> "savefile" with ethereal (the graphical frontend for the ethereal capture
> package). Now you can see both sides of the traffic, packet for packet.
>
> HTH :)
>
> --
> Tobias DiPasquale
> 88FA 30C9 1E63 CFE2 CBD8 37C4 DA1C E2BF 1D26 F036
> http://cbcg.net/
>
> _________________________________________________________________________
> Philadelphia Linux Users Group -- http://www.phillylinux.org
> Announcements - http://lists.netisland.net/mailman/listinfo/plug-announce
> General Discussion -- http://lists.netisland.net/mailman/listinfo/plug
>

--
# Eric Lucas
# "Oh, I have slipped the surly bond of earth
# And danced the skies on laughter-silvered wings...
# -- John Gillespie Magee Jr.
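An added example, not code from either message in the thread above: on Linux the two things a practitioner checks before blaming the hub are whether the capture interface is actually in promiscuous mode (without it the card drops frames not addressed to its own MAC, so a hub that repeats everything still yields only broadcasts such as ARP and DHCP) and that the capture filter matches both directions. The kernel exposes the interface flags in hex at /sys/class/net/<iface>/flags, where IFF_PROMISC is bit 0x100, and `ip link show` lists PROMISC among the angle-bracket flags. tethereal is now called tshark; like tcpdump it switches the interface to promiscuous mode itself for the duration of the capture. The script assumes a Linux host with /sys, iproute2 and tshark installed; the `ip link` lines fed to it below are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes Linux with /sys,
# iproute2 and tshark (the current name of tethereal).

# IFF_PROMISC is bit 0x100 of the interface flags word that the kernel
# exposes in hex at /sys/class/net/<iface>/flags.
IFF_PROMISC=256

# flags_promisc HEXFLAGS: succeed if IFF_PROMISC is set in the flags word
# (e.g. 0x1103 = UP|BROADCAST|PROMISC|MULTICAST -> yes; 0x1003 -> no).
flags_promisc() {
    _flags=$(( $1 ))
    [ $(( _flags & IFF_PROMISC )) -ne 0 ]
}

# iplink_promisc LINE: succeed if one line of `ip link show` output, e.g.
# "2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 ...",
# lists PROMISC among the angle-bracket flags.
iplink_promisc() {
    _f=${1#*<}
    _f=${_f%%>*}
    case ",$_f," in
        *,PROMISC,*) return 0 ;;
        *)           return 1 ;;
    esac
}

# iface_promisc IFACE: succeed if the named interface is promiscuous right
# now; returns 2 if the interface does not exist or /sys is unavailable.
iface_promisc() {
    _path="/sys/class/net/$1/flags"
    [ -r "$_path" ] || return 2
    flags_promisc "$(cat "$_path")"
}

# capture_http IFACE OUTFILE: record both directions of TCP port 80 on
# IFACE into OUTFILE. tshark enables promiscuous mode itself unless run
# with -p; needs root or CAP_NET_RAW/CAP_NET_ADMIN.
capture_http() {
    tshark -i "$1" -f 'tcp port 80' -w "$2"
}

# Usage: ./sniffcheck.sh eth0 [savefile]
if [ $# -ge 1 ]; then
    if iface_promisc "$1"; then
        echo "$1 is in promiscuous mode"
    else
        echo "$1 is NOT in promiscuous mode (tshark will enable it while capturing)"
    fi
    if [ $# -ge 2 ]; then
        capture_http "$1" "$2"
    fi
fi
```

Run it while a capture is already in progress on another terminal to confirm the card really went promiscuous; a card or driver that refuses will stay at 0x1003 and still show only broadcast traffic, which is the symptom to distinguish from a hub that is silently switching.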