Packet Snooping with a Switch question.

Setral (Senior member, joined May 26, 2000):
I'm attempting to set up a packet snooping program under Linux on my home network. I know of three ways I can set it up to get it working, all of which require at least one more part, which currently I can't afford.

I have a DSL connection that is connected to an SMC Barricade (router/switch) and two systems. Both work fine set up on their own, receiving IPs from the SMC Barricade.

The problem is, since this is a switch, the packets are broadcast across all nodes, meaning I can't just snoop passively without any reconfiguration.

Let's start here by identifying computers A and B. A is the Linux snooping box; B is my Windows box. A is .2, B is .3, and the router is .1.

Would it be possible for me to leave everything wired as it is, but set A as the default gateway on B and have the packets go through A before going through the router to the net?

Basically it would look like this, if possible. (I haven't tried yet; I'm at work and will try when I get home.)

A: IP: xxx.xxx.xxx.2 & Gateway: xxx.xxx.xxx.1
B: IP: xxx.xxx.xxx.3 & Gateway: xxx.xxx.xxx.2

This way all calls made from B are forced through A and then sent through the router.

If this is impossible without adding another network card and/or cable, let me know.

ScottMac (Moderator, Networking, Elite member, joined Mar 19, 2001):
If you pass all the packets through a machine, it should be the machine you're monitoring. If you're gonna do that, then put Squid (proxy) on it and get a little performance kick too (at least for surfing).

Usually, if the switch doesn't support port mirroring (pretty sure yours doesn't), then drop a hub in between the switch and the machine you want to monitor, and plug your monitoring station into the same hub.

FWIW

Scott

Setral (Senior member, joined May 26, 2000):
Well, this snooping program has to be run on the Linux box, and in all the setups either the Linux box is the connection-sharing device or it simply listens quietly on the hub. So it picks up all the network traffic either directly or indirectly, which is the reason I was wondering if it would be possible to pass all the data through the Linux box without having to add/change the physical hardware configuration.

I know the last suggestion you made is feasible; however, it'd be just as easy for me to put a second NIC in the Linux system and a crossover cable between the Linux and Windows systems. However, I don't want to purchase any equipment right now, even though all I would need for that is a $10 NIC; I have everything else.

Setral (Senior member, joined May 26, 2000):
Well, last night, tinkering with it, I figured this much out.

I have to have them set to static IPs. Dynamic IPs automatically overwrite my manual gateway settings.

If I set A to be the gateway for B and try to connect, B does feed all its requests through A; however, I don't have it set up currently to acknowledge those requests appropriately.

So this means the hardware and the network layer can handle this. However, it looks like the software side is where the fun begins.


Also, glancing over the information you gave me, it isn't quite what I am looking for.

Jonathan93 (Member, joined Sep 10, 2001):
Not sure if your packet sniffer software would pick this up, but it SHOULD. I'd get a Linux box with two NICs, plug one NIC into the SMC Barricade, and plug the other into the switch. Then just bridge the two interfaces together. Then ALL traffic headed to the Internet HAS to go through the Linux box.

Setral (Senior member, joined May 26, 2000):
Umm, Jon, the SMC Barricade is a broadband router/switch, hence the reason I'm trying to figure out if I can do it without additional hardware.

IP masquerading? Proxy? Or hardware?
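The gateway approach Setral describes (B's default gateway pointed at A, with IP masquerading on A, and the "software side" still to be done) spelled out as an added example. This is not code from the thread or from any poster. It assumes details the thread never gives: A has a single NIC named eth0, the LAN is 192.168.0.0/24 with the router at .1 and B at .3, A runs a netfilter kernel with iptables, and tcpdump stands in for the unnamed sniffing program. Two things matter for this to work on a single switched segment: without source NAT the router answers B directly across the switch, so A only ever sees the outbound half; and because A forwards B's packets back out the same NIC, Linux sends B an ICMP redirect pointing at the router, which Windows honours, so redirects must be switched off on A.

```shell
#!/bin/sh
# Added example, not from the thread. Turns Linux box A (the .2 host) into a
# forwarding, masquerading gateway for the Windows box B (.3) so that both
# directions of B's Internet traffic cross A's NIC, then captures them.
#
# Assumptions not stated in the thread: A has one NIC, eth0; the LAN is
# 192.168.0.0/24 with the router at .1; A runs a netfilter kernel with the
# iptables and tcpdump tools installed. B must use a static IP with its
# default gateway set to A, exactly as the thread describes.

LAN_IF="${LAN_IF:-eth0}"
CLIENT="${CLIENT:-192.168.0.3}"

# Emit the commands that make A a gateway. Printing them, rather than running
# them directly, lets the plan be reviewed (or checked in a test) without root.
gateway_commands() {
    cat <<EOF
# Forward packets that arrive for other hosts instead of dropping them.
sysctl -w net.ipv4.ip_forward=1
# A forwards B's packets back out the same NIC it received them on. By default
# Linux then sends B an ICMP redirect pointing at the router, and Windows
# honours redirects, so B would quietly bypass A after the first packet.
sysctl -w net.ipv4.conf.all.send_redirects=0
sysctl -w net.ipv4.conf.$LAN_IF.send_redirects=0
# Without source NAT the router would answer B directly across the switch and
# A would only ever see the outbound half. Masquerading rewrites B's source
# address to A's, so replies come back to A and are un-NATed to B.
iptables -t nat -A POSTROUTING -o $LAN_IF -s $CLIENT -j MASQUERADE
# Explicit FORWARD rules in case the chain's default policy is DROP.
iptables -A FORWARD -i $LAN_IF -s $CLIENT -j ACCEPT
iptables -A FORWARD -o $LAN_IF -d $CLIENT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Run the plan above; needs root because it changes sysctls and nat rules.
apply_gateway() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_gateway must run as root" >&2; return 1; }
    gateway_commands | sh -e
}

# Capture the B-facing leg only: frames from B are captured before NAT and
# still carry B's address, and frames to B are captured after un-NAT, so one
# filter shows both directions without the duplicate, masqueraded copies
# exchanged between A and the router.
capture_client() {
    tcpdump -ni "$LAN_IF" -w "${1:-client.pcap}" "host $CLIENT and not arp"
}

case "${1:-}" in
    show)    gateway_commands ;;
    apply)   apply_gateway ;;
    capture) capture_client "${2:-client.pcap}" ;;
esac
```

Run it as `sh gateway.sh show` to review the rules, `apply` (as root) to install them, and `capture` to write B's traffic to a pcap. Only traffic that B routes through its default gateway crosses A: B's direct LAN conversations with the router's own address, or with A, never do, and as Setral found, a DHCP lease will put the gateway back to .1, so B's address must stay static.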

spidey07 (No Lifer, joined Aug 4, 2000):
Run a proxy; that way the proxy will capture all frames to and from the client computer.

Jonathan93 (Member, joined Sep 10, 2001):
Oops... Sorry, I didn't pick up on the fact that the SMC Barricade was a router/switch. Your problem with the proxy server is that all the traffic MAY not go through it. (If a program is not set up to go through the proxy server, it will just talk directly to the SMC and leave the Linux server out of the equation.)

Since you are only hooking up two computers (the Linux server and the Windows PC), if you had the network card you could still do bridging (just plug the other computer into the other Ethernet card). If you don't want to do that, I'd say just run the proxy and set everything to run off the proxy server.