[PLUG] Wireshark help

chris (fool) mccraw gently at gmail.com
Fri Oct 31 18:26:27 UTC 2008


On Fri, Oct 31, 2008 at 10:57, VY <vyau5678 at gmail.com> wrote:

> So far, all I could capture is to/from the Linux host to/from any boxes on
> my network but fail
> to capture any traffic out of other boxes to other hosts.

While all the answers so far have touched upon the basic truth
(sniffing on a hub is trivial), sniffing on a switch is not
impossible.  there are a couple of ways of doing so, one optimal (port
mirroring) and unlikely to be possible on cheap networking hardware,
and one which is technically exploitative behavior and prone to
network interruptions (arp cache poisoning).  nonetheless i have
personally had both working with enough success (from a linux machine)
to debug an issue.  a better explanation and comparison than i'd be
able to make off the cuff is here:

http://www.chrissanders.org/?p=121

ettercap and dsniff are the linux tools i've used in the past.

caveat emptor:  using arp cache poisoning may break your network for
non-trivial periods and will certainly piss off your network
administrator.  but hopefully you're your network administrator and
know how to clean up after yourself.  NB this may involve more than
just rebooting the switch--network clients are lied to and the lie may
take a while to time out depending on OS/settings.
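
As an added example that is not part of the original post or of ettercap/dsniff: the "lie" described above shows up in a capture as the same IP being claimed by more than one MAC (and one MAC answering for several IPs), so a defender can spot poisoning from plain ARP reply lines. The capture below is constructed in tcpdump's `ARP, Reply ... is-at ...` text format, not a real trace.

```python
import re
from collections import defaultdict

# Constructed sample in the text format tcpdump prints for `tcpdump -n arp`;
# it is not a real capture.  Lines 5-6 show one station's MAC (…:14)
# suddenly claiming the gateway's and another client's IP, then line 7
# shows the real gateway answering again (cache "flapping").
SAMPLE_CAPTURE = """\
12:00:00.000000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:01, length 28
12:00:00.500000 ARP, Reply 192.168.1.10 is-at 00:11:22:33:44:0a, length 28
12:00:01.000000 ARP, Request who-has 192.168.1.1 tell 192.168.1.10, length 28
12:00:01.200000 ARP, Reply 192.168.1.20 is-at 00:11:22:33:44:14, length 28
12:00:02.000000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:14, length 28
12:00:02.100000 ARP, Reply 192.168.1.10 is-at 00:11:22:33:44:14, length 28
12:00:03.000000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:01, length 28
"""

# Only "Reply <ip> is-at <mac>" lines carry a binding; requests are skipped.
REPLY_RE = re.compile(
    r"^(\S+) ARP, Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-f:]{17})", re.I)


def parse_replies(text):
    """Yield (timestamp, ip, mac) for every ARP reply line in the capture."""
    for line in text.splitlines():
        m = REPLY_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3).lower()


def find_poisoning(text, min_ips_per_mac=2):
    """Return alert strings: IPs whose MAC changed, and MACs claiming many IPs.

    A benign network can change an IP->MAC binding (NIC swap, DHCP reuse),
    so a single change is a lead to check, not proof; repeated flapping and
    one MAC answering for the gateway plus clients is the classic pattern.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in parse_replies(text):
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append(f"{ts} {ip} changed {prev} -> {mac}")
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
    for mac, ips in mac_to_ips.items():
        if len(ips) >= min_ips_per_mac:
            alerts.append(f"{mac} answers for {len(ips)} IPs: {', '.join(sorted(ips))}")
    return alerts


if __name__ == "__main__":
    for alert in find_poisoning(SAMPLE_CAPTURE):
        print(alert)
```

Feeding real `tcpdump -n arp` output (or Wireshark's "Duplicate IP address configured" ARP expert info) into the same logic gives a quick answer to whether someone is still being lied to after a cleanup.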


