Q 7.1: When I use Ethereal to capture packets, why do I see only packets to and from my machine, or not see all the traffic I'm expecting to see from or to the machine I'm trying to monitor?

A: This might be because the interface on which you're capturing is plugged into an Ethernet or Token Ring switch; on a switched network, unicast traffic between two ports will not necessarily appear on other ports - only broadcast and multicast traffic will be sent to all ports.

Note that even if your machine is plugged into a hub, the "hub" may be a switched hub, in which case you're still on a switched network.

Note also that on the Linksys Web site, they say that their auto-sensing hubs "broadcast the 10Mb packets to the port that operate at 10Mb only and broadcast the 100Mb packets to the ports that operate at 100Mb only", which would indicate that if you sniff on a 10Mb port, you will not see traffic sent to a 100Mb port, and vice versa. This problem has also been reported for Netgear dual-speed hubs, and may exist for other "auto-sensing" or "dual-speed" hubs.

Some switches have the ability to replicate all traffic on all ports to a single port so that you can plug your analyzer into that single port to sniff all traffic. You would have to check the documentation for the switch to see if this is possible and, if so, to see how to do this. See the switch reference page on the Ethereal Wiki for information on some switches. (Note that it's a Wiki, so you can update or fix that information, or add additional information on those switches or information on new switches, yourself.)

Note also that many firewall/NAT boxes have a switch built into them; this includes many of the "cable/DSL router" boxes. If you have a box of that sort, that has a switch with some number of Ethernet ports into which you plug machines on your network, and another Ethernet port used to connect to a cable or DSL modem, you can, at least, sniff traffic between the machines on your network and the Internet by plugging the Ethernet port on the router going to the modem, the Ethernet port on the modem, and the machine on which you're running Ethereal into a hub (make sure it's not a switching hub, and that, if it's a dual-speed hub, all three of those ports are running at the same speed).

If your machine is not plugged into a switched network or a dual-speed hub, or it is plugged into a switched network but the port is set up to have all traffic replicated to it, the problem might be that the network interface on which you're capturing doesn't support "promiscuous" mode, or because your OS can't put the interface into promiscuous mode. Normally, network interfaces supply to the host only:

  • packets sent to one of that host's link-layer addresses;
  • broadcast packets;
  • multicast packets sent to a multicast address that the host has configured the interface to accept.

Most network interfaces can also be put in "promiscuous" mode, in which they supply to the host all network packets they see. Ethereal will try to put the interface on which it's capturing into promiscuous mode unless the "Capture packets in promiscuous mode" option is turned off in the "Capture Options" dialog box, and Tethereal will try to put the interface on which it's capturing into promiscuous mode unless the -p option was specified. However, some network interfaces don't support promiscuous mode, and some OSes might not allow interfaces to be put into promiscuous mode.

If the interface is not running in promiscuous mode, it won't see any traffic that isn't intended to be seen by your machine. It will see broadcast packets, and multicast packets sent to a multicast MAC address the interface is set up to receive.

You should ask the vendor of your network interface whether it supports promiscuous mode. If it does, you should ask whoever supplied the driver for the interface (the vendor, or the supplier of the OS you're running on your machine) whether it supports promiscuous mode with that network interface.

In the case of token ring interfaces, the drivers for some of them, on Windows, may require you to enable promiscuous mode in order to capture in promiscuous mode. See the Ethereal Wiki item on Token Ring capturing for details.

In the case of wireless LAN interfaces, it appears that, when those interfaces are promiscuously sniffing, they're running in a significantly different mode from the mode that they run in when they're just acting as network interfaces (to the extent that it would be a significant effort for those drivers to support promiscuously sniffing and acting as regular network interfaces at the same time), so it may be that Windows drivers for those interfaces don't support promiscuous mode.
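The FAQ describes two separate filters: the switch decides which ports ever carry a frame, and the NIC decides which of the frames on its port reach the host. The model below is an added example (not part of the Ethereal FAQ) that puts both in code: a learning switch, a repeating hub, an optional mirror port, and the NIC receive filter; the MAC addresses and port numbers are constructed.

```python
"""Model of why a capture on a switched port misses unicast traffic, and why
promiscuous mode alone does not fix it.  Added example; all MAC addresses and
port numbers are constructed."""
from dataclasses import dataclass, field
from typing import Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"
A_MAC, B_MAC, SNIFFER_MAC = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"

def is_multicast(mac: str) -> bool:
    # Group bit: least-significant bit of the first octet (also set for broadcast).
    return int(mac.split(":")[0], 16) & 1 == 1

@dataclass
class Switch:
    ports: int
    mirror_port: Optional[int] = None            # SPAN/mirror port, if the switch has one
    table: dict = field(default_factory=dict)    # learned MAC -> port

    def forward(self, src: str, dst: str, in_port: int) -> set:
        """Return the set of egress ports on which this frame will appear."""
        self.table[src] = in_port                # learn where the sender lives
        if dst == BROADCAST or is_multicast(dst) or dst not in self.table:
            out = {p for p in range(self.ports) if p != in_port}   # flood
        else:
            out = {self.table[dst]}              # known unicast: exactly one port
        if self.mirror_port is not None and self.mirror_port != in_port:
            out.add(self.mirror_port)            # replicated copy for the analyzer
        return out

class Hub(Switch):
    def forward(self, src: str, dst: str, in_port: int) -> set:
        # A (non-switching, single-speed) hub repeats every frame to every other port.
        return {p for p in range(self.ports) if p != in_port}

def nic_accepts(dst: str, host_macs: set, joined_groups: set, promiscuous: bool) -> bool:
    """The NIC receive filter as the FAQ describes it."""
    if promiscuous:
        return True
    return dst in host_macs or dst == BROADCAST or dst in joined_groups

def seen_by_sniffer(dev: Switch, src: str, dst: str, in_port: int,
                    sniff_port: int, promiscuous: bool) -> bool:
    """Does a capture on sniff_port see this frame?  Both filters must pass."""
    if sniff_port not in dev.forward(src, dst, in_port):
        return False     # the switch never delivered it; promiscuous mode cannot help
    return nic_accepts(dst, {SNIFFER_MAC}, set(), promiscuous)

if __name__ == "__main__":
    sw = Switch(ports=3)                 # A on port 0, B on port 1, sniffer on port 2
    sw.forward(B_MAC, A_MAC, 1)          # B has talked, so the switch knows its port
    print("A->B on switched port:", seen_by_sniffer(sw, A_MAC, B_MAC, 0, 2, True))
    print("A->B on hub:", seen_by_sniffer(Hub(ports=3), A_MAC, B_MAC, 0, 2, True))
```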

Replies, comments and Discussions:

  • For a LAN of about 10 people that gets online via ADSL, is there a solution that can block specified websites and also record which websites each computer has visited? I've read the documentation for the Cisco 800 series; it seems to offer only blocking, VPN, and firewall. Is additional software needed to do this?
    • HTTP proxy; set the router to block outgoing port 80 except for the proxy server.
      • Can you recommend some proxy product? I remember WinGate, but that was a long time ago...
        • A software proxy will slow down your Internet access speed a lot when used by 10 PCs. Use an IDS/sniffer-type software product connected to your main switch to monitor the users' web access. To block websites, use the hardware router/firewall function.
          • Thanks, can you recommend some sniffer-like software product?
            • Ethereal
              • This works, and the software seems to have been renamed now.
                • On switched Ethernet, Ethereal cannot capture all packets; you need to set up port mirroring on the switch. Ordinary switches may not have this feature.
                  • Brother, could you explain in more detail? Why can't all packets be captured on a switch?
                    • http://www.ethereal.com/faq.html#q7.1......
        • MS ISA... but it might be quite expensive for your case.
        • WinGate is able to log the traffic.
    • A home router may block particular websites. Use a hub to connect the computers, and you can log all the HTTP activity by using some sniffer software.
    • Install MS ISA Server or a Linux gateway; you can get what you want.
    • Netgear Prosafe FVS114, an entry-level business router. Around $150.
      • It now seems that many routers have a web filter function but no monitoring function, so please, experts, recommend some software to do this.
        • Heh. It seems you don't pay much attention to the information others give you. The Prosafe FVS114 can log all websites visited and email the log to a specified mailbox. Take a look at the manual.
          • Thanks, expert. I did Google the spec of the product you mentioned, but I didn't read the manual. Going to do my homework now.
          • Did my homework; this thing only costs a bit over 80 dollars. Really cheap. The description says it has log alert and syslog functions; I'm not sure whether that is the email log you mentioned. If convenient, could you email me a user manual or something to look at?
            • log feature
              Include in Log

              Known DoS attacks and Port Scans
              Attempted access to blocked sites
              All Websites and news groups visited
              All Incoming TCP/UDP/ICMP traffic
              All Outgoing TCP/UDP/ICMP traffic
              Other IP traffic
              Router operation (start up, get time etc)
              Connections to the Web-based interface of this Router
              Other connections and traffic to this Router
              Allow duplicate log entries
            • What's your email?
              • I read the manual. The logs it describes don't include what I want, namely a log of which websites each computer visited. The logs it describes are all admin logs or logs of particular special actions. It seems this cheap solution won't work.
                • All Websites and news groups visited
                  • See for yourself whether it's useful.
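A parser for the FVS114 log format posted in this thread, written as an added example (not Netgear's code and not from the thread's posters). It runs over constructed sample lines in the same format, with documentation addresses (203.0.113.0/24) in place of real WAN hosts, and shows what the router actually records per LAN host: destination IP and port only, never a hostname or URL.

```python
"""Summarise, per LAN host, the outbound connections a Netgear FVS114-style log
records.  Added example; the sample lines are constructed in the thread's log
format, with documentation addresses standing in for real WAN hosts."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Fri, 2006-08-11 17:32:00 - TCP packet - Source:192.168.1.53,3114 ,LAN - Destination:203.0.113.10,110[POP3] ,WAN [Forward] - [Outbound Default rule match]
Fri, 2006-08-11 17:32:03 - Device Received UDP Packet - Source:192.168.1.2,138,LAN - [Drop]
Fri, 2006-08-11 17:33:17 - TCP packet - Source:192.168.1.7,1217 ,LAN - Destination:203.0.113.20,80[HTTP] ,WAN [Forward] - [Outbound Default rule match]
Fri, 2006-08-11 17:33:21 - TCP packet - Source:192.168.1.53,3138 ,LAN - Destination:203.0.113.30,995 ,WAN [Forward] - [Outbound Default rule match]
Fri, 2006-08-11 17:34:09 - Administrator Interface Connecting, from 192.168.1.7:2842
Fri, 2006-08-11 17:35:02 - TCP packet - Source:192.168.1.7,1220 ,LAN - Destination:203.0.113.21,443 ,WAN [Forward] - [Outbound Default rule match]
"""

# One regex for the "TCP packet" entries; the service label in brackets ([HTTP],
# [POP3]) is optional, as the 995 line above shows.
TCP_RE = re.compile(
    r"^(?P<ts>\w{3}, \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - TCP packet - "
    r"Source:(?P<src>[\d.]+),(?P<sport>\d+) ,LAN - "
    r"Destination:(?P<dst>[\d.]+),(?P<dport>\d+)(?:\[(?P<svc>\w+)\])? ,WAN "
    r"\[(?P<action>\w+)\]"
)

def parse_tcp_entries(text):
    """Return the TCP packet entries as dicts; other entry types are skipped."""
    entries = []
    for line in text.splitlines():
        m = TCP_RE.match(line)
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            entries.append(d)
    return entries

def web_destinations_by_host(text, web_ports=(80, 443)):
    """Map each LAN source to the sorted (WAN ip, port) pairs it was forwarded to on
    web ports.  Note what is absent: the router logs IP and port only, so 'which
    website' needs a second source (DNS or proxy logs) to resolve the address."""
    by_host = defaultdict(set)
    for e in parse_tcp_entries(text):
        if e["action"] == "Forward" and e["dport"] in web_ports:
            by_host[e["src"]].add((e["dst"], e["dport"]))
    return {host: sorted(pairs) for host, pairs in by_host.items()}

def count_by_service(text):
    """Tally TCP entries per destination service, using the router's own label
    when it supplies one and the bare port number otherwise."""
    counts = defaultdict(int)
    for e in parse_tcp_entries(text):
        counts[e["svc"] or str(e["dport"])] += 1
    return dict(counts)

if __name__ == "__main__":
    for host, pairs in web_destinations_by_host(SAMPLE_LOG).items():
        print(host, "->", ", ".join(f"{ip}:{port}" for ip, port in pairs))
    print(count_by_service(SAMPLE_LOG))
```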
    • Why do you want to record what others visit?