Is it necessary to be connected to sniff traffic over a wired network?
Q:
Is it necessary to be connected to sniff traffic over a wired network?
ASKED: Jan 9 2009  7:09 AM GMT
A:
Yes it is.
==============
Take a look in my IT-Trenches blog at my series on network taps. There are some considerations though when connecting to a wired network for sniffing purposes.
Last Answered: Jan 9 2009  6:05 PM GMT by Labnuke99   26245 pts.
Latest Contributors: Technochic   40210 pts.
Discuss This Answer:

KevinBeaver   7610 pts.  |   Jan 14 2009  8:36PM GMT

There are a lot of ways to handle this… What exactly are you trying to accomplish?

 

Rahul Shrivastava   330 pts.  |   Jan 15 2009  8:42AM GMT

Actually the objective is that there should be no sniffing on a particular link which connects the firewall to the switch. Any suggestions?

cheers. rahul.

 

KevinBeaver   7610 pts.  |   Jan 15 2009  10:35PM GMT

Preventing sniffing can be tough unless you’re using an IDS/IPS on the network. Essentially you have to have a way to detect network cards that are running in promiscuous mode. There’s a tool out there called CPM (check promiscuous mode) that can detect this but I’m not sure that’s what you need.

Looking at it from a different perspective, you can also set up static ARP entries in your switches to detect/prevent ARP poisoning (which often takes place in a sniffing “attack”). Also make sure your managed switches have strong passphrases so they can’t be accessed and reconfigured by an internal attacker. Believe it or not, I see unprotected managed switches on networks all the time just waiting to be exploited for something like this.

 

Rahul Shrivastava   330 pts.  |   Jan 20 2009  6:51AM GMT

Thanks for the feedback Kevin. But I am not quite sure how an IPS can prevent sniffing, or of any other ways to prevent it. It can be detected by detecting network cards that are running in promiscuous mode.

 

Snapper70   540 pts.  |   Jan 20 2009  6:01PM GMT

Are you only concerned about the portion from the switch to the firewall? If that’s on a switch, then the traffic is non-broadcasting and should only be on that link - so can’t be sniffed elsewhere (unless someone has access to physically install something and reconnect on that link).

However, the traffic DOES probably originate somewhere else. It may be possible for someone to sniff/capture at a client workstation, in which case they would only see traffic from that workstation to any of its destinations, which may be a portion of the traffic to the firewall.

 

KevinBeaver   7610 pts.  |   Jan 21 2009  12:52AM GMT

Certain IDSs/IPSs can detect ARP poisoning and network cards in promiscuous mode. That’s probably overkill for what you need. Snapper70 has some good points. If it’s only on a small network segment with no other hosts that plug in, you may be in the clear especially if things are physically locked down.

 