Is it necessary to be connected to sniff traffic over a wired network?


Answer Wiki


Yes it is.
==============
Take a look in my IT-Trenches blog (http://itknowledgeexchange.techtarget.com/it-trenches) at my series on network taps. There are some considerations though when connecting to a wired network for sniffing purposes.

Discuss This Question: 6  Replies

 
  • Kevin Beaver
    There are a lot of ways to handle this... What exactly are you trying to accomplish?
  • Rahul Shrivastava
    Actually the objective is that there should be no sniffing on a particular link which connects the firewall to the switch. Any suggestions? cheers. rahul.
  • Kevin Beaver
    Preventing sniffing can be tough unless you're using an IDS/IPS on the network. Essentially you have to have a way to detect network cards that are running in promiscuous mode. There's a tool out there called CPM (check promiscuous mode) that can detect this but I'm not sure that's what you need. Looking at it from a different perspective, you can also set up static ARP entries in your switches to detect/prevent ARP poisoning (which often takes place in a sniffing "attack"). Also make sure your managed switches have strong passphrases so they can't be accessed and reconfigured by an internal attacker. Believe it or not, I see unprotected managed switches on networks all the time just waiting to be exploited for something like this.
  • Rahul Shrivastava
    Thanks for the feedback, Kevin. But I am not quite sure how an IPS can prevent sniffing, or of any other ways to prevent it. It can be detected by detecting network cards that are running in promiscuous mode.
  • Snapper70
    Are you only concerned about the portion from the switch to the firewall? If that's on a switch, then the traffic is non-broadcasting and should only be on that link - so can't be sniffed elsewhere (unless someone has access to physically install something and reconnect on that link). However, the traffic DOES probably originate somewhere else. It may be possible for someone to sniff/capture at a client workstation, in which case they would only see traffic from that workstation to any of its destinations, which may be a portion of the traffic to the firewall.
  • Kevin Beaver
    Certain IDSs/IPSs can detect ARP poisoning and network cards in promiscuous mode. That's probably overkill for what you need. Snapper70 has some good points. If it's only on a small network segment with no other hosts that plug in, you may be in the clear especially if things are physically locked down.
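
The replies above mention pinning static ARP entries as a way to notice ARP poisoning on a segment. The following is an added example, not code from any of the posters: it compares a Linux neighbour table (the `ip neigh show` format) against a pinned baseline. The addresses, the `PINNED` table and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed baseline: the IP-to-MAC pairs you would pin as static ARP entries.
PINNED = {
    "192.0.2.1": "00:00:5e:00:53:01",  # firewall inside interface (constructed)
    "192.0.2.2": "00:00:5e:00:53:02",  # switch management address (constructed)
}

# Constructed sample in the format printed by `ip neigh show` on Linux.
SAMPLE = """\
192.0.2.1 dev eth0 lladdr 00:00:5e:00:53:99 REACHABLE
192.0.2.2 dev eth0 lladdr 00:00:5e:00:53:02 STALE
192.0.2.50 dev eth0 lladdr 00:00:5e:00:53:99 REACHABLE
192.0.2.60 dev eth0  FAILED
"""

LINE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-fA-F:]{17})\b")

def parse_neigh(text):
    """Return {ip: mac} for entries that have a resolved link-layer address."""
    table = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(3).lower()
    return table

def check_arp(text, pinned=PINNED):
    """Return a sorted list of findings for one neighbour-table snapshot."""
    table = parse_neigh(text)
    findings = []
    # A pinned address answering with a different MAC is the classic poisoning sign.
    for ip, mac in pinned.items():
        seen = table.get(ip)
        if seen and seen != mac.lower():
            findings.append(f"MISMATCH {ip}: expected {mac}, saw {seen}")
    # One MAC claiming several IPs is worth a look, especially next to a mismatch.
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(f"SHARED {mac}: claimed by {', '.join(sorted(ips))}")
    return sorted(findings)

if __name__ == "__main__":
    for finding in check_arp(SAMPLE):
        print(finding)
```

A `SHARED` finding on its own can be legitimate (a router or a host with several addresses), so treat it as a prompt to investigate rather than proof of poisoning.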
