Sniffing data from a switch - networking

I have 2 network devices that talk to each other over Ethernet. I would like to sniff the traffic using Wireshark. But the devices are going through a switch. The switch routes the traffic to only the ports that need the data.
At another location I have a hub. All the traffic is repeated across all the ports.
Is there a way to tell the switch to send the traffic down my port also?
EDIT: This is an unmanaged switch.

You might want to look into ARP spoofing.
http://en.wikipedia.org/wiki/ARP_poisoning
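ARP spoofing works by making hosts (or the switch's forwarding tables) believe an IP address lives at a different MAC; the same property makes it detectable. The following is an added example, not from any answer in this thread, that runs the detection logic a sniffer on a mirrored or hub port would apply: it replays constructed ARP reply records (timestamp, sender IP, sender MAC) and flags an IP whose MAC changes, and a MAC that claims more than one IP. The record format and the sample values are assumptions for the example.

```python
"""Detect ARP cache poisoning from a stream of decoded ARP replies.

Each record is (timestamp, sender_ip, sender_mac), i.e. the fields a
packet sniffer would extract from an ARP reply (opcode 2).  Two signs
of poisoning are reported:
  * an IP address whose advertised MAC changes ("ip-mac-change"),
  * a single MAC that advertises several IPs ("mac-claims-many").
The sample data below is constructed for this example.
"""
from collections import defaultdict

# Constructed sample: the gateway 192.168.1.1 is legitimately at
# aa:bb:cc:00:00:01.  From t=5.0 a second MAC starts answering for the
# gateway and for a peer, then the real gateway answers again (flapping).
SAMPLE_REPLIES = [
    (1.0, "192.168.1.1",  "aa:bb:cc:00:00:01"),
    (2.0, "192.168.1.10", "aa:bb:cc:00:00:10"),
    (3.0, "192.168.1.20", "aa:bb:cc:00:00:20"),
    (4.0, "192.168.1.1",  "aa:bb:cc:00:00:01"),
    (5.0, "192.168.1.1",  "00:11:22:33:44:55"),   # gateway claimed by another MAC
    (5.5, "192.168.1.10", "00:11:22:33:44:55"),   # same MAC claims a second IP
    (6.0, "192.168.1.1",  "aa:bb:cc:00:00:01"),   # real gateway answers again
]


def detect_arp_conflicts(replies, many_ips_threshold=2):
    """Return alert tuples for the suspicious events in `replies`.

    Alert shapes:
      (ts, "ip-mac-change", ip, old_mac, new_mac)
      (ts, "mac-claims-many", mac, number_of_ips)
    """
    ip_to_mac = {}                 # last MAC seen advertising each IP
    mac_to_ips = defaultdict(set)  # every IP each MAC has advertised
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            # The binding flipped; a flap back to the old MAC is reported too,
            # because the victim's cache flips with it.
            alerts.append((ts, "ip-mac-change", ip, prev, mac))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        # Report exactly when the MAC crosses the threshold, not on every packet.
        if len(mac_to_ips[mac]) == many_ips_threshold:
            alerts.append((ts, "mac-claims-many", mac, many_ips_threshold))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_conflicts(SAMPLE_REPLIES):
        print(alert)
```

Legitimate causes of a single change (a NIC replacement, VRRP/HSRP failover) exist, so the flapping pattern and the one-MAC-many-IPs pattern together are the stronger signal; a static ARP entry for the gateway on the monitoring host is the usual mitigation while you investigate.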

Since this is an unmanaged switch, the only way that I can think of is to temporarily put a hub between the switch and one of the devices you want to monitor, then plug a laptop into that hub to do the monitoring. The laptop should now see all traffic between the device and the switch.
This is pretty easy since you can do it at the location of one of the devices. You just need a hub, two more lengths of CAT cable and the computer you are using to monitor with.

The switch may have a management interface that lets you do that. Be warned that if you do, you'll wreck performance on the switch since everything attached to it will now have to deal with collisions.

If the switch is a managed switch, it likely has a mode to act like a hub. Just be careful not to leave it like that.
Some will also have ways to mirror ports and such as well. You need to find out what kind of switch it is.
RE Edit: If it is unmanaged, then you are boned. Use a hub, a managed switch or run Wireshark on the computer(s) affected.

You could try a port redirector, like this one. You would configure one device to talk to your computer instead of the other device, and the redirector will send the data to the real target. There are several programs like this out there, or you could write your own.

Related

Why can't I run two USB serial adaptors on the same machine?

My work involves interacting with legacy hardware that uses serial ports. I often have to monitor more than one serial line, and for the purpose I have a couple of the common USB serial adaptors. When I connect both of them to the same (Windows 10) machine, irregularities show up. Both ports show up in device manager, but only the first one that I plug in to the USB connector works. The other one indicates port not open when I try to send data via RealTerm.
I have also seen the situation where when I plug the second adaptor in, its port comes up, but the one for the other adaptor disappears. Does anyone know a way that two devices can happily coexist on the one machine? Thanks in advance.
Just in case this helps anyone in the future...
The problem seems to be caused by the fact that one of the adaptors was coming in via a (powered) USB hub. When I liberated another native port on the machine so I could host both serial adaptors directly, everything worked fine.
Not worth hunting the cause down, a solution is at hand.

How to find nodemcu (esp8266 + arduino) with dynamic IP (DHCP)?

I would like to connect the nodemcu to some LEDs, running a HTTP server (RESTful presumably) and turn on/off accordingly. However, how can the devices in the same network find the device? I guess I could try static IP for esp8266, but that is not guaranteed to work every time everywhere. So how can I scan the network to find that, or is there any better solution?
I think most people use multicast DNS (mdns) for this, a quick Google should give you some examples for the environment you use :)
I like using MQTT, which is a different protocol that uses a central broker, but it's probably not quite what you want.
Also, why would a fixed IP not work? Most routers allow you to assign one based on MAC address, which should work consistently.
And finally, you should be able to set a hostname for the ESP (wifi_station_set_hostname in the ESP SDK, which I think you can call from Arduino also), which should make it known with your router under that name.
I set my DHCP server to always give the same IP address to my NodeMCUs based on their MAC addresses. They are also configured with mDNS but I don't have mDNS on my Android phone so it didn't help me.

Windows networking using only Ethernet Frames

I'm doing a project where I must write a network library for a device connected to a Windows machine. The complication comes in that I may only communicate with the device using Ethernet frames. So there is no TCP/UDP/IP at all. I don't think the bind/listen/accept approach can be applied here, but maybe I am wrong. Also, there is no routing or switching involved.
I have a few questions. How do I use a socket to communicate with this device? Does winsock have any support for just frames? I haven't been able to find many resources on this. Does anyone have any ideas about how I should proceed?
Is using sockets even a good idea or can I just send out the information with the appropriate headers?
Use WinPcap, it has an API to send and listen to raw data.
You can build your communication layer with it.
Give the WinAoE code a look-see - it says it lets Windows talk to ATA over Ethernet devices which means it has to communicate without any of the upper layers of the network stack.
Edited:
As near as I can tell, if you want to send raw Ethernet frames, you want NdisSend and friends.
As well as WinPcap and NDIS you could also look at raw sockets, which are a standard part of the Windows API and don't require you to write driver code: http://msdn.microsoft.com/en-us/library/ms740548(v=vs.85).aspx

How can I discover if there are other devices on my local sub-net?

I'm trying to confirm a user has unplugged my embedded device from a network before performing some maintenance. I'm considering "ping"ing all IP addresses on my sub-net, but that sounds crude. Is there a broadcast/ARP method that might work better?
You can try a broadcast ping (this is from linux):
ping -b 255.255.255.255
Another option is to download Nmap and do a ping-scan.
You could use nmap. It's still crude, but at least it's using a tool designed to do it so you don't have to spend time on it.
If you can't get reliable link state information from your Ethernet device (which most chipsets should support these days, BTW...), sending an ARP request for each IP on your local subnet is a decent substitute. The overhead is minimal, and as soon as you get a single response, you can be sure you're still connected to a network.
The only possible problem I see here is that if your device is on a /8 subnet, it can take quite a while to loop through all 4294967296 possible IPs. So, you may want to consider some optimization, such as only sending ARP requests for your default gateway, as well as all IPs currently in your ARP table.
If there's a peer you know you were connected to recently you could try pinging or arping that first. That could cut down on the traffic you're generating.
You could also run tcpdump -n to see what's active on the network too.
Not receiving any responses to ICMP pings or ARP requests is not a 100% guarantee that there's no network connection. For instance, there might be devices on the network that are firewalled off.
EDIT: Maybe you could access some lower-level information on your embedded device to check whether the network interface has its link up without actually sending any data.
Is there any chance that your device supports UPnP or Bonjour? Besides the low-level protocols you should also have a look at these protocols, which support some kind of Plug-and-Play functionality. A UPnP device for example sends a message on the LAN before it is switched off (though this doesn't help if it is just removed by unplugging it...).
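Two of the threads above meet at the same layer: the Windows question needs to put bytes on the wire with nothing but an Ethernet header, and the link-check answers suggest sending an ARP request per local IP, gateway and ARP-table entries first. The example below is added here and is not code from any of the answers. It builds an Ethernet II frame carrying an ARP request, parses such a frame back into its fields, and orders the addresses to probe so the gateway and known neighbours go first and a /8 can be capped. Handing the frame to WinPcap's pcap_sendpacket (or an AF_PACKET socket on Linux) is left out so the code runs offline; the MAC and IP values are constructed.

```python
"""Build and parse raw Ethernet/ARP frames and plan an ARP sweep order.

Added example; it assumes the caller will pass the returned bytes to a
raw-frame send API (WinPcap pcap_sendpacket, Linux AF_PACKET).  The NIC
appends the FCS, so the frame built here is the 60-byte minimum body.
"""
import ipaddress
import struct

ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ARP_REQUEST, ARP_REPLY = 1, 2
# RFC 826 packet for Ethernet (htype 1, hlen 6) over IPv4 (ptype 0x0800, plen 4).
ARP_FMT = "!HHBBH6s4s6s4s"


def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_ethernet_frame(dst_mac, src_mac, ethertype, payload):
    """Ethernet II header (dst, src, type) + payload, zero-padded to 60 bytes."""
    header = mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", ethertype)
    return (header + payload).ljust(60, b"\x00")


def parse_ethernet_frame(frame):
    """Return (dst_mac, src_mac, ethertype, payload) from a received frame."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    return bytes_to_mac(frame[:6]), bytes_to_mac(frame[6:12]), ethertype, frame[14:]


def build_arp_request(sender_mac, sender_ip, target_ip):
    """'Who has target_ip? Tell sender_ip' with the target MAC left as zeros."""
    return struct.pack(ARP_FMT, 1, ETHERTYPE_IPV4, 6, 4, ARP_REQUEST,
                       mac_to_bytes(sender_mac), ipaddress.IPv4Address(sender_ip).packed,
                       b"\x00" * 6, ipaddress.IPv4Address(target_ip).packed)


def parse_arp(payload):
    """Decode the 28-byte ARP packet at the start of an Ethernet payload."""
    _, _, _, _, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    return {"op": op,
            "sender_mac": bytes_to_mac(sha), "sender_ip": str(ipaddress.IPv4Address(spa)),
            "target_mac": bytes_to_mac(tha), "target_ip": str(ipaddress.IPv4Address(tpa))}


def arp_probe_frame(our_mac, our_ip, target_ip):
    """Complete broadcast frame asking the LAN for target_ip's MAC."""
    arp = build_arp_request(our_mac, our_ip, target_ip)
    return build_ethernet_frame(BROADCAST_MAC, our_mac, ETHERTYPE_ARP, arp)


def plan_sweep(subnet, our_ip, gateway_ip, arp_cache_ips, max_probes=None):
    """Order addresses to probe: gateway, then cached neighbours, then the rest.

    Addresses outside the subnet and our own address are skipped; `max_probes`
    caps the list so a /8 does not mean billions of requests.  net.hosts() is a
    generator, so a large subnet is not materialised in memory.
    """
    net = ipaddress.ip_network(subnet, strict=False)
    seen = {ipaddress.ip_address(our_ip)}
    order = []

    def push(ip):
        if ip in net and ip not in seen:
            seen.add(ip)
            order.append(str(ip))

    for ip in [gateway_ip, *arp_cache_ips]:
        push(ipaddress.ip_address(ip))
    for ip in net.hosts():
        if max_probes is not None and len(order) >= max_probes:
            break
        push(ip)
    return order if max_probes is None else order[:max_probes]


if __name__ == "__main__":
    # Constructed addresses for the demonstration.
    frame = arp_probe_frame("02:00:00:00:00:05", "192.168.1.5", "192.168.1.1")
    print(parse_ethernet_frame(frame)[:3], parse_arp(parse_ethernet_frame(frame)[3]))
    print(plan_sweep("192.168.1.0/29", "192.168.1.5", "192.168.1.1", ["192.168.1.3", "10.0.0.7"]))
```

A reply (opcode 2) to any of these probes proves the link is up; a sweep that gets nothing back is inconclusive for the reason given above (hosts can drop ARP/ICMP), which is why the gateway goes first in the plan.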

Sniffing network traffic for signs of viruses/spyware

How can I connect a system to a network and sniff for virus/spyware related traffic? I'd like to plug in a network cable, fire up an appropriate tool and have it scan the data for any signs of problems. I don't expect this to find everything, and this is not to prevent initial infection but to help determine if there is anything trying to actively infect other systems/causing network problems.
Running a regular network sniffer and manually looking through the results is no good unless the traffic is really obvious, but I haven't been able to find any tool to scan a network data stream automatically.
I highly recommend running Snort on a machine somewhere near the core of your network, and span (mirror) one (or more) ports from somewhere along your core network path to the machine in question.
Snort has the ability to scan network traffic it sees, and automatically notify you via various methods if it sees something suspicious. This could even be taken further, if desired, to automatically disconnect devices, et cetera, if it finds something.
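What "something suspicious" means in practice is a rule or heuristic evaluated over the mirrored traffic. As an added example (not Snort, and not from this answer), the block below implements one of the simplest worm-style heuristics over constructed connection records: one source opening connections to many distinct hosts on the same port inside a short window. The log format, the window and the threshold are assumptions chosen for the example.

```python
"""Flag horizontal scanning (one source, one port, many destinations).

Added example with a constructed flow log.  Each line is
    <epoch seconds> <src ip> <dst ip> <dst port> <proto>
as a flow exporter or a sniffer's connection summary might emit.
"""
from collections import defaultdict, deque

# Constructed sample: 10.0.0.5 sweeps port 445 across five hosts within a few
# seconds, then touches one more host much later; 10.0.0.7 is ordinary traffic.
SAMPLE_LOG = """\
1000 10.0.0.5 10.0.0.20 445 tcp
1001 10.0.0.5 10.0.0.21 445 tcp
1002 10.0.0.5 10.0.0.22 445 tcp
1002 10.0.0.5 10.0.0.22 445 tcp
1003 10.0.0.5 10.0.0.23 445 tcp
1004 10.0.0.5 10.0.0.24 445 tcp
1010 10.0.0.7 10.0.0.9 80 tcp
1011 10.0.0.7 10.0.0.9 443 tcp
2000 10.0.0.5 10.0.0.30 445 tcp
"""


def parse_flow_log(text):
    """Yield (ts, src, dst, dport, proto) tuples, skipping blank/malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, proto = parts
        yield int(ts), src, dst, int(dport), proto


def detect_horizontal_scans(records, window=60, threshold=5):
    """Return (ts, src, dport, distinct_dsts) when a (src, dport) pair reaches
    `threshold` distinct destinations within `window` seconds.

    One alert is raised at the moment the count crosses the threshold; repeats
    of the same destination do not count, and old entries age out of the window.
    """
    recent = defaultdict(deque)   # (src, dport) -> deque of (ts, dst)
    alerts = []
    for ts, src, dst, dport, _proto in records:
        key = (src, dport)
        window_q = recent[key]
        window_q.append((ts, dst))
        while window_q and ts - window_q[0][0] > window:
            window_q.popleft()
        distinct = len({d for _, d in window_q})
        if distinct == threshold:
            alerts.append((ts, src, dport, distinct))
    return alerts


if __name__ == "__main__":
    for alert in detect_horizontal_scans(parse_flow_log(SAMPLE_LOG)):
        print("possible scan:", alert)
```

Tuning is where the real work is: a backup server or a monitoring host legitimately fans out to many machines, so such sources are whitelisted per port, and a mirrored core link at line rate needs the state kept bounded (the deque per key does that here).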
Use snort: An open source network intrusion prevention and detection system.
Wireshark, formerly Ethereal, is a great tool, but will not notify you or scan for viruses. Wireshark is a free packet sniffer and protocol analyzer.
Use the netstat -b command to see which processes have which ports open.
Use CPorts to see a list of ports and the associated programs, and have the ability to close those ports.
Download a free anti-virus program such as free AVG.
Set up your firewall more tightly.
Set up a gateway computer to let all network traffic go through. Take the above recommendations to the gateway computer instead. You will be checking your whole network instead of just your one computer.
You can make Snort scan traffic for viruses. I think this will be the best solution for you.
For watching local network traffic your best bet (with a decent switch) is to set your switch to route all packets out a specific interface (as well as whatever interface it would normally send). This lets you monitor the entire network by dumping traffic down a specific port.
On a 100 megabit network, however, you'll want a gigabit port on your switch to plug it into, or to filter on protocol (e.g. trim out HTTP, FTP, printing, traffic from the fileserver, etc.), or your switch's buffers are going to fill up pretty much instantly and it'll start dropping whatever packets it needs to (and your network performance will die).
The problem with that approach is that most networks today are on switches, not hubs. So, if you plug a machine with a packet sniffer into the switch, it will only be able to see traffic to and from the sniffing machine; and network broadcasts.
As a follow-up to Ferruccio's comment, you will need to find some method of getting around your switches.
A number of network switches have the option of setting up port mirrors, so that all traffic (regardless of the destination) will be copied, or "mirrored", to a nominated port. If you could configure your switch to do this then you would be able to attach your network sniffer here.
Network Magic, if you don't mind something that's not open source.
You can use an IDS, hardware or software
http://en.wikipedia.org/wiki/Intrusion-detection_system