Ryan P. Sommers
ryans at rpsommers.com
Fri Sep 9 07:37:30 PDT 2005
I'm attempting to set up a few systems such that I can sniff traffic to and
from one computer. One requirement is this has to be as portable as
possible. I obtained a "hub" and set up the target and the sniffing system.
However, the sniffing system was not able to see all traffic to/from the
target. The lights on the hub blinked over the uplink (internet) and the
target, but not the sniffer. Next I tried my laptop as the sniffer
(7-CURRENT, had tried both a Windows laptop and a laptop booted off a
Linux live-filesystem). I was able to spoof the MAC address and IP on the
sniffer (freebsd) and set monitor mode for the interface. However, I still
was not able to see traffic to/from the target. The whole time though I
have been able to, of course, see broadcast traffic.

With the spoofed ip/mac though if I unplug the hub and then plug it back
in, or periodically when leaving it plugged in, the sniffer will get a
brief glimpse at a packet or two that was sent to the target system. This
suggests to me the "hub" is learning, somehow. My question though is how?

I took the sniffer out of monitor mode and generated a few ARP packets by
pinging unused IPs. I also ran ethereal on the target. The target saw the
ARPs generated by the sniffer system and the source address was correct;
it was the mac address both systems were using. How is the hub able to
tell these systems apart?

Hub in question is a linksys NH1005 v2.

All this was done at 100mbit full-duplex. Freebsd laptop nic won't drop to
half and I'm not sure how to force linux (target's os) to use anything
other than its auto-config.

PS If anyone knows of a hub that's "easy" to find and still is an actual
good ol' hub, let me know.
ryans < a_t > rpsommers.com
(obsolete: ryans at gamersimpact.com)