#1  08-18-2005, 09:31 PM
jms504
Windows Traffic Sniffer

I'm looking for a good windows traffic sniffer for a switched network.
As you already know, ethereal only does hubbed traffic sniffing.
I need it for network packet analysis.

I installed the ettercap interface for windows but to be frank, it
sucks!


#2  08-18-2005, 11:02 PM
xsr
Re: Windows Traffic Sniffer

jms504 Wrote:
> I'm looking for a good windows traffic sniffer for a switched network.
> As you already know, ethereal only does hubbed traffic sniffing.
> I need it for network packet analysis.
>
> I installed the ettercap interface for windows but to be frank, it
> sucks!

No way you can "just" sniff a switched network, as the packets are not
passing your computer. To be able to sniff on a switched network, you
need something to perform arp poisoning as well, which ettercap, hunt &
Juggernaut can (to name a few).

Ethereal for windows is also fine to use, but there needs to be a
separate program running which performs arp poisoning (like ARP0c/WCI
from www.phenoelit.de).

There are also more windows/user friendly tools for this, like Cain &
Abel (www.oxid.it). Before doing anything I suggest to read up on arp
poisoning, just to see what it is you are doing (aside from sniffing),
since even Cain & Abel is not doing it automagically for you...

BTW, properly configured switches/routers can also prevent arp
poisoning and trigger some alerts.

----
xsr
08eb d563 c78f 85a9 2f4b 571b 9177 22e6 65ad ac05
http://www.research-labs.net/


#3  08-19-2005, 12:46 AM
Hairy One Kenobi
Re: Windows Traffic Sniffer

"jms504" <jms504@gmail.com> wrote in message
news:1124397086.944517.215980@g43g2000cwa.googlegroups.com...
> I'm looking for a good windows traffic sniffer for a switched network.
> As you already know, ethereal only does hubbed traffic sniffing.
> I need it for network packet analysis.
>
> I installed the ettercap interface for windows but to be frank, it
> sucks!


Most sniffers are based on (Win)PCAP, in my experience - Ethereal is a
rather nifty front end (as long as you don't push it too far. *Never* run it
on a production box, just on a client machine. It occasionally goes "la la")
Ettercap is something that I've heard good things about, but...

A lot depends upon your infrastructure, but most modern Cisco switches can
be easily configured to provide sniffer info; even easier is to simply
introduce a hub at the direct internet connection (for small sites - SPF!);
I use this technique myself, and filter PCAP for the times (most of 'em)
when I'm not interested in (e.g.) ARP.

HTH

Hairy One Kenobi

Disclaimer: the opinions expressed in this opinion do not necessarily
reflect the opinions of the highly-opinionated person expressing the opinion
in the first place. So there!



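The arp poisoning xsr describes in #2 and the "filter PCAP for ARP" step Hairy One Kenobi mentions in #3, as an added example that is not from any poster in this thread and not code from Ettercap, Cain & Abel, Ethereal or any other tool named here. It forges the two ARP replies a poisoner sends to sit between a victim and its gateway, writes them into a capture in the classic libpcap file format that WinPcap and Ethereal use, reads the capture back, filters the ARP frames out, and detects the poisoning by tracking which MAC claims each IP, which is the check a switch or IDS makes when it "triggers some alerts". The gateway, victim and attacker addresses and the frames themselves are constructed test data.

```python
import struct

ETH_P_ARP, ETH_P_IP = 0x0806, 0x0800
ARP_REQUEST, ARP_REPLY = 1, 2
PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1

# Constructed hosts for the example (assumed, not from the thread).
GATEWAY_IP, GATEWAY_MAC = "10.0.0.1", "00:00:5e:00:01:01"
VICTIM_IP, VICTIM_MAC = "10.0.0.10", "02:00:00:00:00:10"
ATTACKER_MAC = "02:00:00:00:00:99"
BCAST, ZERO = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"

def mac_bytes(s): return bytes.fromhex(s.replace(":", ""))
def mac_str(b): return ":".join("%02x" % x for x in b)
def ip_bytes(s): return bytes(int(o) for o in s.split("."))
def ip_str(b): return ".".join(str(x) for x in b)

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, dst_mac=None):
    """Ethernet II frame carrying an RFC 826 IPv4-over-Ethernet ARP packet.
    A poisoner sends op=2 replies whose sender_ip belongs to another host."""
    eth = mac_bytes(dst_mac or target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, ETH_P_IP, 6, 4, op)
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth + arp

def parse_arp(frame):
    """ARP fields of an Ethernet frame, or None if it is not IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, ETH_P_IP, 6, 4):
        return None
    b = frame[22:42]
    return {"op": op, "sender_mac": mac_str(b[0:6]), "sender_ip": ip_str(b[6:10]),
            "target_mac": mac_str(b[10:16]), "target_ip": ip_str(b[16:20])}

def write_pcap(frames, first_ts=1124397086):
    """Serialise frames as a classic little-endian libpcap file (what WinPcap writes)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", first_ts + i, 0, len(f), len(f)) + f
    return out

def read_pcap(data):
    """Parse a little-endian libpcap file back into a list of Ethernet frames."""
    magic, linktype = struct.unpack("<I", data[:4])[0], struct.unpack("<I", data[20:24])[0]
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("not a little-endian Ethernet pcap")
    frames, off = [], 24
    while off + 16 <= len(data):
        incl_len = struct.unpack("<IIII", data[off:off + 16])[2]
        frames.append(data[off + 16:off + 16 + incl_len])
        off += 16 + incl_len
    return frames

def drop_arp(frames):
    """The 'filter PCAP for ARP' step: keep only frames whose EtherType is not ARP."""
    return [f for f in frames if struct.unpack("!H", f[12:14])[0] != ETH_P_ARP]

def detect_arp_poisoning(frames, trusted=None):
    """Alert when an IP is claimed by a MAC other than the binding already learned
    (or seeded via `trusted`, e.g. from DHCP leases or the switch MAC table).
    Learning on first sight is the arpwatch approach; seeding covers hosts the
    monitor never saw speak before the poisoner did."""
    bindings, alerts = dict(trusted or {}), []
    for idx, frame in enumerate(frames):
        a = parse_arp(frame)
        if a is None or a["op"] not in (ARP_REQUEST, ARP_REPLY):
            continue
        known = bindings.get(a["sender_ip"])
        if known is None:
            bindings[a["sender_ip"]] = a["sender_mac"]
        elif known != a["sender_mac"]:
            alerts.append((idx, "%s claimed by %s, previously %s"
                           % (a["sender_ip"], a["sender_mac"], known)))
    return alerts, bindings

def sample_capture():
    """Constructed capture: a normal ARP exchange, one IP frame, then the two
    forged replies a poisoner sends to sit between victim and gateway."""
    return write_pcap([
        build_arp(ARP_REQUEST, VICTIM_MAC, VICTIM_IP, ZERO, GATEWAY_IP, dst_mac=BCAST),
        build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
        mac_bytes(GATEWAY_MAC) + mac_bytes(VICTIM_MAC) + struct.pack("!H", ETH_P_IP) + bytes(20),
        build_arp(ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
        build_arp(ARP_REPLY, ATTACKER_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),
    ])

if __name__ == "__main__":
    frames = read_pcap(sample_capture())
    for idx, msg in detect_arp_poisoning(frames)[0]:
        print("frame %d: %s" % (idx, msg))
    print("%d non-ARP frames kept after filtering" % len(drop_arp(frames)))
```

Run as a script it reports the two forged replies (frames 3 and 4) and keeps the single IP frame after filtering; feed the bytes of a real capture to read_pcap to run the same check on live data. The `trusted` table matters: a monitor that learns the first binding it sees will miss a poisoner who claims an address before the real host ever speaks, which is why tools like Snort's arpspoof preprocessor also accept static IP/MAC pairs for the hosts you care about.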
#4  08-19-2005, 04:37 AM
jms504
Re: Windows Traffic Sniffer

I'm aware of what ethereal/ettercap/ etc do.
I'm not some script kiddie.

I was just wondering if there is a better tool for Win other than
ettercap.
I've evaluated a few, but they're not the least bit sufficient and I'm a
GUI guy.

It can trigger ALL the alerts it wants..i'm not a Black Hat. I'm just
doing a netmon assignment evaluating traffic passing into servers while
actively sniffing.


#5  08-19-2005, 04:44 AM
jms504
Re: Windows Traffic Sniffer

Right.
Ultimately what I am doing is trying to find a way to be able to sniff
traffic on the same subnet to a group of servers without having to go
to each server and set up a sniffer to log incoming packets. We have a
pretty good size network. Setting up a sniffer on each would be too
resource consuming.

From my education (NSA-NSTISS-NIETP based) we worked with sniffers, but
the better ones were in a linux environment and we are strictly
windows.
Ettercap and the interfaces for linux provided me with some nice tools
however, the windows versions are buggy, and don't cut it.
Installing linux or running live linux isn't an option.
I'm trying to find an active sniffer that will be safe to run..as a
passive sniffer won't cut it..and bringing down the network would be a
bad thing..a VERY bad thing. I

Log analysis would not suffice..we need real time capture and analysis
at certain times.

This is quite the bitch.


#6  08-19-2005, 11:04 AM
Gerard Bok
Re: Windows Traffic Sniffer

On 18 Aug 2005 20:37:21 -0700, "jms504" <jms504@gmail.com> wrote:

>I'm aware of what ethereal/ettercap/ etc do.
>I'm not some script kiddie.
>
>I was just wondering if there is a better tool for Win other than
>ettercap.
>I've evaluated a few, but theyre not the least bit sufficient and I'm a
>GUI guy.
>
>It can trigger ALL the alerts it wants..i'm not a Black Hat. I'm just
>doing a netmon assignment evaluating traffic passing into servers while
>actively sniffing.


In that case: do the math :-)

100 Mbs network ?
nn hosts ?
Switch ? so: duplex.
Find yourself a 2 * nn * 100 Mbps capable solution and you can
watch things from your chair.

Or: do what we all do :-)
(And that probably does not involve 'Windows' :-)

--
Kind regards,
Gerard Bok

#7  08-19-2005, 11:17 AM
xsr
Re: Windows Traffic Sniffer

Indeed a bitch getting assigned something but not allowed to use the
most suitable os for it...

Just realized, without arp poisoning, there is also another option of
remote sniffing. Analyzer and winpcap. I've never tried it myself but
those polito.it guys outline that with winpcap it is possible to
install some sort of sniffer daemon (rpcapd.exe), manageable with the
tool daemon_mgm.exe from winpcap.

Their analyzer (http://analyzer.polito.it) should be able to use
this daemon.

----
xsr
08eb d563 c78f 85a9 2f4b 571b 9177 22e6 65ad ac05
http://www.research-labs.net/


#8  08-19-2005, 12:56 PM
xsr
Re: Windows Traffic Sniffer

jms504 Wrote:
> Right.
> Ultimately what I am doing is trying to find a way to be able to sniff
> traffic on the same subnet to a group of servers without having to go
> to each server and set up a sniffer to log incoming packets. We have a
> pretty good size network. Setting up a sniffer on each would be too
> resource consuming.

OK, so ignore my post about remote sniffing, heh. I've read this after
getting enthusiastic about the remote sniffer daemon.

jms504 Wrote:
> ..and bringing down the network would be a
> bad thing..a VERY bad thing

When poisoning, existing connections usually get dropped, even if it
might take a second or less for the programs to reconnect. Unless these
programs require user intervention for re-establishing.

Considering this next to the mentioned hardware or (non-gui or gui)
tools, I don't know of a way to make it work on windows.
You could try arp-sk (http://www.arp-sk.org/) but it is non-gui.
Cain & Abel combined with analyzer seems like the closest match to your
requirements, in my opinion. It seems like a bitch to add all the hosts
separately into Cain's APR, though.

Anyway, good luck with it.

----
xsr
08eb d563 c78f 85a9 2f4b 571b 9177 22e6 65ad ac05
http://www.research-labs.net/


#9  08-19-2005, 07:24 PM
Kevin Reiter
Re: Windows Traffic Sniffer

jms504 wrote:
> I'm looking for a good windows traffic sniffer for a switched network.
> As you already know, ethereal only does hubbed traffic sniffing.
> I need it for network packet analysis.
>
> I installed the ettercap interface for windows but to be frank, it
> sucks!


Snort with MySQL and BASE. No GUI, but the results are in a web page (BASE)

If you can install a second NIC on the box, you can stealth it and pick up
more traffic on a switched LAN. It can also detect arp spoofing, blah
blah blah.

Snort: http://www.snort.org
MySQL: http://www.mysql.com
BASE: http://secureideas.sourceforge.net/
Snort on Win32: http://www.winsnort.com

#10  08-21-2005, 04:47 PM
Wayne
Re: Windows Traffic Sniffer


"jms504" <jms504@gmail.com> wrote in message
news:1124397086.944517.215980@g43g2000cwa.googlegroups.com...
> I'm looking for a good windows traffic sniffer for a switched network.
> As you already know, ethereal only does hubbed traffic sniffing.
> I need it for network packet analysis.
>
> I installed the ettercap interface for windows but to be frank, it
> sucks!
>


If you are using Cisco switches ask your network engineer or admin or
whoever to set up a SPAN port for you. I'm sure other vendors have a similar
feature in the event that you are not using Cisco switches.



#11  08-22-2005, 02:35 AM
David
Re: Windows Traffic Sniffer

Ettercap is really designed for windows, although Cain & Abel might do
the trick.

Another option is to use cygwin to emulate *nix and put ettercap in
cygwin. You still may need winpcap, and though I've tried ettercap on
actual linux, and cygwin, I've never tried ettercap "in" cygwin before.

Good luck,
David

jms504 wrote:
> I'm looking for a good windows traffic sniffer for a switched network.
> As you already know, ethereal only does hubbed traffic sniffing.
> I need it for network packet analysis.
>
> I installed the ettercap interface for windows but to be frank, it
> sucks!
>

