Home page logo

basics logo Security Basics mailing list archives

RE Sniffer - How's the best way to deploy ?
From: Francois Labreque <flabreq () ca ibm com>
Date: Tue, 11 Jul 2006 14:57:26 -0400

marcioacosta () gmail com a écrit sur 2006-07-10 22:39:23 :

Please someone could tell me the best practice to deploy a sniffer 
on the network?

Here is my scenario:

  I have PLC network that read some data from the assemble line and 
send to server which is located out of the site. Two or three time a
week we ?lost? your Ethernet connection, this is what the floor 
people said, the true is for some reason the data is not processed 
correctly and the assemble line stop for a while (3 min max).

 There are some technical root cause for that :

1- PLC is not working properly (not read or send data out)

2- Problem on LAN network 

3- Problem on the WAN network, ?cause there is MPLS could to reach the 

4- Problem on the server (busy)

 Our first step is to isolate the PLC possible issue, so we will 
deploy a sniffer on the Switch 2955 that this PLC network is 
connected to. To do that we?re going to put a desktop with Ethereal 
installed on one of empty port on this switch and mirror the PLC 
switch port to the desktop switch port.

 My doubt is: How?s the best way to do it ?

 -  I think this desktop must have two NIC, one with no ip 
configuration and other with ip configuration and also connected to 
another port that we can collect the data

Yes.  On a 2950 series of switches, the port that is monitoring can not 
receive "regular" packets at the same time, so you won't be able to 
remotely monitor that PC unless it has two nics, and you talk to it via 
the oter one.

-  What?s the best sniffer to harvest this kind of data? Ethereal?

Ethereal is more than enough to capture traffic, however, if there are 
cabling issues, specialized software or tools might be required.

-  How?s the best way to log this data? Is there any software for 
Windows to do it?

Ethereal is available for Windows.

This list is sponsored by: SensePost

Hacking, like any art, will take years of dedicated study and
practice to master. We can't teach you to hack. But we can teach you
what we've learned so far. Our courses are honest, real, technical
and practical. SensePost willl be at Black Hat Vegas in July. To see
what we're about, visit us at:


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]