Windows network/packet sniffers


Posted on Tue Jan 08, 2002 6:45 am

Well, I thought I ran a relatively tight ship with my network at home... at least tight enough to not really need the hardcore networking security tools. I just found NADAEMON (stupid spying digital rights management bozos) on a box in my house that was having problems with using IRC/IM/WindowsUpdate. The worst part is, it wasn't caught by anything including AdAware.

Which brings me to my question. Can anyone recommend a good free or cheap Windows NT based sniffer for the network here? I think it's time to start cracking down on my network traffic. (I know a Linux solution will likely be suggested as well, but it isn't a viable option at the moment as long as I have the job and budget that I do.)

Darth Willis
Gerbil
 
Posts: 36
Joined: Wed Dec 26, 2001 7:00 pm
Location: somewhere around Nashville

Posted on Tue Jan 08, 2002 8:17 am

Please describe your home network.
Despite
Gerbil XP
 
Posts: 496
Joined: Thu Dec 27, 2001 7:00 pm
Location: Oklahoma

Posted on Tue Jan 08, 2002 10:30 am

I was going to go the 'preach Linux' route, but I'm being good today, just spectating. :smile:
Forge
Lord High Gerbil
Silver subscriber
 
 
Posts: 8061
Joined: Wed Dec 26, 2001 7:00 pm
Location: SouthEast PA

Posted on Tue Jan 08, 2002 11:05 am

Four boxen, Win2K sp2 on all (two directly in my control, two indirectly but should really be more active in now), Linksys broadband router, static IP config. Anything else?

Forge, I appreciate the restraint. I do still want to convert to Linux one of these days, but I can't as long as I work for a company that (insert whiny idiot voice here) realllyyyyy waaahnts usss to ussseee Offficcceeee forr evvverythinnngggg (end whiny voice) as well as make us use NT proprietary software and keep us time poor. You remember a few months ago? I got Mandrake running, but never got the opportunity to use it, and the time spent in cls screwed me up at work for weeks when doing work in dos. Heh.
It's not that I'm lazy, it's that I just don't care.
Darth Willis
Gerbil
 
Posts: 36
Joined: Wed Dec 26, 2001 7:00 pm
Location: somewhere around Nashville

Posted on Tue Jan 08, 2002 11:37 am

Many of the ones available for linux have been ported to windows.

netcat- http://www.atstake.com/research/tools/i ... _utilities

snort- http://www.snort.org

In any case- go to http://www.securityfocus.com/cgi-bin/tools.pl and check out a complete list and get which one's best for you.


lllama
Gerbil
 
Posts: 14
Joined: Tue Jan 01, 2002 7:00 pm
Location: the bit bucket

Posted on Tue Jan 08, 2002 12:19 pm

wait a sec, is this for at home or at work? do you have any spare hardware laying about that can be pressed into service as a transparent bridge? I guess maybe I don't fully understand your question. Do you mean to run some sort of sniffer on each host?
Despite
Gerbil XP
 
Posts: 496
Joined: Thu Dec 27, 2001 7:00 pm
Location: Oklahoma

Posted on Tue Jan 08, 2002 1:25 pm

Despite, it's for my home network. I'm open to doing either or, whichever is quickest to push into service. I've got some ancient K6-233 guts kicking around, but no case at the moment (although in a pinch, a cardboard box can do to keep the cats out). I'm basically looking for a quick and dirty solution until I have some real free time to research and do things right... especially since fully secure networking isn't one of my strongest points. I'm more of a hardware monkey that's quickly falling behind because of a dead-end field circus job. I swear I used to know more, but I think it was pushed out by managerial BS. :wink:
Darth Willis
Gerbil
 
Posts: 36
Joined: Wed Dec 26, 2001 7:00 pm
Location: somewhere around Nashville

Posted on Tue Jan 08, 2002 1:30 pm

Connect the PCs using a hub (not a switch) and run the NIC (i.e. one computer for the whole network) doing the sniffing in promiscuous mode. Won't help you from the block traffic perspective, but this should be the fastest way to at least see what's going on. If you're on a switched network, you might have to run it on all the machines unless something like ettercap exists for Windows (check my earlier link).
lllama
Gerbil
 
Posts: 14
Joined: Tue Jan 01, 2002 7:00 pm
Location: the bit bucket

Posted on Tue Jan 08, 2002 1:52 pm

okay then, since you don't want to hear me push linux, I won't. Use OpenBSD instead. :wink: Seriously, running a transparent bridge with OpenBSD is pretty simple. That's even one of the examples they go through on the networking faq. And that "ancient" machine you mentioned would be plenty for what you want to do. I run my home network through a K6-200 running OpenBSD and it only adds a millisecond or so to the latency, so even if you're a gamer you shouldn't mind too much. Another thing for which I prefer OpenBSD over linux is the install size. I can easily get it installed in under 400 megs, but I never can seem to get a RedHat install anywhere near that small. Probably I should try Slackware but they don't seem to keep it updated enough for me... Anyhoo, where was I? Oh yeah, if you run a transparent bridge, you can implement rules to pass or block traffic based on your own criteria, something you obviously can't do with a separate node running in promiscuous mode. I don't want to sound like a zealot or anything, but you really should check out http://www.openbsd.org If you're anal about security (and I am) it's a lovely OS right out of the box.

Despite
Gerbil XP
 
Posts: 496
Joined: Thu Dec 27, 2001 7:00 pm
Location: Oklahoma
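The two approaches above (lllama's sniffer on a promiscuous NIC behind a hub, which only observes, and Despite's transparent bridge, which can also pass or block traffic by rule) both start from the same job: decode each raw Ethernet frame into addresses, protocol and ports, then either log it or apply a policy to it. The following is an added Python example written for this thread, not code from any of the posters, from OpenBSD, or from Snort or ettercap. It builds three constructed frames (DNS, HTTP and an IRC connection attempt, the ports are chosen to match the traffic mentioned in the thread, not taken from any real capture), decodes them the way a sniffer would, and runs a deliberately simple first-match pass/block rule list over them the way a bridge would. The rule format and first-match semantics are this example's own assumption, not pf syntax.

```python
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Fixed-size header layouts in network byte order.
ETH_HDR = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")    # ver/ihl, tos, len, id, frag, ttl, proto, csum, src, dst
TCP_HDR = struct.Struct("!HHIIBBHHH")        # sport, dport, seq, ack, doff, flags, win, csum, urg
UDP_HDR = struct.Struct("!HHHH")             # sport, dport, len, csum


@dataclass
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: str               # "tcp", "udp" or "other"
    sport: Optional[int]
    dport: Optional[int]
    payload: bytes


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> Optional[Packet]:
    """Decode Ethernet II + IPv4 (+ TCP/UDP). Returns None for anything else or truncated input."""
    if len(frame) < ETH_HDR.size:
        return None
    dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != 0x0800:                  # ARP, IPv6 etc. are skipped here
        return None
    off = ETH_HDR.size
    if len(frame) < off + IPV4_HDR.size:
        return None
    vihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, sip, dip = IPV4_HDR.unpack_from(frame, off)
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or len(frame) < off + ihl:
        return None
    l4 = off + ihl
    end = min(len(frame), off + total_len)   # ignore trailing padding past the IP length
    name, sport, dport, payload = "other", None, None, frame[l4:end]
    if proto == 6 and end - l4 >= TCP_HDR.size:
        fields = TCP_HDR.unpack_from(frame, l4)
        sport, dport = fields[0], fields[1]
        doff = (fields[4] >> 4) * 4          # TCP data offset, in 32-bit words
        name, payload = "tcp", frame[l4 + doff:end]
    elif proto == 17 and end - l4 >= UDP_HDR.size:
        sport, dport, _ulen, _ucsum = UDP_HDR.unpack_from(frame, l4)
        name, payload = "udp", frame[l4 + UDP_HDR.size:end]
    return Packet(mac_str(src), mac_str(dst), socket.inet_ntoa(sip), socket.inet_ntoa(dip),
                  name, sport, dport, payload)


# Rule = (action, protocol or "any", destination port or None for any). First match wins.
Rule = Tuple[str, str, Optional[int]]
DEFAULT_RULES: List[Rule] = [
    ("pass", "tcp", 80),
    ("pass", "tcp", 443),
    ("pass", "udp", 53),
    ("block", "any", None),                  # default deny for everything else
]


def decide(pkt: Packet, rules: List[Rule] = DEFAULT_RULES) -> str:
    for action, proto, port in rules:
        if proto != "any" and proto != pkt.proto:
            continue
        if port is not None and port != pkt.dport:
            continue
        return action
    return "block"


def build_frame(src_ip: str, dst_ip: str, proto: str, sport: int, dport: int, payload: bytes = b"") -> bytes:
    """Construct a sample frame (checksums left zero; MACs are made-up locally assigned values)."""
    src_mac, dst_mac = bytes.fromhex("00a0c9000001"), bytes.fromhex("00a0c9000002")
    if proto == "tcp":
        l4, pnum = TCP_HDR.pack(sport, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0) + payload, 6
    else:
        l4, pnum = UDP_HDR.pack(sport, dport, UDP_HDR.size + len(payload), 0) + payload, 17
    ip = IPV4_HDR.pack(0x45, 0, IPV4_HDR.size + len(l4), 1, 0, 64, pnum, 0,
                       socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ETH_HDR.pack(dst_mac, src_mac, 0x0800) + ip + l4


# Constructed sample traffic from a LAN host: a DNS query, an HTTP request and an IRC connect.
SAMPLE_FRAMES = [
    build_frame("192.168.1.10", "192.168.1.1", "udp", 1025, 53, b"\x00\x01"),
    build_frame("192.168.1.10", "10.0.0.5", "tcp", 1026, 80, b"GET / HTTP/1.0\r\n\r\n"),
    build_frame("192.168.1.10", "10.0.0.6", "tcp", 1027, 6667),
]


def audit(frames: List[bytes], rules: List[Rule] = DEFAULT_RULES):
    """Decode each frame and record what a bridge with these rules would do with it."""
    report = []
    for f in frames:
        p = parse_frame(f)
        if p is not None:
            report.append((p.src_ip, p.dst_ip, p.proto, p.dport, decide(p, rules)))
    return report


if __name__ == "__main__":
    for row in audit(SAMPLE_FRAMES):
        print("%-14s -> %-14s %-5s dport=%-5s %s" % row)
```

Run stand-alone it prints one line per frame with the decision; the IRC connection on port 6667 falls through to the default block rule, which is the kind of unexpected outbound connection a sniffer on the hub would show you but only a bridge could stop. Feeding real frames to `parse_frame` would require a promiscuous-mode capture source, which this example does not include.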

Posted on Tue Jan 08, 2002 5:28 pm

lllama, I appreciate the advice... I've been looking over Snort actually. Might do what I need, however it requires putting up a new box. I'd heard of ettercap as well but was a little wary due to security issues.

Speaking of a new box... Despite, I'm much obliged for the smack around with reality bit. It's starting to look like the only way to go is to do it right from the beginning and throw a *nix box in. Here's hoping work will lay off of me enough to do this the next few days. I'll seriously look into OpenBSD. Any chance I can consult with you if I go this route and hit any snafus? :grin:

And since I'm seriously considering going this route, and I'm sure Forge is just chomping at the bit... I'd love to hear your two cents on the issue, as well as anyone else's. Thanks for the help everyone. :smile:
Darth Willis
Gerbil
 
Posts: 36
Joined: Wed Dec 26, 2001 7:00 pm
Location: somewhere around Nashville

Posted on Wed Jan 09, 2002 8:47 am

Darth Willis, I will be happy to help in any way I can. You probably won't need it though; the OpenBSD faqs and man pages are extremely well written. But if you find that you do need help, or just want to compare notes on firewalling strategies, then ask in here or maybe in "Linux, Unix, and Assorted Madness" if that's more appropriate, and I assure you that you'll find people eager to help out.
Despite
Gerbil XP
 
Posts: 496
Joined: Thu Dec 27, 2001 7:00 pm
Location: Oklahoma
