udp traffic cannot be sniffed - Networking



Thread: udp traffic cannot be sniffed

  1. udp traffic cannot be sniffed

    I am tasked with recording some udp messages between 2 windows
    applications. I'm using a linux box with wireshark and tcpdump
    installed. I am on the same physical switch(tried 2 different ones)
    and have the same subnet and my ip is only different in the 4th octet
    i.e. 192.168.1.xxx. The switch is not vlan'd or anything fancy, this
    should be a no-brainer(or so i thought).

    The applications are talking on port 7000 using udp. If I ran
    wireshark on either of the windows boxes I see the traffic. But if I
    run it from the linux box I see everything *but* this specific
    traffic. If I filter on just port 7000 or just udp(or both), I get
    nothing. Then I tried adding a third windows box and it could not see
    the traffic either.

    I might add that on the windows boxes where i can see the traffic in
    wireshark, wireshark is incorrectly interpreting the protocol as "RX"
    and it says it's "malformed". But this is a proprietary(really simple)
    protocol that happens to just use the same port as whatever RX does.
    If I look at the hex, it is correct.

    What the heck is going on and why can't I record this traffic?

    -Kevin


  2. Re: udp traffic cannot be sniffed

    On Fri, 03 Aug 2007 02:30:41 +0000, kevincw01 wrote:

    > I am tasked with recording some udp messages between 2 windows
    > applications. I'm using a linux box with wireshark and tcpdump
    > installed. I am on the same physical switch(tried 2 different ones) and

    .....
    > What the heck is going on and why can't I record this traffic?


    Use a hub, not a switch.


  3. Re: udp traffic cannot be sniffed

    On Aug 2, 8:17 pm, Dave Uhring wrote:
    > On Fri, 03 Aug 2007 02:30:41 +0000, kevincw01 wrote:
    > > I am tasked with recording some udp messages between 2 windows
    > > applications. I'm using a linux box with wireshark and tcpdump
    > > installed. I am on the same physical switch(tried 2 different ones) and

    > ....
    > > What the heck is going on and why can't I record this traffic?

    >
    > Use a hub, not a switch.


    I'm required to use a switch(and a specific one).


  4. Re: udp traffic cannot be sniffed

    kevincw01 schrieb:
    > On Aug 2, 8:17 pm, Dave Uhring wrote:
    >> On Fri, 03 Aug 2007 02:30:41 +0000, kevincw01 wrote:
    >>> I am tasked with recording some udp messages between 2 windows
    >>> applications. I'm using a linux box with wireshark and tcpdump
    >>> installed. I am on the same physical switch(tried 2 different ones) and

    >> ....
    >>> What the heck is going on and why can't I record this traffic?

    >> Use a hub, not a switch.

    >
    > I'm required to use a switch(and a specific one).
    >

    If it is a managed switch, maybe you could set the port you use as
    monitoring port, so that all traffic on the switch is sent out on
    that port.
    If it is not a managed switch, you could use ettercap for
    arp-poisoning the switch, but better ask your administrator first.

    If none of these work, forget it.

    Greets
    Chris

  5. Re: udp traffic cannot be sniffed

    On Aug 3, 9:16 am, Christoph Scheurer wrote:
    > kevincw01 schrieb:> On Aug 2, 8:17 pm, Dave Uhring wrote:
    > >> On Fri, 03 Aug 2007 02:30:41 +0000, kevincw01 wrote:
    > >>> I am tasked with recording some udp messages between 2 windows
    > >>> applications. I'm using a linux box with wireshark and tcpdump
    > >>> installed. I am on the same physical switch(tried 2 different ones) and
    > >> ....
    > >>> What the heck is going on and why can't I record this traffic?
    > >> Use a hub, not a switch.

    >
    > > I'm required to use a switch(and a specific one).

    >
    > If it is a managed switch, maybe you could set the port you use as
    > monitoring port, so that all traffic on the switch is sent out on
    > that port.
    > If it is not a managed switch, you could use ettercap for
    > arp-poisoning the switch, but better ask your administrator first.
    >
    > If none of these work, forget it.
    >
    > Greets
    > Chris


    I was thinking about the mirroring option. Is there some name or
    standard this is normally called out as in a manual or spec? I want
    to see if my switch supports this. Since I need to see traffic from
    two ports, I'm guessing I would need to mirror two ports to two other
    ports since it doesn't seem logical to be able to send 2GBps to a
    1GBps port.


  6. Re: udp traffic cannot be sniffed

    Hello,

    Christoph Scheurer a écrit :
    > If it is not a managed switch, you could use ettercap for
    > arp-poisoning the switch, but better ask your administrator first.


    Huh ? What has ARP to do with a switch ?

  7. Re: udp traffic cannot be sniffed

    Pascal Hambourg wrote:
    > Christoph Scheurer a écrit :
    > > If it is not a managed switch, you could use ettercap for
    > > arp-poisoning the switch, but better ask your administrator first.


    > Huh ? What has ARP to do with a switch ?


    Perhaps Christoph meant to overflow the switch's forwarding tables and
    got terms confused?

    rick jones
    --
    The glass is neither half-empty nor half-full. The glass has a leak.
    The real question is "Can it be patched?"
    these opinions are mine, all mine; HP might not want them anyway...
    feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...

  8. Re: udp traffic cannot be sniffed

    kevincw01 wrote:
    > What the heck is going on and why can't I record this traffic?


    To explicitly say what I don't think has been said explicitly, the
    switch is doing precisely what a switch is supposed to do - provide
    traffic isolation. So the traffic between the two Windows systems
    only flows over the two ports of the switch to which they are
    connected. That is what separates a switch from a hub.

    rick jones
    --
    No need to believe in either side, or any side. There is no cause.
    There's only yourself. The belief is in your own precision. - Jobert
    these opinions are mine, all mine; HP might not want them anyway...
    feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...

  9. Re: udp traffic cannot be sniffed

    Rick Jones schrieb:
    > Pascal Hambourg wrote:
    >> Christoph Scheurer a écrit :
    >>> If it is not a managed switch, you could use ettercap for
    >>> arp-poisoning the switch, but better ask your administrator first.

    >
    >> Huh ? What has ARP to do with a switch ?

    >
    > Perhaps Christoph meant to overflow the switch's forwarding tables and
    > got terms confused?
    >
    > rick jones


    Right, I mixed up two different things.
    One is ARP poisoning of the hosts, so that traffic the server sends
    to Host2 gets sent to the wrong MAC address, where it can be sniffed
    and forwarded to the right host.

    Second is the one you said, overflowing the MAC cache and maybe
    forcing the switch to send traffic to all ports, therefore acting
    like a hub.

    Am I right?

    Chris

  10. Re: udp traffic cannot be sniffed

    kevincw01 schrieb:
    > On Aug 3, 9:16 am, Christoph Scheurer wrote:
    >> kevincw01 schrieb:> On Aug 2, 8:17 pm, Dave Uhring wrote:
    >>>> On Fri, 03 Aug 2007 02:30:41 +0000, kevincw01 wrote:
    >>>>> I am tasked with recording some udp messages between 2 windows
    >>>>> applications. I'm using a linux box with wireshark and tcpdump
    >>>>> installed. I am on the same physical switch(tried 2 different ones) and
    >>>> ....
    >>>>> What the heck is going on and why can't I record this traffic?
    >>>> Use a hub, not a switch.
    >>> I'm required to use a switch(and a specific one).

    >> If it is a managed switch, maybe you could set the port you use as
    >> monitoring port, so that all traffic on the switch is sent out on
    >> that port.
    >> If it is not a managed switch, you could use ettercap for
    >> arp-poisoning the switch, but better ask your administrator first.
    >>
    >> If none of these work, forget it.
    >>
    >> Greets
    >> Chris

    >
    > I was thinking about the mirroring option. Is there some name or
    > standard this is normally called out as in a manual or spec? I want
    > to see if my switch supports this. Since I need to see traffic from
    > two ports, I'm guessing I would need to mirror two ports to two other
    > ports since it doesn't seem logical to be able to send 2GBps to a
    > 1GBps port.
    >

    When you know the vendor and/or the S/N -> http://www.google.com is the
    right way to find the manual.
    It should be possible that you forward all traffic (of both ports you
    like to monitor) to _one_ port.

  11. Re: udp traffic cannot be sniffed

    kevincw01 schrieb:
    > I am tasked with recording some udp messages between 2 windows
    > applications. I'm using a linux box with wireshark and tcpdump
    > installed. I am on the same physical switch(tried 2 different ones)
    > and have the same subnet and my ip is only different in the 4th octet
    > i.e. 192.168.1.xxx. The switch is not vlan'd or anything fancy, this
    > should be a no-brainer(or so i thought).
    >
    >
    > What the heck is going on and why can't I record this traffic?
    >
    > -Kevin
    >


    i guess u suffer from using a SWITCHED network, since SWITCHES only
    forward ethernet frames from SOURCE to TARGET and not to ALL connected
    systems anymore. HUBs did that. Switches don't.

    If u have a MANAGED SWITCH you can use PORT MIRRORING or MONITORING on a
    specific port. then u can listen to that traffic. or you configure
    your linux box to be a transparent bridge and connect it in the
    path of communication. or the dirty little trick, you can ARP SPOOF the
    windows boxes and configure your linux box as a router so the packets
    walk over the linux box instead of the normal default gateway.

    the easiest thing would be to interconnect an old hub to one of those
    machines and tap your linux box there.
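The behaviour the thread keeps coming back to (a switch forwards known unicast to one port only, a hub repeats everything, port mirroring copies the mirrored ports' traffic to a monitor port) can be seen in a small model. This is an added example, not code from any poster; the topology, MAC addresses and frame sequence are constructed, and the UDP port 7000 exchange is only labelled, not parsed.

```python
from dataclasses import dataclass, field
from typing import Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass
class Frame:
    src: str   # source MAC
    dst: str   # destination MAC
    note: str  # label for the reader only

class Hub:
    """Repeater: every frame goes out every port except the one it came in on."""
    def __init__(self, ports: int):
        self.ports = ports
    def forward(self, ingress: int, frame: Frame) -> set:
        return {p for p in range(self.ports) if p != ingress}

@dataclass
class Switch:
    """Learning switch with an optional mirror (SPAN/monitor) configuration."""
    ports: int
    mirror_from: set = field(default_factory=set)  # source ports being mirrored
    monitor_port: Optional[int] = None             # port that receives the copies
    mac_table: dict = field(default_factory=dict)  # MAC -> port, learned from src

    def forward(self, ingress: int, frame: Frame) -> set:
        self.mac_table[frame.src] = ingress  # learn which port this MAC is on
        if frame.dst == BROADCAST or frame.dst not in self.mac_table:
            out = {p for p in range(self.ports) if p != ingress}  # flood
        else:
            out = {self.mac_table[frame.dst]}  # known unicast: exactly one port
        # Mirroring: frames entering or leaving a mirrored port are copied to the monitor port.
        if self.monitor_port is not None and (ingress in self.mirror_from or out & self.mirror_from):
            out.add(self.monitor_port)
        return out

# Constructed topology: port 0 = Windows box A, port 1 = Windows box B, port 2 = Linux sniffer.
WIN_A, WIN_B, SNIFFER = 0, 1, 2
MAC_A, MAC_B = "00:00:00:00:00:0a", "00:00:00:00:00:0b"
TRAFFIC = [  # constructed sequence: one ARP exchange, then the UDP 7000 request/reply
    (WIN_A, Frame(MAC_A, BROADCAST, "ARP who-has B")),
    (WIN_B, Frame(MAC_B, MAC_A, "ARP reply")),
    (WIN_A, Frame(MAC_A, MAC_B, "UDP 7000 request")),
    (WIN_B, Frame(MAC_B, MAC_A, "UDP 7000 reply")),
]

def sniffer_sees(device) -> list:
    """Replay the constructed traffic and report which frames reach the sniffer port."""
    return [SNIFFER in device.forward(ingress, f) for ingress, f in TRAFFIC]

if __name__ == "__main__":
    print("hub            :", sniffer_sees(Hub(3)))
    print("plain switch   :", sniffer_sees(Switch(3)))
    print("switch + mirror:", sniffer_sees(Switch(3, mirror_from={WIN_A, WIN_B}, monitor_port=SNIFFER)))
```

On the plain switch the sniffer sees only the broadcast ARP request, which matches "everything but this specific traffic"; mirroring both Windows ports to the sniffer's port makes every frame visible without needing a second monitor port.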

