I have a really basic question (I think). We have two boxes connected to a LAN segment on a hub. One is a Windows box running "Show Traffic", the other is a CentOS 5 Linux box running "ntop". Both boxes should be able to sniff all of the traffic on that hub (not a switch).

The Windows box does just fine, Show Traffic is able to display traffic destined for other boxes on the network segment.

The Linux box, OTOH, seems to only see multicast traffic and traffic that is destined for its interface.

...

So the question is: Is it possible that I have locked down the firewall settings in such a way as to block packets not destined for the interface?

(Everything else on the box works fine. Shorewall / netfilter is doing its job quite well.)

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> I have a really basic question (I think). We have two boxes connected
> to a lan segment on a hub. One is a Windows box running "Show Traffic",
> the other is a CentOS 5 Linux box running "ntop". Both boxes should be
> able to sniff all of the traffic on that hub (not a switch).
>
> The Windows box does just fine, Show Traffic is able to display traffic
> destined for other boxes on the network segment.
>
> The linux box, OTOH, seems to only see multicast traffic and traffic
> that is destined for its interface.
>
> ...
>
> So the question is: Is it possible that I have locked down the firewall
> settings in such a way as to block packets not destined for the interface?
>
> (Everything else on the box works fine. Shorewall / netfilter is doing
> its job quite well.)

Are you really sure your CentOS 5 interfaces are running in promiscuous mode?

But, my first idea was: What kind of hub do you use? If you are using a dual-speed hub and you run boxes with different ethernet speeds, then what you see is expected. Dual-speed hubs are switching between the 10M and 100M ports; they only work like 'hubs' if all ports have the same speed.

Simon
On Thu, Jan 17, 2008 at 08:37:55AM +0100, Simon Matter wrote:
> > I have a really basic question (I think). We have two boxes connected
> > to a lan segment on a hub. One is a Windows box running "Show Traffic",
> > the other is a CentOS 5 Linux box running "ntop". Both boxes should be
> > able to sniff all of the traffic on that hub (not a switch).
> >
> > The Windows box does just fine, Show Traffic is able to display traffic
> > destined for other boxes on the network segment.
> >
> > The linux box, OTOH, seems to only see multicast traffic and traffic
> > that is destined for its interface.
> >
> > ...
> >
> > So the question is: Is it possible that I have locked down the firewall
> > settings in such a way as to block packets not destined for the interface?
> >
> > (Everything else on the box works fine. Shorewall / netfilter is doing
> > its job quite well.)
>
> Are you really sure your CentOS 5 interfaces are running in promiscuous mode?

Note that there do exist a small number of network cards which can't, although they should be rare nowadays.
Simon Matter wrote:
>> Are you really sure your CentOS 5 interfaces are running in promiscuous mode?
>

I'm about 90% sure. When the box restarts, there's a message in /var/log/messages that the NIC is entering promiscuous mode. However, when you look at ifconfig, the PROMISC flag on the card is NOT set. Which I think is a known kernel bug with libpcap? Supposedly fixed in 2.6.20(?), which I haven't seen show up yet in CentOS 5.

Linux version 2.6.18-53.1.4.el5 (mockbuild@builder6.centos.org) (gcc version 4.1.2 20070626 (Red Hat 4.1.2-14))

If I manually set PROMISC mode from the command line, the flag shows up properly when I look at it with /sbin/ifconfig. But libpcap still doesn't see other traffic on the hub.

> But, my first idea was: What kind of hub do you use? If you are using a
> dual-speed hub and you run boxes with different ethernet speeds, then what
> you see is expected. Dual-speed hubs are switching between the 10M and 100M
> ports, they only work like 'hubs' if all ports have the same speed.

It's a 3com 10/100 dual-speed hub, so that is a concern. The outbound T1 device is a 10Mbit NIC, everything else is a 100Mbit NIC. The Windows box running the Show Traffic monitor is connecting at 100Mbit and can see all of the other traffic (the Linux box was also connecting at 100Mbit). I've tried changing the Linux NIC to 10Mbit mode (and the lights on the front of the switch confirm that mode when I went and looked today). But it doesn't seem to make a difference.

...

Other notes:

- The NIC in question is a dual-port Intel PRO/1000 PCIe x4 card. So I'd expect it to have good Linux drivers. Or at least, I'd be surprised to find out that it can't be put into PROMISC mode.

- I may (next week) swap the cables between the LAN/WAN side. The LAN side is using the motherboard NIC (not sure what make/model offhand). Or I may get a cheap PCIe 1x NIC and try that.

- Hopefully, I get to set up the sister box with an identical configuration next week, which will give me a lot more flexibility to play with settings. (The current box is in use, so there are limits to what I can do to it.)

- I also plan on taking in an Ubuntu laptop to hook in to that 10/100 hub and see whether I can capture packets that way.
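The PROMISC puzzle in this message (the kernel log says the NIC entered promiscuous mode, ifconfig says it did not) and the original symptom of the thread (only multicast and the box's own traffic visible) can both be checked cheaply from the Linux side. The script below is an added example written for this page, not code posted by any participant. It assumes a Linux host with /sys/class/net, tcpdump and iproute2; the "promiscuity" counter shown by `ip -d link` only exists on kernels much newer than the 2.6.18 in the thread, so that check is treated as optional. The interface name and the MAC address used in the usage line are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): where Linux reports promiscuous mode,
# and a tcpdump filter that tests the actual symptom (seeing nothing except
# multicast and the interface's own unicast traffic).
#
# IFF_PROMISC is bit 0x100 of the interface flags word (linux/if.h).
IFF_PROMISC=256

# iff_promisc_set HEXFLAGS -> exit status 0 if the IFF_PROMISC bit is set.
# HEXFLAGS is the value read from /sys/class/net/IFACE/flags, e.g. 0x1103.
iff_promisc_set() {
    [ $(( $1 & IFF_PROMISC )) -ne 0 ]
}

# foreign_unicast_filter MAC -> prints a pcap-filter expression that matches
# only unicast frames addressed to some other station: exactly the traffic the
# Linux box in the thread could not see. MAC is this interface's own address.
foreign_unicast_filter() {
    echo "not ether dst $1 and not ether broadcast and not ether multicast"
}

# promisc_status IFACE -> prints each indicator; exit 0 if any says promiscuous.
promisc_status() {
    iface=$1
    status=1
    sysflags="/sys/class/net/$iface/flags"

    # 1. IFF_PROMISC in the flags word. Only an explicit "ifconfig IFACE promisc"
    #    or "ip link set IFACE promisc on" sets this. libpcap on a PF_PACKET
    #    kernel does not: it asks for promiscuity via PACKET_ADD_MEMBERSHIP /
    #    PACKET_MR_PROMISC, which raises the device's promiscuity counter (and
    #    logs "entered promiscuous mode") without setting the flag ifconfig
    #    reads back. That is the log-versus-ifconfig mismatch in the thread.
    if [ -r "$sysflags" ]; then
        if iff_promisc_set "$(cat "$sysflags")"; then
            echo "$iface: IFF_PROMISC flag set (explicitly enabled)"
            status=0
        else
            echo "$iface: IFF_PROMISC flag clear (a libpcap capture may still be running)"
        fi
    fi

    # 2. The promiscuity counter, exported over netlink by newer kernels and
    #    printed by "ip -d link" (assumption: recent iproute2; older ones omit it).
    count=$(ip -d link show "$iface" 2>/dev/null |
            sed -n 's/.*promiscuity \([0-9][0-9]*\).*/\1/p')
    if [ -n "$count" ] && [ "$count" -gt 0 ]; then
        echo "$iface: promiscuity counter = $count (libpcap users are counted here)"
        status=0
    fi

    # 3. The kernel log line written whenever the counter goes from 0 to 1.
    if dmesg 2>/dev/null | grep -q "device $iface entered promiscuous mode"; then
        echo "$iface: kernel logged 'entered promiscuous mode'"
    fi
    return $status
}

# foreign_unicast_capture IFACE [COUNT] -> capture COUNT (default 5) frames that
# are neither addressed to this NIC nor broadcast/multicast. If the NIC is
# really promiscuous and the hub really repeats every frame, this returns
# quickly; if it just sits there, the frames are not reaching the NIC at all
# (dual-speed hub segmentation, a switch, or a driver ignoring promisc mode).
foreign_unicast_capture() {
    iface=$1
    count=${2:-5}
    mac=$(cat "/sys/class/net/$iface/address")
    tcpdump -n -i "$iface" -c "$count" "$(foreign_unicast_filter "$mac")"
}

# Usage when run directly, e.g.:  sh promisc-check.sh eth0
if [ -n "$1" ]; then
    promisc_status "$1"
    foreign_unicast_capture "$1"
fi
```

Run it on the capturing box while another host on the same segment is generating unicast traffic to a third machine. The three indicators separate "the kernel was never asked for promiscuous mode" from "it was asked, but the frames never arrive", which is the distinction the thread eventually resolved in favour of the hub and NIC rather than Shorewall.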
These days _everything's_ a "switch" ...even the things that say "hub" don't match what we think of as the technical meaning of that term. Putting the NIC into promiscuous mode won't help because the packets aren't there in the first place. 10/100 makes things even worse, but they were already pretty bad.

This makes sniffing anything other than your own (and broadcast) traffic difficult. That's probably why "sniffers" aren't so common any more. If possible run the sniffer _on_ the machine of interest.

But if that's not possible, what can you do? For starters, look at "sniffer" websites, most of which cover this problem in great gory detail and suggest all kinds of kludges. Since this is _the_#1_ problem with sniffing, coverage tends to be extensive. Some options:

1) Use a very old hub that's "stupid" (or maybe a mini "hub" that was real real real cheap several years ago).

2) Get out your soldering iron and build a custom connector.

3) If your netstack is a bank of switches, find the manual and see how to put a port into "monitor" mode so it stops acting like a switch and repeats all the packets anywhere in the netstack. Almost all good quality devices can do this ...if you find the manual and determine the right incantation.

thanks!
-Chuck Kollars
Chuck Kollars wrote:
> 3) If your netstack is a bank of switches, find the
> manual and see how to put a port into "monitor" mode
> so it stops acting like a switch and repeats all the
> packets anywhere in the netstack. Almost all good
> quality devices can do this ...if you find the manual
> and determine the right incantation.

Thanks (I haven't been back in the office this week to test things out like I wanted).

In this case, even though everything may be a switch, I'm still trying to figure out why my Windows server box can see everything on the 10/100 dual-speed hub while the Linux box can't. If it wasn't for that fact (if not even the Windows box could do it), then I'd think that it was the fault of the 10/100 hub. But in this case I think I'm up against either a firewall issue, an issue with PROMISC mode on 2.6.18 kernels, or issues with the Intel PRO/1000 NIC driver.

Ultimately, my solution may indeed be to pick up a relatively inexpensive 8/12/16 port switch (probably 3com) and shove the Linux box on a port configured with monitor mode.
Thomas Harold wrote:
> I have a really basic question (I think). We have two boxes connected
> to a lan segment on a hub. One is a Windows box running "Show Traffic",
> the other is a CentOS 5 Linux box running "ntop". Both boxes should be
> able to sniff all of the traffic on that hub (not a switch).
>
> The Windows box does just fine, Show Traffic is able to display traffic
> destined for other boxes on the network segment.
>
> The linux box, OTOH, seems to only see multicast traffic and traffic
> that is destined for its interface.
>

The follow-up answer to this issue was that it seems that the Intel PRO/1000 dual-port PCIe card does indeed not function correctly in promiscuous mode when connected to a 100Mbps hub. (In this particular case, it was hooked to a 10/100 dual-speed hub. The Windows box was running a 100Mbps NIC and had no issues capturing all traffic.)

We swapped out the 10/100 dual-speed hub and have installed a 10/100/1000 switch. We configured port 1 as our "monitoring" / "sniffing" port and told the switch to mirror all inbound/outbound traffic to that port. Our server with the Intel dual-port gigabit PCIe NIC is now able to report on all traffic with ntop (and other tools).

Shorewall was not getting in the way at all; it seems to be purely a hardware or driver issue under Linux.

-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for
just about anything Open Source.
http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace
Robert K Coffman Jr. -Info From Data Corp.
2008-Apr-01 13:51 UTC
Re: Netfilter, libpcap, ntop and promiscuous mode?
> The follow-up answer to this issue was that it seems that the Intel
> PRO/1000 dual-port PCIe card does indeed not function correctly in
> promiscuous mode when connected to a 100Mbps hub. (In this particular

One thing to consider is that the traffic on a dual-speed hub is actually segmented (via a switch), so in reality you end up with a 10mb hub and a 100mb hub that do not share a collision domain (i.e. if you were trying to sniff 10mb traffic from a 100mb device, I think you would have gotten this same result).