kevincw01 External

Since: Aug 03, 2007 Posts: 5
Posted: Fri Aug 03, 2007 2:11 am Post subject: udp traffic cannot be sniffed Archived from groups: comp>os>linux>networking
I am tasked with recording some udp messages between 2 windows
applications. I'm using a linux box with wireshark and tcpdump
installed. I am on the same physical switch(tried 2 different ones)
and have the same subnet and my ip is only different in the 4th octet
i.e. 192.168.1.xxx. The switch is not vlan'd or anything fancy, this
should be a no-brainer(or so i thought).
The applications are talking on port 7000 using udp. If I ran
wireshark on either of the windows boxes I see the traffic. But if I
run it from the linux box I see everything *but* this specific
traffic. If I filter on just port 7000 or just udp(or both), I get
nothing. Then I tried adding a third windows box and it could not see
the traffic either.
I might add that on the windows boxes where i can see the traffic in
wireshark, wireshark is incorrectly interpreting the protocol as "RX"
and it says it's "malformed". But this is a proprietary(really simple)
protocol that happens to just use the same port as whatever RX does.
If I look at the hex, it is correct.
What the heck is going on and why can't I record this traffic?
-Kevin
Dave Uhring External

Since: Apr 17, 2004 Posts: 633
Posted: Fri Aug 03, 2007 2:11 am Post subject: Re: udp traffic cannot be sniffed Archived from groups: per prev. post
On Fri, 03 Aug 2007 02:30:41 +0000, kevincw01 wrote:
> I am tasked with recording some udp messages between 2 windows
> applications. I'm using a linux box with wireshark and tcpdump
> installed. I am on the same physical switch(tried 2 different ones) and
.....
> What the heck is going on and why can't I record this traffic?
Use a hub, not a switch.
kevincw01 External

Since: Aug 03, 2007 Posts: 5
Posted: Fri Aug 03, 2007 4:05 pm Post subject: Re: udp traffic cannot be sniffed Archived from groups: per prev. post
On Aug 2, 8:17 pm, Dave Uhring <daveuhr... RemoveThis @yahoo.com> wrote:
> On Fri, 03 Aug 2007 02:30:41 +0000, kevincw01 wrote:
> > I am tasked with recording some udp messages between 2 windows
> > applications. I'm using a linux box with wireshark and tcpdump
> > installed. I am on the same physical switch(tried 2 different ones) and
> ....
> > What the heck is going on and why can't I record this traffic?
>
> Use a hub, not a switch.
I'm required to use a switch(and a specific one).
kevincw01 External

Since: Aug 03, 2007 Posts: 5
Posted: Fri Aug 03, 2007 4:41 pm Post subject: Re: udp traffic cannot be sniffed Archived from groups: per prev. post
On Aug 3, 9:16 am, Christoph Scheurer <cyberf....DeleteThis@rebmatt.ch> wrote:
> kevincw01 wrote:
> > On Aug 2, 8:17 pm, Dave Uhring <daveuhr....DeleteThis@yahoo.com> wrote:
> >> On Fri, 03 Aug 2007 02:30:41 +0000, kevincw01 wrote:
> >>> I am tasked with recording some udp messages between 2 windows
> >>> applications. I'm using a linux box with wireshark and tcpdump
> >>> installed. I am on the same physical switch(tried 2 different ones) and
> >> ....
> >>> What the heck is going on and why can't I record this traffic?
> >> Use a hub, not a switch.
>
> > I'm required to use a switch(and a specific one).
>
> If it is a managed switch, maybe you could set the port you use as
> monitoring port, so that all traffic on the switch is sent out on
> that port.
> If it is not a managed switch, you could use ettercap for
> arp-poisoning the switch, but better ask your administrator first.
>
> If none of these work, forget it.
>
> Greets
> Chris
I was thinking about the mirroring option. Is there some name or
standard this is normally called out as in a manual or spec? I want
to see if my switch supports this. Since I need to see traffic from
two ports, I'm guessing I would need to mirror two ports to two other
ports since it doesn't seem logical to be able to send 2GBps to a
1GBps port.
Christoph Scheurer External

Since: Apr 19, 2004 Posts: 40
Posted: Fri Aug 03, 2007 6:16 pm Post subject: Re: udp traffic cannot be sniffed Archived from groups: per prev. post
kevincw01 wrote:
> On Aug 2, 8:17 pm, Dave Uhring <daveuhr... RemoveThis @yahoo.com> wrote:
>> On Fri, 03 Aug 2007 02:30:41 +0000, kevincw01 wrote:
>>> I am tasked with recording some udp messages between 2 windows
>>> applications. I'm using a linux box with wireshark and tcpdump
>>> installed. I am on the same physical switch(tried 2 different ones) and
>> ....
>>> What the heck is going on and why can't I record this traffic?
>> Use a hub, not a switch.
>
> I'm required to use a switch(and a specific one).
>
If it is a managed switch, maybe you could set the port you use as
monitoring port, so that all traffic on the switch is sent out on
that port.
If it is not a managed switch, you could use ettercap for
arp-poisoning the switch, but better ask your administrator first.
If none of these work, forget it.
Greets
Chris
Rick Jones External

Since: Jun 13, 2005 Posts: 166
Posted: Fri Aug 03, 2007 9:21 pm Post subject: Re: udp traffic cannot be sniffed Archived from groups: per prev. post
kevincw01 <kevin.DeleteThis@netkev.com> wrote:
> What the heck is going on and why can't I record this traffic?
To explicitly say what I don't think has been said explicitly, the
switch is doing precisely what a switch is supposed to do - provide
traffic isolation. So the traffic between the two Windows systems
only flows over the two ports of the switch to which they are
connected. That is what separates a switch from a hub.
rick jones
--
No need to believe in either side, or any side. There is no cause.
There's only yourself. The belief is in your own precision. - Jobert
these opinions are mine, all mine; HP might not want them anyway...
feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...
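The isolation Rick describes, and the port mirroring suggested earlier in the thread, modelled as an added example that is not part of the original posts. The `LearningSwitch` class, the port numbers and the MAC addresses are constructed for illustration; real switches differ in detail.

```python
# Added illustration, not code from the thread: a toy Ethernet learning switch.
# MAC addresses and port numbers below are constructed sample values.
BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    def __init__(self, ports, mirror_sources=(), mirror_dest=None):
        self.ports = set(ports)
        self.mac_table = {}                  # source MAC -> port it was learned on
        self.mirror_sources = set(mirror_sources)
        self.mirror_dest = mirror_dest       # port that receives mirrored copies

    def receive(self, in_port, src, dst):
        """Process one frame and return the set of ports it leaves on."""
        self.mac_table[src] = in_port        # learn where the sender lives
        if dst == BROADCAST or dst not in self.mac_table:
            out = self.ports - {in_port}     # broadcast / unknown unicast: flood
        else:
            out = {self.mac_table[dst]} - {in_port}   # known unicast: one port
        # Port mirroring: copy anything entering or leaving a monitored port.
        if self.mirror_dest is not None and (
            in_port in self.mirror_sources or out & self.mirror_sources
        ):
            out = out | {self.mirror_dest}
        return out


def frames_seen_on(switch, port, frames):
    """Return the labels of the frames that are delivered to `port`."""
    return [label for label, in_port, src, dst in frames
            if port in switch.receive(in_port, src, dst)]


WIN_A, WIN_B = "00:11:22:00:00:0a", "00:11:22:00:00:0b"
# Windows A on port 1, Windows B on port 2, the Linux sniffer on port 3.
FRAMES = [
    ("ARP request (broadcast)", 1, WIN_A, BROADCAST),
    ("ARP reply (unicast)",     2, WIN_B, WIN_A),
    ("UDP port 7000 A->B",      1, WIN_A, WIN_B),
    ("UDP port 7000 B->A",      2, WIN_B, WIN_A),
]

if __name__ == "__main__":
    plain = LearningSwitch(ports=[1, 2, 3])
    print("no mirror :", frames_seen_on(plain, 3, FRAMES))
    mirrored = LearningSwitch(ports=[1, 2, 3], mirror_sources=[1, 2], mirror_dest=3)
    print("mirror 1+2:", frames_seen_on(mirrored, 3, FRAMES))
```

Without mirroring the sniffer port receives only the broadcast; with ports 1 and 2 mirrored to port 3 it receives all four frames.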
Pascal Hambourg External

Since: Oct 11, 2006 Posts: 186
Posted: Fri Aug 03, 2007 10:11 pm Post subject: Re: udp traffic cannot be sniffed Archived from groups: per prev. post
Hello,
Christoph Scheurer wrote:
> If it is not a managed switch, you could use ettercap for
> arp-poisoning the switch, but better ask your administrator first.
Huh ? What has ARP to do with a switch ?
Rick Jones External

Since: Jun 13, 2005 Posts: 166
Posted: Fri Aug 03, 2007 10:11 pm Post subject: Re: udp traffic cannot be sniffed Archived from groups: per prev. post
Pascal Hambourg <boite-a-spam.TakeThisOut@plouf.fr.eu.org> wrote:
> Christoph Scheurer wrote:
> > If it is not a managed switch, you could use ettercap for
> > arp-poisoning the switch, but better ask your administrator first.
> Huh ? What has ARP to do with a switch ?
Perhaps Christoph meant to overflow the switch's forwarding tables and
got terms confused?
rick jones
--
The glass is neither half-empty nor half-full. The glass has a leak.
The real question is "Can it be patched?"
these opinions are mine, all mine; HP might not want them anyway...
feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...
Christoph Scheurer External

Since: Apr 19, 2004 Posts: 40
Posted: Fri Aug 03, 2007 11:57 pm Post subject: Re: udp traffic cannot be sniffed Archived from groups: per prev. post
Rick Jones wrote:
> Pascal Hambourg <boite-a-spam.RemoveThis@plouf.fr.eu.org> wrote:
>> Christoph Scheurer wrote:
>>> If it is not a managed switch, you could use ettercap for
>>> arp-poisoning the switch, but better ask your administrator first.
>
>> Huh ? What has ARP to do with a switch ?
>
> Perhaps Christoph meant to overflow the switch's forwarding tables and
> got terms confused?
>
> rick jones
Right, I mixed up two different things.
One is the ARP-Poisoning of the Hosts, so that Traffic the Servers send
to Host2 gets sent to the wrong MAC-Address, where
it can be sniffed and forwarded to the right host.
Second is the one you said, overflooding the MAC-Cache and maybe
forcing the Switch to send traffic to all ports and therefore act
like a hub.
Am I right?
Chris
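A defender's view of the two things Chris distinguishes, as an added example that is not part of the original thread: one check flags an IP address whose announced MAC changes, the other flags a switch port that suddenly shows many new source MACs. The record formats, function names, window and threshold are assumptions made for this sketch, and all sample records are constructed.

```python
# Added illustration, not code from the thread. All records are constructed.
from collections import defaultdict, deque


def arp_mapping_changes(arp_replies):
    """arp_replies: (time, sender_ip, sender_mac) tuples in time order.
    Return (time, ip, previous_mac, new_mac) for every IP whose MAC changes."""
    last_mac, alerts = {}, []
    for t, ip, mac in arp_replies:
        prev = last_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append((t, ip, prev, mac))
        last_mac[ip] = mac
    return alerts


def mac_flood_ports(frames, window=1.0, threshold=100):
    """frames: (time, switch_port, src_mac) tuples in time order. Return ports
    showing more than `threshold` never-seen source MACs within `window` s."""
    known = defaultdict(set)        # port -> source MACs already seen there
    recent = defaultdict(deque)     # port -> times of recent first sightings
    flagged = set()
    for t, port, mac in frames:
        if mac in known[port]:
            continue
        known[port].add(mac)
        recent[port].append(t)
        while t - recent[port][0] > window:
            recent[port].popleft()
        if len(recent[port]) > threshold:
            flagged.add(port)
    return flagged


# Constructed sample: 192.168.1.20 is announced by one MAC, later by another.
ARP_REPLIES = [
    (0.0, "192.168.1.10", "00:11:22:00:00:0a"),
    (0.5, "192.168.1.20", "00:11:22:00:00:0b"),
    (9.0, "192.168.1.20", "00:11:22:00:00:0c"),
]
# Constructed sample: port 1 carries one host; port 3 shows 150 new MACs.
FRAMES = sorted(
    [(i * 0.001, 1, "00:11:22:00:00:0a") for i in range(150)]
    + [(i * 0.001, 3, "02:00:00:00:00:%02x" % i) for i in range(150)]
)

if __name__ == "__main__":
    print(arp_mapping_changes(ARP_REPLIES))
    print(mac_flood_ports(FRAMES))
```

A changed mapping is a prompt to investigate rather than proof of spoofing, since a replaced network card or a reassigned address produces the same signal.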
Pat Willms External

Since: Aug 04, 2007 Posts: 1
Posted: Sat Aug 04, 2007 2:11 am Post subject: Re: udp traffic cannot be sniffed Archived from groups: per prev. post
kevincw01 wrote:
> On Aug 3, 9:16 am, Christoph Scheurer <cyberf... DeleteThis @rebmatt.ch> wrote:
>> kevincw01 wrote:
>>> On Aug 2, 8:17 pm, Dave Uhring <daveuhr... DeleteThis @yahoo.com> wrote:
>>>> On Fri, 03 Aug 2007 02:30:41 +0000, kevincw01 wrote:
>>>>> I am tasked with recording some udp messages between 2 windows
>>>>> applications. I'm using a linux box with wireshark and tcpdump
>>>>> installed. I am on the same physical switch(tried 2 different ones) and
>>>> ....
>>>>> What the heck is going on and why can't I record this traffic?
>>>> Use a hub, not a switch.
>>> I'm required to use a switch(and a specific one).
>> If it is a managed switch, maybe you could set the port you use as
>> monitoring port, so that all traffic on the switch is sent out on
>> that port.
>> If it is not a managed switch, you could use ettercap for
>> arp-poisoning the switch, but better ask your administrator first.
>>
>> If none of these work, forget it.
>>
>> Greets
>> Chris
>
> I was thinking about the mirroring option. Is there some name or
> standard this is normally called out as in a manual or spec? I want
> to see if my switch supports this. Since I need to see traffic from
> two ports, I'm guessing I would need to mirror two ports to two other
> ports since it doesn't seem logical to be able to send 2GBps to a
> 1GBps port.
>
When you know the vendor and/or the S/N -> http://www.google.com is the
right way to find the manual.
It should be possible that you forward all traffic (of both ports you
like to monitor) to _one_ port.
Axel Werner External

Since: Jul 11, 2007 Posts: 16
Posted: Tue Aug 07, 2007 8:42 am Post subject: Re: udp traffic cannot be sniffed Archived from groups: per prev. post
kevincw01 wrote:
> I am tasked with recording some udp messages between 2 windows
> applications. I'm using a linux box with wireshark and tcpdump
> installed. I am on the same physical switch(tried 2 different ones)
> and have the same subnet and my ip is only different in the 4th octet
> i.e. 192.168.1.xxx. The switch is not vlan'd or anything fancy, this
> should be a no-brainer(or so i thought).
>
>
> What the heck is going on and why can't I record this traffic?
>
> -Kevin
>
i guess u suffer from using a SWITCHED network. since SWITCHES only
forward ethernet frames from SOURCE to TARGET but not to ALL connected
systems anymore. HUBs did that. Switches don't.
If u have a MANAGED SWITCH you can use PORT MIRRORING or MONITORING on a
specific port. then u can listen to that traffic. or you configure
your linux box as to be a transparent bridge and connect it within the
way of communication. or the dirty little trick, you can ARP SPOOF the
windows boxes and configure your linux as router to lead the packets
walk over the linux box instead to the normal default gateway.
the easiest thing would be to interconnect an old hub to one of those
machines and tap your linux box there.