January 20th, 2011
Where can I find a free packet sniffer that can monitor all traffic on a LAN?
I'm looking for a free tool that will allow me to find out what the packets going through my LAN contain. I've used Wireshark, but I can only get it to monitor the traffic on my PC. I would like to be able to see all information that goes through the LAN.
January 20th, 2011 - 10:16
Ethereal in promiscuous mode.
It has filters too so that you can filter for particular ports.
Good luck.
January 20th, 2011 - 10:19
Ethereal is the old name for Wireshark and http://www.ethereal.com doesn’t work any more. In any case, Wireshark is the best packet sniffer money can buy and it’s free.
In order to get all the traffic on your LAN you need one of several things to happen. All of them are different ways of getting all of the traffic for the entire network on to your computer.
1. If your LAN is not a switched LAN then it simply sends all traffic to all computers on the network and trusts them to only accept traffic that is addressed to them. You can put your NIC in promiscuous mode and accept all traffic that you receive.
2. If your switch supports port mirroring then you will be able to configure it to send a copy of all traffic that passes through it to one particular port and put your Wireshark machine on this port. This tends to be limited to the higher end switches so if this is in your home network then forget about this method.
3. ARP spoofing and ARP poisoning. Every so often a message will go around the network saying “Who has the IP address 192.168.0.1?”. If you respond that you have that address then the switch will send all the traffic for that IP address to you. This will mean that the original recipient won’t get the traffic they should have but it will also mean that you will have all the traffic on your Wireshark machine. On a similar note, if you inject enough bogus ARP entries you can overload the switch and it may revert back to broadcasting messages as if it were a non-switched network.
4. Place the Wireshark machine in the route. I used to have a small Linux box (486 given to me for free) that I used as a router and a NAT machine rather than having my modem do the NAT for me. If you had something like that then that machine could run Wireshark and would see all the traffic between the internet and any of the internal boxes. It would not, however, be able to see traffic between internal boxes.
It can also be very interesting and quite instructive to run Snort on a box in this position.
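The ARP poisoning method in point 3 is also the one a sniffer in the route (point 4) or a Snort box can detect: a second MAC address suddenly answering for an IP that another host already owns. The following is an added example, not code from this thread, showing the detection side: it parses raw Ethernet/ARP reply frames and flags any IP that gets claimed by more than one MAC. The MAC and IP values are constructed sample data.

```python
import socket
import struct

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2

def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))

def mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_arp(frame):
    """Return (opcode, sender MAC, sender IP) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, _tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None  # only Ethernet (1) over IPv4 (0x0800) is handled
    return op, mac_text(sha), socket.inet_ntoa(spa)

def detect_arp_conflicts(frames):
    """Remember the first MAC seen for each IP in ARP replies; report any later, different MAC."""
    table, alerts = {}, []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            continue
        _, sender_mac, sender_ip = parsed
        known = table.setdefault(sender_ip, sender_mac)
        if known != sender_mac:
            alerts.append((sender_ip, known, sender_mac))
    return alerts

def arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Build an in-memory ARP reply frame; used only to construct the sample capture below."""
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, ARP_REPLY, mac_bytes(sender_mac), socket.inet_aton(sender_ip),
                       mac_bytes(target_mac), socket.inet_aton(target_ip))
    return ETH_HDR.pack(mac_bytes(target_mac), mac_bytes(sender_mac), ETHERTYPE_ARP) + arp

# Constructed sample: the router at 192.168.0.1 answers, then a second MAC claims the same IP.
SAMPLE_FRAMES = [
    arp_reply("00:11:22:33:44:55", "192.168.0.1", "aa:bb:cc:dd:ee:01", "192.168.0.10"),
    arp_reply("aa:bb:cc:dd:ee:02", "192.168.0.20", "aa:bb:cc:dd:ee:01", "192.168.0.10"),
    arp_reply("de:ad:be:ef:00:01", "192.168.0.1", "aa:bb:cc:dd:ee:01", "192.168.0.10"),
]

if __name__ == "__main__":
    for ip_addr, old_mac, new_mac in detect_arp_conflicts(SAMPLE_FRAMES):
        print(f"ALERT: {ip_addr} was {old_mac}, now also claimed by {new_mac}")
```

On a real network the frames would come from a promiscuous-mode capture or a mirrored switch port, and a legitimate NIC replacement also trips this check, so an alert is a prompt to verify, not proof of an attack.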