Wireshark - Remote Assistance | RKL eSolutions


Wireshark – What is it?
Wireshark is the world's foremost network protocol analyzer, and
is the de facto (and often de jure) standard across many industries
and educational institutions.
Wireshark development thrives thanks to the contributions of
networking experts across the globe. It is the continuation of a
project that started in 1998.
Formerly known as Ethereal
What’s Needed?
• Hub
• Switch with monitor port
• Wireshark
– www.wireshark.org/
Features
• Ability to inspect hundreds of protocols
• Capture & analyze traffic in real-time
• Works with Windows, Linux, OS X
• Import from tcpdump, Microsoft Network Monitor
What can’t you do?
• Dual-speed hub warning
– Note that "dual-speed" hubs that support both 10MBit and 100MBit ports
might not send all unicast traffic between 10MBit and 100MBit ports; if so,
you can only capture all traffic between hosts whose Ethernet interfaces are
both running at the same speed as the Ethernet interface on the machine
capturing traffic.
– This means that if you have two hosts communicating at 100MBit/s, you will
only be able to capture the traffic between them if the Ethernet interface of
the machine capturing traffic is configured for 100MBit/s. Similarly, if you have
two hosts communicating at 10MBit/s, you will only be able to capture the
traffic between them if the Ethernet interface of the machine capturing traffic
is configured for 10MBit/s, which is probably not the default configuration.
Real Hubs
REAL HUBS: Devices that are real hubs; convenient for capturing. Side Note: This category could really be broken into hubs that are real hubs (i.e. repeaters) and hubs that are really switches with learning disabled. Most new hubs are in the latter category as it is a cost effective way for manufacturers to produce hubs using the same chips as their switches. The difference from a packet sniffing point of view is that the hub based on switch technology will only forward 'clean' packets whereas a genuine hub is an electrical repeater and has no knowledge of what a packet should look like. You could have a device on your network spitting out all kinds of malformed junk but if you're sniffing via a switch type hub, you won't see it. Neither is to be confused with a switch which operates as a switch (i.e. learns and maintains a MAC address table) but has been called a hub by well meaning but ultimately dumb people in marketing.
• 3Com
– OfficeConnect Dual Speed Hub 16 (3C16751B) -- GeraldCombs
– OfficeConnect Dual Speed Hub 8 (3C16750B) -- T. Eric Hong
– See above: From the 3com site: "The OfficeConnect Dual Speed Hub 8 features eight 10/100 Mbps Ethernet hub ports that automatically sense and match the speed of an attached network device to optimize performance. An internal built-in switch seamlessly connects users." "Tim Casey"
– OfficeConnect Dual Speed Hub 8 (3C16753) -- N.B. Cannot sniff this variant -- Malcolm Doody
– From the 3com site: "Designed specifically for the small company or home office, this flexible, reliable, plug-and-play hub offers a smooth way to migrate to higher Fast Ethernet performance yet still support Ethernet PCs and network devices. Eight autosensing 10/100 Mbps ports match the speed of any attached device to optimize throughput. A built-in switch seamlessly connects 10/100 Mbps users." "Tim Casey"
– OfficeConnect 10 Mbps Hub 4 (3C16704A) -- Phil Gorsuch
• D-Link
– DE-805TP 5 Port 10 Mbps Hub -- Rendra
• Dynex
– Seemingly manufactured for Best Buy (from looking at the box), these are currently available in B&M Best Buys (as of August, 2006). (still found as of Apr 2008)
– DX-EHB4 - 4 Port 10 Mbps HUB - Byzantium
• Edimax
– Edimax still has a number of hubs available according to their "Fast Ethernet Switches / Hub" list:
– ER-5398S
– ER-5397P
– ER-5390P is known to be working.
– ER-5395P
– Andreas Sikkema
• Garrett Communications
– Magnum H50 -- Kedar
• Hawking
– 10Base-T 4-Port Hub (PN400TP) - Jamie Rybarczyk
• Hewlett-Packard
– ProCurve 10Base-T Hub 8 (HP J4090A) -- Petr Vacha
• Level One
– FHU-0400TXDS 4port 10/100Mbps (Note: no internal bridge between 10 and 100 Mbps!) - UlfLamping
Fake Hubs
• Linksys
– EFAH05W (Grey Case) - DonMcLane
– EFAH08W Version 2.0
– EFAH24 24 Port 10/100 Old (no date), has 1 fan and 2 exp slots (Didn't test across speeds, but with everything at 100 Snort is up.)
• NETGEAR
– DS104 Dual Speed HUB - Jens Link
– DS106 Dual Speed HUB also works
– DS108 Dual Speed HUB - Jens Link
– DS116 Dual Speed HUB - Amy Phillips
– DS524 24-port 10/100 (bridging between 10 and 100 Mbps filters packets!) - reported by Simon Bradley
– DS508 8-port 10/100 - part of the same family as the DS524, so it probably behaves like the DS524 - Guy Harris
– DS516 16-port 10/100 - part of the same family as the DS524, so it probably behaves like the DS524 - Guy Harris
– EN104 10Base-T Hub 4port - Andy Dansby
• SMC
– 5208TX EX Hub 10/100 8 port - Ric Nepil
• W-linx
– SS-F05CM Mini 5 port Fast Ethernet HUB (can be powered from USB-port!!!) - SakeBlok
Fake Hubs
Devices that claim to be hubs, but in fact are switches. Please add information to this list about models you know (including valuable info such as link speed and the like) ....
• 3Com
– OfficeConnect Dual Speed Hubs From the 3com site: "The OfficeConnect Dual Speed Hub 8 features eight 10/100 Mbps Ethernet hub ports that automatically sense and match the speed of an attached network device to optimize performance. An internal built-in switch seamlessly connects users."
• Linksys
– EFAH05W - Erkan Altan
  – Brutally-Forced Wiretap - David Savinkoff
    • Connect Fake-Hub Uplink RJ-45 connector to network
    • Connect Fake-Hub 5th RJ-45 connector to crossover cable
    • Connect other end of crossover cable to Sniffing computer
    • Connect other side of network to Fake-Hub connectors 1...4
– EFAH05W v2
– EFAH08W - Erkan Altan
– EFAH16W (10/100 5-Port and 16-Port Workgroup Hubs including V2) - Erkan Altan
– EF2H24 (10/100 24 Port Hub) - Joe Nardone
– NH1005 V2 - Charles Dunkirk
  – Uses Micrel KS8995 5-Port Integrated Switch IC
  – Version 3.0 ONLY. Steven Posnack noted the differences.
  – Version 2.0 ONLY.
  – I was not able to get a new hub matching this version to work for passive sniffing. -- Ryan Sommers
  – I cannot sniff this 'hub' either. After googling around, I am fairly sure this is a rebadged switch. This hub used to be under 'REAL HUBS' so I moved it down here and kept the comments and attributions -- Rick Hull
  – This is not a hub, the internals are made by a company called Kendin, the IC product number is KS8995, a 10/100 switch -- Trey Keifer
• Allied Telesyn
– AT-FH708E (Unmanaged Fast Ethernet Hub)
• SMC
– EZ5808DS (Unmanaged Fast Ethernet Hub) Todd Parker
• ZIO
– ESB550SW (10/100 5-port Switching Hub)
• Intel
– InBusiness 8-Port Hub (SH10T8)
• Genius KYE SYSTEM CORP
– GS4080 Mini (10/100 8-port Hub)
  – Claims to be a HUB, but has an RTL8309SB chip inside, which is a single-chip 9-Port 10/100 Mbps SWITCH Controller
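An added check, not part of this presentation or of the Wireshark project, for the real-versus-fake hub question above and for the dual-speed hub warning: read a pcap written by tcpdump or Wireshark and count frames that neither involve the sniffing NIC nor are broadcast/multicast. A switch floods group traffic and delivers the sniffer's own unicast anyway, so only third-party unicast proves the device is really repeating; if that count stays at zero, the "hub" is probably a switch, or is not repeating the other speed's traffic. The sniffer MAC and the sample capture are constructed for the example.

```python
import struct

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def eth_frame(dst, src):
    """Constructed Ethernet II frame (IPv4 ethertype, dummy payload, no FCS)."""
    return mac_bytes(dst) + mac_bytes(src) + b"\x08\x00" + b"\x00" * 46

def build_pcap(frames):
    """Minimal little-endian pcap (LINKTYPE_ETHERNET = 1) such as tcpdump -w writes."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for ts, f in enumerate(frames):
        out.append(struct.pack("<IIII", ts, 0, len(f), len(f)) + f)
    return b"".join(out)

def iter_pcap_frames(data):
    """Yield the captured bytes of each record, honouring either byte order of the magic."""
    (magic,) = struct.unpack("<I", data[:4])
    order = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    pos = 24  # skip the global header
    while pos + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(order + "IIII", data[pos:pos + 16])
        pos += 16
        yield data[pos:pos + incl_len]
        pos += incl_len

def audit_capture(data, capture_mac):
    """Count what each frame proves about the device feeding the sniffing NIC."""
    me = mac_bytes(capture_mac)
    counts = {"own": 0, "group": 0, "third_party": 0}
    for f in iter_pcap_frames(data):
        dst, src = f[0:6], f[6:12]
        if dst[0] & 1:                  # group bit set: broadcast or multicast
            counts["group"] += 1        # switches flood these too, proves nothing
        elif me in (dst, src):
            counts["own"] += 1          # reaches this port even through a switch
        else:
            counts["third_party"] += 1  # only a real repeater delivers these
    counts["verdict"] = "repeater" if counts["third_party"] else "switch_suspected"
    return counts

SNIFFER = "00:11:22:33:44:55"  # assumed MAC of the capturing NIC
SAMPLE = build_pcap([          # constructed capture: two hosts talking past the sniffer
    eth_frame("ff:ff:ff:ff:ff:ff", "00:aa:aa:aa:aa:01"),
    eth_frame(SNIFFER, "00:aa:aa:aa:aa:01"),
    eth_frame("00:aa:aa:aa:aa:02", "00:aa:aa:aa:aa:01"),
    eth_frame("00:aa:aa:aa:aa:01", "00:aa:aa:aa:aa:02"),
])
```

To run it against a real capture, replace SAMPLE with the bytes of a file saved by tcpdump -w or Wireshark (classic pcap, not pcapng) and SNIFFER with the capture interface's MAC.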
Demo
• Set NIC