Date: Fri, 9 Sep 2005 08:39:30 -0600 (MDT)
From: "Ryan P. Sommers" <ryans@rpsommers.com>
To: hackers@freebsd.org
Subject: "Smart" Hubs
Message-ID: <3581.66.166.104.222.1126276770.squirrel@66.166.104.222>

I'm attempting to set up a few systems such that I can sniff traffic to and from one computer. One requirement is this has to be as portable as possible. I obtained a "hub" and set up the target and the sniffing system. However, the sniffing system was not able to see all traffic to/from the target. The lights on the hub blinked over the uplink (internet) and the target, but not the sniffer.

Next I tried my laptop as the sniffer (7-CURRENT, had tried both a Windows laptop and a laptop booted off a Linux live-filesystem). I was able to spoof the MAC address and IP on the sniffer (FreeBSD) and set monitor mode for the interface. However, I still was not able to see traffic to/from the target. The whole time, though, I have been able to, of course, see broadcast traffic.

With the spoofed IP/MAC, though, if I unplug the hub and then plug it back in, or periodically when leaving it plugged in, the sniffer will get a brief glimpse at a packet or two that was sent to the target system. This suggests to me the "hub" is learning, somehow. My question, though, is how?

I took the sniffer out of monitor mode and generated a few ARP packets by pinging unused IPs. I also ran ethereal on the target. The target saw the ARPs generated by the sniffer system and the source address was correct; it was the MAC address both systems were using. How is the hub able to tell these systems apart?

Hub in question is a Linksys NH1005 v2. All this was done at 100 Mbit full-duplex. FreeBSD laptop NIC won't drop to half and I'm not sure how to force Linux (target's OS) to use anything other than its auto-config.

PS If anyone knows of a hub that's "easy" to find and still is an actual good ol' hub, let me know.

--
Ryan Sommers
ryans < a_t > rpsommers.com
(obsolete: ryans@gamersimpact.com)