From: "Ryan P. Sommers" <ryans@rpsommers.com>
To: hackers@freebsd.org
Date: Fri, 9 Sep 2005 08:39:30 -0600 (MDT)
Subject: "Smart" Hubs
List-Id: Technical Discussions relating to FreeBSD (freebsd-hackers@freebsd.org)

I'm attempting to set up a few systems such that I can sniff traffic to and from one computer. One requirement is this has to be as portable as possible. I obtained a "hub" and set up the target and the sniffing system. However, the sniffing system was not able to see all traffic to/from the target. The lights on the hub blinked over the uplink (internet) and the target, but not the sniffer.
Next I tried my laptop as the sniffer (7-CURRENT; had tried both a Windows laptop and a laptop booted off a Linux live filesystem). I was able to spoof the MAC address and IP on the sniffer (FreeBSD) and set monitor mode for the interface. However, I still was not able to see traffic to/from the target. The whole time, though, I have been able to, of course, see broadcast traffic. With the spoofed IP/MAC, though, if I unplug the hub and then plug it back in, or periodically when leaving it plugged in, the sniffer will get a brief glimpse at a packet or two that was sent to the target system. This suggests to me the "hub" is learning, somehow. My question, though, is how?

I took the sniffer out of monitor mode and generated a few ARP packets by pinging unused IPs. I also ran Ethereal on the target. The target saw the ARPs generated by the sniffer system and the source address was correct; it was the MAC address both systems were using. How is the hub able to tell these systems apart?

Hub in question is a Linksys NH1005 v2. All this was done at 100 Mbit full-duplex. The FreeBSD laptop NIC won't drop to half and I'm not sure how to force Linux (the target's OS) to use anything other than its auto-config.

PS: If anyone knows of a hub that's "easy" to find and still is an actual good ol' hub, let me know.

-- 
Ryan Sommers
ryans < a_t > rpsommers.com
(obsolete: ryans@gamersimpact.com)
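The behaviour described above (broadcasts always visible, unicast for the target never visible, a short "glimpse" right after the sniffer transmits or the device is power-cycled) is exactly what a transparent learning bridge (IEEE 802.1D, i.e. a switch) produces when two stations share one source MAC. The following simulation is an added example, not code from the post or from Linksys; it assumes the NH1005 is a learning bridge rather than a repeater, and the port numbers, MAC addresses and frame sequence are constructed for illustration. Aging, spanning tree and VLANs are not modelled.

```python
"""Simulation of a transparent (learning) bridge, IEEE 802.1D style.

Added example; not code from the original post.  It assumes the
"hub" behaves as a learning bridge (a switch) rather than a repeater.
Port numbers, MAC addresses and the frame sequence are constructed.
Aging, spanning tree and VLANs are not modelled.
"""

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group(mac: str) -> bool:
    """Broadcast/multicast: the I/G bit (low bit of the first octet) is set."""
    return int(mac.split(":")[0], 16) & 1 == 1


class LearningSwitch:
    def __init__(self, ports):
        self.ports = frozenset(ports)
        self.table = {}  # source MAC -> port it was most recently seen on

    def forward(self, in_port, src, dst):
        """Learn src on in_port and return the set of ports the frame egresses on."""
        if in_port not in self.ports:
            raise ValueError(f"unknown port {in_port}")
        # Learning: unconditionally (re)bind the source MAC to the ingress port.
        # Two stations that share a MAC therefore fight over this one entry.
        self.table[src] = in_port
        if is_group(dst) or dst not in self.table:
            # Unknown unicast and group addresses are flooded to every other port.
            return self.ports - {in_port}
        out = self.table[dst]
        # Destination lives on the ingress port: filter (drop) the frame.
        return set() if out == in_port else {out}


def run_scenario():
    """Replay the post: uplink on port 1, target on port 2, sniffer on port 3
    using the target's MAC.  Returns the egress set of each interesting frame."""
    UPLINK, TARGET, SNIFFER = 1, 2, 3
    GW = "00:00:5e:00:53:01"  # constructed gateway MAC (documentation range)
    T = "00:00:5e:00:53:02"   # constructed target MAC, also spoofed by the sniffer
    sw = LearningSwitch([UPLINK, TARGET, SNIFFER])
    result = {}

    # Target talks to the gateway: the table binds T -> port 2 and GW -> port 1.
    sw.forward(TARGET, T, GW)
    sw.forward(UPLINK, GW, T)
    result["reply_to_target"] = sw.forward(UPLINK, GW, T)   # only the target

    # A broadcast from the uplink is flooded: the sniffer always sees these.
    result["broadcast"] = sw.forward(UPLINK, GW, BROADCAST)

    # Sniffer sends an ARP request with the spoofed source MAC T.
    # The entry flips to T -> port 3 and the target sees the ARP with src T.
    result["sniffer_arp"] = sw.forward(SNIFFER, T, BROADCAST)
    # The next frame addressed to T now goes to the sniffer alone: the "glimpse".
    result["glimpse"] = sw.forward(UPLINK, GW, T)

    # As soon as the target transmits again the entry flips back to port 2.
    sw.forward(TARGET, T, GW)
    result["after_target_sends"] = sw.forward(UPLINK, GW, T)
    return result


if __name__ == "__main__":
    for label, ports in run_scenario().items():
        print(f"{label:>20}: egress ports {sorted(ports)}")
```

The switch never needs to "tell the systems apart": the forwarding entry for the shared MAC simply belongs to whichever port transmitted last, and the target, which answers every packet it receives, reclaims it almost immediately. Power-cycling the device empties the table, so unicast is flooded (and visible on the sniffer port) until the first frame from the target is learned; on a real bridge an entry that ages out has the same effect, which is consistent with the periodic glimpses. Note also that this MAC duplication disrupts the target itself. For a portable setup that captures everything without fighting over the table, the sniffer can instead be placed inline as a transparent bridge with two NICs (for example FreeBSD's if_bridge(4)), or a managed switch with a mirror port or a passive tap can be used.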