Ethereal-users: Re: [Ethereal-users] Sniffing remote networks

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Morgan, Chip E." <Chip.Morgan@xxxxxxxxxx>
Date: Mon, 30 Sep 2002 15:18:16 -0400

Narayan,
   I've cobbled together a quirky set of utils that I've nicknamed tethbgmon
that allow me to run tethereal continuously (as needed) on any WinNT/W2K
machine in our network from system boot. In order to install and use it, I
need local workstation admin privileges and remote control software like
WinVNC on the box (for the GUI portions of the Ethereal and WinPcap
installs). I use the AutoExnt NT Reskit service to launch an NT batch file
(called tethbgmon.cmd) as builtin\system under the covers, which can be
started on demand or at system boot. The tethbgmon batch file determines how
many capture files to record (admin configurable), which non-loopback,
non-dialup interface to use, and which filename to save the first trace as.
It then captures 1000 frames using tethereal. After the capture completes,
it checks to see if an administrator-requested stop "command" has been
issued (via a trigger file), then starts the next capture. Once the maximum
number of files has been captured, it begins to reuse the capture files.

   I wrote this utility because I was sick and tired of shipping a hardware
sniffer to a remote location, waiting for the sniffer to get there, fighting
to get the box plugged into the exact portion of the network, reconfiguring the
switch for spanning, just to realize that a basic Ethereal capture running
on the end-user's machine could have answered the question. I then had to get
the sniffer shipped back before I needed it again. Obviously, we could (and
do) have centralized sniffers, but they are just as much of a pain to get
to capture the right kind of traffic without capturing WAY too much other
crap, while making sure that I am not stepping on my colleagues' toes in
performing their own captures. I also couldn't afford to have enough
sniffers to ship to dozens of locations, but with a freeware tool like
Ethereal (and some extra utils), I've only got my own labor costs and
about one tenth of the time lag.

   I can now deploy tethbgmon to any workstation in our company (that I've
got rights to) in about 30-45 minutes, including download time across
relatively slow WAN links.  I've also installed the util on a dozen or so
machines that intermittently experience a problem and then sit back and wait
for a complaint. I isolated a problem with this tool in a week that we and
our NT server buddies had been fighting (with Microsoft's continued help)
for many months. That one turned out to be an NT 4 service pack 6 bug that
caused NT servers to randomly reject incoming logon connections under
certain circumstances, but still respond quickly to initial netlogon
requests.

   I've found tethbgmon adds a relatively small CPU load on a reasonably sized
workstation (one that an end-user isn't already complaining about
constantly).

   Having said all of this, I don't pretend for a moment that the tool is
ready for prime time (I mean, after all, it's written with BATCH FILES, for
God's sake), but I am willing to supply the batch files off-line to anyone
that would like to attempt to implement them with the understanding of
caveat emptor ("buyer" beware). You don't absolutely need Autoexnt, but you
will find it much more challenging to capture NT Logon problems without it.

   Maybe someone could actually put together a reasonably stable tool from
the idea, if nothing more. 

   One last warning. Tethbgmon will capture every bit of network traffic
that an end-user generates, so you'd better be damned careful that you turn
the thing off (even disable it) when you don't actively need it.

Chip



Chip Morgan
Sr Designer
IT Network Systems
Norfolk Southern Corp
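The capture loop the message describes (a fixed number of rotating capture files, 1000 frames per tethereal run, and a stop trigger file checked between runs) can be sketched as an NT batch file. The script below is an illustrative example written for this archive page; it is not Chip's actual tethbgmon.cmd. The interface value, the capture and trigger paths, the file count and the tethereal install location are all assumptions, and the automatic non-loopback/non-dialup interface selection he mentions is replaced here by a configured value.

```batch
@echo off
rem Illustrative tethbgmon-style capture loop (example, not the original tethbgmon.cmd).
rem Intended to be launched by a boot-time service such as AutoExnt, or by hand.
setlocal

rem --- assumed, site-specific settings -------------------------------------
set MAXFILES=5
set FRAMES=1000
rem Interface as accepted by your tethereal build (name or number); placeholder value.
set IFACE=2
set CAPDIR=C:\tethbgmon\captures
set STOPFILE=C:\tethbgmon\stop.trigger
set LOGFILE=C:\tethbgmon\tethbgmon.log
set TETHEREAL="C:\Program Files\Ethereal\tethereal.exe"
rem -------------------------------------------------------------------------

if not exist "%CAPDIR%" mkdir "%CAPDIR%"
rem A stale trigger from a previous run would stop us before the first capture.
if exist "%STOPFILE%" del "%STOPFILE%"
echo started %DATE% %TIME% >> "%LOGFILE%"

set N=1

:loop
rem An administrator stops the monitor by creating the trigger file; it is
rem honoured between captures, so at most one 1000-frame capture is in flight.
if exist "%STOPFILE%" goto done

set CAPFILE=%CAPDIR%\capture%N%.cap
rem -i interface, -c frame count, -w output file, -q quiet.
%TETHEREAL% -i %IFACE% -c %FRAMES% -w "%CAPFILE%" -q
if errorlevel 1 (
    echo tethereal failed on %CAPFILE% at %DATE% %TIME% >> "%LOGFILE%"
    goto done
)

rem Advance to the next slot; wrap around so old files are reused once
rem MAXFILES captures exist.
set /a N+=1
if %N% GTR %MAXFILES% set N=1
goto loop

:done
echo stopped %DATE% %TIME% >> "%LOGFILE%"
endlocal
```

Because the loop overwrites capture files in place and records everything the user's NIC sees, the trigger file is the only brake on it; the log line written at start and stop gives an administrator a quick way to confirm the monitor is actually off after a troubleshooting session, which is the point of Chip's closing warning.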


To: <ethereal-users@xxxxxxxxxxxx>
Subject: [Ethereal-users] Sniffing remote networks
From: "Narayan Sharma" <narayans@xxxxxxxxxxxxxx>
Date: Wed, 18 Sep 2002 15:52:36 +0530

Hi All,
      Is there any way to sniff remote networks using Ethereal on remote
machines?

Thanks and Regards,
Narayan