Ethereal-users: Re: [Ethereal-users] Sniffing remote networks
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
From: "Morgan, Chip E." <Chip.Morgan@xxxxxxxxxx>
Date: Mon, 30 Sep 2002 15:18:16 -0400
Narayan,

I've cobbled together a quirky set of utils that I've nicknamed tethbgmon that allow me to run tethereal continuously (as needed) on any WinNT/W2K machine in our network from system boot. In order to install and use it, I need local workstation admin privileges and remote control software like WinVNC on the box (for the GUI portions of the Ethereal and WinPcap installs). I use the AutoExnt NT Reskit service to launch an NT batch file (called tethbgmon.cmd) as builtin\system under the covers, which can be started on demand or at system boot.

The tethbgmon batch file determines how many capture files to record (admin configurable), which non-loopback, non-dialup interface to use, and which filename to save the first trace as. It then captures 1000 frames using tethereal. After the capture completes, it checks to see if an administrator-requested stop "command" has been issued (via a trigger file), then starts the next capture. Once the maximum number of files has been captured, it begins to reuse the capture files.

I wrote this utility because I was sick and tired of shipping a hardware sniffer to a remote location, waiting for the sniffer to get there, fighting to get the box plugged into the exact portion of the network, reconfiguring the switch for spanning, just to realize that a basic Ethereal capture running on the end-user's machine could have answered the question. I then had to get the sniffer shipped back before I needed it again. Obviously, we could (and do) have centralized sniffers, but they are just as much of a pain to get to capture the right kind of traffic without capturing WAY too much other crap, while making sure that I am not stepping on my colleagues' toes in performing their own captures. I also couldn't afford to have enough sniffers to ship to dozens of locations, but with a freeware tool like Ethereal (and some extra utils), I've only got my own labor costs and about one tenth of the time lag.
I can now deploy tethbgmon to any workstation in our company (that I've got rights to) in about 30-45 minutes, including download time across relatively slow WAN links. I've also installed the util on a dozen or so machines that intermittently experience a problem and then sit back and wait for a complaint. I isolated a problem with this tool in a week that we and our NT server buddies had been fighting (with Microsoft's continued help) for many months. That one turned out to be an NT 4 Service Pack 6 bug that caused NT servers to randomly reject incoming logon connections under certain circumstances, but still respond quickly to initial netlogon requests. I've found tethbgmon adds a relatively small CPU load on a reasonably sized workstation (one that an end-user isn't already complaining about constantly).

Having said all of this, I don't pretend for a moment that the tool is ready for prime time (I mean, after all, it's written with BATCH FILES, for God's sake), but I am willing to supply the batch files off-line to anyone that would like to attempt to implement them with the understanding of caveat emptor ("buyer" beware). You don't absolutely need AutoExnt, but you will find it much more challenging to capture NT logon problems without it. Maybe someone could actually put together a reasonably stable tool from the idea, if nothing more.

One last warning. Tethbgmon will capture every bit of network traffic that an end-user generates, so you'd better be damned careful that you turn the thing off (even disable it) when you don't actively need it.

Chip

Chip Morgan
Sr Designer IT Network Systems
Norfolk Southern Corp

* To: <ethereal-users@xxxxxxxxxxxx>
* Subject: [Ethereal-users] Sniffing remote networks
* From: "Narayan Sharma" <narayans@xxxxxxxxxxxxxx>
* Date: Wed, 18 Sep 2002 15:52:36 +0530

Hi All,

Is there any way to sniff the remote networks using ethereal on remote machines?

Thanks and Regards,
Narayan
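The loop Chip describes (pick a usable interface, capture a fixed number of frames, check a trigger file, rotate through a bounded set of capture files) is easy to reconstruct on a current Windows box. The script below is an added example written for this page, not Chip's tethbgmon batch files, and it uses tshark (the successor of tethereal) rather than tethereal itself. The install path, capture directory, trigger-file name, file count and the regex used to skip loopback and dial-up adapters in `tshark -D` output are all assumptions for illustration.

```powershell
# Added example (not tethbgmon): rotating background capture with tshark.
# Assumptions: tshark install path, capture directory, STOP trigger file name,
# and the adapter-name heuristic used to skip loopback / dial-up interfaces.
param(
    [string]$TShark        = 'C:\Program Files\Wireshark\tshark.exe',  # assumed path
    [string]$Interface     = '',             # tshark interface number; blank = auto-pick
    [string]$CaptureDir    = 'C:\tethbgmon', # assumed; lock this down with an ACL
    [int]$MaxFiles         = 10,             # files to keep before reusing the first
    [int]$FramesPerFile    = 1000,           # same fixed frame count the post uses
    [string]$StopFile      = 'C:\tethbgmon\STOP'  # create this file to stop the loop
)

New-Item -ItemType Directory -Path $CaptureDir -Force | Out-Null

# Choose the first interface that is neither loopback nor dial-up. tshark -D prints
# one line per adapter, e.g. "1. \Device\NPF_{GUID} (Ethernet)"; the exclusion
# pattern is a heuristic, not something tshark guarantees.
if (-not $Interface) {
    $candidates = & $TShark -D 2>&1 | Where-Object {
        $_ -match '^\d+\.' -and $_ -notmatch 'Loopback|Dial-?up|PPP|RAS'
    }
    if (-not $candidates) { throw 'No usable non-loopback, non-dialup interface found' }
    # Keep only the leading interface number, which tshark -i accepts.
    $Interface = ([string]($candidates | Select-Object -First 1)) -replace '^(\d+)\..*', '$1'
}

$index = 0
while ($true) {
    # Cycle 1..MaxFiles, then wrap around and overwrite the oldest file.
    $index   = ($index % $MaxFiles) + 1
    $outFile = Join-Path $CaptureDir ('capture{0:D3}.pcap' -f $index)

    # Capture a bounded number of frames, then return so the stop check can run.
    & $TShark -i $Interface -c $FramesPerFile -w $outFile
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "tshark exited with code $LASTEXITCODE; stopping"
        break
    }

    # The administrator stops the monitor by creating the trigger file.
    if (Test-Path $StopFile) {
        Remove-Item $StopFile -Force
        break
    }
}
```

To get the "runs as SYSTEM from boot" behaviour that AutoExnt provided in 2002, register the script as a scheduled task with an `ONSTART` trigger running as SYSTEM (`schtasks /create /sc onstart /ru SYSTEM ...`). Chip's closing warning applies unchanged: the capture files hold everything the user sends and receives, so restrict the capture directory to administrators, disable the task when you are not actively troubleshooting, and delete the files once the question is answered.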