Lan sniffing with a DualComm port mirroring switch and Windump



I was recently contracted to help another consultant sniff a customer's network for suspicious activity. The situation was that the customer had been put on blacklists because some internal machine had apparently been compromised and was sending out spam.

Obviously the first task was to find and clean up any infected machines. The consultant contracted that out to someone else who updated virus software and ran scans. Unfortunately, that person didn't provide details of his work - he just reported that he had found and fixed "some problems". This didn't leave anyone feeling confident that the problem had actually been dealt with.

I pointed out that, if possible, all machines other than the internal mailserver should be blocked from sending email (other than to the internal mailserver, of course). Ideally, they should be locked down to only whatever outgoing ports are absolutely necessary, but blocking outbound ports 25 and 465 is a good start. That was done, but my contact still wanted to know how to sniff what is actually happening on the network.

I had him buy a DualComm port mirroring switch and arranged to meet him at the customer site. The DualComm is an inexpensive 5-port, USB-powered switch that, by default, mirrors port 1 to port 5. It's small enough to keep in your laptop bag, cheap enough that you can leave it at a customer site, and the USB power means one less outlet to hunt for. The default port mirroring makes this ideal for lan sniffing.

Because the consultant wanted to use Windows, I brought a Windows laptop with Windump installed. Windump is just tcpdump for Windows, so that makes it easy for me, and it also means that he can search for tcpdump tutorials and learn more about its usage.

Both Linux and MacOSX users have tcpdump installed by default. Personally, I'd much rather carry a Mac or Linux laptop for this kind of work as there are many other tools that Windows doesn't bother to include. But this consultant was more comfortable with Windows, so that's what we did.

On site, I connected my laptop to port 5 of his DualComm, took the patch cord that went to the ISP's router and put it in port 2, and then ran port 1 back to the customer's switch where I had unplugged the router cable. I started up a CMD window and showed him that we could do things like

windump "tcp port 25 or tcp port 465"

That showed traffic to and from the internal Kerio mailserver as we'd expect. I then stopped the mailserver and all Windump output ceased. We watched for a few minutes, saw nothing, and turned the mailserver back on. I showed him that the Kerio admin "Active Connections" under Status should match the IPs we were seeing in Windump. This made him feel more confident that the problem was indeed resolved. I did suggest that he might want to log some longer runs just to be certain, but as I confirmed that client machines were blocked, I don't expect to see this problem again. The sloppiness of the contractor who did the virus cleanup bothers me a bit, but otherwise this is under control.
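The check we did by eye above (only the mailserver should be talking to port 25 or 465) can be automated for the longer logged runs. This is an added example, not code from the article: it parses windump/tcpdump text output and counts packets from any LAN host other than the mailserver to a mail port. It assumes the capture was run with windump's -n option so addresses and ports print numerically, and the mailserver address 192.168.1.10, the LAN 192.168.1.0/24 and the sample lines are all constructed.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Prefix of a tcpdump/windump -n "IP" line: timestamp, src.port > dst.port:
# Only the prefix is matched, so both the old "S 1:1(0)" and the newer
# "Flags [S]" styles of TCP flag output are accepted.
LINE_RE = re.compile(
    r'^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > '
    r'(?P<dst>[\d.]+)\.(?P<dport>\d+): '
)

MAIL_PORTS = {25, 465}  # SMTP and SMTPS, the ports blocked for clients


def parse_line(line):
    """Return (timestamp, src_ip, sport, dst_ip, dport), or None for
    lines that are not IPv4 packets (ARP, IP6, continuation lines)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (m.group('ts'), m.group('src'), int(m.group('sport')),
            m.group('dst'), int(m.group('dport')))


def find_rogue_senders(lines, mailserver, lan):
    """Count packets from LAN hosts other than the mailserver to a mail port.
    Replies from remote MTAs (source port 25/465, destination a high port)
    do not match because their destination port is not a mail port."""
    lan_net = ip_network(lan)
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        _, src, _, _, dport = rec
        if dport in MAIL_PORTS and ip_address(src) in lan_net and src != mailserver:
            counts[src] += 1
    return dict(counts)


# Constructed sample of "windump -n" output; not a real capture.
SAMPLE = """\
10:01:02.000100 IP 192.168.1.10.50001 > 203.0.113.25.25: Flags [S], seq 1, win 64240, length 0
10:01:02.000200 IP 203.0.113.25.25 > 192.168.1.10.50001: Flags [S.], seq 2, ack 2, win 65535, length 0
10:01:03.000300 IP 192.168.1.57.49152 > 198.51.100.7.25: Flags [S], seq 3, win 64240, length 0
10:01:03.000400 IP 192.168.1.57.49153 > 198.51.100.8.25: Flags [S], seq 4, win 64240, length 0
10:01:04.000500 IP 192.168.1.10.50002 > 203.0.113.26.465: Flags [S], seq 5, win 64240, length 0
10:01:05.000600 ARP, Request who-has 192.168.1.1 tell 192.168.1.57, length 28
"""

if __name__ == "__main__":
    rogue = find_rogue_senders(SAMPLE.splitlines(), "192.168.1.10", "192.168.1.0/24")
    for host, n in rogue.items():
        print(f"{host}: {n} packets to a mail port")  # 192.168.1.57: 2 packets
```

Any host it reports is either a machine that slipped past the outbound port block or the blocked traffic itself being attempted, and either way is worth a look.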


Sat Jan 23 07:19:16 2010:   Michiel

Have you tried WireShark? It's a great tool for sniffing network traffic and analyzing it. It can also visualize conversations between two machines. There exist versions for unix, windows and osx. http://www.wireshark.org





Sat Jan 23 21:07:22 2010:   TonyLawrence

I haven't. I just downloaded the so-called Mac version (it isn't, it's an X app). I detest having to run stuff in X when I'm using a Mac, but I'll give it a whirl.
