Q: Can I use EffeTech HTTP Sniffer on a
PPP connection?
A: EffeTech HTTP Sniffer uses WinPcap as its packet-capturing
driver. We tested WinPcap on PPP connections under Windows 95,
Windows 98 and Windows ME. In Windows 95, due to a bug in NDIS,
WinPcap sometimes resets the PPP connection. In Windows 98/ME this
bug appears to be corrected, and WinPcap seems to work properly.
Under Windows NT and Windows 2000 there are problems with the
binding process that prevent a protocol driver from working
properly on the WAN adapter. In any case, first try it to find
out whether it works properly on your computer.
Q. I am connected to the LAN through a
switch, and when I launch EffeTech HTTP Sniffer, it captures only
the packets sent to and from my own machine. I can't see the
traffic of other machines. Why is this so?
A. The easiest way to achieve this
goal is to place the EffeTech HTTP Sniffer on the gateway. However,
if you want to do this from any PC on the LAN, you have to make
some simple configuration changes on your switch. So let's first
look at how a switch works.

Unlike hubs, switches prevent
promiscuous sniffing. In a switched network environment, EffeTech
HTTP Sniffer (or any other packet analyzer) is limited to capturing
broadcast and multicast packets and the traffic sent or received by
the PC on which EffeTech HTTP Sniffer is running, because a switch
will not forward others' packets to your PC. However, most modern
switches support "port mirroring", a feature that enables
the switch to forward any packet to one PC and allows the network
manager to determine the location of a problem on the network
simply and efficiently. Port mirroring is configured by assigning a
port from which to copy all frames, and a port to which to send
those frames. Once the feature is activated, all frames
bound for or sourced from the selected source port will be sent (in
addition to their regular destinations) to the selected destination
port. Simply by placing an RMON probe (or a similar LANalyzer) on
this destination port, each segment can be separately monitored
without moving the equipment. By using this feature, you will be able
to monitor the entire LAN segment.
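
The forwarding behaviour described above can be modelled in a few lines. This is an added example, not part of the EffeTech documentation: the `Switch` class, port numbers, MAC addresses and frame list are constructed for illustration, and the model ignores VLANs and table ageing.

```python
from dataclasses import dataclass, field
from typing import Optional

def is_group(mac: str) -> bool:
    """Broadcast and multicast MACs have the low bit of the first octet set."""
    return int(mac.split(":")[0], 16) & 1 == 1

@dataclass
class Switch:
    ports: int
    mirror_source: Optional[int] = None  # port to copy frames from
    mirror_dest: Optional[int] = None    # port the analyzer is plugged into
    mac_table: dict = field(default_factory=dict)

    def forward(self, in_port: int, src: str, dst: str) -> set:
        """Return the set of ports this frame leaves on."""
        self.mac_table[src] = in_port            # learn the sender's port
        if is_group(dst) or dst not in self.mac_table:
            out = set(range(1, self.ports + 1))  # flood to every port
        else:
            out = {self.mac_table[dst]}          # known unicast: one port only
        # Mirroring: frames sourced from or bound for the source port
        # are also copied to the destination port.
        if self.mirror_source is not None and (
                in_port == self.mirror_source or self.mirror_source in out):
            out.add(self.mirror_dest)
        out.discard(in_port)                     # never echo out the ingress port
        return out

def hub_forward(ports: int, in_port: int) -> set:
    """A hub repeats every frame on every other port."""
    return set(range(1, ports + 1)) - {in_port}

# Constructed sample traffic: (ingress port, source MAC, destination MAC, label)
PC, GW, BCAST = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "ff:ff:ff:ff:ff:ff"
FRAMES = [
    (1, PC, BCAST, "broadcast from PC"),
    (2, GW, BCAST, "broadcast from gateway"),
    (1, PC, GW, "HTTP request"),
    (2, GW, PC, "HTTP response"),
]

def seen_on(port: int, switch: Switch) -> list:
    """Labels of the frames an analyzer plugged into `port` would capture."""
    return [label for in_port, src, dst, label in FRAMES
            if port in switch.forward(in_port, src, dst)]

if __name__ == "__main__":
    print("plain switch :", seen_on(3, Switch(ports=4)))
    print("mirror 2 -> 3:", seen_on(3, Switch(ports=4, mirror_source=2, mirror_dest=3)))
```

With no mirror session the analyzer on port 3 captures only the two broadcasts; mirroring the gateway's port to port 3 makes the HTTP request and response visible as well.
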
Please refer to the documentation that comes with your switch
for information on the availability of this feature and for configuration
instructions. Networking hardware manufacturers use different names
for this feature. Below is a short reference list of hardware from
three major manufacturers (Cisco, 3COM, and Intel) that supports
port mirroring.

| Manufacturer | Name used for the port mirroring feature | Models of switches with port mirroring support |
|---|---|---|
| Cisco | SPAN | Cisco Catalyst 1900 Series Switches; Cisco Catalyst 6000 Family Switches; ... |
| 3COM | Roving analysis port (RAP) | 3Com SuperStack 3 Switch 4400; ... |
| Intel | Port mirroring | Express 100BASE-TX Switching Hub; Intel Express 460T; Intel Express 480T; Express 510, 520 and 550 Series Switches software v2.21 or later; Intel NetStructure 6000 Switch; ... |

Common switches sorted by port mirroring support

| Company | Product Name/Model | Port mirroring supported |
|---|---|---|
| 3Com Corp. | Super Stack II Switch 3300 | Yes |
| Addtron Technology | ADS-824M | Yes |
| Addtron Technology | ADS-816M | Yes |
| Allied Telesyn International | AT-8224XL | Yes |
| Asante Technologies | IntraStack 6014DSB | Yes |
| KTI Networks | KS2316 10/100 Fast Ethernet Switch | Yes |
| Matrox Electronic Systems | Matrox Switchbox 12 | Yes |
| Bay Networks, a Nortel Networks Line of Business | Bay Stack 350T-HD 10/100 Autosense Switch | Yes |
| Bay Networks, a Nortel Networks Line of Business | Bay Stack 350T 10/100 Autosense Switch | Yes |
| Bay Networks, a Nortel Networks Line of Business | Bay Stack 350 F - HD 10/100 Autosense Switch | Yes |
| Bay Networks, a Nortel Networks Line of Business | Bay Stack 350F 10/100 Autosense Switch | Yes |
| Cisco Systems | Cisco Catalyst 2924C XL | Yes |
| Cisco Systems | Cisco Catalyst 2924 XL | Yes |
| Matrox Electronic Systems | Matrox Switchbox 12 (FX) | Yes |
| NBase-Xyplex | MegaSwitch II SX-2024 | Yes |
| Teleware Corp. | Teleway 1080EX | Yes |
| Enterasys Networks | Vertical Horizon VH-4802 | Yes |
| Foundry Networks | FastIron Workgroup Switch 16 port | Yes |
| Foundry Networks | FastIron Workgroup Switch 24 port | Yes |
| IBM Corp. | IBM 8271-712 NWAYS Ethernet LAN Switch | Yes |
| Intel Corp. | Express 550T Routing Switch (ES550T) | Yes |
| NBase-Xyplex | MegaSwitch SX-2016 | Yes |
| LANart Corp. | ETS 1210 Fast Ethernet Switch | Yes |
| Lucent Technologies (formerly Prominet) | Lucent P550 Cajun Switch | Yes |
| Network Peripherals | FE-D512 | Yes |
| Olicom | CrossFire 8420 Fast Ethernet Switch | Yes |
| NBase-Xyplex | Mega Switch II SX-2012 | Yes |
| Proteon LAN Products by Microvitec | ProNet/E Series 84 Fast Ethernet Switch | Yes |
| Network Peripherals | FE-DS-24 | Yes |
| Performance Technologies | Nebula 6000 Departmental Switch | Yes |
| Performance Technologies | Nebula 4000 Workgroup Switch | Yes |
| Performance Technologies | Nebula 8000 Fault Tolerant Backbone Switch | Yes |
| Point Com | CEM56-100 | Yes |
| Asante Technologies | Friendly Net FS4004DS Switch | No |
| NDC Communications | Plug-n-Switch | No |
| Asante Technologies | Friendly Net FS4008DS Switch | No |
| Compaq Computer Corp. | Compaq NETELLIGENT 5708 TX | No |
| Omnitron Systems Technology | FlexSwitch 600X 10/100 Switch with Optional Fiber/UTP Plug-Ins | No |
| Omnitron Systems Technology | FlexSwitch 600X3 10/100 Ethernet Modular Switch (Model # 6200) | No |
| Compex | Compex Ready Switch SNW 1213 | No |
| TRENDware International | TE100-S1212 | No |
| D-Link Systems | 5016 | No |

Even if a switch does not currently support this feature, it may
gain support through a firmware upgrade. Please contact the
manufacturer about upgrading.
Q. I launched the program and clicked
the "Start sniffer" button, but no HTTP communications are displayed.
Why?
A. There are three possible reasons. First, you may have more than
one network adapter and have selected an unused one. Second, you may
have made a mistake when configuring the filter: select at least one of
the three options in the "content" area, and select "any host" in the
"host" area. Third, your network may be switched, in which case refer to the
answer to the previous question.
Q: How can I see if WinPcap is installed
on my system? How can I remove it?
A: WinPcap 2.3 is a packet-capturing driver. To remove it,
go to the Control Panel and open the "Add/Remove Programs"
applet. If WinPcap is present on your system, an entry called
"WinPcap" will be listed. Double-click on it to uninstall WinPcap.
To be absolutely sure that WinPcap has been installed, look
in your system folder: you should find files called packet.* and
wpcap.dll. Check the file dates, which should be consistent
with the WinPcap release dates.
Q: What is a "packet sniffer"?
A: A packet sniffer is a wiretap device that plugs into
computer networks and eavesdrops on the network traffic. Just as a
telephone wiretap allows the FBI to listen in on other people's
conversations, a "sniffing" program lets someone listen in on
computer conversations. However, computer conversations consist of
apparently random binary data. Therefore, network wiretap programs
also come with a feature known as "protocol analysis", which allows
them to "decode" the computer traffic and make sense of it.
Sniffing also has one advantage over telephone wiretaps: many
networks use "shared media". This means that you don't need to
break into a wiring closet to install your wiretap; you can do it
from almost any network connection to eavesdrop on your neighbors.
This is called a "promiscuous mode" sniffer. However, this "shared"
technology is moving quickly toward "switched" technology, where
this will no longer be easy, which means you will need to
configure your switch.
Q: Questions about WinPcap?
A: http://winpcap.polito.it/misc/faq.htm