Cloaked Linux box?

Printable View

11-21-2007
RobinVossen

Cloaked Linux box?

Well, this is a hard one.
I am the Security Guy/IT guy at work.
And well recently they are having problems with slow networks.
So I want to Analyze there problem. I am used to do that on my own box with Wireshark (holy program ^^). Most of the time Ill find Collisions/Traffic on Ports not know and can fix them using Wireshark.
Well, the problem now is, there is a Box that I cant install something on.. (Wireshark) to fix the problem. The Box is having troubles and its a REALLY important server.
So, I was thinking what the best way was to sniff its Traffic to Analyze it later on WITHOUT destorying the network. (eg ARP-Poisoning).
So I came with the idea of placing a box between the Box that has Troubles and the network. So all the Traffic goes though my box and so I can sniff.
Smart idea, but here is the Tricky part.
Is there a way to Cloak the box. meaning I don't want ANY ip-addresses to change.
Everybody get a IP assigned using DHCP. And the IP addresses are saved to their MAC address.
SO everybody always has the Same IP. And when a now box joins the network he automatically gets a IP since of the DHCP..
So, I want to plug a Box between a DHCP server and a Important Server. So I can sniff its Traffic for later Analyzes. But I don't want to interfere with the IP-address Scheme. (doing this for MAC address is really easy so I don't worry about that.)

But, well how can I "Cloak" my Device? Or is it even possible? (I really doubt it is.. but well I thought lets ask.)
11-23-2007
mrjohnson

Dude, you're working too hard. Just assign a free ip address and don't use DHCP at all. Then you're sure not to change anything. And putting a box between the server and the switch would be a pain. Just add a little $50 switch capable of uplinking and plug the server and your wireshark box into that.

Actually, you don't even need an address (pretty sure). Just plug it in, `ifconfig ethN up' and start dumping...

Or, even better, if you've got nice switches you can turn on what's called a 'monitoring port' and get a copy of all the packets on the switch. Then you don't even have to leave your desk. :-)
11-23-2007
RobinVossen

So you are saying is that I should change my 600$ Cisco Switch with a 50$ LocalStore one?
We are talking about a Accountent Company here ;)
So, I can't just deplug a switch or something...

Anyhow, thanks.

Cheers,
Robin
11-23-2007
mrjohnson

Nah, I mean you're trying to get packets going to that server, right? It's a switched network so you can see what's going on another port, so you can plugin that cheapo switch and uplink it to the expensive one.

Then, plug your wireshark box into it and make sure it's working. Then all you have to do is move the server over. Not talking about replacing your switch, just dumping traffic. Beats the heck out of configuring a box to put between your server and the switch like you were talking about.

But seriously, using the monitor port is a lot easier and safer.
11-23-2007
RobinVossen

Quote:

But seriously, using the monitor port is a lot easier and safer.

-> You are not a Network Analyzer are you? I need to check stuff like Packet Sizes, TTL and other stuff...

Quote:

Then, plug your wireshark box into it and make sure it's working. Then all you have to do is move the server over. Not talking about replacing your switch, just dumping traffic.

Ok, ill try that out, I dont relly get it thought but I think thats since I am awake now for nearly 28 hours.
I think I should go to bed,
Thanks :)
11-23-2007
mrjohnson

I guess cisco calls port monitoring SPAN. They like to be different. *shrugs*

But, yes, you get the exact same packets to your port as the server sees on it's port. It was designed for what you're trying to do.

Cisco - Catalyst Switched Port Analyzer (SPAN) Configuration Example