VoyForums

Date Posted: 22:18:04 03/04/07 Sun
Author: Anandan
Subject: Packet Capture
In reply to: Anandan's message, "Networking - Software tools" on 05:41:31 01/10/07 Wed

Packet capture - to know what is happening on your network; it provides the maximum information.
Packet capture software - the most difficult to use to its full potential, and requires a thorough understanding of the underlying protocols to be used effectively.

Tools for the capture and analysis of traffic go by a number of names, including packet sniffers, packet analyzers, protocol analyzers, and even traffic monitors.

Packet sniffers generally do the least amount of analysis, while protocol analyzers provide the greatest level of interpretation. Traffic monitors typically are more concerned with collecting statistical information, but many support the capture of raw data. Any of these may be augmented with additional functions such as graphing utilities and traffic generators.

Access to Traffic: One can capture traffic information or packets only when one has access to it. While this might seem obvious, it may be surprisingly difficult to get access to some links on your network. On some networks, this won't be a problem. For example, 10Base2 and 10Base5 networks have shared media, at least between bridges and switches. Computers connected to a hub are effectively on a shared medium, and the traffic is exposed. But on other systems, watch out!

Clearly, if you are trying to capture traffic from a host on one network, it will never see the local traffic on a different network. But the problem doesn't stop there. Some networking devices, such as bridges and switches, are designed to contain traffic so that it is seen only in parts of the local network. On a switched network, only a limited amount of traffic will normally be seen at any interface. Traffic will be limited to traffic to or from the host, or to multicast and broadcast traffic. If this includes the traffic you are interested in, so much the better. But if you are looking at general network traffic, you will use other applications.
Not being able to capture data on an interface has both positive and negative ramifications. The primary benefit is that it is possible to control access to traffic with an appropriate network design. By segmenting your network, you can limit access to data, improving security and enhancing privacy. Lack of access to data can become a serious problem, however, when you must capture that traffic. There are several basic approaches to overcome this problem. First, you can try to physically go to the traffic by using a portable computer to collect the data. Sometimes, this may not be desirable or possible. For example, if you are addressing a security problem, it may not be feasible to monitor at the source of the suspected attack without revealing what you are doing. Another approach is to have multiple probe computers located throughout your network. You can reach those computers on your network using telnet, ssh, X Window software, VNC, etc.

Packet capture may be done by software running on a networked host or by hardware/software combinations designed specifically for that purpose. Devices designed specifically for capturing traffic often have high-performance interfaces that can capture large amounts of data without loss. More conventional interfaces may not be able to keep up with high traffic levels, so packets will be lost. On moderately loaded networks, however, losing packets should not be a problem. If dropping packets becomes a problem, you will need to consider faster hardware or, better yet, segmenting your network.

Packet capture software works by placing the network interface in promiscuous mode. In this mode, all packets are captured regardless of their destination address. While the vast majority of interfaces can be placed in promiscuous mode, a few are manufactured not to allow this. If in doubt, consult the documentation for your interface. Additionally, on Unix systems, the operating system software must be configured to allow promiscuous mode. Typically, placing an interface in promiscuous mode requires root privileges.
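The two limits described above (what a switch delivers to a port, and what the interface passes up with or without promiscuous mode) can be modelled together. This is an added example, not code from the original post; the hosts, MAC addresses and frames are constructed, and the switch is a simplified learning switch that floods broadcast, multicast and unknown-unicast frames.

```python
# Added example (not from the original post). Models which frames a capture
# tool on one port would see: first the switch's forwarding decision, then the
# NIC's address filter, which promiscuous mode disables. All data is constructed.
from typing import Dict, List, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"
Frame = Tuple[str, str, str]  # (src MAC, dst MAC, label)


def is_group_address(mac: str) -> bool:
    """Broadcast and multicast MACs have the low bit of the first octet set."""
    return bool(int(mac.split(":")[0], 16) & 0x01)


def nic_accepts(dst: str, own_mac: str, promiscuous: bool) -> bool:
    """Interface filter: promiscuous mode accepts every frame regardless of
    destination; otherwise only own unicast, broadcast and multicast."""
    return promiscuous or dst == own_mac or is_group_address(dst)


def switch_forwards(dst: str, port: int, mac_table: Dict[str, int], ingress: int) -> bool:
    """A switch sends a frame out `port` only if the destination was learned
    there, or if it must flood (group address or unknown unicast). It never
    sends a frame back out the port it arrived on."""
    if port == ingress:
        return False
    if is_group_address(dst) or dst not in mac_table:
        return True
    return mac_table[dst] == port


def visible_frames(frames: List[Frame], port: int, own_mac: str,
                   mac_table: Dict[str, int], promiscuous: bool,
                   shared_medium: bool) -> List[Frame]:
    """Frames the capture software on `port` sees. On a hub (shared medium)
    every frame reaches the port; on a switch only forwarded ones do."""
    seen = []
    for src, dst, label in frames:
        reaches = shared_medium or switch_forwards(dst, port, mac_table, mac_table[src])
        if reaches and nic_accepts(dst, own_mac, promiscuous):
            seen.append((src, dst, label))
    return seen


# Constructed network: hosts A, B and the monitoring host M on ports 1, 2, 3.
A, B, M = "aa:00:00:00:00:01", "aa:00:00:00:00:02", "aa:00:00:00:00:03"
MAC_TABLE = {A: 1, B: 2, M: 3}
FRAMES: List[Frame] = [
    (A, B, "A->B unicast"),                 # never reaches port 3 on a switch
    (B, M, "B->M unicast"),                 # addressed to the monitor
    (A, BROADCAST, "ARP broadcast"),        # flooded, always accepted
    (B, "01:00:5e:00:00:fb", "multicast"),  # flooded, always accepted
    (A, "aa:00:00:00:00:09", "unknown dst"),  # flooded; only promiscuous sees it
]


def summary() -> Dict[Tuple[str, bool], int]:
    """Frame counts for hub vs. switch, with and without promiscuous mode."""
    return {(medium, mode): len(visible_frames(FRAMES, 3, M, MAC_TABLE, mode, medium == "hub"))
            for medium in ("hub", "switch") for mode in (False, True)}
```

Promiscuous mode on the hub exposes all five frames, but on the switch it only adds the flooded unknown-unicast frame; the A-to-B conversation never reaches the monitor's port at all.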

Forum timezone: GMT-8