Know How...

Nov 7th 2016

Know How... 259

Networking Part 2

How to tap your network and monitor traffic!
New episodes every Thursday at 2:00pm Eastern / 11:00am Pacific / 19:00 UTC.
Category: Help & How To

We show you how to see what data is traveling over the network, and the different hardware to help you with networking at home or at school!

MidBit Technologies: SharkTap Gigabit Ethernet Sniffer

  1. Will do 10/100/1000
  2. PoE Passthrough
  3. 350mA draw at 5volts (USB Powered)
  4. Auto-MDIX
  5. Aggregates both sides of the conversation onto the single receive port of the tap

  -- (This DOES mean that if the combined traffic in both directions exceeds 1Gbps, the receive port cannot carry it all and packets will be dropped.)

* The receive port is listen-only: anything the monitoring machine sends into it is discarded, so the tap cannot inject traffic into the link being monitored.

 

Step 1: Get a Tapping device

  1. Gig, 10/100, aggregating, tap, hub, SPAN/Mirror port
  2. See episode 63 of “Know How” 
  3. Padre prefers the Netoptics Gig Zero Delay Tap – But that runs $700-$1000 USED!
  4. A much more affordable option is the “Throwing Star LAN Tap Pro” from the HakShop - $39.99

* But my new AFFORDABLE favorite is the SharkTap

 

Step 2: Get a device capable of receiving the tap data stream

  1. Anything with a WIRED port that can keep up with the full output rate of your chosen tap
  2. USB adapters are fine, but remember that USB 2.0 devices top out at 480Mbps. An aggregating Gig tap merges both directions of a full-duplex link (up to 2Gbps combined) onto one port, so a USB 2.0 adapter will start dropping traffic once the combined traffic passes roughly 480Mbps, which is less than half of one direction of the link.

 

Step 3: Get Wireshark (www.wireshark.org)

  • Mac/PC/Linux – 32/64bit – Choose the version that is right for you.

 

Step 4: Choose where to place your tap

  1. The tap captures only the traffic passing between the two devices on either side of it.
  2. Tapping the Externals (between your router and the modem) will give you the Internet-bound traffic of ALL devices on your network, but not traffic between two devices on the LAN, which never leaves the switch.
  3. Tapping the Wireless AP will give you ONLY the devices connected wirelessly
  4. Tapping a specific desktop/laptop/set-top box will give you ONLY that device's traffic

 

Step 5: Capture

  1. In Wireshark, pick the wired interface that is plugged into the tap's receive port and start capturing.
  2. Let it run long enough to catch the behavior you are looking for (an "idle" machine should be left idle), then stop and save the capture.

Step 6: Analyze
Looking for Outgoing Streams: Are you a Spambot?

  1. Filter for SMTP: In the "Filter" field, type smtp (or tcp.port == 25 || tcp.port == 587 || tcp.port == 465) and look for mail traffic leaving a computer that is supposedly idle.
  2. Filter for DNS: type dns and look up names you don't recognize; a machine resolving hosts you never visited is talking to something on its own.

 

Looking for "Top Talkers"

  1. Statistics – "Conversations" – "IPv4" tab
  2. Click the "Bytes" column header to sort; the top rows are your Top Talkers

You can see the origin and destination of your traffic

 

Looking for Usernames/Passwords in the clear

  1. In the "Filter" field, type tcp contains "username"

This will give you all TCP packets that carry the string "username" in the clear. The match is case-sensitive, so also try "user", "pass" and "password", and switch to udp contains "..." for UDP-based protocols.

 

Looking for Network Congestion

  1. In the "Filter" field, type tcp.analysis.retransmission (a large share of retransmitted segments points to packet loss or congestion on the path; tcp.analysis.flags shows all of Wireshark's TCP expert flags at once)
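The four checks from Step 6 can also be run offline over a saved capture. The script below is an added example written for these notes, not code from the show or from Wireshark: it parses the classic pcap format with only the Python standard library, builds a small constructed capture (an "idle" desktop that is actually relaying mail and posting a login form in the clear), and reimplements the spambot, top-talker, cleartext-credential and retransmission checks. The IP addresses, port numbers and payloads are invented test data, and checksums are left at zero.

```python
"""Offline pass over a pcap implementing the four checks from the 'Analyze' step."""
import socket
import struct
from collections import Counter

ETH_HDR = struct.pack("!6s6sH", b"\x00\x11\x22\x33\x44\x55", b"\x66\x77\x88\x99\xaa\xbb", 0x0800)


def build_packet(src, dst, proto, sport, dport, payload, seq=0):
    """Build an Ethernet/IPv4/{TCP,UDP} frame. Constructed test data, checksums zeroed."""
    if proto == 6:   # TCP: 20-byte header, PSH|ACK set
        l4 = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 0x50, 0x18, 65535, 0, 0) + payload
    else:            # UDP: 8-byte header
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ETH_HDR + ip + l4


def write_pcap(frames):
    """Serialize frames as a classic pcap (magic 0xa1b2c3d4, link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1478563200 + i, 0, len(frame), len(frame)) + frame
    return out


def read_pcap(data):
    """Yield parsed IPv4 TCP/UDP packets from pcap bytes; other frames are skipped."""
    off = 24                                   # skip the 24-byte global header
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if struct.unpack_from("!H", frame, 12)[0] != 0x0800:   # not IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4
        total_len, proto = struct.unpack_from("!H", frame, 16)[0], frame[23]
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        l4 = frame[14 + ihl:14 + total_len]
        pkt = {"src": src, "dst": dst, "proto": proto, "length": len(frame), "seq": None}
        if proto == 6:
            pkt["sport"], pkt["dport"], pkt["seq"] = struct.unpack_from("!HHI", l4)
            pkt["payload"] = l4[(l4[12] >> 4) * 4:]            # data offset in 32-bit words
        elif proto == 17:
            pkt["sport"], pkt["dport"] = struct.unpack_from("!HH", l4)
            pkt["payload"] = l4[8:]
        else:
            continue
        yield pkt


def top_talkers(packets):
    """Statistics > Conversations > IPv4 sorted by bytes, direction-insensitive."""
    by_pair = Counter()
    for p in packets:
        by_pair[tuple(sorted((p["src"], p["dst"])))] += p["length"]
    return by_pair.most_common()


def smtp_packets(packets):
    """Display filter 'smtp' approximated as TCP to or from ports 25, 465, 587."""
    return [p for p in packets if p["proto"] == 6 and {p["sport"], p["dport"]} & {25, 465, 587}]


def cleartext_hits(packets, needle=b"username"):
    """Display filter 'tcp contains "username"' (case-sensitive, like Wireshark)."""
    return [p for p in packets if p["proto"] == 6 and needle in p["payload"]]


def retransmissions(packets):
    """Approximation of 'tcp.analysis.retransmission': a data-bearing segment whose
    (flow, sequence number) was already seen is counted as a retransmission."""
    seen, hits = set(), []
    for p in packets:
        if p["proto"] != 6 or not p["payload"]:
            continue
        key = (p["src"], p["sport"], p["dst"], p["dport"], p["seq"])
        if key in seen:
            hits.append(p)
        seen.add(key)
    return hits


# Constructed capture: a desktop that should be idle is relaying mail and leaking a login.
HOST, MAIL, WEB, DNS = "192.168.1.50", "203.0.113.25", "198.51.100.10", "192.168.1.1"
SAMPLE_PCAP = write_pcap([
    build_packet(HOST, DNS, 17, 51000, 53,
                 b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x08badrelay\x03xyz\x00\x00\x01\x00\x01"),
    build_packet(HOST, MAIL, 6, 40001, 25, b"MAIL FROM:<bob@example.com>\r\n", seq=1),
    build_packet(HOST, MAIL, 6, 40001, 25, b"MAIL FROM:<bob@example.com>\r\n", seq=1),  # retransmit
    build_packet(HOST, WEB, 6, 40002, 80, b"POST /login HTTP/1.1\r\n\r\nusername=bob&password=hunter2", seq=1),
    build_packet(WEB, HOST, 6, 80, 40002, b"HTTP/1.1 200 OK\r\n" + b"x" * 600, seq=1),
])


def analyze(pcap_bytes=SAMPLE_PCAP):
    """Run all four Step 6 checks over a pcap and return the findings."""
    pkts = list(read_pcap(pcap_bytes))
    return {
        "top_talkers": top_talkers(pkts),
        "smtp": len(smtp_packets(pkts)),
        "cleartext": [p["payload"] for p in cleartext_hits(pkts)],
        "retransmissions": len(retransmissions(pkts)),
    }


if __name__ == "__main__":
    for name, finding in analyze().items():
        print(name, finding)
```

To run the same checks against a real capture, read the file with `analyze(open("capture.pcap", "rb").read())`; the parser handles only the classic pcap container, so save from Wireshark as pcap rather than pcapng. The Wireshark display filters in the notes above work unchanged on the command line, e.g. `tshark -r capture.pcap -Y 'tcp contains "username"'`, and `tshark -r capture.pcap -q -z conv,ip` prints the same IPv4 conversation table as Statistics > Conversations.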


Thanks to CacheFly for the bandwidth for this show.
