In my previous article Sniffing a switched network i gave an introduction, on how a switched networked can be sniffed and what are the popular different techniques. In this article i am explaining one of the techniques i discussed in my previous article.
Another way to capture the traffic through a target device on a switched network is by hubbing out. This is a technique by which you segment the target device and your analyser system on the same network segment by plugging them directly into a hub. Many people think of hubbing out as cheating, but it’s really a perfect solution in situations where you can’t perform port mirroring but still have physical access to the switch the target device is plugged into.
To hub out, all you need is a hub and a few network cables. Once you
have your hardware, connect it as follows:
- Go to the switch the target device resides on and unplug the target fro the network.
- Plug the target’s network cable into your hub.
- Plug in another cable that connects your analyzer to the hub.
- Plug in a network cable from your hub to the network switch to connect the hub to the network.
Now you have basically put the target device and your analyzer in the same broadcast domain, and all traffic from your target device will be broadcast so that the analyzer can capture those packets, as illustrated in Figure
In most situations, hubbing out will reduce the duplex of the target device from full to half. While this method isn’t the cleanest way to tap into the wire, it’s sometimes your only option when a switch does not support port mirroring. But keep in mind that your hub will also require a power
connection, which can be difficult to find in some instances.
Finding True Hub
When hubbing out, be sure that you’re using a true hub and not a falsely labeled switch. Several networking hardware vendors have a bad habit of marketing and selling a device as a hub when it actually functions as a low-level switch. If you aren’t working with a proven, tested hub, you will see only your own traffic, not that of the target device. When you find a hub, test it to make sure it really is a hub. If it is, it’s a keeper! The best way to determine whether or not a device is a true hub is to hook up a pair of computers to it and see if one computer can sniff traffic between the other computer
and various other devices on the network, such as another computer or a printer. If so, that’s a true hub. Since hubs are so antiquated, they are not really mass-produced anymore. It’s almost impossible to buy a true hub off the shelf, so you’ll need to be creative in order to find one. eBay can be a good source of hubs, but be wary, as you may run into the same issue with switches mislabeled as hubs.
No comments:
Post a Comment