No,
I could put another nic into my notebook and hook it on the 'other side'.
Then run another instance of ethereal setting its interface to the
new nic. I'll have to find the mergecap program you reference.
This is definitely getting interesting.
-Darryl
>-----Original Message-----
>From: ethereal-users-admin@xxxxxxxxxxxx
>[mailto:ethereal-users-admin@xxxxxxxxxxxx]On Behalf Of Richard Urwin
>Sent: Thursday, May 01, 2003 5:21 PM
>To: darryl@xxxxxxxxxxxxxxx; ethereal-users@xxxxxxxxxxxx
>Subject: Re: [Ethereal-users] Private IP's - take 2
>
>
>On Thursday 01 May 2003 8:30 pm, Darryl Hoar wrote:
>> Well,
>> thanks for the last responses. I'm still a newbie.
>>
>> Here is my setup.
>> I have a machine configured as firewall/nat/router that has two nics.
>> One nic is connected to my internal LAN. The other is connected
>> to my SMC ADSL modem.
>>
>> My first attempt was to plug my ADSL modem into a spare 3com 3c1611
>> 10/100 hub. I plugged the firewall/nat/router into another of the ports.
>> Lastly, I plugged my notebook running ethereal into another port.
>>
>> I could monitor the packets between the firewall/nat/router and the
>> ADSL modem. Unfortunately, I could not see any of the internal
>> source ip's (192.168.1.x).
>>
>> So, I then plugged the ADSL modem back directly into the
>> firewall/nat/router nic. I plugged the hub into the LAN. Then
>> connected the firewall/nat/router, notebook running ethereal
>> into the hub.
>>
>> Now I can see the internal traffic, but can't see the external bound
>> traffic.
>>
>> What am I missing here? I'm sure it's a total newbie thing.
>
>No, it's a tricky one. You're trying to capture on two nets at the same time.
>
>The "proper" way to do this is to use two ethereal machines with synchronised
>clocks, or one machine with two copies of ethereal running to two different
>NICs. Then run mergecap to merge the two capture files. I am guessing that
>you don't have the resources to do that.
>
>Normally it's not possible to do it with a single capture, but I think, in
>this case, and for short periods, there is a way. There may be a security
>risk, so only do this when you have to analyse the network.
>
>Set the modem to run at 10Mbps, and _everything_ else to run at 100, then plug
>everything, including both ports of the NAT machine into the hub. The hub
>will switch the traffic to the modem, so it will only see the traffic that it
>is supposed to, but the ethernet machine will see it all.
>
>NAT to modem goes in at 100Mbps
>modem to NAT goes out at 100Mbps
>NAT to and from LAN is at 100Mbps
>
>So the ethereal machine will see all the traffic. (As will all the machines
>except the modem, which will only see traffic addressed to it.)
>
>If you don't set the modem to 10Mbps all your LAN traffic will go out onto the
>Internet, annoying your ISP and creating a bigger security risk.
>
>This is a dirty hack. So far as I can see it should work, but it may not. For
>example, broadcast traffic, including ARP packets will get to the modem, and
>may escape into the Internet. Something out there might respond to them and
>confuse your network. It may be possible to hack your network from the
>Internet with this setup. It may annoy your ISP, they may see it as a hacking
>attempt.
>
>--
>Richard Urwin
>
>_______________________________________________
>Ethereal-users mailing list
>Ethereal-users@xxxxxxxxxxxx
>http://www.ethereal.com/mailman/listinfo/ethereal-users
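The two-capture approach in the thread (one capture on each side of the NAT box, merged afterwards) only gives a trustworthy packet order if both captures share a time base. The following is an added example, not part of the thread and not mergecap's own code: a minimal timestamp merge of two classic pcap files with an optional clock correction. All function names and the sample records are constructed for illustration.

```python
import heapq
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps

def build_pcap(records, linktype=1):
    """Serialise (sec, usec, data) tuples as a little-endian classic pcap."""
    blob = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)
    for sec, usec, data in records:
        blob += struct.pack("<IIII", sec, usec, len(data), len(data)) + data
    return blob

def read_pcap(blob, label, offset_us=0):
    """Yield (timestamp_us, label, data) for every complete record."""
    if len(blob) < 24 or struct.unpack_from("<I", blob)[0] != PCAP_MAGIC:
        raise ValueError("expected a little-endian microsecond pcap")
    pos = 24  # skip the global header
    while pos + 16 <= len(blob):
        sec, usec, incl_len, _orig_len = struct.unpack_from("<IIII", blob, pos)
        pos += 16
        if pos + incl_len > len(blob):
            break  # capture was cut off mid-record
        yield sec * 1_000_000 + usec + offset_us, label, blob[pos:pos + incl_len]
        pos += incl_len

def merge_captures(lan_blob, wan_blob, wan_offset_us=0):
    """Interleave by timestamp; wan_offset_us cancels a known clock difference."""
    lan = read_pcap(lan_blob, "lan")
    wan = read_pcap(wan_blob, "wan", wan_offset_us)
    return list(heapq.merge(lan, wan, key=lambda rec: rec[0]))

# Constructed sample data: short byte strings stand in for real frames.
# 192.168.1.10 is an inside host; 203.0.113.5 and 198.51.100.7 are
# documentation addresses used as the NAT's public side and a remote host.
SAMPLE_LAN = build_pcap([
    (100, 0,      b"192.168.1.10 > 198.51.100.7 SYN"),
    (100, 500000, b"198.51.100.7 > 192.168.1.10 SYN-ACK"),
])
SAMPLE_WAN = build_pcap([
    (100, 200,    b"203.0.113.5 > 198.51.100.7 SYN"),
    (100, 499900, b"198.51.100.7 > 203.0.113.5 SYN-ACK"),
])

if __name__ == "__main__":
    for ts, side, data in merge_captures(SAMPLE_LAN, SAMPLE_WAN):
        print(f"{ts / 1e6:.6f} {side:3} {data.decode()}")
```

In the sample, the reply reaches the WAN side 100 microseconds before the LAN side; passing `wan_offset_us=300` to simulate an uncorrected clock difference makes the merged output show the translated reply before the untranslated one arrived.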