I have been using Ethereal off and on for a year or so now
on our relatively small network, and I love it. Perhaps one of the most
useful places to sniff, however, is outside of the firewall. Unfortunately,
our IP address range is frequently scanned by hackers, and I know better than
to plug it in directly. Does anyone know if there is a way to use
Ethereal without installing Microsoft’s TCP/IP protocol?
The computer I tested this on runs NT 4.0 with multiple NICs.
Ideally, I would like to sniff on one NIC, and have all of my regular non-sniffing
TCP/IP traffic go through a separate card. I tried to unbind TCP from the
sniffing NIC, but then the WinPcap drivers would not allow me to select that
card for sniffing. My interim solution was to assign a bogus IP address
to the NIC. I am able to sniff fine with this setup, but I am still open
to broadcast-based attacks, and my firewall thinks that someone is spoofing an
IP address, since I used one out of our normal range. It generates
multiple annoying log messages, so I do not leave this running very long.
I used to hear about people making “mute” network cards/cables basically
by clipping the broadcast lines. I don’t know if this would help
against DoS attacks, though.
Here are some questions that came to mind. Is there a
way to tighten security on TCP/IP to a point that the OS ignores it on one
adapter? Is there a way to run without TCP/IP? Is there another
[free/cheap] program which can sniff IP traffic without requiring IP binding to
the adapter? Can I use some sort of dummy TCP/IP stack to satisfy
WinPcap? Can raw sockets run without TCP/IP? Any solution I use
must be capable of sniffing ICMP packets and IP packets. I don’t
care as much about the other types.
Does anyone else have any ideas or experience in this area?
Thanks in advance!
- Will
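As an added example (not code from the original post, nor from Ethereal or WinPcap), the following is a minimal decoder for what a capture library delivers to the application on an Ethernet segment: whole link-layer frames, decoded down to IPv4 and ICMP without consulting any address the capturing host itself holds. The MACs, IP addresses and frames are constructed inline for the example (192.0.2.0/24 and 00:00:5e:00:53:xx are documentation ranges, not a real capture); `select_ip_and_icmp` keeps exactly the two packet types the post says it needs, and the header-checksum check flags a deliberately corrupted frame.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
IPPROTO_ICMP, IPPROTO_TCP = 1, 6


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over an IPv4 header.

    With the checksum field zeroed it returns the value to write; with the
    field filled in it returns 0 for an intact header.
    """
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


@dataclass
class Decoded:
    src_mac: str
    dst_mac: str
    ethertype: int
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    proto: Optional[int] = None
    checksum_ok: Optional[bool] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


def _mac(b: bytes) -> str:
    return ":".join("%02x" % x for x in b)


def decode_frame(frame: bytes) -> Decoded:
    """Decode Ethernet II -> IPv4 -> ICMP.  No local address is consulted."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    pkt = Decoded(src_mac=_mac(src), dst_mac=_mac(dst), ethertype=etype)
    if etype != ETHERTYPE_IPV4:
        return pkt  # ARP, IPX and friends: link-layer fields only
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    pkt.proto = ip[9]
    pkt.src_ip = ".".join(str(x) for x in ip[12:16])
    pkt.dst_ip = ".".join(str(x) for x in ip[16:20])
    pkt.checksum_ok = ipv4_checksum(ip[:ihl]) == 0  # corrupt or forged headers show up here
    if pkt.proto == IPPROTO_ICMP and len(ip) >= ihl + 4:
        pkt.icmp_type, pkt.icmp_code = ip[ihl], ip[ihl + 1]
    return pkt


def select_ip_and_icmp(frames: List[bytes]) -> List[Decoded]:
    """Keep IPv4 packets (ICMP included); drop frames that are not IP at all."""
    return [p for p in map(decode_frame, frames) if p.ethertype == ETHERTYPE_IPV4]


# --- constructed sample traffic (not a real capture) -------------------------
def build_ipv4_frame(src_mac, dst_mac, src_ip, dst_ip, proto, payload, corrupt=False):
    """Ethernet II + IPv4 header + payload; corrupt=True flips one checksum bit."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      64, proto, 0, bytes(map(int, src_ip.split("."))),
                      bytes(map(int, dst_ip.split("."))))
    csum = ipv4_checksum(hdr) ^ (1 if corrupt else 0)
    hdr = hdr[:10] + struct.pack("!H", csum) + hdr[12:]
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + hdr + payload


SRC_MAC = bytes.fromhex("00005e005301")  # documentation MAC range (assumed values)
DST_MAC = bytes.fromhex("00005e005302")
ECHO_REQUEST = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + b"ethereal"  # ICMP type 8
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x02, 65535, 0, 0)
ARP_REQUEST = (b"\xff" * 6 + SRC_MAC + struct.pack("!H", ETHERTYPE_ARP)
               + struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, 1)
               + SRC_MAC + bytes([192, 0, 2, 10]) + b"\x00" * 6 + bytes([192, 0, 2, 1]))

SAMPLE_FRAMES = [
    build_ipv4_frame(SRC_MAC, DST_MAC, "192.0.2.10", "192.0.2.1", IPPROTO_ICMP, ECHO_REQUEST),
    ARP_REQUEST,
    build_ipv4_frame(SRC_MAC, DST_MAC, "192.0.2.10", "192.0.2.1", IPPROTO_TCP, TCP_SYN),
    build_ipv4_frame(DST_MAC, SRC_MAC, "192.0.2.1", "192.0.2.10", IPPROTO_ICMP,
                     ECHO_REQUEST, corrupt=True),
]

if __name__ == "__main__":
    for p in select_ip_and_icmp(SAMPLE_FRAMES):
        print(p)
```

The decoder never compares a frame against the host's own address or the binding state of the adapter; everything it needs is in the bytes the capture driver hands over, which is the property the question about IP binding turns on.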