Ethereal-users: Re: [Ethereal-users] Hardening Windows NT/2K/XP for sniffing? /Sniffing without

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Ronnie Sahlberg" <ronnie_sahlberg@xxxxxxxxxxxxxx>
Date: Wed, 23 Jul 2003 00:31:26 +1000
Not wanting to install a windows box outside the firewall is perfectly
understandable.


What you might want to do is to create a passive capture box. Try using Linux, remove all services from the host, modify an old NIC with an external AUI connector to physically disable data transmit, and use that box to capture the data on the switch outside the firewall.

This is the same approach as when modding a NIC to become a (layer 2 and above) undetectable capture device.


----- Original Message -----
From: W. Chamberlain
To: ethereal-users@xxxxxxxxxxxx
Sent: Wednesday, July 23, 2003 12:15 AM
Subject: [Ethereal-users] Hardening Windows NT/2K/XP for sniffing? /Sniffing without TCP/IP on Windows?


I have been using Ethereal off and on for a year or so now on our relatively
small network, and I love it.  Perhaps one of the most useful places to
sniff, however, is outside of the firewall.  Unfortunately, our IP address
range is frequently scanned by hackers, and I know better than to plug it in
directly.  Does anyone know if there is a way to use Ethereal without
installing Microsoft's TCP/IP protocol?

The computer I tested this on runs NT 4.0 with multiple NICs.  Ideally, I
would like to sniff on one NIC, and have all of my regular non-sniffing
TCP/IP traffic go through a separate card.  I tried to unbind TCP from the
sniffing NIC, but then the WinPCap drivers would not allow me to select that
card for sniffing.  My interim solution was to assign a bogus IP address to
the NIC.  I am able to sniff fine with this setup, but I am still open to
broadcast-based attacks, and my firewall thinks that someone is spoofing an
IP address, since I used one out of our normal range.  It generates multiple
annoying log messages, so I do not leave this running very long.  I used to
hear about people making "mute" network cards/cables basically by clipping
the broadcast lines.  I don't know if this would help against DoS attacks,
though.

Here were some questions that came to mind.  Is there a way to tighten
security on TCP/IP to a point that the OS ignores it on one adapter?  Is
there a way to run without TCP/IP?  Is there another [free/cheap] program
which can sniff IP traffic without requiring IP binding to the adapter?  Can
I use some sort of dummy TCP/IP stack to satisfy WinPCap?  Can raw sockets
run without TCP/IP?  Any solution I use must be capable of sniffing ICMP
packets and IP packets.  I don't care as much about the other types.

Does anyone else have any ideas or experience in this area?  Thanks in
advance!

- Will


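A Linux-side version of the passive capture box described in the reply above, written for this archive as an added example; it is not code from either poster or from the Ethereal project. It assumes a current Linux with iproute2, sysctl and tcpdump installed, a capture-only NIC named eth1 (override with CAP_IF), root privileges, and a placeholder output path; the script name passive-capture.sh is hypothetical. It only silences the kernel on that port: the transmit cut on the NIC or cable that Ronnie describes is physical and outside what a script can do, and "remove all services" still has to be done on the host itself.

```shell
#!/bin/sh
# Added example: make one Linux interface a passive, address-less capture port
# and capture to a pcap file for later analysis in Ethereal/Wireshark.
# Assumptions: iproute2, sysctl and tcpdump present; run as root to apply.
set -eu

CAP_IF="${CAP_IF:-eth1}"                 # assumed name of the capture-only NIC
DRY_RUN="${DRY_RUN:-1}"                  # 1 = print the commands, 0 = execute them
OUT="${OUT:-/var/tmp/outside-fw.pcap}"   # placeholder output path

# run: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# passive_iface_setup IFACE
# Strip everything that would make the port answer or originate traffic:
# no IPv4 address (so there is nothing to ARP for), ARP handling off,
# IPv6 off (no link-local address, no neighbour discovery or MLD reports),
# multicast off, then promiscuous mode so every frame the switch delivers
# is captured. libpcap, unlike WinPcap on NT 4, needs no address here.
passive_iface_setup() {
    ifc="$1"
    run ip addr flush dev "$ifc"
    run ip link set dev "$ifc" arp off
    run sysctl -q -w "net.ipv6.conf.$ifc.disable_ipv6=1"
    run ip link set dev "$ifc" multicast off
    run ip link set dev "$ifc" promisc on up
}

# passive_iface_check IFACE
# Returns 0 only when the interface carries no IPv4/IPv6 address and shows
# the NOARP flag. Needs the real interface, so it is skipped in dry-run mode.
passive_iface_check() {
    ifc="$1"
    if ip -o addr show dev "$ifc" 2>/dev/null | grep -Eq ' inet6? '; then
        echo "$ifc still has an address configured" >&2
        return 1
    fi
    ip -o link show dev "$ifc" 2>/dev/null | grep -q 'NOARP'
}

# capture IFACE FILE
# -n: no name lookups; -U: flush each packet to the file so the capture is
# readable even if the box dies mid-run. No BPF filter, so ICMP and all other
# IP traffic are kept for the analyst.
capture() {
    run tcpdump -i "$1" -n -U -w "$2"
}

# Usage: DRY_RUN=0 CAP_IF=eth1 sh passive-capture.sh
# With the default DRY_RUN=1 the commands are only printed for review.
passive_iface_setup "$CAP_IF"
if [ "$DRY_RUN" != "1" ]; then
    passive_iface_check "$CAP_IF"
fi
capture "$CAP_IF" "$OUT"
```

Review the printed commands first, then re-run with DRY_RUN=0. Once the port has no address and NOARP set, the host has nothing at layer 3 to answer the scans Will mentions on that interface; the kernel still parses every received frame, which is why the reply's advice to strip the host of services (and keep it patched) still applies, and why the capture file should be pulled off over a separate management interface rather than from the capture port.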

_______________________________________________
Ethereal-users mailing list
Ethereal-users@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-users