Ethereal-users: RE: [Ethereal-users] Hardening Windows NT/2K/XP for sniffing? / S niffing withou

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Richard Urwin <RUrwin@xxxxxxxxxxxxxx>
Date: Wed, 23 Jul 2003 10:02:32 +0100
I use Ethereal on an unbound second card in my W2K machine. Everything works
fine.

-- 
Richard Urwin, Software Design Engineer 
Schenck Test Automation 
Braemar Court, 1311b Melton Road, Syston, UK. 
rurwin@xxxxxxxxxxxxxx 


-----Original Message-----
From: W. Chamberlain [mailto:nashvilleguitarpicker@xxxxxxxxxxx]
Sent: 22 July 2003 15:15
To: ethereal-users@xxxxxxxxxxxx
Subject: [Ethereal-users] Hardening Windows NT/2K/XP for sniffing? /
Sniffing without TCP/IP on Windows?


I have been using Ethereal off and on for a year or so now on our relatively
small network, and I love it.  Perhaps one of the most useful places to
sniff, however, is outside of the firewall.  Unfortunately, our IP address
range is frequently scanned by hackers, and I know better than to plug it in
directly.  Does anyone know if there is a way to use Ethereal without
installing Microsoft's TCP/IP protocol?

The computer I tested this on runs NT 4.0 with multiple NICs.  Ideally, I
would like to sniff on one NIC, and have all of my regular non-sniffing
TCP/IP traffic go through as separate card.  I tried to unbind TCP from the
sniffing NIC, but then the WinPCap drivers would not allow me to select that
card for sniffing.  My interim solution was to assign a bogus IP address to
the NIC.  I am able to sniff fine with this setup, but I am still open to
broadcast-based attacks, and my firewall thinks that someone is spoofing an
IP address, since I used one out of our normal range.  It generates multiple
annoying log messages, so I do not leave this running very long.  I used to
hear about people making "mute" network cards/cables basically by clipping
the broadcast lines.  I don't know if this would help against DoS attacks,
though.

Here were some questions that came to mind.  Is there a way to tighten
security on TCP/IP to a point that the OS ignores it on one adapter?  Is
there a way to run without TCP/IP?  Is there another [free/cheap] program
which can sniff IP traffic without requiring IP binding to the adapter?  Can
I use some sort of dummy TCP/IP stack to satisfy WinPCap?  Can raw sockets
run without TCP/IP?  Any solution I use must be capable of sniffing ICMP
packets and IP packets.  I don't care as much about the other types.

Does anyone else have any ideas or experience in this area?  Thanks in
advance!

- Will

________________________________________________________________________
This email has been scanned for all viruses by the MessageLabs Email
Security System. For more information on a proactive email security
service working around the clock, around the globe, visit
http://www.messagelabs.com
________________________________________________________________________

________________________________________________________________________
This email has been scanned for all viruses by the MessageLabs Email
Security System. For more information on a proactive email security
service working around the clock, around the globe, visit
http://www.messagelabs.com
________________________________________________________________________