Ethereal-users: Re: [Ethereal-users] Ethereal and Site-to-Site VPNs

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Ronnie Sahlberg" <ronnie_sahlberg@xxxxxxxxxxxxxx>
Date: Wed, 7 Apr 2004 02:02:43 +1000
Try using real hubs instead of 10/100 dual speed "hubs"

A dual speed 10/100 "hub" is not a hub at all. They are either just a
standard low-end unmanaged switch, or they may be two different hubs,
one 10 Mbit and one 100 Mbit, inside the same enclosure and connected
together internally with a 2-port switch.

If the latter, then you really have two different hubs and will only see
the data from the same collision domain as where the Ethereal box is
connected. Make sure that the Ethereal box connects to the hub at the
same speed as the Netscreen box connects with, or else you are really
connecting the Ethereal box to a different hub and hence you won't see
anything.

If the former, then you really have a switch and you won't see the
traffic at all unless you set the switch up in span/mirror mode,
something that might not be possible on a low-end unmanaged switch.

Why they call these devices hubs is beyond me, since they are not hubs
at all.


----- Original Message ----- 
From: "PM Systems - Chris Kroll" <CKROLL@xxxxxxxxxxxxx>
To: "Ethereal user support" <ethereal-users@xxxxxxxxxxxx>
Sent: Tuesday, April 06, 2004 10:05 PM
Subject: RE: [Ethereal-users] Ethereal and Site-to-Site VPNs


Sorry for not providing more information in my previous message.  I am
using two Netscreens to create the site-to-site VPN, so it will not be
possible for me to load Ethereal on those devices.  The current
end-to-end physical config is as follows:  Netscreen - "dumb" 10/100 hub -
dual port 10/100 router - "dumb" 10/100 hub - Netscreen.  The PC that has
Ethereal loaded has been placed on both sides of the router and I have
successfully captured other data (i.e. Telnet, pings) to validate that
Ethereal is functioning.  I have also validated that the VPN is up, as I
have transferred files between the protected networks.  It's just crazy
that absolutely nothing shows up from these devices, including the
initial handshake.  Again, any advice is greatly appreciated.

Thanks

-----Original Message-----
From: ethereal-users-bounces@xxxxxxxxxxxx
[mailto:ethereal-users-bounces@xxxxxxxxxxxx] On Behalf Of Visser, Martin
Sent: Tuesday, April 06, 2004 12:54 AM
To: Ethereal user support
Subject: RE: [Ethereal-users] Ethereal and Site-to-Site VPNs

At a guess, your Ethereal box is probably connected to the same switch
that your VPN device is on. If that is the case, then everything is
functioning as expected. An Ethernet switch by nature does not allow
point-to-point (unicast) packets to be seen on ports other than those
directly involved in the communication. The ARPs you are seeing, however,
are probably the ARP requests that are flooded to all ports (as are all
broadcasts). (A switch is functionally identical to a data-link layer
bridge, if you are trying to find out more info on how this works.)

To see the VPN traffic you need to either tell the switch to forward
traffic on the VPN ports to the monitoring port (called monitor or SPAN
functionality on some switches), or alternatively use a dumb
hub/repeater, which copies all seen traffic out of all ports.

If this is not the configuration, then you might need to provide more
info (for instance, is Ethereal actually running on the same box as the
VPN?).

 Regards, Martin

Martin Visser ,CISSP
Network and Security Consultant
Technology & Infrastructure - Consulting & Integration
HP Services

3 Richardson Place
North Ryde, Sydney NSW 2113, Australia

Phone: +61-2-9022-1670
Mobile: +61-411-254-513
Fax: +61-2-9022-1800
E-mail: martin.visserAThp.com





________________________________

From: ethereal-users-bounces@xxxxxxxxxxxx
[mailto:ethereal-users-bounces@xxxxxxxxxxxx] On Behalf Of PM Systems -
Chris Kroll
Sent: Tuesday, 6 April 2004 6:31 AM
To: ethereal-users@xxxxxxxxxxxx
Subject: [Ethereal-users] Ethereal and Site-to-Site VPNs



I am writing a practical which includes the validation of
encrypted data on the untrusted side of a site-to-site VPN.  I was
hoping to use Ethereal to at least verify that the traffic is in fact
encrypted; however, no traffic shows up from either VPN device with the
exception of a couple of ARPs.  I've verified that Ethereal is set up
appropriately by generating other traffic on this network.  Is this just
a shortcoming of Ethereal or am I not doing something correctly?  Also,
I am not looking to decrypt the data, only validate that encrypted data
is being sent.  Thanks in advance!



Chris Kroll

Security Analyst

PM Systems Corporation - CUDefense Team

800-233-4052 x207


_______________________________________________
Ethereal-users mailing list
Ethereal-users@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-users
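
An added example, not part of the original thread: once the capture box really shares a hub or mirror port with the VPN device, a check like this over a saved capture shows whether the traffic on the untrusted segment was encrypted. It assumes the tunnel is IPsec (ESP, with IKE on UDP 500/4500), which the thread does not state; the function names and the sample capture are constructed for illustration.

```python
import struct
from collections import Counter

ESP, AH, UDP = 50, 51, 17          # IANA IP protocol numbers
IKE_PORTS = {500, 4500}            # IKE and IPsec NAT traversal (assumed IPsec VPN)

def classify(frame: bytes) -> str:
    """Label one Ethernet frame by what it says about the tunnel."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return "non-ipv4"          # ARP and other non-IP frames
    ihl = (frame[14] & 0x0F) * 4   # IPv4 header length in bytes
    proto = frame[23]              # protocol field of the IPv4 header
    if proto == ESP:
        return "esp"               # encrypted tunnel payload
    if proto == AH:
        return "ah"                # integrity only, payload is not encrypted
    if proto == UDP and len(frame) >= 14 + ihl + 4:
        ports = struct.unpack("!HH", frame[14 + ihl:18 + ihl])
        if IKE_PORTS & set(ports):
            return "ike"           # IKE negotiation or NAT-T (ESP inside UDP)
    return "cleartext"             # anything else crossed the segment unprotected

def summarize_pcap(data: bytes) -> Counter:
    """Count frame classes in a classic libpcap file with Ethernet link type."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if end is None or struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("need a classic pcap file with Ethernet link type")
    counts, off = Counter(), 24    # records start after the 24-byte file header
    while off + 16 <= len(data):
        incl_len = struct.unpack(end + "I", data[off + 8:off + 12])[0]
        counts[classify(data[off + 16:off + 16 + incl_len])] += 1
        off += 16 + incl_len
    return counts

# Constructed sample capture (not from the thread): ARP, IKE, 2x ESP, Telnet.
def ip_frame(proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return b"\x02" * 12 + b"\x08\x00" + hdr + payload

def sample_pcap() -> bytes:
    frames = [b"\xff" * 6 + b"\x02" * 6 + b"\x08\x06" + bytes(28),
              ip_frame(UDP, struct.pack("!HHHH", 500, 500, 36, 0) + bytes(28)),
              ip_frame(ESP, bytes(40)), ip_frame(ESP, bytes(40)),
              ip_frame(6, struct.pack("!HH", 40000, 23) + bytes(16))]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out
```

A capture that shows only "non-ipv4" frames, as in the original question, means the capture point is not seeing the tunnel at all; it says nothing about whether the tunnel is encrypted.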
