Sniffer software is just a glimpse of me. Therefore, this tutorial is only intended for beginners. However, if you do not have a certain network foundation, I am afraid it will make you feel hard. If you are interested, come and play with me ~ Currently, we usually need to monitor sniffer in an exchange environment. Therefore, we need to define the Image Port first. Why does the Image Port need to be defined before sniffer? This is related to the working principle of the vswitch. The working principle of the switch is very different from that of the hub. The Network Data Exchange established by the hub is carried out through broadcast, the network set up by the vswitch is forwarded according to the cam table inside the vswitch (which is understood as the MAC address table for the time being. That is to say, the former can be sniffer directly, while the latter cannot be sniffer directly. The port image is used. The port image is defined as "completely copying the incoming and outgoing data packets from the mirror port to facilitate traffic observation or fault locating ". Let's do an experiment. It's faster to understand it. Suppose a company applied for a 10 m Telecom broadband, and suddenly one afternoon, the network speed was extremely slow. Employees in the company complain constantly and strongly demand smooth network recovery. As a network manager, you need to find out the cause immediately: Different devices use different port mirroring methods. Although Cisco is a good tool, it is too professional for most network enthusiasts and may not be suitable for tutorials. So here I choose a D-LINK of DES-3226S L2 Switch as an example, the web interface shows how to configure the mirror port (mirror ). : 2-layer network management switch in DES-3226S Select login to make a setup. After logging in, enter the Switch master configuration menu and display the basic information: Select the following advanced setup ------ processing ing configurations (image configuration) Mirror status option enabled, set Port 1 as the mirror port, and select both (that is, the sent and received data are monitored at the same time) in the listening mode of other ports ), in this way, the switch copies the data from Port 2 to port 24 to Port 1 at any time and anywhere, and then listens on Port 1, so that sniffer can be used. Insert the network management computer into Port 1 (Image Port) and enable the sniffer software. How can this problem be solved? Is the interface cool? The left and right maps intuitively show the data flow in the LAN. Both the "transfer map" on the right and the "host list" on the left all identify traffic based on the learned MAC address. From the "host list pie chart" on the left, you can clearly see that the data traffic of the 00-50-18-21-a5-f4 and 00-e0-4c-dd-2e-2e hosts is the most so far. Go to the "lan mac address scanner" (or simply ARP-A or use the IP address options described below) to scan the MAC address in the LAN. We further know that 00-e0-4c-dd-2e-2e belongs to 192.168.123.117. The address 00-50-18-21-a5-f4 belongs to 192.168.123.254 (this address is the gateway exit ). In this way, we can know who slowed down the network speed! It is not enough to know who slowed down the network speed. We need to know how this person slowed down the network speed. Or can I see the following MAC/IP/IPX options in "transfer map? Click the IP Option to see what appears? It is no longer a map based on a MAC address. It has been switched to a transfer map based on an IP address. The thickest line: 192.168.123.117 ========== 221.10.135.114 indicates that this guy has been switching data with a host on the Internet, and obviously he is downloading files. Use the IP Option in "host list" to view it in a pie chart: We found that the communication traffic between 192.168.123.117 and 221.10.135.114 was as high as 89.58% (44.20 + 45.38) of the total network traffic )! Now the cause of the failure is clear. We only need to process the host 192.168.123.117 to restore the network. But before that, we can use sniffer to monitor what is being transmitted throughout the network! Click capture> define filter in the menu above and select the "Address" sub-menu; Address type (Protocol): IP; enter "arbitrary" and "arbitrary" in "location 1" and "Location 2", respectively, to monitor hosts in the LAN, of course, you can only monitor the communication between the two addresses. For example, pay attention to the two hosts 192.168.123.117 and 221.10.135.114 ). You can also select the specific IP protocol to monitor in "advanced". If you are familiar with the TCP/IP protocol, you can use this function to quickly obtain the desired data. For example, if we have captured some packets from 192.168.123.139 accessing the Internet host 211.91.135.26 on port 80, it indicates that the host is on the webpage. You can even look at the webpage under which directory on the remote host the other party is browsing. Can you see the address of the RM file? This means that he is currently watching a movie or a song (based on the previous music directory ). Sniffer functions are far more than that, but today is the end. |