Using sniffer software --- experience the pleasure of Network Management

Source: Internet
Author: User

I have always wanted to write an sniffer application tutorial. This item was retained in the CISCO post co-sponsored by J_Lee last time. Today I am free to do this.
Sniffer software is just a glimpse of me. Therefore, this tutorial is just a tutorial for beginners. However, if you do not have a certain network foundation, it may still make you feel hard to post it. If you are interested, come and play with me ~
Currently, we usually need to monitor sniffer in an exchange environment. Therefore, we need to define the Image Port first. Why does the Image Port need to be defined before sniffer? This is related to the working principle of the vswitch. The working principle of the switch is very different from that of the HUB. The Network Data Exchange established by the HUB is carried out through broadcast, the network set up by the switch is forwarded based on the CAM table inside the switch, which is now understood as the MAC address table. That is to say, the former can be sniffer directly, while the latter cannot be sniffer directly. The port image is used. The port image is defined as "completely copying the incoming and outgoing data packets from the mirror port to facilitate traffic observation or fault locating ".
Let's do an experiment. It's faster to understand it.
Suppose a company applied for a 10 m Telecom broadband, and suddenly one afternoon, the network speed was extremely slow. Employees in the company complain constantly and strongly demand smooth network recovery. As a network manager, you need to find out the cause immediately:
Different devices use different port mirroring methods. Although CISCO is a good tool, it is too professional for most network enthusiasts and may not be suitable for tutorials. So here I select a D-LINK OF THE DES-3226S Layer 2 switch as an example, the WEB interface shows how to configure mirror ing ports ).

Screen. width-333) this. width = screen. width-333 "border = 0>


2-layer network management switch in DES-3226S

Select login to make a setup. After logging in, enter the Switch master configuration menu and display the basic information:

Screen. width-333) this. width = screen. width-333 "border = 0>


Select the following Advanced setup ------ configuring ing Configurations image configuration)

Screen. width-333) this. width = screen. width-333 "border = 0>


Mirror Status option Enabled, set Port 1 as the mirror Port, and select Both as the listening mode for other ports to monitor Both sent and received data ), in this way, the switch copies the data from Port 2 to Port 24 to Port 1 at any time and anywhere, and then listens on Port 1, so that Sniffer can be used.

Screen. width-333) this. width = screen. width-333 "border = 0>

Insert the network management computer to Port 1, mirror Port), and enable the Sniffer software. How can this problem be solved? Is the interface cool? The left and right maps intuitively show the data flow in the LAN. Both the "transfer map" on the right and the "host list" on the left all identify traffic based on the learned MAC address.

Screen. width-333) this. width = screen. width-333 "border = 0>


From the "host list pie chart" on the left, you can clearly see that the data traffic of the 00-50-18-21-A5-F4 and 00-E0-4C-DD-2E-2E hosts is the most so far.

Screen. width-333) this. width = screen. width-333 "border = 0>

Please refer to the "lan mac address scanner" or simply ARP-A or use the IP address options described below) to scan the MAC address in the LAN. We further know that 00-E0-4C-DD-2E-2E belongs to 192.168.123.117. The address 00-50-18-21-A5-F4 belongs to 192.168.123.254, which is the gateway exit ). In this way, we can know who slowed down the network speed!

Screen. width-333) this. width = screen. width-333 "border = 0>

It is not enough to know who slowed down the network speed. We need to know how this person slowed down the network speed. Or can I see the following MAC/IP/IPX options in "transfer map? Click the IP Option to see what appears? It is no longer a map based on a MAC address. It has been switched to a transfer map based on an IP address. The thickest line: 192.168.123.117 ========== 221.10.135.114 indicates that this guy has been switching data with a host on the Internet, and obviously he is downloading files.

Screen. width-333) this. width = screen. width-333 "border = 0>

Use the IP Option in "host list" to view it in a pie chart:
We found that the communication traffic between 192.168.123.117 and 221.10.135.114 was 89.58% + 44.20 Of the total network traffic )!

Screen. width-333) this. width = screen. width-333 "border = 0>


Now the cause of the failure is clear. We only need to process the host 192.168.123.117 to restore the network. But before that, we can use sniffer to monitor what is being transmitted throughout the network! Click capture> define filter> select "Address" sub-menu; Address type protocol): IP; enter "arbitrary" and "arbitrary" in "location 1" and "Location 2", respectively, to monitor hosts in the LAN, of course, you can only monitor the communication between the two addresses. For example, if the two hosts 192.168.123.117 and 221.10.135.114 are found earlier, You must select a key header for two-way communication or one-way communication ).

Screen. width-333) this. width = screen. width-333 "border = 0>


You can also select the specific IP protocol to monitor in "advanced". If you are familiar with the TCP/IP protocol, you can use this function to quickly obtain the desired data.

Screen. width-333) this. width = screen. width-333 "border = 0>

For example, if we have captured some packets from 192.168.123.139 accessing the Internet host 211.91.135.26 on port 80, it indicates that the host is on the webpage.

Screen. width-333) this. width = screen. width-333 "border = 0>


You can even look at the webpage under which directory on the remote host the other party is browsing. Can you see the address of the rm file? This indicates that he is currently watching a movie or a song, which is inferred from the music directory ).

Screen. width-333) this. width = screen. width-333 "border = 0>

Sniffer functions are far more than that, but today is the end.


Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.