I want to sniff all traffic on the upstream link at my installation. I have a wire that comes into my Cisco router from the CSU/DSU. The question is, is this wire a normal ethernet wire, so that I could plug it into a hub and plug the hub into the Cisco, that is, put a hub in line with it, or is it something else?
I already have the crossover cable for the new connection, if plugging the CSU/DSU wire into a hub is in fact copasetic.
Please reply on or off list as appropriate
On Wednesday 01 June 2005 03:51 pm, David Nicol wrote:
I want to sniff all traffic on the upstream link at my installation. I have a wire that comes into my Cisco router from the CSU/DSU. The question is, is this wire a normal ethernet wire, so that I could plug it into a hub and plug the hub into the Cisco, that is, put a hub in line with it, or is it something else?
Not a guaranteed answer, but I would say "no". The wire from the telecom does not carry straight ethernet traffic, it's frame relay or DSL or something. You need some sort of modem device to translate to ethernet.
Depending on the Cisco unit you have, either the unit itself can output raw packet info for logging/analysis, or you can connect a computer to it to do the sniffing.
I recently ran "iptraf" on my firewall and determined that all that flickering on the RoadRunner modem was ARP packets.
On Wednesday 01 June 2005 04:27 pm, Jonathan Hutchins wrote:
Not a guaranteed answer, but I would say "no". The wire from the telecom does not carry straight ethernet traffic, it's frame relay or DSL or something. You need some sort of modem device to translate to ethernet.
To follow up: while ethernet is great for multiple hosts on a local loop or star topology within a building, it's not designed for long distances. You can often get away with a run between buildings, but when you start building cross-town links you need a different standard. That's where other protocols like Frame Relay and "DSL" come in. This is why you need some sort of "modem" between the cross-town link and your ethernet.
On Thu, 2 Jun 2005 20:38:40 -0500 Jonathan Hutchins hutchins@tarcanfel.org wrote:
On Wednesday 01 June 2005 04:27 pm, Jonathan Hutchins wrote:
Not a guaranteed answer, but I would say "no". The wire from the telecom does not carry straight ethernet traffic, it's frame relay or DSL or something. You need some sort of modem device to translate to ethernet.
To follow up: while ethernet is great for multiple hosts on a local loop or star topology within a building, it's not designed for long distances. You can often get away with a run between buildings, but when you start building cross-town links you need a different standard. That's where other protocols like Frame Relay and "DSL" come in. This is why you need some sort of "modem" between the cross-town link and your ethernet.
The max distance for ethernet cables is 300ft between powered devices such as NICs, switches, etc.
--------------------------------- Frank Wiles frank@wiles.org http://www.wiles.org ---------------------------------
Jonathan Hutchins wrote:
To follow up: while ethernet is great for multiple hosts on a local loop or star topology within a building, it's not designed for long distances. You can often get away with a run between buildings, but when you start building cross-town links you need a different standard. That's where other protocols like Frame Relay and "DSL" come in. This is why you need some sort of "modem" between the cross-town link and your ethernet.
Unless you're using 1000BASE-ZX (100km):
http://wiki.ethereal.com/EthernetHardware
Or Long-Reach Ethernet (5000 ft):
http://www.cisco.com/warp/public/779/servpro/solutions/long_ethernet/
Or GigaMAN (180 mi):
http://www01.sbc.com/Products_Services/Business/ProdInfo_1/1,,1545--4-1-0,00...
There's nothing inherent in Ethernet that keeps you from carrying frames over long distances. Most cable and DSL connections simply bridge Ethernet frames from the home to the CO or head end, which often qualifies as cross-town.
On Thursday 02 June 2005 09:21 pm, Gerald Combs wrote:
Jonathan Hutchins wrote:
while ethernet is great for multiple hosts on a local loop or star topology within a building, it's not designed for long distances.
Unless you're using [several name-brand variants].
It's arguable whether the variants are actually ethernet or not. You can get ethernet range extenders, and if you're using thin-net you can usually get across an urban street or rural campus with them.
None of these protocols, however, will work if you plug it into a standard 10/100bT hub. For distance, you need a "modem" or an interface device that effectively does the same thing as a modem; one at each end in fact.
(You're quite right that subsets of the ethernet standard are prevalent in other transport protocols - why re-invent the wheel - but that doesn't make them ethernet.)
On Thu, 2005-06-02 at 22:38 -0500, Jonathan Hutchins wrote:
On Thursday 02 June 2005 09:21 pm, Gerald Combs wrote:
Jonathan Hutchins wrote:
while ethernet is great for multiple hosts on a local loop or star topology within a building, it's not designed for long distances.
Unless you're using [several name-brand variants].
It's arguable whether the variants are actually ethernet or not. You can get ethernet range extenders, and if you're using thin-net you can usually get across an urban street or rural campus with them.
/me giggles, arguing with Gerald about networking.
Jonathan Hutchins wrote:
It's arguable whether the variants are actually ethernet or not. You can get ethernet range extenders, and if you're using thin-net you can usually get across an urban street or rural campus with them.
Did you look at the first link? 1000BASE-ZX is an IEEE standard (802.3z, I think). The only "name brand" is the one the IEEE placed on it. We have several clients using 100BASE-FX, 1000BASE-ZX and the like to span distances of 1 - 60 km by simply plugging fiber into a port on a switch. No range extenders or extra equipment involved.
The other two examples replace Ethernet's physical layer with other network technologies (I think GigaMAN uses SONET, and LRE uses DSL). This is irrelevant from the client perspective -- they get a 10, 100, or 1000BASE-T RJ-45 jack, which they just plug into their network...
None of these protocols, however, will work if you plug it into a standard 10/100bT hub. For distance, you need a "modem" or an interface device that effectively does the same thing as a modem; one at each end in fact.
...and the same is true for cable and DSL "modems" (which are more accurately called bridges). They simply forward Ethernet frames over long distances. If you want to capture traffic on your cable, DSL, LRE, or GigaMAN connection you only have to worry about the LAN side.
(You're quite right that subsets of the ethernet standard are prevalent in other transport protocols - why re-invent the wheel - but that doesn't make them ethernet.)
You're not making a distinction between Ethernet's physical layer specifications (100BASE-T, 10BASE2, 1000BASE-LH, etc) and its data link layer spec. I am.
On Friday 03 June 2005 09:36 am, Gerald Combs wrote:
You're not making a distinction between Ethernet's physical layer specifications (100BASE-T, 10BASE2, 1000BASE-LH, etc) and its data link layer spec. I am.
Precisely; and I would count fiber optic cable as a similar "extension" of the ethernet standards. Again, you can't plug fiber into your $10 five port hub; my real point is that all of these transports are incompatible with the standard local transport protocol and can't be directly connected.
Jonathan Hutchins wrote:
Precisely; and I would count fiber optic cable as a similar "extension" of the ethernet standards. Again, you can't plug fiber into your $10 five port hub; my real point is that all of these transports are incompatible with the standard local transport protocol and can't be directly connected.
My point:
The Ethernet standard goes way beyond the Netgear and D-Link stuff at Best Buy. You can get a switch that supports gigabit Ethernet over fiber (and port mirroring) for $50 + the cost of a GBIC:
http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&category=28040&item=57...
Limiting Ethernet to a $10 five port hub is an artificial (and unrealistic) distinction.
On Friday 03 June 2005 11:05 am, Gerald Combs wrote:
I certainly understand your points, and would agree, with one exception:
Limiting Ethernet to a $10 five port hub is an artificial (and unrealistic) distinction.
It may be artificial, but when the _average_ user/low-level tech talks about "ethernet", they mean whatever they can jack into the RJ45 in the wall or perhaps a hub/switch in the closet. The vast majority of "ethernet jacks" are of this limited nature.
This is relevant to the original question, which was whether one could just plug a hub (or NIC) in to the CSU/DSU and expect to be able to "see" the traffic on it. For the purpose of that discussion, I'm not sure even gigabit ethernet would count.
There's always been a gap between what the average consumer/user had access to at reasonable cost and what could technically be done within the scope of an engineering standard. (This can be very frustrating when you're doing a home project on a limited budget and you discover what those little extra features within the standard actually cost to implement.)
Maybe if you explained why you need to sniff the traffic someone could offer a solution. Maybe your answer can be solved by sniffing on the 'internal' side of the CSU/DSU.
On 6/1/05, David Nicol davidnicol@gmail.com wrote:
I want to sniff all traffic on the upstream link at my installation. I have a wire that comes into my Cisco router from the CSU/DSU. The question is, is this wire a normal ethernet wire, so that I could plug it into a hub and plug the hub into the Cisco, that is, put a hub in line with it, or is it something else?
I already have the crossover cable for the new connection, if plugging the CSU/DSU wire into a hub is in fact copasetic.
Please reply on or off list as appropriate
-- David L Nicol Twinkies and Wonderbread are mainstream Americana
On 3:51:42 pm 06/01/05 David Nicol davidnicol@gmail.com wrote:
I want to sniff all traffic on the upstream link at my installation. I have a wire that comes into my Cisco router from the CSU/DSU. The question is, is this wire a normal ethernet wire, so that I could plug it into a hub and plug the hub into the Cisco, that is, put a hub in line with it, or is it something else?
My bet is that you could stuff a hub between the two but I have never tried. Our arrangement is like so running from the CSU all the way to the LAN:
CSU/DSU Cisco router Hub Cisco PIX - switched DMZ hub Linux gateway box switched LAN
HTH
__ Jason Munro __ jason@stdbev.com __ http://hastymail.sourceforge.net/
David Nicol wrote:
I want to sniff all traffic on the upstream link at my installation. I have a wire that comes into my Cisco router from the CSU/DSU. The question is, is this wire a normal ethernet wire, so that I could plug it into a hub and plug the hub into the Cisco, that is, put a hub in line with it, or is it something else?
I already have the crossover cable for the new connection, if plugging the CSU/DSU wire into a hub is in fact copasetic.
If your upstream connection is cable, DSL, or some sort of metropolitan area Ethernet service (e.g. GigaMAN), then this would probably work. You say you have a CSU/DSU however, so I'm assuming your upstream is a T1 of some sort.
Unfortunately, trying to capture T1 traffic with Ethernet equipment won't work. The signaling used by CSU/DSUs is incompatible with Ethernet -- the frequencies, encodings, and algorithms are completely different. The plugs and (I think) pinouts are the same, but that's about it. Capturing data directly from a T1 requires expensive equipment from places like Network General or GL Communications.
Capturing data on the LAN side of your router is much cheaper and easier. The Ethereal wiki has a page on Ethernet capture at
http://wiki.ethereal.com/CaptureSetup_2fEthernet
Depending on your network you might have to apply some sort of capture filter to make sure you only catch data to and from your upstream connection. Something like
    ether host nn:nn:nn:nn:nn:nn and not ip host x.x.x.x \
        and not broadcast and not multicast
where nn:nn:nn:nn:nn:nn is the MAC address of your router's Ethernet port and x.x.x.x is the IP address of your router's Ethernet port should work.
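Added example (not part of the original thread): a Python sketch that applies the same predicate as the capture filter above to raw frames, to show which LAN-side traffic it keeps and which it drops. The MAC and IP addresses, the helper names and the sample frames are constructed for illustration, and only untagged Ethernet II frames carrying IPv4 are handled.

```python
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
BROADCAST = b"\xff" * 6

def mac_bytes(mac):
    """Convert 'aa:bb:cc:dd:ee:ff' to 6 raw bytes."""
    return bytes(int(part, 16) for part in mac.split(":"))

def matches_upstream_filter(frame, router_mac, router_ip):
    """Evaluate: ether host <router_mac> and not ip host <router_ip>
    and not broadcast and not multicast.
    Untagged Ethernet II frames only (no 802.1Q handling)."""
    if len(frame) < 14:
        return False
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    rmac = mac_bytes(router_mac)
    # ether host: the router's MAC is the source or the destination
    if rmac not in (dst, src):
        return False
    # not broadcast / not multicast: group bit is the low bit of the first dst octet
    if dst == BROADCAST or dst[0] & 1:
        return False
    # not ip host: drop IPv4 packets addressed to or from the router itself
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= 34:
        rip = socket.inet_aton(router_ip)
        if rip in (frame[26:30], frame[30:34]):
            return False
    return True

def build_frame(dst_mac, src_mac, src_ip, dst_ip):
    """Constructed sample: Ethernet II header + minimal 20-byte IPv4 header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + ip

ROUTER_MAC, ROUTER_IP = "00:11:22:33:44:55", "192.0.2.1"  # constructed values
HOST_MAC = "00:aa:bb:cc:dd:ee"                            # constructed LAN host
SAMPLES = {
    "outbound via router": build_frame(ROUTER_MAC, HOST_MAC, "192.0.2.10", "198.51.100.7"),
    "to router itself": build_frame(ROUTER_MAC, HOST_MAC, "192.0.2.10", ROUTER_IP),
    "lan-only": build_frame("00:de:ad:be:ef:01", HOST_MAC, "192.0.2.10", "192.0.2.11"),
    "broadcast from router": build_frame("ff:ff:ff:ff:ff:ff", ROUTER_MAC, ROUTER_IP, "192.0.2.255"),
}
if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(name, matches_upstream_filter(frame, ROUTER_MAC, ROUTER_IP))
```

Only frames that transit the router's Ethernet port on their way to or from the upstream link pass; host-to-host LAN traffic, traffic terminating on the router, and broadcast or multicast frames are excluded.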