udp traffic cannot be sniffed

I am tasked with recording some udp messages between 2 windows
applications. I'm using a linux box with wireshark and tcpdump
installed. I am on the same physical switch(tried 2 different ones)
and have the same subnet and my ip is only different in the 4th octet
i.e. 192.168.1.xxx. The switch is not vlan'd or anything fancy, this
should be a no-brainer(or so i thought).

The applications are talking on port 7000 using udp. If I ran
wireshark on either of the windows boxes I see the traffic. But if I
run it from the linux box I see everything *but* this specific
traffic. If I filter on just port 7000 or just udp(or both), I get
nothing. Then I tried adding a third windows box and it could not see
the traffic either.

I might add that on the windows boxes where i can see the traffic in
wireshark, wireshark is incorrectly interpretting the protocol as "RX"
and it says its "malformed". But this is a proprietary(really simple)
protocol that happens to just use the same port as whatever RX does.
If I look at the hex, it is correct.

What the heck is going on and why can't I record this traffic?

-Kevin

On Fri, 03 Aug 2007 02:30:41 +0000, kevincw01 wrote:

> I am tasked with recording some udp messages between 2 windows
> applications. I'm using a linux box with wireshark and tcpdump
> installed. I am on the same physical switch(tried 2 different ones) and
.....
> What the heck is going on and why can't I record this traffic?

Use a hub, not a switch.

On Aug 2, 8:17 pm, Dave Uhring <daveuhr...@yahoo.com> wrote:
> On Fri, 03 Aug 2007 02:30:41 +0000, kevincw01 wrote:
> > I am tasked with recording some udp messages between 2 windows
> > applications. I'm using a linux box with wireshark and tcpdump
> > installed. I am on the same physical switch(tried 2 different ones) and
> ....
> > What the heck is going on and why can't I record this traffic?
>
> Use a hub, not a switch.

I'm required to use a switch(and a specific one).

kevincw01 schrieb:
> On Aug 2, 8:17 pm, Dave Uhring <daveuhr...@yahoo.com> wrote:
>> On Fri, 03 Aug 2007 02:30:41 +0000, kevincw01 wrote:
>>> I am tasked with recording some udp messages between 2 windows
>>> applications. I'm using a linux box with wireshark and tcpdump
>>> installed. I am on the same physical switch(tried 2 different ones) and
>> ....
>>> What the heck is going on and why can't I record this traffic?
>> Use a hub, not a switch.
>
> I'm required to use a switch(and a specific one).
>
If it is a managed switch, maybe you could set the port you use as
monitoring port, so that all traffic on the switch is sent out on
that port.
If it is not a managed switch, you could use ettercap for
arp-poisoning the switch, but better ask your administrator first.

If none of these work, forget it.

Greets
Chris

On Aug 3, 9:16 am, Christoph Scheurer <cyberf...@rebmatt.ch> wrote:
> kevincw01 schrieb:> On Aug 2, 8:17 pm, Dave Uhring <daveuhr...@yahoo.com> wrote:
> >> On Fri, 03 Aug 2007 02:30:41 +0000, kevincw01 wrote:
> >>> I am tasked with recording some udp messages between 2 windows
> >>> applications. I'm using a linux box with wireshark and tcpdump
> >>> installed. I am on the same physical switch(tried 2 different ones) and
> >> ....
> >>> What the heck is going on and why can't I record this traffic?
> >> Use a hub, not a switch.
>
> > I'm required to use a switch(and a specific one).
>
> If it is a managed switch, maybe you could set the port you use as
> monitoring port, so that all traffic on the switch is sent out on
> that port.
> If it is not a managed switch, you could use ettercap for
> arp-poisoning the switch, but better ask your administrator first.
>
> If none of these work, forget it.
>
> Greets
> Chris

I was thinking about the mirroring option. Is there some name or
standard this is normally called out as in a manual or spec? I want
to see if my switch supports this. Since I need to see traffic from
two ports, I'm guessing I would need to mirror two ports to two other
ports since it doesn't seem logical to be able to send 2GBps to a
1GBps port.

Hello,

Christoph Scheurer a écrit :
> If it is not a managed switch, you could use ettercap for
> arp-poisoning the switch, but better ask your administrator first.

Huh ? What has ARP to do with a switch ?

Pascal Hambourg <boite-a-(E-Mail Removed)> wrote:
> Christoph Scheurer a ?crit :
> > If it is not a managed switch, you could use ettercap for
> > arp-poisoning the switch, but better ask your administrator first.

> Huh ? What has ARP to do with a switch ?

Perhaps Christoph meant to overflow the switch's fowarding tables and
got terms confused?

rick jones
--
The glass is neither half-empty nor half-full. The glass has a leak.
The real question is "Can it be patched?"
these opinions are mine, all mine; HP might not want them anyway...
feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...

kevincw01 <(E-Mail Removed)> wrote:
> What the heck is going on and why can't I record this traffic?

To explicitly say what I don't think has been said explicitly, the
switch is doing precisely what a switch is supposed to do - provide
traffic isolation. So the traffic between the two Windows systems
only flows over the two ports of the switch to which they are
connected. That is what separates a switch from a hub.

rick jones
--
No need to believe in either side, or any side. There is no cause.
There's only yourself. The belief is in your own precision. - Jobert
these opinions are mine, all mine; HP might not want them anyway...
feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...

Rick Jones schrieb:
> Pascal Hambourg <boite-a-(E-Mail Removed)> wrote:
>> Christoph Scheurer a ?crit :
>>> If it is not a managed switch, you could use ettercap for
>>> arp-poisoning the switch, but better ask your administrator first.
>
>> Huh ? What has ARP to do with a switch ?
>
> Perhaps Christoph meant to overflow the switch's fowarding tables and
> got terms confused?
>
> rick jones

Right, I mixerd up two different things.
One is the ARP-Poisoning of the Hosts, so to get the Servers to send
Traffic targeted to Host2 gets sent to the wrong MAC-Address, where
it can be sniffed and forwarded to the right host.

Second is the one you said, overflooding the MAC-Cache and maybe
force the Switch to send traffic to all ports and therefoe acting
like a hub.

Am I right?

Chris

kevincw01 schrieb:
> On Aug 3, 9:16 am, Christoph Scheurer <cyberf...@rebmatt.ch> wrote:
>> kevincw01 schrieb:> On Aug 2, 8:17 pm, Dave Uhring <daveuhr...@yahoo.com> wrote:
>>>> On Fri, 03 Aug 2007 02:30:41 +0000, kevincw01 wrote:
>>>>> I am tasked with recording some udp messages between 2 windows
>>>>> applications. I'm using a linux box with wireshark and tcpdump
>>>>> installed. I am on the same physical switch(tried 2 different ones) and
>>>> ....
>>>>> What the heck is going on and why can't I record this traffic?
>>>> Use a hub, not a switch.
>>> I'm required to use a switch(and a specific one).
>> If it is a managed switch, maybe you could set the port you use as
>> monitoring port, so that all traffic on the switch is sent out on
>> that port.
>> If it is not a managed switch, you could use ettercap for
>> arp-poisoning the switch, but better ask your administrator first.
>>
>> If none of these work, forget it.
>>
>> Greets
>> Chris
>
> I was thinking about the mirroring option. Is there some name or
> standard this is normally called out as in a manual or spec? I want
> to see if my switch supports this. Since I need to see traffic from
> two ports, I'm guessing I would need to mirror two ports to two other
> ports since it doesn't seem logical to be able to send 2GBps to a
> 1GBps port.
>
When you now the vendor and/or the S/N -> http://www.google.com is the
right way to find the manual.
It should be possible that you forward all traffic (of both ports you
like to monitor) to _one_ port.