Capture problem with iftop or iptraf


I want to use a laptop under OpenSuse 12.3 for network monitoring.

I’ve configured a switch for port monitoring and plugged my laptop into the monitor port (I’ve already done this with an Ubuntu laptop without any problem).

I’d like to use iftop but I’m encountering a problem:
If I launch iftop alone, it only shows broadcasts and local transactions (from and to the laptop).
If I open Wireshark and perform a capture on eth0 at the same time I use iftop, I can see all the traffic I want to monitor.

I thought it could be an iftop problem but I tried with iptraf and it’s exactly the same.

Well, I think that something is blocked if Wireshark is not performing a capture but I don’t know where/what to search.

I tried to disable the firewall but it doesn’t change anything.

Any idea?

Thank you in advance.

The first step is to first eliminate any Network issues which might be blocking… eg
port-based firewalling, most often associated with “better” wireless access points. Recommend initially wired only connections unless you’re also running a wireless pen app.
network switches which block, either port-based switching or configured vlans.

If you’re not sure, set up a test scenario where you connect directly with another machine (eg crossover cable) or a known and proven hub (not switch) which won’t block.

After eliminating external issues, the most common issue for what you’re describing is whether your NIC driver is compiled to support and enable promiscuous mode.

If you haven’t heard of promiscuous mode,
Under normal conditions, NICs should be configured to ignore traffic that isn’t addressed to the local machine. If the NIC didn’t automatically ignore, a process would be created and moved up your OS stack until something (eg the OS itself) determined that the traffic wasn’t meant for the machine, using up valuable CPU cycles and resources. If the NIC ignores, then no resources are wasted.

But the apps you want to run actually want to listen to traffic that’s not directed to that machine.

Been awhile since I’ve dealt with this, when I first installed openSUSE on my pen testing laptop, initially my NIC firmware wasn’t compiled to support promiscuous mode. I had to re-compile the driver to support and that was an adventure. But, since that initial install, I’ve both upgraded and installed new on my machine and the NIC drivers supported promiscuous mode (even enabled by default sometimes).

You’ll have to identify your NIC and do some research about the features of the installed driver. Pen testing guides often reference guides how to do this.


Thank you Tsu for your help and your explanations!

I was sure that there was no problem with my switch config because I already used the same laptop but under Ubuntu to perform the same thing, but I didn’t remember that I had the same problem.

Anyway, you’re right Tsu, the problem was with promiscuous mode and the following command line helped me to solve it:

# ifconfig eth0 promisc

Seems that Wireshark enables this mode when capturing without typing this command.

So, this issue is solved. \o/
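
To confirm that promiscuous mode is actually on before starting iftop or iptraf, the interface flags can be read back from sysfs and tested for the `IFF_PROMISC` bit (0x100 in `<linux/if.h>`). This is an added example, not part of the thread: the function names are made up here, and it assumes a Linux system that exposes `/sys/class/net/<iface>/flags`.

```shell
#!/bin/sh
# Added example: report which interfaces currently have IFF_PROMISC set.
# Function names are hypothetical; the sysfs path is an assumption about the host.

IFF_PROMISC=256   # 0x100, from <linux/if.h>

# is_promisc FLAGS
# FLAGS is the hex word found in /sys/class/net/<iface>/flags, e.g. 0x1103.
# Returns 0 if the promiscuous bit is set, 1 if not, 2 if FLAGS is malformed.
is_promisc() {
    case $1 in
        0x*[!0-9a-fA-F]*) return 2 ;;   # non-hex character after the prefix
        0x?*) ;;                        # looks like a hex word
        *) return 2 ;;                  # empty or missing 0x prefix
    esac
    [ $(( $1 & IFF_PROMISC )) -ne 0 ]
}

# promisc_ifaces [SYSFS_NET_DIR]
# Prints the name of every interface whose flags include IFF_PROMISC.
# The directory argument exists so the function can be pointed at a test tree.
promisc_ifaces() {
    dir=${1:-/sys/class/net}
    for f in "$dir"/*/flags; do
        [ -r "$f" ] || continue
        flags=$(cat "$f" 2>/dev/null) || continue
        if is_promisc "$flags"; then
            iface=${f%/flags}
            echo "${iface##*/}"
        fi
    done
}

# Stand-alone use: list promiscuous interfaces on this machine.
promisc_ifaces "$@"
```

An empty result on the monitoring laptop means no interface is in promiscuous mode, which matches the symptom in the first post (only broadcasts and local traffic visible).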