|How to monitor remote traffic|
|Written by Mike James|
|Monday, 12 April 2010|
Page 1 of 2
We have already looked at the basics of Microsoft Network Monitor 3.3, which is free-to-download software that works under Windows. Its operation is easy enough to understand - it reads the packets that pass through a network adaptor and collects data on them. You then analyse the data and come to some useful conclusion.
However, if you are new to the whole idea of network monitoring you might jump to some incorrect conclusions about what is possible and how to make some more sophisticated things happen. For example, suppose you want to monitor the traffic passing through a router? How can you achieve this relatively modest objective?
At a first look the solution might appear to be in setting the monitoring network adaptor into promiscuous mode - but there is much more to it than that.
Normal and promiscuous mode
The idea is that in normal mode a network adaptor only bothers to pick up packets that are addressed to its IP address and, of course it only sends packets that are from its IP address. What this means is that if you sit the network monitor in a machine that is connected to the network in the usual way you should only see local traffic, i.e. traffic to and from that particular machine. This isn't completely true because you might well also see packets which are broadcast to the network. Even so, the general principle is that a network card by default ignores packets that have nothing to do with the machine that it is serving.
If you switch a network adaptor into promiscuous mode then it will pick up and pass to the higher levels of the stack all of the packets that it sees. This doesn't affect the functioning of the machine and the applications running on it because these just ignore packets that aren't addressed to them.
To set promiscuous mode you simply click the p-mode button in the network adaptor window. Notice that not all network adaptors support p-mode but the majority do. Also notice that enabling p-mode will increase the number of packets seen by the machine and will cause the network monitor to have to work hard and it might even be so overwhelmed that it starts to drop packets.
So the solution to the problem of monitoring a remote router is to enable p-mode. If you try this you most likely will discover that nothing much changes. That is, in most cases the packets you see after enabling p-mode are the same as before you enabled p-mode and the reason is the way modern networks actually work.
In the early days network cabling was connected together using hubs. A hub is a very simple device which passes all packets to all of the network ports it supports. Today hubs have been nearly completely replaced by switches - in fact it is quite difficult to find a network hub on sale that doesn't turn out to be a switch on closer inspection.
A switch is much more intelligent than a hub in that it learns the addresses of the devices connected to each of its ports and then transfers only the packets addressed to that machine to the corresponding port. A switch reduces the overall load on segments of the network by not passing traffic that is of no interest to the machines connected to that segment. It’s a good idea, a very good idea, but it defeats the whole idea of setting the network adaptor into p-mode.
If the adaptor is connected to the rest of the network via a switch then, if everything is working properly, it will only see packets that are addressed to it and hence what it sees in p-mode or non-p-mode will be almost identical.
|Last Updated ( Sunday, 09 May 2010 )|