HPE Community
Switches, Hubs, and Modems
1822215 Members
3665 Online
109642 Solutions
New Discussion юеВ

Re: monitoring msn traffic thru a monitor port

 
Hugo Tigre
Trusted Contributor

тАО02-12-2007 03:47 AM

тАО02-12-2007 03:47 AM

monitoring msn traffic thru a monitor port

Hi,

I'm trying to monitor MSN traffic connected to a monitor port.

I have already tried more than one model of HP switches and it doens't work.

I can sniff a lot of traffic thru the monitor port, but for some reason i can't snif msn traffic, other than from my one machine.

I also tried different software for this and none work.

Does anyone had this kind of issue.

best regards,
hugo
0 Kudos
11 REPLIES 11
Mohieddin Kharnoub
Honored Contributor

тАО02-12-2007 04:07 AM

тАО02-12-2007 04:07 AM

Re: monitoring msn traffic thru a monitor port

Hi

Most of ProCurve stackable switches allow you to monitor port(s).
But on the Intelligent switches, it allow you to monitor a whole Vlan.

Check your monitor port and Monitoring port settings, and use a good sniffer software like Wireshark (Ethereal).

You can use more simpler softwares like Microsoft TCPview or Atelier Web Ports Traffic Analyzer that allows you to such a good stuff:

http://www.microsoft.com/technet/sysinternals/utilities/tcpview.mspx
http://www.atelierweb.com/pta/index.htm

Good Luck !!!


Science for Everyone
0 Kudos
Hugo Tigre
Trusted Contributor

тАО02-12-2007 09:55 AM

тАО02-12-2007 09:55 AM

Re: monitoring msn traffic thru a monitor port

thanks MK,

but that that isn't really my problem.

I'm trying to use software dedicated to msn, so that i get the logs all pretty and nice to look at.

I use wireshark to do a lot of traffic capture, but for me to be able to filtrate all the logs, will be to much work.

Also the software i was using allowed me to encrypt the logs, so the will be some proof that none of the logs were tampered with.

One of the programs i was using was a open source on called, IM Sniffer.

And like i said i can capture, traffic from the machine where the software is installed, but thru a mirror port i cannot. This is weird because thru a mirror port i should be able to capture all traffic, including msn.

thanks for your help.
hugo
0 Kudos
Matt Hobbs
Honored Contributor

тАО02-12-2007 03:58 PM

тАО02-12-2007 03:58 PM

Re: monitoring msn traffic thru a monitor port

With wireshark/ethereal, you use the 'MSNMS' filter. As long as the port-mirroring has been setup properly and in the right location (as close to your internet connection as possible) you should be able to monitor all MSN traffic going through your network.

The 4100gl and 6100 have an ingress only limitation when it comes to traffic monitoring, and the 2650 you need to make sure that you're on the same ASIC (information on this in the firmware release notes). All other switches can mirror ingress/egress traffic without a problem.
0 Kudos
Matt Hobbs
Honored Contributor

тАО02-12-2007 04:00 PM

тАО02-12-2007 04:00 PM

Re: monitoring msn traffic thru a monitor port

Also just remember, that your sniffer gets attached to the mirror-port.
0 Kudos
Hugo Tigre
Trusted Contributor

тАО02-12-2007 10:04 PM

тАО02-12-2007 10:04 PM

Re: monitoring msn traffic thru a monitor port

thanks for the reply matt, but unfortunately i already tried that.

Yes, wireshark does have the "msnms" but it's kind a difficult to filtrate all the information with that.

And like i said i tested this in several scenarios with several different switches, and right now, I'm connected to a monitor port that is monitoring five ports, 4 of them are connected to computers with msn active, and the other port is connected to the gateway/internet.

And i can't understand why it's not getting msn traffic!!! If i use wireshark i can see that it's getting a lot of traffic from the other ports, but for some reason, msn traffic slips by :S

didn't anyone had issues with this already?

thanks anyway...
hugo
0 Kudos
DaGuru
Trusted Contributor

тАО02-13-2007 01:54 AM

тАО02-13-2007 01:54 AM

Re: monitoring msn traffic thru a monitor port

Hi Hugo,

Can IM Sniffer detect a machine local MSN conversation? If it can AND you can see MSN traffic coming in on the mirrored port with wireshark, I would suspect a problem with IM Sniffer or with how it is using WINPCAP. One other possibility may be with how well WINPCAP supports your NIC. You might consider trying a different NIC, but I would only suggest this as a last resort.

I looked at their support forum and it would appear that the tool does have some bugs. One thing I did not see was which version of WINPCAP it would work best with.
---------------------------------------------
I work for HP, but my posts and replies are my own.
0 Kudos
Hugo Tigre
Trusted Contributor

тАО02-13-2007 02:19 AM

тАО02-13-2007 02:19 AM

Re: monitoring msn traffic thru a monitor port

hi denis,

I tried it with two laptops with different NICs. I have the latest winpcap version, and i also tried before to use the one that came with the software. I tried 4 different programs, none of them can capture msn traffic thru a monitor port.

I've been looking thru documentation of HP, to see if there was a possibility i was missing something on the switch config. But i found nothing, the config is very straight forward.
0 Kudos
DaGuru
Trusted Contributor

тАО02-13-2007 02:38 AM

тАО02-13-2007 02:38 AM

Re: monitoring msn traffic thru a monitor port

I agree, it should be a very straight forward configuration.

I can see that you have rulled out the NIC. :-) What about being able to capture the conversation when its on the same machine you are capturing from? If it works, that may not tell us the whole story, as it would depend on where the sniffer is getting its information from.

What other sniffers have you tried so far?

---------------------------------------------
I work for HP, but my posts and replies are my own.
0 Kudos
Hugo Tigre
Trusted Contributor

тАО02-13-2007 03:03 AM

тАО02-13-2007 03:03 AM

Re: monitoring msn traffic thru a monitor port

they can capture local msn traffic only, but they all say in their specs that they can capture non local traffic.

i don't remember all the names, but so far i tried, IM Sniffer, MSN Sniffer 2, MSN monitor, Shadow IM Sniffer...

I'm assuming that it's impossible that all programs i tested are flawed in this kind if way. So the most be something with the capture drivers or something.
0 Kudos
Hugo Tigre
Trusted Contributor

тАО02-14-2007 01:50 AM

тАО02-14-2007 01:50 AM

Re: monitoring msn traffic thru a monitor port

problem solved:

it seams that none of the programs i was using worked with the latest winpcap version.

I downgraded the winpcap and now it works.

Thanks for all your help.

best regards,
hugo
0 Kudos
Hugo Tigre
Trusted Contributor

тАО02-14-2007 01:52 AM

тАО02-14-2007 01:52 AM

Re: monitoring msn traffic thru a monitor port

closed
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.