
Setting up a Sniffer outside of the firewall

  • Setting up a Sniffer outside of the firewall

    I am working with my ISP to determine why I'm getting RST packets when external devices are trying to connect to internal devices. I ran Wireshark on the internal network, but now the ISP would like me to get a packet capture between the incoming router and my firewall.

    I don't have a hub or managed switch that I can use, but I do have an available Windows 2003 server with two NICs. Is there a way to configure Windows 2003 so that the traffic will just flow through the two NICs without my having to assign them IP addresses? Basically, I just want it to act like a repeater so that I can monitor the traffic. TIA for any advice.

  • #2
    Re: Setting up a Sniffer outside of the firewall

    Sounds like you want a Passive Ethernet Tap.
    I wouldn't really recommend doing it with a server if it can be avoided, and in fact you almost certainly can't do it without assigning addresses.

    (Note: neither I, nor I'm sure the site administrators or moderators, recommend or suggest, consider or plan, that you would use this sort of thing in any method, manner or way for which you are not authorised, or on a network that you are not responsible for. I.e., Be Good.)

    Try this:

    It may not be an exact solution, but it should help you get there. It would need to go between the cable on the firewall, and the router. You'd then plug a laptop with a promiscuous-capable network card into the newly created port, and set it to capture in promiscuous mode. This should then see EVERYTHING that goes across that line.
    It'll generate A LOT of data though. Make sure your connections are very secure, else you'll start seeing random network oddness if the wires aren't properly pinned down and stuff.
    Last edited by tehcamel; 12th November 2010, 21:45.


    • #3
      Re: Setting up a Sniffer outside of the firewall

      Thanks for the idea tehcamel. It actually looks like a fun way to approach this. I actually ended up just purchasing a cheap hub from BestBuy and got the capture that way. Still haven't figured out why connections are getting reset but we're one step closer.
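
An added example, not part of the original thread: once captures exist from both sides of the firewall, listing only the TCP resets in each makes it easier to see on which side a RST first appears, without wading through everything a promiscuous capture collects. The sketch assumes the capture was saved in the classic pcap format (not pcapng) with an Ethernet link type; the function names and the sample frames, which use documentation addresses, are constructed for illustration.

```python
import socket
import struct

def tcp_resets(pcap):
    """List (src, sport, dst, dport, ttl) for each IPv4 TCP RST in a classic
    pcap file (Ethernet link type), given the file's raw bytes."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    resets, off = [], 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        # Need Ethernet + minimal IPv4 header, EtherType 0x0800, protocol 6.
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]
        if len(tcp) >= 14 and tcp[13] & 0x04:  # RST flag set
            sport, dport = struct.unpack("!HH", tcp[:4])
            resets.append((socket.inet_ntoa(frame[26:30]), sport,
                           socket.inet_ntoa(frame[30:34]), dport, frame[22]))
    return resets

def _frame(src, dst, sport, dport, flags, ttl):
    """Build one constructed Ethernet/IPv4/TCP frame (checksums left at 0)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 0, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def sample_pcap():
    """Constructed capture: a SYN from outside answered by a RST/ACK."""
    frames = [_frame("203.0.113.10", "198.51.100.5", 40000, 443, 0x02, 52),
              _frame("198.51.100.5", "203.0.113.10", 443, 40000, 0x14, 64)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    for r in tcp_resets(sample_pcap()):
        print("RST %s:%d -> %s:%d ttl=%d" % r)
```

For a real capture, pass the file's bytes, for example `tcp_resets(open("outside.pcap", "rb").read())`, where the file name is a placeholder.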