
Sinowal trojan: Three years old and just plain nasty

Sinowal is a dangerous piece of malware. Security analysts are just beginning to realize how much so. That's because the Sinowal trojan is unique in its attack vector, and we need to understand what's different about it.

I want to share my close encounter of the third kind with a trojan called Sinowal, also known as Mebroot or Torpig. The trojan is downright nasty, especially since it's purposed to steal people's identities and, more importantly, money. The fact that it's been around for almost three years and still going strong speaks to its tenacity.

In the beginning

A friend of mine who just returned from Germany called me in total-panic mode. His notebook was crashing randomly, and he was slated to give an important presentation the next day. Could I help? No problem, I said. Leave the notebook with me and use one of my computers. Seeing an obvious opportunity, I made sure to get assurance of dinner at the restaurant of my choice before turning over one of my notebooks.

My friend's presentation turned out fine, but I wasn't having any luck in finding out what was wrong with his notebook. It appeared to work just fine. I called and asked him if possibly the German beer hadn't clouded his judgment. He denied any wrongdoing, telling me to look elsewhere using words I'm not about to repeat.

Enough said, I decided to replicate the exact conditions under which the problem occurred, which meant allowing his notebook to access the Internet through my network. I normally don't like to do that with suspect computers, even on an isolated guest VLAN.

Strange encrypted outgoing traffic

To my surprise, the computer crashed shortly after being connected to the Internet. That's interesting; I've never experienced a situation quite like this before. I decided to see if I could capture enough Ethernet traffic from the notebook to determine what's going on before it crashes. In my second attempt, I was able to get several hundred packets before the notebook dumped.

I noticed right away that a significant portion of the capture consisted of encrypted packets aimed at one remote IP address. That seemed odd to me. So I used TrustedSource, an IP address/location Web site, and determined that the IP address belonged to a server in Eastern Europe. Oops, all sorts of bells began to go off. I hadn't even thought about malware possibly causing the crashes, but I can take a hint.

Malware alert

In a 180-degree turnaround, I did all the normal malware checks, especially making sure that the operating system (Windows XP Pro) and AV signatures were up to date. I ran some scans and didn't get any hits. Having been down this path numerous times, I was all set to reformat and reload, might as well just get it over with.

Being the ultimate in considerate, I called my friend and told him of my findings and possible bad news. He didn't appear to be in a rush for his notebook, mumbling something about mine working better than his. Actually, I was glad to hear that, because it took the pressure off and I really wanted to figure this out.

Give GMER a try

I loaded GMER, my favorite scanner. Surprisingly, it got right to the problem, as shown in Figure A.

Figure A

[Image: GMER scan result]

It didn't look good: "sector 00:MBR rootkit detected." That's an immediate reformat/reload in my world. Still, I was excited, because this would be my first encounter with this sort of malware. I started searching the Internet for information about MBR rootkits, and what I learned was, needless to say, a bit scary. It appears that putting an MBR rootkit together with encrypted traffic gets you the Sinowal trojan.

I also learned that RSA FraudAction Research Lab has been following the Sinowal trojan for over three years, compiling some really interesting data about it:

"We recently discovered that, dating back as early as February 2006, the Sinowal Trojan has compromised and stolen login credentials from approximately 300,000 online bank accounts as well as a similar number of credit and debit cards. Other information such as email, and FTP accounts from numerous websites, have also been compromised and stolen."

How the Sinowal loader works

Sinowal uses the normal methods to gain access to the computer being attacked. Initially most infections were via e-mail links, but it now appears that drive-by droppers, such as NeoSploit on malicious Web sites, are the attack vector of choice.

Interestingly, Sinowal is selective about geographical location: it incorporates an IP-to-location lookup to focus on specific areas, and guess what, Germany is one such area. It's starting to make sense now. The way Sinowal gains a foothold on the computer is nothing short of ingenious, and most likely why it's been able to survive for so long.

After the initial infection, the loader remains dormant for a certain length of time. I've heard that it's around six minutes, and the sole purpose of this is to fake out malware scanners. The scanners typically try the executable in a sandbox and see what happens. Since Sinowal doesn't do anything, the scanner is fooled.

Sinowal is also considered a Bootkit, meaning it overwrites the master boot record (MBR), allowing it to bypass Windows system functions. The following installation steps are the results of researchers reverse engineering one variant of Sinowal:

  1. First Sinowal reads the MBR and copies the partition table.
  2. Sinowal has its own MBR and incorporates the copied partition table into it.
  3. Now the sneaky part: Sinowal appends the original MBR into the last sector of the new MBR it created.
  4. Sinowal then writes the newly created MBR to disk.
  5. Next Sinowal waits. Like all MBR rootkits, the loader was able to alter only the MBR, and a reboot is required to start Sinowal's payload boot sequence.
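The loader's steps above leave a recognizable fingerprint: the bootstrap code in sector 0 changes while the partition table is carried over unchanged. The following is an added example, not code from the article, GMER, or any vendor tool: a Python routine that parses a 512-byte MBR, hashes the boot code, extracts the partition table, and classifies how a sector read from a disk differs from a known-good backup. The sample sectors are constructed here, and the "boot code" bytes are arbitrary placeholders rather than real bootstrap code.

```python
"""Added example (not from the article or any vendor tool): parse a
512-byte MBR and compare it with a known-good copy, flagging the pattern
the loader steps describe: new boot code, same partition table.
The sample sectors are constructed; the 'boot code' bytes are arbitrary
placeholders, not real bootstrap code."""
import hashlib
import struct
from dataclasses import dataclass
from typing import List

SECTOR_SIZE = 512
CODE_LEN = 446                # bootstrap code area: bytes 0-445
TABLE_OFFSET = 446            # four 16-byte partition entries: bytes 446-509
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510-511
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"


@dataclass(frozen=True)
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


@dataclass
class ParsedMBR:
    code_sha256: str
    partitions: List[Partition]
    signature_ok: bool


def parse_mbr(sector: bytes) -> ParsedMBR:
    """Split one sector into boot code (hashed), partition table and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        entry = sector[TABLE_OFFSET + 16 * i: TABLE_OFFSET + 16 * (i + 1)]
        status, type_id, lba, count = struct.unpack(ENTRY_FMT, entry)
        if type_id != 0:  # type 0 marks an unused slot
            partitions.append(Partition(status == 0x80, type_id, lba, count))
    return ParsedMBR(
        hashlib.sha256(sector[:CODE_LEN]).hexdigest(),
        partitions,
        sector[510:512] == BOOT_SIGNATURE,
    )


def check_mbr(baseline: bytes, current: bytes) -> str:
    """Classify how 'current' differs from the trusted 'baseline' sector."""
    base, cur = parse_mbr(baseline), parse_mbr(current)
    if not cur.signature_ok:
        return "invalid boot signature"
    code_changed = cur.code_sha256 != base.code_sha256
    table_changed = cur.partitions != base.partitions
    if code_changed and not table_changed:
        # Exactly what the loader does: fresh boot code, copied partition table.
        # A legitimate bootloader install looks the same, so treat it as 'review'.
        return "boot code replaced, partition table preserved (bootkit pattern)"
    if code_changed and table_changed:
        return "boot code and partition table changed"
    if table_changed:
        return "partition table changed"
    return "unchanged"


def build_mbr(code: bytes, partitions: List[Partition]) -> bytes:
    """Assemble a sector for the constructed samples below."""
    table = b"".join(
        struct.pack(ENTRY_FMT, 0x80 if p.bootable else 0x00,
                    p.type_id, p.lba_start, p.sector_count)
        for p in partitions
    )
    return code.ljust(CODE_LEN, b"\x00")[:CODE_LEN] + table.ljust(64, b"\x00") + BOOT_SIGNATURE


# Constructed samples: one NTFS partition (type 0x07) starting at LBA 63.
XP_TABLE = [Partition(True, 0x07, 63, 20_964_762)]
CLEAN_MBR = build_mbr(b"PLACEHOLDER-CLEAN-BOOT-CODE", XP_TABLE)
# Loader steps 1-4: its own boot code, but the copied partition table.
ROGUE_MBR = build_mbr(b"PLACEHOLDER-ROGUE-LOADER", XP_TABLE)

if __name__ == "__main__":
    print(check_mbr(CLEAN_MBR, CLEAN_MBR))
    print(check_mbr(CLEAN_MBR, ROGUE_MBR))
```

The baseline copy and the current sector should both be read from a boot disk or live CD rather than from the running system, since a bootkit that controls the boot sequence can lie about sector 0 once Windows is up. A "boot code replaced" result is a prompt for review, not proof of infection: a bootloader install or a repair tool produces the same change.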

The payload boot sequence is an intense process. If you're interested, the details are expertly explained by Peter Kleissner in his white paper "Analysis of Sinowal." The reason for the complexity is that ultimately Sinowal will have full control over Windows' boot sequence on the infected computer.

What's really amazing is the boot sequence takeover is done without any additional malware running on the system. At first I didn't see the significance of this, but the report "MBR/Mebroot/Sinowal/Torpig Is Back -- Better than Ever" by TrustDefender Labs explains why this approach is devious and important to Sinowal's survival:

"How can Mebroot/Sinowal do their dirty work without a malicious component? Well, because Sinowal controls the boot sequence, it can inject the malicious code into legitimate Windows Components. It will hook key functions that the Internet Explorer will use to do its day-to-day job like sending and receiving encrypted data. Yes, you are right. Mebroot/Sinowal does have full control over the encrypted data stream as it has access to it before it will be encrypted and after it has been decrypted."

The reason this report interested me was the mention of encrypted traffic. That must be what I was seeing when I was trapping packets from my friend's computer. Now that Sinowal is loaded and situated on the victim computer, let's take a look at why it went through all this effort.

The real job of Sinowal

If you remember, I said that Sinowal's whole reason for being is to steal identities and money. Also remember in the TrustDefender article where it says that Sinowal can completely take over the Internet session, well that's where the problem starts. Let's follow the steps of a phishing attack that could've happened to me if I had continued to use my friend's notebook:

  1. I decide to go to my bank's portal, logging on with my personal credentials.
  2. Depending on which Sinowal variant is used, Sinowal now has my personal information or it could ask me for more information by injecting additional HTML code into the bank's Web pages that the browser is displaying.
  3. At predetermined intervals, Sinowal encrypts the captured data and sends it to command and control servers that have been preprogrammed into the malware, and we all know what happens next.
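Step 3 is also what gave the infection away in the packet capture: a single internal host pushing encrypted-looking data to one remote address, over and over. The following is an added example, not part of the article: a small Python detector that groups flow records per source/destination pair and alerts when a pair shows many flows, evenly spaced in time, whose payloads have the high byte entropy typical of ciphertext. The flow records are constructed, the external addresses come from RFC 5737 documentation ranges, and the "ciphertext" is a deterministic SHA-256 stand-in rather than a real capture.

```python
"""Added example (not from the article): flag a host that talks to a single
external address at regular intervals with high-entropy (encrypted-looking)
payloads, the behaviour described in step 3. Flow records are constructed;
the addresses are RFC 5737 documentation ranges."""
import hashlib
import ipaddress
import math
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

Flow = Tuple[float, str, str, bytes]  # (timestamp s, src IP, dst IP, payload)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext and compressed data sit near 8, text near 4-5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_external(ip: str) -> bool:
    """External means 'not in one of our RFC 1918 ranges'."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_beacons(flows: List[Flow], min_count: int = 5,
                 entropy_threshold: float = 7.0, max_jitter: float = 0.2) -> List[Dict]:
    """Alert on (src, dst) pairs with at least min_count flows, evenly spaced
    (relative jitter <= max_jitter) and a high average payload entropy."""
    pairs: Dict[Tuple[str, str], List[Tuple[float, bytes]]] = defaultdict(list)
    for ts, src, dst, payload in flows:
        if is_external(dst):
            pairs[(src, dst)].append((ts, payload))
    alerts = []
    for (src, dst), items in pairs.items():
        if len(items) < max(min_count, 2):
            continue
        items.sort(key=lambda x: x[0])
        times = [t for t, _ in items]
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = sum(gaps) / len(gaps)
        jitter = max(abs(g - period) for g in gaps) / period if period else 1.0
        entropy = sum(shannon_entropy(p) for _, p in items) / len(items)
        if jitter <= max_jitter and entropy >= entropy_threshold:
            alerts.append({"src": src, "dst": dst, "count": len(items),
                           "period_s": period, "entropy": round(entropy, 2)})
    return alerts


def pseudo_ciphertext(seed: int, n: int) -> bytes:
    """Deterministic stand-in for an encrypted payload (constructed, not captured)."""
    out = b""
    i = 0
    while len(out) < n:
        out += hashlib.sha256(f"{seed}:{i}".encode()).digest()
        i += 1
    return out[:n]


# Constructed sample: one victim beacons to one external host every 60 s,
# mixed with ordinary plaintext web requests to other hosts.
SAMPLE_FLOWS: List[Flow] = [
    (t, "192.168.1.20", "203.0.113.7", pseudo_ciphertext(t, 512))
    for t in range(0, 600, 60)
] + [
    (5.0, "192.168.1.20", "198.51.100.10", b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    (130.0, "192.168.1.20", "198.51.100.23", b"GET /news HTTP/1.1\r\nHost: news.example.org\r\n\r\n"),
    (400.0, "192.168.1.20", "198.51.100.10", b"GET /a.css HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
]

if __name__ == "__main__":
    for alert in find_beacons(SAMPLE_FLOWS):
        print(alert)
```

Legitimate HTTPS traffic is also high-entropy, so the entropy test on its own is noise; the combination with a fixed period and a single destination is what makes the pattern worth a look, and the thresholds are starting points to tune against your own baseline.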

Significance of all this

I've been writing a lot lately about the various methods that attackers are using to steal personal and financial information. The common threads for all the attack venues I discussed are redirection and deception. Using Kaminsky's bug or the DNS Changer trojan allows attackers to redirect your Web browser to a malicious Web site. After the redirection, the attacker has two options: one, hope that the user will not notice that HTTPS isn't in use; or two, set up a forged SSL certificate exchange with a malicious Web server.

That complexity works in users' favor, since many pieces need to fall into place for the attack to succeed. Sinowal avoids all of it: there's no need for redirection or Web-site deception, because the exploit is already sitting on the computer. The banking Web site is the correct one and the SSL certificate isn't forged, so the user is totally unaware of any wrongdoing.

Sinowal's longevity

The title of this article mentions that Sinowal has been around for over three years now. One would think that the security analysts and AV companies would have this under control. Well, they originally thought so too. If you check out the following graph (courtesy of RSA), it looked like Sinowal was getting eradicated in the first part of 2008:

[Graph: compromised accounts over time, courtesy of RSA]

So what created the resurgence? RSA in the article "One Sinowal Trojan + One Gang = Hundreds of Thousands of Compromised Accounts" explains that:

"Only rarely do we come across crimeware that has been continually stealing and collecting personal information and payment card data, and compromising bank accounts as far back as 2006. And in addition to its longevity, Sinowal has also been evolving at a dramatic pace -- its rate of attacks spiked upwards from March through September of this year.

The creators of the Sinowal Trojan periodically release new variants and register thousands of Internet domains for its communication resources. The purpose of this is to maintain the Trojan's uninterrupted grip on infected computers. This diagram (see below) shows the rate at which the creators of the Sinowal Trojan have been creating new variants."

[Diagram: rate of new Sinowal variants, courtesy of RSA]

Final thoughts

Sinowal is considered by security experts to be the most insidious and sophisticated piece of malware ever created. It hides below the operating system, controls applications, and morphs all the time. If you ask AV companies, they will tell you that their applications detect and remove Sinowal. That's all well and good, but which variant are they referring to?

I successfully located Sinowal with GMER, but I know others that haven't been that lucky. I also have heard good things about TrustDefender Labs and their applications being able to nullify Sinowal. Other than that, there's little available to defend against MBR rootkits such as Sinowal. Not wanting to take a chance, I ended up reformatting and reloading the operating system on my friend's computer.

Depending on your point of view, the fact that Sinowal works only on MS operating systems could be a good or a bad thing. Also one point in favor of MS Vista is that it's immune to MBR rootkit attacks. Maybe it's time to switch to Vista or get MS to hurry up with Windows 7.



96 comments
gfarler

Can you provide the IP address mentioned in the article?

Michael Kassner

I just got back an e-mail from Ronen Tzur. A very cool guy and the developer of Sandboxie. One of my favorite applications for isolating unknown executables. This is what he said about Sinowal and Sandboxie: Several members have quizzed me as to whether Sandboxie would protect against the identity theft antics of Sinowal. Ronen's answer: "Hello Michael, I'm glad to hear you like Sandboxie. As for this Sinowal trojan, I read your summary of how it works, and I am fairly confident that if the initial infection you describe occurs under the supervision of Sandboxie, then the trojan will not be able to do anything. This is because Sandboxie never lets the programs it supervises "open" disk devices for direct access. Sandboxed programs can only access files. This means no access to partition table, to boot records, or to any arbitrary sector on any disk. The program can only access files through proper filesystem interaction, at which point Sandboxie further decides which file will be actually accessed -- one inside the sandbox or outside it. Having said all that, I must also point out that if a system is already compromised by this or any other trojan or malware, then Sandboxie is most likely not going to be able to hinder the operation of the existing malware. Although Sandboxie may still prevent new malware from latching onto the system." I'd like to thank Ronen for his fast response and developing an amazing product.

Photogenic Memory

I'm gonna try this out on my home systems tonight after work! Thank god I use linux as well. Windows 7 hurry up!!!

gahmusic

I've been working in this business for nearly 15 years now, and I have to say that for all the problems malware and viruses cause, they still only come second to the damage caused by inexperienced, inept, overconfident engineers or users who think they know everything there is to know about IT. Leave the slightest weakness in a network and they will find it, exploit it, and usually cause damage as a result. At least you can format a workstation.

micha

...why are Linux systems not vulnerable? Thanks, Micha

jim-f

So what about using Fixmbr or some such utility? Also, I was wondering if anyone is creating a boot disk utility to scan and analyze the MBR for rootkits. I have found many MBR backup and restore utilities. But so far I have not found an easy way to examine and analyze the contents in the MBR and determine what is being loaded there. Maybe not worth the trouble. Just run fixmbr instead? Does anyone have any data on this? BTW: Good article. Keep em comin :)

sboverie

Thanks for the information, I appreciate the view from inside to first find and then research this trojan. Most stories on virii skim the bare facts and do not give any real information.

Angel_Tech

Great article. Even if you don't have a 100% solution, at least now you are aware of this. I've heard so many times of this rootkit malware, but not being able to deal with it, you can't really tell much about it. And thanks for the GMER tool. It uses online scans, which at first I didn't like, but since every time you get infected the antivirus doesn't seem to work right, I think the online choice is a must-have now. Cheers :)

michaelsaltmarsh

Thanks Michael, this one was very interesting :D Does this trojan still depend on the ignorance of the user to get its original code to run, or are they personally installed remotely?

DeanTech

I know there are various packet sniffers out there, and I'm looking for one that you could recommend. Which one did you use? Thanks

seanferd

Sometimes quite rapidly.

Michael Kassner

I didn't keep that information as after a few days the server was no longer up.

seanferd

I've read up on it several times, and I may have actually downloaded it, but I've never installed it. I've recommended it to others, especially those with kids. I'll have to check it out eventually, but I don't worry about getting infected so much, myself.

seanferd

"Only Windows XP operating systems are affected, because of the file and mechanism dependencies of Sinowal. Sinowal includes statically signatures to find the respective code to hook in system files; they are static and may not be found in different file versions. Sinowal has following file dependencies:
* Master Boot Record to be just one sector big
* ntldr
* ntoskrnl
* memory directly after ntoskrnl in memory to be free
* Partition Table may not be changed
If the Bootloader in the previous Master Boot Record uses more than one sector the system will hang on startup, because original MBR can't load its code and data and will fail fatal. If ntldr or ntosrknl doesn't fit versions required for the hook process you have luck and your system will not be affected at runtime."
http://web17.webbpro.de/index.php?page=analysis-of-sinowal

Michael Kassner

If it's OK, I'd like to make two points. First, it takes a great deal of effort to even determine it's an MBR trojan. Finding it is not anywhere near a sure thing either. Second, FixMBR should work for all variants, but I would be hesitant to say that any other malware scanner will be able to find and remove every variation. For example, I went through all that work and still rebuilt the computer. I could have saved hours of work by rebuilding the computer right away, but I was really curious.

seanferd

but it won't remove the driver, kernel patches, installer, etc. GMER says their tool will do so: http://www2.gmer.net/mbr/mbr.exe
Not sure exactly what you're looking for in boot record analysis, but an offline NTFS disk editor (something like Norton DiskEdit) would display the MBR, and there are slews of bootable/live CD (or even floppy) images for troubleshooting out there. I'm sure some have malware scanners which check the MBR. A few quick resources:
http://www.geocities.com/thestarman3/asm/mbr/Win2kmbr.htm (Not just Win2k)
http://dimio.altervista.org/eng/ (Has a tool which "visualizes" the MBR, among other things.)
http://www.ultimatebootcd.com/index.html
http://www.ubcd4win.com/contents.htm
DIY, for those so inclined:
http://www.nu2.nu/pebuilder/
http://articles.techrepublic.com.com/5100-10878_11-6123118.html
http://articles.techrepublic.com.com/5100-10878_11-6160062.html

Michael Kassner

Thanks, Sean. It's what started my quest, as I couldn't find a great deal about Sinowal. I think it's because of Sinowal's resurgence and all of the year-end reports that publish losses due to ID theft.

Michael Kassner

I really wanted to try and have it so others wouldn't make the same mistakes I did.

Michael Kassner

One of my sermons is to use Secunia and keep your computers patched. All drive-by droppers leverage a vulnerability in the OS or Web browser. There's not much else one can do, except be alert to added HTML or pop-up windows that are asking for information that you normally don't have to give.

robert.juric

It seems the only protection we have is to avoid those drive-by droppers by keeping our traffic legit.

Michael Kassner

I've been using WireShark/Ethereal since version 1. It's a great product. I just wish it worked better with wireless NICs.

bill.friday

Wireshark is open-source freeware that is available on Linux, Windows and U3. Once over the learning curve it's great!!

Dumphrey

are the best bet. Suspect computer and scanning computer on the hub, with a line leading to the internet. This will allow you to capture all the traffic. The Windows Packet Capture utility (download not installed by default) also works quite well, but I find filtering in Wireshark to be superior.

sohailniaz.khoso

Dear, what is your question? Tell me, I can Slow you Programming Language and Windows Problem. Thanx, Regards, Sohail Niaz Khoso +923337112989 From Pakistan Sukkur sohailniaz.khoso@gmail.com

Photogenic Memory

The GMER scan went fine. It's a nice tool too! The sophistication of rootkits is soooo unnerving.

D-EIKE

Does this mean that installing a boot manager like GRUB/LILO or something else prevents me from getting this rootkit?

jim-f

Thanks for your replies above. There are some good links there that I have not seen before. It seems to me that a very good tool would be a utility that runs from a boot disk that could analyze the MBR as to what it is actually loading. But this must be done without booting to the OS, of course (or the rootkit is active). Hence a boot disk like BART PE or such. I had a nasty run-in with a rootkit that I only detected by monitoring network traffic. Every sort of scan after booting to the OS (Windows XP) or from alternate boot disks and scanning with a command-line signature-based scanner all came up clean. There is more and scary data about that infection, but it made me start backing up the MBR, re-initializing the MBR, backing up the new MBR and comparing the two backups. All from a boot disk, of course. I don't trust commercial AV products to scan the MBR, and they would have to be run from a boot disk, not the OS. So it would be nice to have a utility for MBR analysis, backup, re-initialize etc. that would run from a boot disk like BART PE. I just don't have the knowledge of low-level programming for that.

seanferd

I hadn't actually looked up and read anything like an infection case study or anecdote about Sinowal et al. Great article. I like detective stories.

Michael Kassner

It seems a whole bunch safer. I use a known good version of GMER loaded from a USB key, not one downloaded from the Internet at that precise moment. It affords me the comfort that the version I'm using is intact and not compromised.

Understaffed

My work network is all Cisco-switched (standard IOS) and VLAN'd- I've tried using WireShark to observe network traffic, but because my admin desktop is connected to the switch, all I see is the traffic between my PC and whatever is being sent to/from it specifically. Does an affordable solution exist to allow me to see packets on a remote workstation? A friend set up Linux and EtherApe at one point, and it was pretty useful, but that too had to be plugged into a hub off the switch.

seanferd

This person is offering to help fix problems with bogged-down Windows machines. ?

Michael Kassner

Could you explain in some more detail as to what we can help you with?

Michael Kassner

That's what is a bit unnerving. It's like the Zero-day discussion we had. Zero-day is almost too late. The variant that gets found is dumped for a newer and stronger version. All that is required is the command and control servers to download the new domain names and such.

seanferd

and one that isn't too pervasive at that, albeit successful.

Michael Kassner

I always want to make sure everyone understands that this malware morphs so often, that nothing is really for sure.

seanferd

The rootkit may still be dropped on your system, but if certain requirements aren't met (Win XP bootloader and apparently some restrictions as to certain system file versions), it cannot fully infect your system and steal your banking info. If your system doesn't show itself as residing in certain geographical areas, sinowal may not even bother to infect. Since sinowal looks for particular code in particular sectors, and GRUB replaces that code with its own, sinowal would get lost or not attempt to install. Even though the Windows boot record is preserved elsewhere, this won't help sinowal. It's kind of limited that way.

Michael Kassner

Sinowal is one of a few that has had this much reverse engineering (by Peter) and then published. It's a good thing to be sure.

Michael Kassner

Hey, Sean. You should read my comment about Sandboxie from the developer. It looks like it would be a way of avoiding the phishing attack.

seanferd

Offline is the best way around operating systems and rootkits. Bootable USB flash drives are more flexible for this sort of thing as well (updating, etc.). I've been thinking about putting one or two together with my favorite tools when I've the time at some point. I just never seem to get around to doing some of these things.

Michael Kassner

It also is obviously required to use that version of GMER on a LiveCD.

seanferd

In general, I'd rather have the ability to scan offline, particularly if I don't want the machine network connected. In this instance, I particularly like the small & specific mbr.exe tool, in addition to GMER itself.

Neon Samurai

I remember reading about how to capture and analyse all at once. Wireshark can capture the traffic (cheers for clarifying EtherApe's damage) but can also use other capture devices. I was reading about wireless at the time, so you opened Wireshark, then pointed it at the wireless traffic capture program, and the two ran in tandem.

Neon Samurai

You can use something like tcpdump to capture the traffic then wireshark for the analysis. I'm sure it does capture also though.

Neon Samurai

Overwhelm a switch with the right traffic and it may default to behaving like a hub; traffic transfer is the primary objective and we can make use of that. ;)

seanferd

Angry IP Scanner is another.

pgit

BTW there is a command-line 'replayer,' tcpreplay. For the tcpdump purist.

pgit

Wireshark does save output; it's only EtherApe that has no facility to save its own output. But it does read tcpdump like a champ. It almost appears the authors intended it to be a file reader rather than a live sniffer; maybe there's a lot of overhead in saving to a file. But for a quick look at things, the graphic display is incredibly comprehensive. Running an arpscan concurrently with Wireshark can help with troubleshooting latency or other transport problems. nmap + Wireshark can help with service availability and performance. There's other tricks I've forgotten; been a while because everything has just been humming along so smoothly. =) (been lots of desktop malware work) But true to Tech Republic in general, and Mr. Kassner in particular, I now have a slew of new questions in my head... what is going on in that Cisco 3550 over there... ps-hope I didn't just jinx myself.

Michael Kassner

It's an article from Jack Wallen. You might be interested in this. http://articles.techrepublic.com.com/5100-10878_11-5031581.html "EtherApe's ability to read from a tcpdump file is good, because it allows an administrator to capture network traffic to a file and analyze that traffic either off-line or at a more convenient time. To take advantage of this feature, the tcpdump command, which will generate the file for EtherApe to read, must be employed with the -n and -w switches. The -n switch tells tcpdump not to resolve IP addresses, and the -w switch instructs tcpdump to write packets to a specified file instead of stdout. First, you have to capture the network traffic by dumping it to a file. To dump network traffic to a file, open a terminal window, su to root, and run the command /usr/sbin/tcpdump -n -w dump_file. Instead of getting your Bash prompt returned, you will see tcpdump: listening on eth0. Once you feel you have sufficient traffic saved to your file (running this command for two to five minutes will provide you with more than enough traffic), press [Ctrl]C, and the Bash prompt will return. Next, you'll open EtherApe and have it read the dump file. From the Bash prompt, enter the command etherape -r dump_file, and EtherApe will begin displaying the traffic listed in the file as if it were being captured in real time."

Michael Kassner

I forgot about that, I wonder if Etherape does that. I checked my notes and found that it's called a CAM attack: "The attack starts by having the attacker flood the network with forged gratuitous ARP packets that each contains unique source MAC addresses. This causes some switches to go into a hub-like mode forwarding all traffic to all ports. What happens is that once the CAM table is full, the traffic without a CAM entry floods on the local VLAN. The already existing traffic with existing entries in the CAM table will not be forwarded out on all of the ports. Now, with the traffic being broadcasted to everyone, there will be no trouble sniffing it."

Understaffed

When it was set up, it was on a Linux box- and I didn't know a dang thing about it (still don't). If there is a Win version, I'd be most interested in finding out about it! ;) I'd still have the problem of the switch vs. hub, but from what I'm seeing, that can be addressed

Neon Samurai

We'll have to see how close I guess but if you drop it on the switch then you have all the traffic at that point. Under the switch, you can spoof arp tables or convince the switch to behave like a hub; and you have all the traffic at that point.

Michael Kassner

I haven't heard of this application either. I also am very interested to hear how it captures all the traffic on a switch without spanning. If you have a second could you please go into more details.

Neon Samurai

I've never heard of Wireshark/EtherApe not saving output. I know it's the go-to app for analyzing precaptured .cap files and that it does packet capture also. It won't let you save the capture file though? Very strange.

pgit

Unfortunately you can't save any output from EtherApe. =( But I run it all the time and I see all the traffic on a given segment, through numerous switches. Are you running a Windows version? My system being Linux might be part of the difference. That and promiscuous mode on the adapter.

Michael Kassner

I get a little worried about crosstalk with the screw-down type. The twists are harder to keep when compared to the punch-down style.

brian

In a Cisco switch I think you can define a monitor port. It might degrade your network a lot... I would consider forcing all switch ports to link at a low bitrate like 10Mb, leaving only the links leading to your station as gigabit. Might be able to rate limit too... It's been a while since I dug through IOS options and I don't have access to a Cisco right now. The option I'm thinking of would automatically CC every incoming packet to your admin station, but not to other ports like a hub would. In a high-traffic situation, I don't know if switch performance would suffer or if it would simply only send the packets it could through your connection. (Giving you a good picture of traffic but not all packets.)

Understaffed

Not knowing into which black hole my bandwidth is disappearing, I wouldn't be able to use the physical methods below- to use them, one must already have a suspect machine. I have an entire network I don't trust right now... :/ Thanks for the info- looks like I picked the wrong week to stop smoking/drinking/sniffing glue!

seanferd

Much cheaper and somehow more elegant. I missed your earlier answer as I was having trouble getting comments to load, then managed to bypass it when the connection was working. Thanks! Very cool.

seanferd

I hadn't even thought about it from that angle. Cool.

seanferd

Please do tell me something about screw-type female RJ45 smart-jacks... I want to know. Even just a brand & part name/number. I'm very curious.

seanferd

Nice solution. I'm always wondering if you can do stuff like that with all sorts of connections anyway. Neat stuff.

lmnogoldfish

I gotta get me some of those! Thanks back! That will certainly save some grief and fingers. Now that you've released the scales from my eyes, I realize that one could just punch-wire 3 females together in a little box. Add 3 Cat 5/6 cables and Wireshark nirvana! About the wiring though, couldn't use the normal splits on the pairs. Just 1 to 1 to 1 2-2-2 etc. Thanks again for the article -- very good and informative.

Michael Kassner

I think the Y cable is a great idea. I always carry a hub, but as you mentioned, half duplex may be an issue. It might be easier to get one of those screw-type RJ45 female smart jacks and just tie all three cables together in the jack. Thanks for sharing.

lmnogoldfish

First, (if your switch supports it) you need to go into your switch and set the remote computer's switch port as the target of RMon (which would be set on your port). If your switch doesn't do RMon, you need a Y-cable. (Take two pieces of Cat5 or 6, connectorize one end of each, and then put one end that has BOTH of the other cables in it. Might have to try a few times to get the cable to work correctly, and find a 'forgiving' end big enough for two wires in each connection, but it will be worth it.) Connect the offending PC to the switch with one of the Ys, and your Wireshark PC on the other end. Voilà. (When looking for certain problems, hubs don't always pay off because the PC has to run half-duplex. Some network problems only occur in full-duplex and vice versa.)

idowu.ogunde

Yeah, you can monitor traffic from other Cisco switch ports by doing port spanning. Google "cisco port spanning" and that should give you links that will show you how to do it.
