David Nicol wrote:
I want to sniff all traffic on the upstream link at my installation. I have a wire that comes into my Cisco router from the CSU/DSU. The question is, is this wire a normal ethernet wire, so that I could plug it into a hub and plug the hub into the Cisco, that is, put a hub in line with it, or is it something else?
I already have the crossover cable for the new connection, if plugging the CSU/DSU wire into a hub is in fact copasetic.
If your upstream connection is cable, DSL, or some sort of metropolitan area Ethernet service (e.g. GigaMAN), then this would probably work. You say you have a CSU/DSU however, so I'm assuming your upstream is a T1 of some sort.
Unfortunately, trying to capture T1 traffic with Ethernet equipment won't work. The signaling used by CSU/DSUs is incompatible with Ethernet -- the frequencies, encodings, and algorithms are completely different. The plugs and (I think) pinouts are the same, but that's about it. Capturing data directly from a T1 requires expensive equipment from places like Network General or GL Communications.
Capturing data on the LAN side of your router is much cheaper and easier. The Ethereal wiki has a page on Ethernet capture at
http://wiki.ethereal.com/CaptureSetup_2fEthernet
Depending on your network you might have to apply some sort of capture filter to make sure you only catch data to and from your upstream connection. Something like
    ether host nn:nn:nn:nn:nn:nn and not ip host x.x.x.x \
        and not broadcast and not multicast
where nn:nn:nn:nn:nn:nn is the MAC address of your router's Ethernet port and x.x.x.x is the IP address of your router's Ethernet port should work.
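
The decision that filter makes, modelled in Python over constructed frames so it is visible which traffic is kept and which is dropped. This is an added example, not part of the original message; every MAC and IP address in it is a made-up sample, and it assumes untagged Ethernet II frames (no VLAN tags).

```python
import socket
import struct

# Constructed sample addresses (locally administered MACs, documentation IPs).
ROUTER_MAC, ROUTER_IP = "02:00:00:00:00:01", "192.0.2.1"
HOST_MAC, HOST_IP = "02:00:00:00:00:02", "192.0.2.10"
PEER_MAC, PEER_IP = "02:00:00:00:00:03", "192.0.2.11"
REMOTE_IP = "198.51.100.7"
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def eth(dst, src, ethertype, payload=b""):
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload

def ipv4(src, dst):
    # Minimal 20-byte IPv4 header; only the two address fields matter here.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def matches_upstream(frame, router_mac=ROUTER_MAC, router_ip=ROUTER_IP):
    """Return True where the capture filter would keep the frame."""
    if len(frame) < 14:
        return False
    dst, src = frame[0:6], frame[6:12]
    if mac_bytes(router_mac) not in (dst, src):       # ether host nn:..
        return False
    if dst[0] & 0x01:                                 # broadcast or multicast
        return False
    if frame[12:14] == b"\x08\x00" and len(frame) >= 34:
        rip = socket.inet_aton(router_ip)             # not ip host x.x.x.x
        if rip in (frame[26:30], frame[30:34]):
            return False
    return True

SAMPLES = {
    "outbound via router": eth(ROUTER_MAC, HOST_MAC, 0x0800, ipv4(HOST_IP, REMOTE_IP)),
    "inbound via router": eth(HOST_MAC, ROUTER_MAC, 0x0800, ipv4(REMOTE_IP, HOST_IP)),
    "to the router itself": eth(ROUTER_MAC, HOST_MAC, 0x0800, ipv4(HOST_IP, ROUTER_IP)),
    "LAN-local host to host": eth(PEER_MAC, HOST_MAC, 0x0800, ipv4(HOST_IP, PEER_IP)),
    "broadcast from router": eth(BROADCAST, ROUTER_MAC, 0x0806),
}

def classify():
    return {name: matches_upstream(frame) for name, frame in SAMPLES.items()}

if __name__ == "__main__":
    for name, kept in classify().items():
        print(("keep" if kept else "drop"), name)
```
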