To everyone who claims linksys hubs are switches, the guy in this http://seq.sourceforge.net/showthread.php?s=&threadid=444 thread is 100% correct.

Taken from the linksys page http://www.linksys.com/support/support.asp?spid=7#general down at the bottom of that section:

Switch VS. Hub. All Linksys Switches provide for Full-Duplex speed and cut down the traffic on the network by sending the packets only to the port on the workstation is to receive the information. The Linksys hubs only operate at Half-Duplex speed and they broad cast a packet to all the nodes on the network (the Auto- sensing hubs broadcast the 10Mb packets to the port that operate at 10Mb only and broadcast the 100Mb packets to the ports that operate at 100Mb only.

Linksys hubs will work fine for sniffing if you have your nics going the same speed. It just broadcasts traffic between 100/100 ports, and 10/10 ports - not 10 to 100 and vice versa. As your attorney I advise you to consult your system documentation to figure out how to set your nics into 10bTX - I use freebsd mostly, but I believe it can be accomplished in Linux easily if you load your nic driver as a module..hope this helps.

I hear this applies to netgear 10/100's too. I would guess something like that would be applicable to all 10/100 hubs.

to me, this seems semi-contradictory to what i have seen in the wild. i own two linksys hubs myself, both a newer one (8port) and an older one (5port). when i first set up my network, i did it in such a way that i could sniff packets and i thought nothing of it. i would see posts about people not being able to use their linksys hub as a hub and think they were stupid.

then, i moved and of course had to re-assemble my network. this time, i did it in a slightly different way and suddently (with the same hardware) i could no longer sniff packets at all. after going over everything i changed, i found some odd quarks with the linksys hubs.

IF everything on the hub runs at EITHER 10mbit OR 100mbit, it acts as a switch. i only have ONE device that is 10mbit and that is my router (which does NOT run seq). when this device was NOT hooked to the same hub as the eq/seq computers that run at 100mbit, i could NOT sniff traffic.

IF one device (but NOT your seq or eq) runs at the OTHER speed (ie, eq/seq == 100mbit and something is 10mbit) then for some reason the 100mbit planes and the 10mbit planes become hubs, BUT not between them.

i find it pretty hard to explain this, as i am not sure at ALL why it does this. i tested this three or four times when i discovered it because i thought it was retarded.

lemme see if i can draw a nice retarded diagram of my network, just cause i like ascii art!

[internet] -> [10mbit eth0 router 10mbit eth1] -> [hub1] -> [hub2]

[hub1] -> 10mbit odinseye box, 100mbit seq box, 100mbit computers

[hub2] -> 100mbit computers

now, since the 10mbit router is hooked to hub1 it becomes a hub on the 100mbit portion and the 10mbit portion. one sniffer runs at 100mbit, the other at 10mbit. since data travels between the 10 and 100mbit to go from network -> internet the 10mbit sniffer can actually sniff. if i were to hook it to hub2, it would make any 100mbit device on hub2 able to sniff but NOT the 10mbit device itself. i don't know why this is!

That is pretty whacky. Myself, I just have a 5 port linksys autoswitching hub, my fbsd router/firewall has 2 nics, both running at 10mb, my other freebsd machine that runs showeq runs at 100mb, and my xp box runs at 100mb.

Wasn't sniffing any traffic from the fw -> xp machine on my other fbsd machine, knew that linksys claimed to be a hub, so I started poking around. Then I changed the speeds on -all- my nics to 10bTX and I can sniff like there ain't no tomorrow.

As for your situation, it makes my head hurt hehe. Something funky with autosensing and the uplink port between hubs? I saw some other stuff on linksys's site about it, can't remember specifically where. Here's their faq site if it helps: http://www.linksys.com/faqs/ They suck pretty bad

A showeq version with ettercap type source ported in would be cool. It claims to be a switched network packet sniffer (that part of it actually works) - along with a bunch of other things (which mostly don't). http://ettercap.sourceforge.net/ if you're interested, or just bored. (The code for that is pretty ugly and Strange)

I haven't even really looked at seq source much yet, just started playing with it a few days ago.

I'm with fryfrog here, I have tested 2 Linksys "hubs" which do not work for packet sniffing in the exact configuration as my two Netgear hubs which do.

I think fryfrog is close to the issue, when only one plane is in use, it switches that plane. When both planes are in use, it switches between the planes (and both planes broadcast to themselves). I have not tested this in the wild, but as I said above, I have tested the same configuration with different 10/100 "hubs" and the Linksys ones have failed.

For new people that are going out to buy hubs and dont have complex setups like some other people around here, I would highly recommend getting a Netgear hub. (EN106 and DS104 both work with all 100Mbit devices). Quite a few people have posted here with problems using an off the shelf linksys, these problems were then fixed by switching to another hub.

If you're buying a new hub for this stuff, definitely go with the ones that people have gotten to work with no problem. I just posted what I dug up for people who were stuck with a linksys autosensing 10/100 who don't want to go out and buy a new one without trying a few things to get it working first..

A friend of mine has an 8port linksys hub, going to see if he can get it sniffing traffic between ports or not. I'll post the result here at some point

I have to say that I have experienced the same thing as Fryfrog and High_jeeves. I setup showeq at my Brothers place and he had a 10/100 linksys 5port "hub" and in every configuration I tried it would not sniff packets.

I tried All systems at 100Mb (this was how they were setup initially). Then all systems at 10Mb. Then the showeq box at 100MB withe EQ box at 10Mb and Vice Versa.... Not matter what I did it was a no go... oh well..... /shrug

We ended up going down to the local Mom-&-Pop PC store and bought a 10baseT 8 port hub for like $8 and it work without a hitch...

Originally posted by yassar
A friend of mine has an 8port linksys hub, going to see if he can get it sniffing traffic between ports or not. I'll post the result here at some point

Whether it works or not could you post the Model number of that hub so people know exactly what to buy or not.

"IF everything on the hub runs at EITHER 10mbit OR 100mbit, it acts as a switch"

Please stop this insanity. I'm not sure why this keeps coming up, but....A hub cannot ACT as a switch, It's either a hub OR a switch. Just as the original poster stated, the only difference between a hub and a switch is that "it cuts down the traffic on the network by sending the packets only to the port on the workstation is to receive the information", that's it, nothing more. A hub sends broadcasts through to all nodes on that hub. That's why a hub will allow the SEQ machine to sniff and a switch won't.

Also, autosensing between 10Mb and 100Mb has NOTHING to do with it being a hub or a switch.

Look in your documentation, somewhere it will say, "oh by the way, I'm a switch"...you can't go by what the box tells you sometimes. Check online if you have to or give me the model number, I'll look it up.

I really hate to keep harping on this, but it's getting to the point it's being asked more times than "where can I download SEQ/libeq.a?"

Ummm, thanks for the input. I think when he says a hub ACTS like a switch he means something clearly marked as a hub IS a switch in certain configurations. Something along the lines of, "My car acts like a steamroller when it hits a cat." Obviously I'm not implying I'm driving a steamroller... but I digress.

Actually Ataal, while a hub cant act as a switch, a switch can act like a hub (most "real" switches allow ports to listen in on other ports traffic as a configuration option).

I think the point here is, some of the "hubs" are really switches, but in certain configurations can be forced to broadcast packets. I was in a bestbuy today, and i looked at the "hub" aisle, many of these devices (the linksys in particular) are listed as switching hubs or just hubs (although the fine print describes them as a switch). My guess it that this is done because 99.9% of the people who buy these devices dont care either way.

Managed Switches are not cheap. They are the ones that tend to have the feature to span/mirror traffic from one port to another and most likely won't be found in your $30 unmanaged off-the-shelf switch.

I agree, I wasnt suggesting that the cheap off the shelf switches are manageable, but was simply using it as an example of how a switch can act like a hub. I am not suggesting that anyone go spend $25K on a SonicWall or something for their ShowEQ network :)

Ataal, go buy one of these linksys "hubs" and see for yourself. i'm not stupid, i KNOW what a hub is and i KNOW what a switch is. i also know how these two SHOULD behave. when i hook up a linksys hub in certain ways, i can make it ACT like a hub or i can make it ACT like a switch. end of story. its not "insanity" it is how it actually works in real life. so until you go buy one of these stupid hub-switches, just spouting off the theory behind hubs and switches doesn't really help anyone.

I sent off an email to linksys in hopes of getting some clarification. Ataal, read what I said, and pasted from linksys's site. The 10/100 autosensing hub claims to broadcast traffic between 10/10 ports and 100/100 ports, but not 10/100 and vice versa. Like monster69 said in a post I linked to:

"The less expensive 10/100 hubs are basically 2 devices in one. there is a 10Mb hub and and 100Mb hub attached to each port. the port autosenses the speed and connects to the appropriate hub. In the back of the unit is a switch that handles traffic flow between the 10Mb side and the 100Mb side."

That is in line with what linksys says here. http://www.linksys.com/support/support.asp?spid=7#general

This has been the case with my linksys hub, model number EFAH05W 5 port autosensing 10/100. This is not to say that you should choose this hub over one that works with no problem if you're buying a new one. Another interesting thing that this thing will do is, with everything at different speeds, if you plug a cable into the uplink port then the machine you wanna sniff stuff with, it'll show all traffic (which makes sense as it has to broadcast it to the segment it's linking to).

Empirical data suggests there is some problem with linksys hubs not broadcasting traffic in general, fryfrog sounds like a clued individual who has done some testing to replicate situations it will broadcast traffic like a hub, and situations it will not. Obviously there is -some- problem with the linksys hubs not behaving like a true hub, otherwise we wouldn't be here.

I was simply trying to present a few options for people with linksys hubs that aren't sniffing traffic, other than buying a new hub. Right now I'm waiting for an authoritive response back from linksys that might clear this up for everyone, don't hold your breath though. Will post any reply here.

wow, your point about the uplink port is an awsome one that i never thought of before. i know that usually the uplink port is shared with another port, i wonder if that counts? if you use the uplink port to goto a normal computer i would assume you need a crossover cable, but i'm not sure. i'll have to check and see which ports my sniffing computers are hooked up to.