Sniffing somewhere in the internet
Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: Sniffing somewhere in the internet

  1. #1
    Junior Member
    Join Date
    Sep 2002
    Posts
    20

    Sniffing somewhere in the internet

    I was wondering something.. When i read that people sniff tcp/ip packet on the net, they have to be physically at a provider place, hu ? I mean if they did not break into a provider router, how can you sniff packet from the net then ? I did it on a LAN, but if I want to sniff packet that goes to A0L members for example, i would have to be somewhere in A0L network, hu ?

    thank for the answere
    Code free or die.

  2. #2
    Senior Member Unl3Ashed's Avatar
    Join Date
    Aug 2002
    Posts
    103
    I am not sure, may be I am wrong, But as far as I know the packet sniffing can ONLY be take place in ISPs, I mean those who are between you and AOL. Correct me if I'm wrong. Thanks.

    Cheers
    "Two things are infinite: the universe and human stupidity; and I'm not sure about the the universe."
    - Albert Einstein

  3. #3
    Junior Member
    Join Date
    Sep 2002
    Posts
    20
    Yeah, this is what I though, unless you hacked a box at your ISP or just before the place you want to sniff.. Thank you for confirming that :-)
    Code free or die.

  4. #4
    Senior Member SodaMoca5's Avatar
    Join Date
    Mar 2002
    Posts
    236

    Packet Sniffer

    A packet sniffer can only analyze data that goes through the machine it is set up on. If you load a local software version it will be able to access any packet that comes into or out of your machine. This includes all broadcasts and direct communication. If you are connected to a hub (I.E. you are using shared vs. switched technology) you can capture all of the data into and out of that hub because it all comes to your machine and is either accepted or rejected. However with a properly set high end switch (with layer three switching on) you will not see direct transmissions to the other ports. If you have control of the switch you can mirror other ports to your own. This can overload your connection since you will be having the potential bandwidth of all of the ports you are mirroring hitting yours alone. Also, one caveat to the hub. Many 10/100 hubs actually are two hubs bridged together. So if you are running at 100 mbps you will only see the direct traffic on the 100 mbps ports, same with 10 mbps.

    With a router you will only get information on the subnets it supports. However, since you are "in" the router you really won't be capturing raw packet data except through the router's own interface. You need to have a sniffing device or machine on the ports leading to the router to get all of the raw data. If you control the router you can set traps to inform you when certain conditions or packets are being sent through it.

    I am assuming you would really want this on your own network. So using strategically placed sniffers you can check traffic on your network or use them to troubleshoot problems. However, they should be placed on subnets or multinetted segments and you need to be careful what type of device you are connecting to ensure you get the information you are looking for.

    BTW I would certainly consider it a black hat attack if I found someone had loaded a packet sniffer on my network with out my permission.
    SodaMoca5
    \"We are pressing through the sphincter of assholiness\"

  5. #5
    Junior Member
    Join Date
    Sep 2002
    Posts
    20
    hi :-)

    Yeah, this is what I though.
    I was wondering myself about those who clamed to sniff some packet going to a corporation. At my point, to do so, you HAD to run something like tcpdump / ethereal / whatever on a box that is bedofre the corporation router (wich you call black hat attack/sniff), OR you HAD to be at the provider and put a sniffer somewhere, in promiscious mode (?) and tell the switch to broadcast all the ports on your ports.

    am i right on this one ?

    thanks
    Code free or die.

  6. #6
    Senior Member SodaMoca5's Avatar
    Join Date
    Mar 2002
    Posts
    236
    If I understand your comment right, yes. I think you are understanding it correctly.
    SodaMoca5
    \"We are pressing through the sphincter of assholiness\"

  7. #7
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    an arp flood can be done to some switchs, effectively turning them into hubs.

    TCP Packets can be constructed to confuse a router into sending all communucation threw you.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  8. #8
    Senior Member
    Join Date
    Jul 2002
    Posts
    225
    Yes tedob1 there are many good tools that do that, such as dsniff, and my current fave, ettercap. This is an element of the infamous man-in-the-middle attack. Through arp cache poisoning, you can make YOUR machine effectively get treated as the default gateway on a switch, and then forward all packets to the actual gateway.
    \"Now it\'s time to erase the story of our bogus fate. Our history as it\'s portrayed is just a recipe for hate!\"
    -Bad Religion

  9. #9
    Senior Member
    Join Date
    Aug 2002
    Posts
    651
    I think that when our LAN/WAN team here needs to monitor all traffic on a switch (across VLANs, I believe), they setup I think what they call a span port so that they can catch all of the traffic. Feel free to correct my wording. As you can tell, I don't have experience in this area.
    Opinions are like holes - everybody\'s got\'em.

    Smile

  10. #10
    Junior Member
    Join Date
    Sep 2002
    Posts
    20
    this is the right word.
    when use plug computers into a hub, any port can listen in 'promiscious' mode because the packets are broadcasted. In a switch, the switch know where the packet from computer A has to go to reach computer B, so there is no more broadcast. If you want to listen to everybody, then you need to create a 'span port' wich will be abble to read all packet from everyports. :-)
    Code free or die.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •