
Thread: Eavesdropping

  1. #11
    Senior Member
    Join Date
    Jul 2003
    Posts
    634
    I think there is or is going to be something about Ettercap in the AO newsletter, done by msmittens, I think....

    so that'd be worth checking out

    i2c

  2. #12
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    oyao:

    Note: Google the names I mention to find the applications.

    My personal favorite sniffer is Ethereal but there are plenty of others such as Windump and TCPdump that are very functional and tend to use compatible output formats.

    Sniffing is accomplished by putting the network card into promiscuous mode - not all cards can be put into this mode so it won't always work but most cards can be dropped into it by using LibPCap or WinPCap.

    A NIC in "normal" mode only passes packets destined for its own MAC address or broadcast packets up through the system for processing. Thus sniffing without being in promiscuous mode is like eavesdropping on your own phone call - it may have some uses but it isn't nearly as much fun as eavesdropping on someone else's...

    I won't try to explain everything in the packet dump below. If you have questions ask them and I'll explain what I can.

    I can tell you that the source machine is 192.168.1.102 (a Windows XP laptop). The destination machine was 192.168.1.1 (a Linksys wireless router/firewall). The command issued to create the packets sent and received was:

    ping 192.168.1.1

    For brevity, what you see is an ICMP Echo_Request (Type 8) with its associated ICMP Echo_Response (Type 0), making a total of two packets in all. If you read it line by line and do a bit of "Googling" it actually makes a bit of sense......

    Note: Ethereal calls the packets "Frames" thus the first packet is "Frame 1" and the second is "Frame 2".

    Begin text
    ===============

    Frame 1 (74 bytes on wire, 74 bytes captured)
    Arrival Time: May 28, 2004 16:52:15.311919000
    Time delta from previous packet: 0.000000000 seconds
    Time since reference or first frame: 0.000000000 seconds
    Frame Number: 1
    Packet Length: 74 bytes
    Capture Length: 74 bytes
    Ethernet II, Src: 00:06:25:43:41:19, Dst: 00:06:25:a4:24:44
    Destination: 00:06:25:a4:24:44 (LinksysG_a4:24:44)
    Source: 00:06:25:43:41:19 (LinksysG_43:41:19)
    Type: IP (0x0800)
    Internet Protocol, Src Addr: 192.168.1.102 (192.168.1.102), Dst Addr: 192.168.1.1 (192.168.1.1)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    0000 00.. = Differentiated Services Codepoint: Default (0x00)
    .... ..0. = ECN-Capable Transport (ECT): 0
    .... ...0 = ECN-CE: 0
    Total Length: 60
    Identification: 0x1007 (4103)
    Flags: 0x00
    0... = Reserved bit: Not set
    .0.. = Don't fragment: Not set
    ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: ICMP (0x01)
    Header checksum: 0xa702 (correct)
    Source: 192.168.1.102 (192.168.1.102)
    Destination: 192.168.1.1 (192.168.1.1)
    Internet Control Message Protocol
    Type: 8 (Echo (ping) request)
    Code: 0
    Checksum: 0x4a5c (correct)
    Identifier: 0x0200
    Sequence number: 0x0100
    Data (32 bytes)

    0000 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 abcdefghijklmnop
    0010 71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69 qrstuvwabcdefghi

    Frame 2 (74 bytes on wire, 74 bytes captured)
    Arrival Time: May 28, 2004 16:52:15.314535000
    Time delta from previous packet: 0.002616000 seconds
    Time since reference or first frame: 0.002616000 seconds
    Frame Number: 2
    Packet Length: 74 bytes
    Capture Length: 74 bytes
    Ethernet II, Src: 00:06:25:a4:24:44, Dst: 00:06:25:43:41:19
    Destination: 00:06:25:43:41:19 (LinksysG_43:41:19)
    Source: 00:06:25:a4:24:44 (LinksysG_a4:24:44)
    Type: IP (0x0800)
    Internet Protocol, Src Addr: 192.168.1.1 (192.168.1.1), Dst Addr: 192.168.1.102 (192.168.1.102)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    0000 00.. = Differentiated Services Codepoint: Default (0x00)
    .... ..0. = ECN-Capable Transport (ECT): 0
    .... ...0 = ECN-CE: 0
    Total Length: 60
    Identification: 0x1007 (4103)
    Flags: 0x00
    0... = Reserved bit: Not set
    .0.. = Don't fragment: Not set
    ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 150
    Protocol: ICMP (0x01)
    Header checksum: 0x9102 (correct)
    Source: 192.168.1.1 (192.168.1.1)
    Destination: 192.168.1.102 (192.168.1.102)
    Internet Control Message Protocol
    Type: 0 (Echo (ping) reply)
    Code: 0
    Checksum: 0x525c (correct)
    Identifier: 0x0200
    Sequence number: 0x0100
    Data (32 bytes)

    0000 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 abcdefghijklmnop
    0010 71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69 qrstuvwabcdefghi

    ============
    End text

    Hope this helps some.... Ask away.....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
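    The dissection above is what a sniffer does with the raw bytes once the NIC hands them up: split the frame into Ethernet, IP and ICMP headers and recompute each checksum over the received bytes. The example below is an added illustration, not part of Tiger Shark's post: it rebuilds both 74-byte frames purely from the field values shown in the Ethereal tree (the MACs, IPs, TTLs, IP ID, ICMP identifier/sequence and the 32-byte payload), then parses them back and checks that the recomputed IP and ICMP checksums come out to the 0xa702 / 0x4a5c and 0x9102 / 0x525c values Ethereal reports as "correct". The helper names (`internet_checksum`, `build_echo_frame`, `parse_frame`) are mine, and the identifier and sequence are passed as the big-endian values Ethereal displays so the wire bytes match the dump.

```python
import socket
import struct

# Values reconstructed from the two Ethereal frames in the post above.
# Only the field values come from the dump; the helper names are mine.
SRC_MAC = "00:06:25:43:41:19"   # Windows XP laptop
DST_MAC = "00:06:25:a4:24:44"   # Linksys router/firewall
LAPTOP, ROUTER = "192.168.1.102", "192.168.1.1"
PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"   # the 32-byte Windows ping data


def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's complement of the one's-complement sum of the
    16-bit big-endian words. Run over a header whose checksum field already
    holds the right value, it returns 0; that is how a receiver verifies it."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                     # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo_frame(src_mac, dst_mac, src_ip, dst_ip, ttl, ip_id,
                     icmp_type, ident, seq, payload):
    """Assemble Ethernet II + IPv4 + ICMP echo bytes, filling in both checksums."""
    icmp_body = struct.pack("!HH", ident, seq) + payload
    icmp_ck = internet_checksum(struct.pack("!BBH", icmp_type, 0, 0) + icmp_body)
    icmp = struct.pack("!BBH", icmp_type, 0, icmp_ck) + icmp_body
    # version 4 / IHL 5, DSCP 0, total length, ID, flags+offset 0, TTL,
    # protocol 1 (ICMP), checksum (filled below), source, destination
    ip_fields = [0x45, 0, 20 + len(icmp), ip_id, 0, ttl, 1, 0,
                 socket.inet_aton(src_ip), socket.inet_aton(dst_ip)]
    ip_fields[7] = internet_checksum(struct.pack("!BBHHHBBH4s4s", *ip_fields))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", *ip_fields)
    eth = (bytes.fromhex(dst_mac.replace(":", ""))
           + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00")  # Type: IP
    return eth + ip_hdr + icmp


def parse_frame(frame: bytes) -> dict:
    """Dissect a frame the way the Ethereal tree above does and verify both
    checksums by recomputing them over the bytes actually received."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not IPv4: ethertype 0x%04x" % ethertype)
    ip = frame[14:]
    (ver_ihl, _dscp, total_len, ip_id, _frag, ttl, proto,
     ip_ck, s_ip, d_ip) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len > len(ip):
        raise ValueError("malformed IPv4 header")
    if proto != 1:
        raise ValueError("not ICMP: protocol %d" % proto)
    icmp = ip[ihl:total_len]
    icmp_type, _code, icmp_ck, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return {
        "src_mac": ":".join("%02x" % b for b in src),
        "dst_mac": ":".join("%02x" % b for b in dst),
        "src_ip": socket.inet_ntoa(s_ip),
        "dst_ip": socket.inet_ntoa(d_ip),
        "ttl": ttl,
        "ip_id": ip_id,
        "ip_checksum": ip_ck,
        "ip_checksum_ok": internet_checksum(ip[:ihl]) == 0,
        "icmp_type": icmp_type,
        "icmp_checksum": icmp_ck,
        "icmp_checksum_ok": internet_checksum(icmp) == 0,
        "identifier": ident,
        "sequence": seq,
        "payload": icmp[8:],
    }


# Frame 1: echo request laptop -> router; Frame 2: echo reply router -> laptop
FRAME1 = build_echo_frame(SRC_MAC, DST_MAC, LAPTOP, ROUTER, ttl=128, ip_id=0x1007,
                          icmp_type=8, ident=0x0200, seq=0x0100, payload=PAYLOAD)
FRAME2 = build_echo_frame(DST_MAC, SRC_MAC, ROUTER, LAPTOP, ttl=150, ip_id=0x1007,
                          icmp_type=0, ident=0x0200, seq=0x0100, payload=PAYLOAD)

if __name__ == "__main__":
    for n, frame in ((1, FRAME1), (2, FRAME2)):
        p = parse_frame(frame)
        print("Frame %d (%d bytes): %s -> %s TTL %d | IP cksum 0x%04x ok=%s | "
              "ICMP type %d cksum 0x%04x ok=%s"
              % (n, len(frame), p["src_ip"], p["dst_ip"], p["ttl"],
                 p["ip_checksum"], p["ip_checksum_ok"],
                 p["icmp_type"], p["icmp_checksum"], p["icmp_checksum_ok"]))
```

    Running it prints the two frames with both checksums flagged ok; flipping any header byte (say the TTL) makes the corresponding `*_checksum_ok` flag false, which is exactly the "(correct)" annotation Ethereal attaches. The differing TTLs (128 from the XP laptop, 150 from the router) are also a reminder that a passive listener learns the operating system and hop distance of both ends without sending a single packet.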

  3. #13
    Senior Member
    Join Date
    Mar 2004
    Posts
    111
    Can you explain the sniffing process by using a tool and show an example?
    Hey,

    Read the tut again then use a search engine to answer some questions you may have....you'll be surprised what you find.

    Kudos...Good tutorial


    edit - ...Or just read Tiger Shark's reply
    NORML

