-
May 28th, 2004, 05:01 PM
#11
I think there is or is going to be something about Ettercap in the AO newsletter, done by msmittens, I think....
so that'd be worth checking out
i2c
-
May 28th, 2004, 10:14 PM
#12
oyao:
Note: Google the names I mention to find the applications.
My personal favorite sniffer is Ethereal but there are plenty of others such as Windump and TCPdump that are very functional and tend to use compatible output formats.
Sniffing is accomplished by putting the network card into promiscuous mode - not all cards can be put into this mode so it won't always work but most cards can be dropped into it by using LibPCap or WinPCap.
A NIC in "normal" mode only passes packets destined for its own MAC address or broadcast packets up through the system for processing. Thus sniffing without being in promiscuous mode is like eavesdropping on your own phone call - It may have some uses but it isn't nearly as much fun as eavesdropping on someone else's...
I won't try to explain everything in the packet dump below. If you have questions ask them and I'll explain what I can.
I can tell you that the source machine is 192.168.1.102, (a Windows XP laptop). The destination machine was 192.168.1.1, (a Linksys wireless router/firewall). The command issued to create the packets sent and received was:
ping 192.168.1.1
For brevity what you see is an ICMP Echo_Request, (Type 8), with its associated ICMP Echo_Response, (Type 0), making a total of two packets in all. If you read it line by line and do a bit of "Googling" it actually makes a bit of sense......
Note: Ethereal calls the packets "Frames" thus the first packet is "Frame 1" and the second is "Frame 2".
Begin text
===============
Frame 1 (74 bytes on wire, 74 bytes captured)
Arrival Time: May 28, 2004 16:52:15.311919000
Time delta from previous packet: 0.000000000 seconds
Time since reference or first frame: 0.000000000 seconds
Frame Number: 1
Packet Length: 74 bytes
Capture Length: 74 bytes
Ethernet II, Src: 00:06:25:43:41:19, Dst: 00:06:25:a4:24:44
Destination: 00:06:25:a4:24:44 (LinksysG_a4:24:44)
Source: 00:06:25:43:41:19 (LinksysG_43:41:19)
Type: IP (0x0800)
Internet Protocol, Src Addr: 192.168.1.102 (192.168.1.102), Dst Addr: 192.168.1.1 (192.168.1.1)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 60
Identification: 0x1007 (4103)
Flags: 0x00
0... = Reserved bit: Not set
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: ICMP (0x01)
Header checksum: 0xa702 (correct)
Source: 192.168.1.102 (192.168.1.102)
Destination: 192.168.1.1 (192.168.1.1)
Internet Control Message Protocol
Type: 8 (Echo (ping) request)
Code: 0
Checksum: 0x4a5c (correct)
Identifier: 0x0200
Sequence number: 0x0100
Data (32 bytes)
0000 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 abcdefghijklmnop
0010 71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69 qrstuvwabcdefghi
Frame 2 (74 bytes on wire, 74 bytes captured)
Arrival Time: May 28, 2004 16:52:15.314535000
Time delta from previous packet: 0.002616000 seconds
Time since reference or first frame: 0.002616000 seconds
Frame Number: 2
Packet Length: 74 bytes
Capture Length: 74 bytes
Ethernet II, Src: 00:06:25:a4:24:44, Dst: 00:06:25:43:41:19
Destination: 00:06:25:43:41:19 (LinksysG_43:41:19)
Source: 00:06:25:a4:24:44 (LinksysG_a4:24:44)
Type: IP (0x0800)
Internet Protocol, Src Addr: 192.168.1.1 (192.168.1.1), Dst Addr: 192.168.1.102 (192.168.1.102)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 60
Identification: 0x1007 (4103)
Flags: 0x00
0... = Reserved bit: Not set
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 150
Protocol: ICMP (0x01)
Header checksum: 0x9102 (correct)
Source: 192.168.1.1 (192.168.1.1)
Destination: 192.168.1.102 (192.168.1.102)
Internet Control Message Protocol
Type: 0 (Echo (ping) reply)
Code: 0
Checksum: 0x525c (correct)
Identifier: 0x0200
Sequence number: 0x0100
Data (32 bytes)
0000 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 abcdefghijklmnop
0010 71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69 qrstuvwabcdefghi
============
End text
Hope this helps some.... Ask away.....
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
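To go one step beyond reading the dump, here is an added example (my own code, not part of Tiger Shark's post or of Ethereal) that rebuilds the two frames above byte-for-byte from the decoded fields, dissects the Ethernet II / IPv4 / ICMP layers by hand, and recomputes the IP header and ICMP checksums the way Ethereal does when it prints "(correct)". It also pairs the Echo Reply with its Echo Request by identifier, sequence number and swapped addresses, which is the same matching a ping client or an IDS does. The frame bytes are reconstructed from the post and labelled as such in the code; everything else is plain standard-library Python.

```python
import struct

# Constructed input: Frame 1 and Frame 2 from the dump above, rebuilt from the
# fields Ethereal decoded. The 32-byte payload is the alphabet pattern the
# Windows ping client sends (and the router echoes back unchanged).
PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"

FRAME1 = bytes.fromhex(
    "000625a42444"        # Ethernet dst 00:06:25:a4:24:44 (the router)
    "000625434119"        # Ethernet src 00:06:25:43:41:19 (the laptop)
    "0800"                # EtherType: IP
    "4500003c10070000"    # IPv4: ver 4/IHL 5, DSCP 0, len 60, id 0x1007, flags 0
    "8001a702"            # TTL 128, proto 1 (ICMP), header checksum 0xa702
    "c0a80166c0a80101"    # 192.168.1.102 -> 192.168.1.1
    "08004a5c02000100"    # ICMP type 8, code 0, checksum 0x4a5c, id 0x0200, seq 0x0100
) + PAYLOAD

FRAME2 = bytes.fromhex(
    "000625434119000625a424440800"
    "4500003c10070000"
    "96019102"            # TTL 150, proto 1, header checksum 0x9102
    "c0a80101c0a80166"    # 192.168.1.1 -> 192.168.1.102
    "0000525c02000100"    # ICMP type 0 (reply), checksum 0x525c, same id/seq
) + PAYLOAD


def inet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit big-endian words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def dissect(frame: bytes) -> dict:
    """Decode Ethernet II / IPv4 / ICMP headers and recompute both checksums."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame: EtherType 0x%04x" % ethertype)
    ip = frame[14:]
    ver_ihl, _dscp, total_len, ident, _flags_frag, ttl, proto, ip_cksum = \
        struct.unpack("!BBHHHBBH", ip[:12])
    if ver_ihl >> 4 != 4 or proto != 1:
        raise ValueError("expected IPv4 carrying ICMP")
    ihl = (ver_ihl & 0x0F) * 4
    # Both checksums are computed with their own field zeroed.
    ip_computed = inet_checksum(ip[:10] + b"\x00\x00" + ip[12:ihl])
    icmp = ip[ihl:total_len]
    icmp_type, code, icmp_cksum, icmp_id, icmp_seq = struct.unpack("!BBHHH", icmp[:8])
    icmp_computed = inet_checksum(icmp[:2] + b"\x00\x00" + icmp[4:])
    return {
        "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
        "src_ip": ".".join(str(b) for b in ip[12:16]),
        "dst_ip": ".".join(str(b) for b in ip[16:20]),
        "ip_id": ident, "ttl": ttl,
        "ip_checksum": ip_cksum, "ip_checksum_computed": ip_computed,
        "icmp_type": icmp_type, "icmp_code": code,
        "icmp_checksum": icmp_cksum, "icmp_checksum_computed": icmp_computed,
        "icmp_id": icmp_id, "icmp_seq": icmp_seq,
        "payload": icmp[8:],
    }


def is_matching_reply(request: dict, reply: dict) -> bool:
    """True when `reply` is the Echo Reply answering `request` (id, seq and addresses pair up)."""
    return (request["icmp_type"] == 8 and reply["icmp_type"] == 0
            and reply["icmp_id"] == request["icmp_id"]
            and reply["icmp_seq"] == request["icmp_seq"]
            and reply["src_ip"] == request["dst_ip"]
            and reply["dst_ip"] == request["src_ip"]
            and reply["payload"] == request["payload"])


if __name__ == "__main__":
    decoded = []
    for name, frame in (("Frame 1", FRAME1), ("Frame 2", FRAME2)):
        d = dissect(frame)
        decoded.append(d)
        print("%s (%d bytes): %s -> %s  ICMP type %d  id 0x%04x  seq 0x%04x  TTL %d" % (
            name, len(frame), d["src_ip"], d["dst_ip"],
            d["icmp_type"], d["icmp_id"], d["icmp_seq"], d["ttl"]))
        print("  IP header checksum 0x%04x (%s), ICMP checksum 0x%04x (%s)" % (
            d["ip_checksum"], "correct" if d["ip_checksum"] == d["ip_checksum_computed"] else "BAD",
            d["icmp_checksum"], "correct" if d["icmp_checksum"] == d["icmp_checksum_computed"] else "BAD"))
    print("Frame 2 answers Frame 1:", is_matching_reply(decoded[0], decoded[1]))
```

Two things worth noticing when you run it: the recomputed checksums come out to exactly the 0xa702 / 0x4a5c and 0x9102 / 0x525c that Ethereal printed, and the only fields that differ between the two frames are the swapped MAC and IP addresses, the TTL (128 from the XP box, 150 from the router) and the ICMP type, which is why the IP identification and the 32-byte payload look identical in both.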
-
May 29th, 2004, 12:15 AM
#13
Can you explain the sniffing process by using a tool and show an example?
Hey,
Read the tut again then use a search engine to answer some questions you may have....you'll be surprised what you find.
Kudos...Good tutorial
edit - ...Or just read Tiger Shark's reply
NORML