packet sniffing remote computer
Results 1 to 8 of 8

Thread: packet sniffing remote computer

  1. #1
    Member
    Join Date
    Apr 2003
    Posts
    95

    packet sniffing remote computer

    Just been playing about with a packet sniffer (Ethereal) andim amazed by the things it pulls up. I was wondering if its possible to packet sniff a remote computer. I know you could have a computer in promocius(spelling?) mode on a LAN but could a Cracker sniff packets from my computer over the internet? lol doing this has really made me relise the importance of encryption

  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    You could try to use an ssh tunnel.

    Something like

    # ssh some.host tcpdump -w -F - | tcpdump -r -F -

    Please note that if you have just 1 nic on the remote host you will also sniff your own ssh session
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #3
    Member
    Join Date
    Apr 2003
    Posts
    95
    aha thx SirDice i will try that

  4. #4
    Senior Member
    Join Date
    Oct 2002
    Posts
    314
    As far as I am aware the answer is no, you cannot do that unless you can get on the connection before it leaves the external router, as once it does that then who knows where it will go. So to sniff traffic coming from someone somewhere else either take over their computer, or a network device that they go through, otherwise it won`t work.
    Quis custodiet ipsos custodes

  5. #5
    Junior Member
    Join Date
    Apr 2003
    Posts
    3
    Absolutely correct, you cannot sniff a remote machine because you can´t see the traffic because by default routers break the broadcast domains. So you can only see the traffic on your side of a router.

    Now if you have a DSL or Cable connection and DHCP with only 1 IP address from your ISP how can you sniff the, for want of a better term, local subnet from your ISP?

    Do this (assuming you have a 2nd router of your own doing NAT so you can have several PC's sharing your single IP):

    You must place the sniffer just behind of the cable modem/DSL router to see traffic there. In order to do this you must set up a PC with two NIC's and configure it to accept traffic from the cable modem/DSL router on the 1st NIC. Then sniff all traffic and pass thru all ports to the 2nd NIC. Then connect your internal router to the 2nd NIC and configure it to accept that as input (WAN side). This is easily done with a cheap Linux box.

    Basically you've turned the PC into a router that will passthru all traffic for your IP, but will sniff all traffic on your ISP's local subnet. The configuration looks like this:

    internet<--->cable modem<--->1st NIC in (Router PC) 2nd NIC out <---> Internal Router<--->other PC's you own

    Now you will only see traffic on your ISP's local subnet for your loop. That may be anywhere from 1 to several thousand PC's. Be aware that it *is* possible for them to detect you, or any passive sniffer. Also many ISPs are isolating by creating small subnets to minimize home sniffers.

  6. #6
    Member
    Join Date
    Apr 2003
    Posts
    95
    thanks for clearing that up

  7. #7
    Senior Member
    Join Date
    Dec 2003
    Location
    Pacific Northwest
    Posts
    1,675
    well done Daremo,

    By some means you must be on the same network! How you get there determines how long you and the jailer have a relationship.

  8. #8
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,324
    To clear things up a bit more... it depends on how the segment is setup.

    Example:

    PCs into a hub, you can sniff everything, because the hub is more of a "multiport repeater" and will forward all traffic, regardless of the MAC address.

    PCs into an unmanaged switch, you can only sniff traffic that is directed towards your PC.
    These switches will only forward traffic destined for your MAC address.
    You can "force" it to act more like a hub by arp spoofing/flooding. Effectively turning the switch into a hub. Look into something like "dsniff" or "ettercap" for this.

    PCs into a managed switch, you can configure a port to mirror other ports, so it'd act like a switch on every port except for the ports you configure to forward all traffic to.

    Any device your traffic goes through... routers, proxy servers, etc. can have a sniffer installed on it. meaning, they can capture some or all of your traffic through that specific device. An example of this would be something like carnivore which is basically just a machine whos purpose is nothing but grabbing a copy of your traffic (if you are under investigation... of course) I don't know much about carnivore other than that... Another example would be a honeypot/honeynet.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •