Thread: Windump Syntax

  1. #1

    Windump Syntax

    I'm trying to learn Windump and have it running fine on my machine, but I want to be able to get data from my wife's machine in the other room. I'm running Windows ME. According to everything I've read, I should be able to either access it from the LAN or from the internet. Maybe I've not understood correctly here. Can someone tell me how to do this? I've searched for hours and tried everything I know (which ain't much) and had no success. Thanks for any help in advance.

  2. #2
    Senior Member | Join Date: Dec 2003 | Location: Pacific Northwest | Posts: 1,675
    rumpletumbler,

    Here's a real good site with all the examples and switches that are applicable, your request is near the center of the page. But you will need to review all the options as well:

    http://windump.polito.it/docs/manual.htm

    cheers

    edit: Thanks Soda for the edification, I thought about that after my post.
    Connection refused, try again later.

  3. #3
    I'm assuming that Windump is a sniffer like tcpdump or ethereal.

    I hope that you can't sniff your network traffic from the internet. That would be baaaad.

    If your network is on a switch, then you shouldn't be able to sniff traffic that belongs to other boxes. A hub would allow you to sniff all traffic that passes through the hub. You can sniff on the switch with ARP poisoning, I think ettercap is something you want. But you should be able to configure the router to allow you to sniff?

  4. #4
    I'm just really dumb on tcp/ip I guess because I can't find it.

    If I just normally do windump -i1 -s1500 -n -w output

    why can't I just change the adapter to the ip address of her machine?

  5. #5
    Because your computer is not receiving the packets in the first place. The purpose of a sniffer is to capture the packets your NIC handles. You are on a switched network. Your router is smart, so it won't send you packets that don't belong to you. You will only receive packets that belong to you. A hub, however, is dumb. It will send everybody's packets everywhere on the network. A switch is secure, a hub is not. That switch is a security roadblock that prevents you from listening to other traffic on the network.

    In order to listen to those packets, you either need to poison the ARP cache in the switch (malicious), or configure the thing to send you everyone's traffic.

  6. #6
    Wouldn't putting my IP in the DMZ work?

  7. #7
    AO Ancient: Team Leader | Join Date: Oct 2002 | Posts: 5,197
    First of all, ARP poisoning isn't quite as simple as just poisoning the ARP cache on the switch. You also need a way to forward all the misdirected responses back to the victim's box, or the conversation will be closed in just the same way it would be if you disconnected the cable modem.... The victim's machine will assume that the destination is unreachable.

    Not sure if DMZing the box would have the desired effect. It might but you also run the risk of having your box compromised while it swings out there in the breeze.

    Lastly, what did wifey do that requires you to spy on her? It might be better just to sit her down for the old "WTF is going on" conversation rather than compound the issues by eventually having to point out that you spied on her......

    Just a thought....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
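Posts #5 and #7 above explain that on a switched LAN a machine only sees its own frames, and that the only way around the switch is a hub, a router configured to mirror traffic, or ARP cache poisoning. The defender's side of that last point is worth seeing in code: an ARP-poisoning attempt shows up in a capture as an IP whose claimed MAC address suddenly changes, which is exactly what tools like arpwatch alert on. The following Python is an added example and not code from the thread or from the Windump project; it parses windump/tcpdump-style ARP reply lines (the line format is assumed to match what `windump -n` prints for ARP replies), tracks the IP-to-MAC table, and flags conflicts. The sample lines are constructed, not captured traffic.

```python
import re
from collections import defaultdict

# Constructed sample of windump -n style ARP output (not real traffic).
# Format assumed: "<time> ARP, Reply <ip> is-at <mac>, length <n>".
SAMPLE_CAPTURE = """\
12:00:00.000000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:01, length 28
12:00:00.500000 ARP, Reply 192.168.1.20 is-at 00:11:22:33:44:20, length 28
12:00:01.000000 ARP, Request who-has 192.168.1.1 tell 192.168.1.10, length 28
12:00:01.000100 ARP, Reply 192.168.1.10 is-at 00:11:22:33:44:10, length 28
12:00:05.000000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:10, length 28
12:00:05.100000 ARP, Reply 192.168.1.20 is-at 00:11:22:33:44:10, length 28
12:00:09.000000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:01, length 28
"""

# Only ARP *replies* carry an "is-at" binding worth tracking; requests are skipped.
ARP_REPLY_RE = re.compile(
    r"^(?P<time>\S+) ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"is-at (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)


def parse_arp_replies(text):
    """Yield (time, ip, mac) tuples for every ARP reply line in the capture text."""
    replies = []
    for line in text.splitlines():
        m = ARP_REPLY_RE.match(line)
        if m:
            replies.append((m.group("time"), m.group("ip"), m.group("mac").lower()))
    return replies


def detect_arp_conflicts(replies):
    """Return one alert per reply that rebinds an already-seen IP to a different MAC.

    This is the core arpwatch-style check: a legitimate host keeps the same MAC,
    so an IP flipping between MACs is either a DHCP/hardware change or poisoning.
    """
    table = {}   # ip -> last MAC that claimed it
    alerts = []
    for ts, ip, mac in replies:
        prev = table.get(ip)
        if prev is not None and prev != mac:
            alerts.append({"time": ts, "ip": ip, "old_mac": prev, "new_mac": mac})
        table[ip] = mac
    return alerts


def macs_claiming_multiple_ips(replies):
    """Return {mac: [ips]} for MACs that answered for more than one IP.

    On a small home LAN one NIC claiming the router's and another PC's address
    is the classic footprint of a man-in-the-middle on the switch.
    """
    claims = defaultdict(set)
    for _, ip, mac in replies:
        claims[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in claims.items() if len(ips) > 1}


if __name__ == "__main__":
    parsed = parse_arp_replies(SAMPLE_CAPTURE)
    for alert in detect_arp_conflicts(parsed):
        print("ARP conflict at {time}: {ip} moved {old_mac} -> {new_mac}".format(**alert))
    for mac, ips in macs_claiming_multiple_ips(parsed).items():
        print("MAC %s answered for several IPs: %s" % (mac, ", ".join(ips)))
```

Run against a real capture by feeding `windump -n -i1 arp` output (or `tcpdump -n arp` on another box) into `parse_arp_replies` instead of the constructed sample. On the sample above the detector reports the router's address moving to the third MAC, the other PC's address moving to the same MAC, and the router flipping back, and it names that one MAC as claiming three addresses. Note that this check only works from a vantage point that actually receives the ARP replies, which, as the thread says, on a switch means the capturing machine itself or a mirror port on the router.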

  8. #8
    She didn't do anything. It's just a machine that I can use to learn on.

  9. #9
    AO Ancient: Team Leader | Join Date: Oct 2002 | Posts: 5,197
    My personal preference for packet dumps is Ethereal.... It's a great tool..... Google brings it up at the top of the list. Don't forget that you will need WinPCap - I recommend 3.0 or 3.0.1(?), there have been issues with some of the later version IIRC.

    You still have the issue of being able to see the packets on your network. It sounds like you have a Linksys-type router which acts like a switch. The DMZ trick _might_ work, but you may only see the returning packets, since I don't think the outgoing will be forwarded to the DMZ machine. If you try it then report back your findings, I'd be interested to know for myself.

    Other than that you are going to need a hub or get real fancy with an ARP attack.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
