
Thread: Sniffing through firewall

  1. #1
    sunday11a
    Guest

    Sniffing through firewall

    I have a software firewall running, and I cannot sniff any traffic if the firewall is running. Is there any way I can have the firewall running as well as have the sniffing done? I am using Ethereal on a Win2k PC.

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    The firewall is blocking the packets from getting in to you. You need to place yourself in the DMZ to see the packets... But you need to make sure you are fully patched before you do that for obvious reasons.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #3
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    What Tiger is saying is that with your software firewall running you cannot capture the packets you want to; this is because the firewall will block them. If you put your PC in the DMZ (de-militarised zone) you will not have the protection of the firewall. So make sure Windows is patched right up to the latest update.

    If you would like a safer way to do what it seems you want to do, look into using a live OS, like Knoppix SDT. These OSes have tools like Ethereal built into them, so you can run the OS from your CD drive, capture packets and analyse them without the worry of getting a compromised box. A live OS, by the way, is an operating system that runs from a bootable CD. Just pop it in the CD tray and boot to it. It will load as a proper OS but leave your installed OS alone.
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

  4. #4
    Some Assembly Required ShagDevil's Avatar
    Join Date
    Nov 2002
    Location
    SC
    Posts
    718
    Sunday,
    I also have ethereal and a firewall (Outpost Pro). I just placed the ethereal executable in the trusted programs list and changed the firewall settings to allow for most ICMP traffic. It works fine to date. I don't know what firewall you use, so I can't determine if you have the flexibility to alter your traffic like Outpost Pro does.
    The object of war is not to die for your country but to make the other bastard die for his - George Patton

  5. #5
    sunday11a
    Guest
    I am using ZoneAlarm, OS Win2k Pro, and the program is in the trusted list. Obviously the firewall is made to block all traffic except what I want to see. What I am looking for is this: is it possible that Ethereal runs first and captures all the data, and then the data gets to the firewall, which then either permits or blocks the packet?
    Is there any method of doing such a thing, even with any other firewall? I do not wish to allow ICMP traffic through my firewall.

  6. #6
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    You will have to shut down ZoneAlarm to allow Ethereal to see the packets. Putting Ethereal on the trusted apps list doesn't work because the firewall has no way of knowing that you wish to associate any incoming packet from the outside with Ethereal on the inside. ZoneAlarm has no clue what Ethereal does, it simply knows that you trust it to do whatever it does.

    The firewall's job is to associate packets coming from outside with existing connections on the inside, (this is a Stateful firewall as opposed to a Stateless firewall that simply blocks SYN connections from the outside but may well let a SYN/ACK packet in if it is the first packet encountered in the stream). ZoneAlarm has no record of any communication from your computer to any of the inbound packets so it drops them. If you could run an arbitrary program ahead of the firewall then the firewall would be of little use and could be easily subverted.

    Stateful firewalls often cause problems with scanners too. If you run certain scans with NMap through a firewall the connections NMap tries to make are not the typical SYN from the three way handshake so the stateful firewall does not see the packet as creating a connection. Thus when the returning packet comes back the firewall drops it as not being part of an existing connection which skews your results.

    It's always best to run any utility that sniffs raw data off the wire without using a firewall.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  7. #7
    Senior Member
    Join Date
    Dec 2003
    Location
    Pacific Northwest
    Posts
    1,675
    sunday11a,

    Good Day,

    I don’t believe you specified what you were attempting to sniff, so here’s a tid-bit if you weren’t already aware.

    In addition to the issues with the firewall, the sniffer will most likely not return any packets from another network unless it is placed in the path that the data is traveling. Meaning, you will not be able to capture packets beyond your own network segment (or beyond switches, other routers etc.), specifically, outside of your own collision domain due to network segmenting. (i.e. if the sniffer is deployed on your network, you could not capture data on mine.) I hope

    cheers
    Connection refused, try again later.

  8. #8
    Some Assembly Required ShagDevil's Avatar
    Join Date
    Nov 2002
    Location
    SC
    Posts
    718
    Tiger Shark,
    You make an excellent point and at the same time confuse me.
    If I currently have my firewall set to allow Ethereal to do whatever it wants, there's still the problem of missing packets based on stateful inspection? Basically, the way my Ethereal runs now, I use it to capture traffic while I'm surfing around. It doesn't seem to drop any packets (I check my firewall 'blocked connections' log and it isn't blocking any traffic while I'm capturing packets). Now, is it capturing that information because the connection was initiated by the localhost? I'm still learning the basics to sniffing, so please forgive my ignorance on the matter.
    The object of war is not to die for your country but to make the other bastard die for his - George Patton

  9. #9
    sunday11a
    Guest
    I am aware that putting the application on the trusted list won't allow it to see all traffic. What I am looking for is any way, or any firewall, which has options to set which application sees all raw data.
    I am quite aware, Relyt, of where I can capture packets and where not.
    Tiger Shark, what I am looking for is that the firewall keeps on running and I can still capture all data.
    Is there any way out, or is the only solution to run either the sniffer or the firewall?
    Thanks

  10. #10
    sunday11a
    Guest
    Sorry if my bumping up the thread upsets someone.
    I just was not able to attend to my query for some reasons, and
    I still have not found the way out, so I thought maybe someone has an idea and could provide the solution.
    Let me rephrase the question again.
    I am running a firewall, and I have only one system of my own connected to a shared neighbourhood LAN (which has switches).
    What I want is to be able to read all the packets coming in to my system through a sniffer (say Ethereal) LIVE, REAL TIME. Yes, a firewall keeps a log of all the packets received, but that can only be viewed later, not live (real time).
    For those who might think I am into some mischief: I only want to do this so that I am able to get an understanding of traffic, and the reason I also want a firewall is to protect my system.
