
Thread: Packet sniffing.

  1. #1

    Packet sniffing.

    A packet sniffer is a wiretap that eavesdrops network traffic.

    Now as you have read in the TCP tutorial, packets travel through the Internet individually. They contain lots of info. Once they hit the wires they are mere pulses. Most packet sniffers work at the Ethernet level of the network.
    Ethernet defines the way the data gets transmitted and sniffers catch this.
    Ethernet actually uses sublayers to transmit data.
    The physical takes care of the wires.
    The logical retransmits data if necessary.
    The MAC is responsible for the formatting of the data once it hits the wires.
    Now you have probably heard the term MAC before but what exactly is it?
    MAC stands for Media Access Control. Your Ethernet adapter has an Ethernet (MAC) address.
    In Windows you can check this by typing 'winipcfg' from a Run box and choosing the appropriate network adapter ('ipconfig /all' for NT). This address is a 48-bit number, displayed in hex. The number is divided into two sections and should provide a unique address for every network adapter.
    The first half identifies the manufacturer of the NIC and the second provides a serial number.
    Now once an ethernet packet enters the wires it contains the following data:
    Source MAC
    Destination MAC
    :HEX code:
    IP packet
    CRC

    Explanation follows:

    Simple.

    The source and destination MAC should be clear.
    The HEX code contains hexadecimal values so that the receiving computer knows what to do with it.

    /*note: Ethernet works with different protocols like NetBEUI and IPX/SPX
    The IP packet is the encapsulated "".
    CRC, Webopedia says this:
    Abbreviation of cyclic redundancy check, a common technique for detecting data transmission errors.

    More.

    TCP/IP decides, after negotiation, how to transmit data and then turns packets over to ethernet. Ethernet puts the right wrappings around it and sends it to the next destination. Once a packet hits the next destination, ethernet deciphers it and hands over control to the appropriate protocol. It might be forwarded, the protocol decides.
    The Address Resolution Protocol, which is defined in: (RFCs are available from rfc-editor.org), might be worth checking out.
    Typing arp -a from a command prompt gives you some information too.

    So once a packet hits the ethernet wires it looks like this:
    [ethernet[ip[tcp]]].
    Packets vary in size. Sniffing on complete packets would not be a logical thing to do.
    There are various reasons you would like to sniff the network:
    - Intrusion detection
    - Network fault analysis
    - Spying on conversation
    - Stealing passwords
    - Curiosity
    Now normally when your box receives a packet that should be forwarded, that is the only thing done. A sniffer will capture data for analysis and send it through to the destination anyway. That makes it hard to detect sniffer attacks. A well-placed sniffer can collect tons of valuable information. You could for example use a sniffer to find out what data you transmit to MS when you use Update.
    Now any good sniffer will decode the packets it filters for you and give you somewhat readable text. It will help you a great deal if you know your way around the various number systems as well as ASCII.

    To use a sniffer to attack somebody you will have to break in on the conversation somewhere.
    That means either the victim's computer or the victim's ISP's computer.
    Setting up an ICMP redirect could also do the trick.

    Different protocols send passwords in clear text over the wires. These include:
    Ftp
    Telnet/rlogin
    Http
    POP.

    Now to get you started you could get WinDump, which is the Windows port of the popular Unix-based tcpdump.
    Windump is available from http://windump.polito.it
    It comes as source code distribution as well as binary.
    Read the online manual for the parameters.
    For a quick start: 'windump -D' (gives you the available adapters)
    'windump -i 1' (starts windump with the first listed adapter)

    Now after you capture packets you will have to use some sort of protocol analyzer to decode it.
    Some sniffers include these where others do not.



    Here come some sources where you can obtain packet-sniffers (msdos/windows):

    ethereal: http://www.ethereal.com/
    etherpeek: http://www.wildpackets.com/
    gobbler: http://nmrc.org/files/msdos/gobbler.zip
    ethload: ftp://ftp.simtel.net/pub/simtelnet/m...n/ethld200.izp

    (linux):
    tcpdump: http://www.tcpdump.org/
    LinSniff: http://packetstorm.securify.com/

    There are lots more but this will get you going.

    Recommended reading:

    RFCs
    TCP Illustrated.
    OSI reference.
    sniffing-faq.html

    That concludes it.
    Note that this was written to give a primer on the workings of packet sniffing.
    I do not encourage illegal activity nor take responsibility for actions taken after reading this text.


    noODle
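Putting the frame layout from the post above into code. The following is an added example, not code from noODle's post or from any of the tools named in the thread: it walks a raw Ethernet II frame in the order the post lists (destination MAC, source MAC, the EtherType "HEX code", IP datagram, CRC), splits the source MAC into its manufacturer and NIC halves, checks the trailing CRC-32, and then pulls an FTP USER/PASS pair out of the TCP payload, which is the cleartext-password point the post makes. The frame is constructed inside the script (MACs and IPs invented, IP and TCP checksums left at zero), and handling only IPv4 over TCP is a choice made here for brevity.

```python
"""Decode a raw Ethernet II frame layer by layer ([ethernet[ip[tcp]]]) and
pull a cleartext FTP login out of the TCP payload, the way a sniffer's
protocol decoder does.

Added example, not code from the original post. The frame is constructed
below (MACs and IPs invented); IP/TCP checksums are left at zero because
the point is the layout, not a valid transmit path.
"""
import struct
import zlib


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_info(raw: bytes) -> dict:
    """Split a 48-bit MAC into the OUI (manufacturer) half and the NIC-specific
    half, and decode the two flag bits carried in the first octet."""
    return {
        "oui": mac_str(raw[:3]),
        "nic": mac_str(raw[3:]),
        "multicast": bool(raw[0] & 0x01),             # I/G bit
        "locally_administered": bool(raw[0] & 0x02),  # U/L bit
    }


def fcs_ok(frame: bytes) -> bool:
    """Ethernet's trailing CRC is CRC-32 over everything from the destination
    MAC to the end of the payload, transmitted least-significant byte first."""
    body, fcs = frame[:-4], struct.unpack("<I", frame[-4:])[0]
    return zlib.crc32(body) == fcs


def parse_frame(frame: bytes, has_fcs: bool = True) -> dict:
    """Parse Ethernet -> IPv4 -> TCP. Only EtherType 0x0800 and IP protocol 6
    are handled; anything else raises so the caller knows the decoder gave up."""
    if has_fcs:
        if not fcs_ok(frame):
            raise ValueError("FCS mismatch: frame damaged in transit")
        frame = frame[:-4]

    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4: EtherType 0x{ethertype:04x}")

    ip = frame[14:]
    ver_ihl, _, total_len, _, _, _, proto, _, s_ip, d_ip = struct.unpack(
        "!BBHHHBBH4s4s", ip[:20])
    if proto != 6:
        raise ValueError(f"not TCP: IP protocol {proto}")
    ip = ip[:total_len]              # drop any Ethernet padding after the datagram

    tcp = ip[(ver_ihl & 0x0F) * 4:]  # IHL is in 32-bit words
    sport, dport, _, _, off_flags = struct.unpack("!HHIIH", tcp[:14])
    payload = tcp[(off_flags >> 12) * 4:]  # data offset is in 32-bit words too

    return {
        "dst_mac": mac_str(dst), "src_mac": mac_str(src),
        "src_mac_info": mac_info(src), "ethertype": ethertype,
        "src_ip": ".".join(map(str, s_ip)), "dst_ip": ".".join(map(str, d_ip)),
        "sport": sport, "dport": dport, "payload": payload,
    }


def sniff_ftp_credentials(payload: bytes) -> dict:
    """FTP sends USER and PASS as plain text, one command per CRLF line."""
    creds = {}
    for line in payload.split(b"\r\n"):
        verb, _, arg = line.partition(b" ")
        if verb.upper() in (b"USER", b"PASS"):
            creds[verb.decode().lower()] = arg.decode(errors="replace")
    return creds


def build_sample_frame() -> bytes:
    """Constructed frame: FTP client 10.0.0.7:40000 -> server 10.0.0.1:21."""
    payload = b"USER alice\r\nPASS hunter2\r\n"
    tcp = struct.pack("!HHIIHHHH", 40000, 21, 1, 1, (5 << 12) | 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     1, 0x4000, 64, 6, 0, bytes([10, 0, 0, 7]), bytes([10, 0, 0, 1]))
    eth = bytes.fromhex("0050 56aa bbcc") + bytes.fromhex("000c 2911 2233") + b"\x08\x00"
    body = eth + ip + tcp + payload
    return body + struct.pack("<I", zlib.crc32(body))   # append the FCS


if __name__ == "__main__":
    f = parse_frame(build_sample_frame())
    print(f"{f['src_mac']} -> {f['dst_mac']}  EtherType 0x{f['ethertype']:04x}")
    print(f"{f['src_ip']}:{f['sport']} -> {f['dst_ip']}:{f['dport']}")
    print("captured:", sniff_ftp_credentials(f["payload"]))
```

One caveat before pointing this at real traffic: most NICs strip the FCS before the frame reaches the operating system, so frames read back from a tcpdump or WinDump capture file normally have no trailing CRC; call parse_frame(frame, has_fcs=False) for those. Telnet, POP3 and HTTP Basic authentication fall to the same kind of payload scraping, which is why the post lists them.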

  2. #2
    Just a Virtualized Geek (MrLinus), joined Sep 2001, Redondo Beach, CA, 7,323 posts
    Hey noOdle, have you played with Ettercap yet? That's an evil sniffer.

    And to anyone that uses it, I strongly recommend to NOT use it on your ISP, school, etc. This is one of those "guaranteed-to-get-you-in-jail-things".
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head

  3. #3
    I have not used it yet. Thanks for pointing me to it.
    I read some about it the other day on AO.

    I will definitely try it, without getting into trouble of course.

  4. #4
    Master-Jedi-Pimps0r & Moderator (thehorse13), joined Dec 2002, Washington D.C. area, 2,885 posts
    Ethereal and NAI's Sniffer Pro are both nice packet sniffers. Ethereal is a GUI-based sniffer that uses TCPDump commands. Sniffer Pro is a boku dolares sniffer (about 25k if memory serves) but quite nice.

    Ettercap, as pointed out, is *most* impressive too. I have used it to do network discovery and mapping and it does a nice job of it. The sourceforge folks have some great GNU software.

    My two cents...
    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  5. #5
    Senior Member, joined Aug 2002, 508 posts
    Originally posted here by MsMittens
    Hey noOdle, have you played with Ettercap yet? That's an evil sniffer.

    And to anyone that uses it, I strongly recommend to NOT use it on your ISP, school, etc. This is one of those "guaranteed-to-get-you-in-jail-things".

    Uppppssy... I've been playing around with ettercap on my FreeBSD laptop (about 1 month now). Yes, I know, it's very interesting watching connections, etc.

    Thanks for that "scary notice" Ms Mittens... I didn't realise I can go to jail! (wow, that's not fun at all...) I am going to "deinstall that cool toy" right now.

    Cheers

  6. #6
    Junior Member, joined Nov 2005, 3 posts
    msmittens would you kindly help on installing the ettercap

  7. #7
    Just a Virtualized Geek (MrLinus), joined Sep 2001, Redondo Beach, CA, 7,323 posts
    Wow. This is an old thread.. Phoenix: what are you installing on?

  8. #8
    Junior Member, joined Apr 2011, 2 posts
    Hello, I am new, bringing the post back from the dead if it's alright, rather than make a new one. I've got Ettercap running on one machine in my LAN lab. Basically the LAN is 2 hosts connected to a switch, which is connected to a router that can go to another network. I use the command 'sudo ettercap -i eth0 -T -M ARP /10.0.0.1/ /10.0.0.7/', .1 being the default gateway and .7 being the other machine on the LAN. When running the command I am only getting these packets: UDP 10.0.0.1:520 --> 255.255.255.255:520. Looks like some kind of layer 3 broadcast address from the DG. Wondering what I need to do to get this working, as I am new. I've tried dumping the ARP cache on both router and host and still nothing. Thanks for the help, and shoutout to irongeek for the tut.
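The 'ettercap -M ARP' run described in the post above works by sending forged ARP replies so that each victim's ARP cache maps the other victim's IP to the attacker's MAC. That is also what makes it detectable from the wire. The following is an added example, not code from any post in this thread or from Ettercap: an arpwatch-style monitor that records the MAC seen for each IP in ARP traffic and alerts when a binding changes, or when one MAC starts answering for a second IP. The IPs 10.0.0.1 and 10.0.0.7 are taken from the post; the MACs and the frames themselves are constructed here.

```python
"""Spot ARP cache poisoning of the kind `ettercap -M ARP` performs by keeping
the IP-to-MAC bindings seen in ARP traffic and alerting when a binding
changes or one MAC starts answering for a second IP.

Added example, not from any post in the thread. The frames below are
constructed: the IPs are the ones in the post above, the MACs are invented.
"""
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def ip_bytes(s: str) -> bytes:
    return bytes(map(int, s.split(".")))


def parse_arp(frame: bytes):
    """Return (sender_mac, sender_ip, opcode) for an Ethernet/IPv4 ARP frame,
    or None for anything else (IP frames, other EtherTypes, odd lengths)."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _, _ = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return mac_str(sha), ".".join(map(str, spa)), op


class ArpWatch:
    """Learn the MAC behind each IP from ARP traffic. A poisoned LAN shows up
    as an IP whose MAC changes, or a MAC that claims several IPs at once
    (the attacker impersonating both ends of the conversation)."""

    def __init__(self):
        self.ip_to_mac = {}
        self.mac_to_ips = defaultdict(set)

    def observe(self, frame: bytes):
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        mac, ip, op = parsed
        alert = None
        known = self.ip_to_mac.get(ip)
        if known is not None and known != mac:
            alert = f"{ip} moved from {known} to {mac}"
        elif op == ARP_REPLY and self.mac_to_ips[mac] - {ip}:
            alert = f"{mac} already answers for {sorted(self.mac_to_ips[mac])}, now also {ip}"
        self.ip_to_mac[ip] = mac
        self.mac_to_ips[mac].add(ip)
        return alert


def arp_frame(op: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Build an Ethernet frame carrying one ARP packet (constructed input)."""
    eth = mac_bytes(tha) + mac_bytes(sha) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))
    return eth + arp


GATEWAY, HOST, ATTACKER = "00:11:22:00:00:01", "00:11:22:00:00:07", "de:ad:be:ef:00:05"

# Constructed capture: two honest replies, an unrelated IPv4 frame, then the
# attacker telling each side that the other one lives at the attacker's MAC.
CAPTURE = [
    arp_frame(ARP_REPLY, GATEWAY, "10.0.0.1", HOST, "10.0.0.7"),
    arp_frame(ARP_REPLY, HOST, "10.0.0.7", GATEWAY, "10.0.0.1"),
    b"\xff" * 6 + b"\x00" * 6 + b"\x08\x00" + b"\x00" * 30,
    arp_frame(ARP_REPLY, ATTACKER, "10.0.0.1", HOST, "10.0.0.7"),
    arp_frame(ARP_REPLY, ATTACKER, "10.0.0.7", GATEWAY, "10.0.0.1"),
]


def run(frames) -> list:
    """Feed frames through one ArpWatch and return the alerts it raised."""
    watch = ArpWatch()
    return [a for a in map(watch.observe, frames) if a]


if __name__ == "__main__":
    for alert in run(CAPTURE):
        print("ALERT:", alert)
```

To use this on real traffic, feed it the raw frames from a live capture or from a file written with tcpdump's or WinDump's -w option (a pcap reader such as the dpkt or scapy libraries can hand you the per-frame bytes). Expect some benign alerts: a host whose DHCP lease moves to another machine, or a gratuitous ARP after a NIC swap, looks the same as a poisoned binding, so a static allow-list of known gateway and server MACs belongs in front of the alerting.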

  9. #9
    Junior Member, joined Apr 2011, 2 posts
    bump

  10. #10
    Senior Member, joined Jul 2002, 744 posts
    Quote Originally Posted by phoenixBIT View Post
    msmittens would you kindly help on installing the ettercap
    Is she even around anymore?
    Every now and then, one of you won't annoy me.
