-
Packet Capture
I have been puzzled over the past few days as to why Cain/Abel can see packets from another IP (.0.2) on my same network, yet when running a packet capture tool (Ethereal etc.) I cannot see the .0.2 address at all. The only thing I can think of is that Cain does some ARP poisoning. I would like to capture the packets from the .0.2 machine and recreate them (to an extent). Any suggestions? The machine that I ran the capture tools on is a laptop connected wirelessly to the router. I tried both wired and wireless and they both fail to show any captured packets. Thanks
OS - XP Pro SP2 (laptop)
OS of desktop - XP Home SP2
Both have the firewall off.
Router is a Netgear wireless 802.11b
-
I think your post is against the Antionline rules.
But anyway, make sure that your network card is in promiscuous mode, and I believe that Ethereal has a rule like "<from ip> <to ip>".
-
To my knowledge it is not against the rules, but if it is, please remove the post and let me know about it. I have yet to see a rule for that so if someone can shed some light on that with Ethereal, that would help. The card automatically gets placed into prom. mode.
-
Cain and Abel does do ARP spoofing. That's why you can see the traffic. If you use Ethereal while using Cain and Abel, then Ethereal will see the packets too.
If you are just using Ethereal and not both together, you'll only see the traffic destined to your PC. That is assuming that you are using a switch, and not a hub.
There are other tools that do this too. Look into hunt and ettercap.
Pretty nifty tools to play around with. You can hijack the traffic from one host and redirect it to a nonexistent host. That basically will cause a DoS against the legitimate host. Their traffic basically gets routed to nowhere. Fun for practical jokes... or to knock off my roommate's PC because he is downloading so many torrents that I can't do anything on the net.
There are quite a few other nice features. Play around. Just do it on your own gear so you don't get into trouble.
http://ettercap.sourceforge.net/
http://www.sns.ias.edu/~jns/security/hunt_README
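The replies above boil down to one mechanism: on a switched network a sniffer only sees its own traffic unless something (Cain, ettercap, hunt) rewrites ARP mappings so the switch forwards other hosts' frames to it. The following is an added example, not code from the thread or from any of the tools named, showing the defender's side: a small watchdog that flags the IP-to-MAC changes and the single-MAC-claims-many-IPs pattern that ARP poisoning leaves in a stream of ARP replies. The addresses and timestamps are constructed sample data.

```python
# Added example: ARP-poisoning watchdog over a list of observed ARP replies.
# The reply records below are constructed for illustration, not a real capture.
from collections import defaultdict

# Each tuple: (timestamp, sender IP, sender MAC) taken from an ARP "is-at"
# reply seen on the wire. Constructed values; 192.168.0.1 plays the router.
SAMPLE_ARP_REPLIES = [
    (0.0, "192.168.0.1", "00:09:5b:aa:bb:01"),   # router announces itself
    (0.5, "192.168.0.2", "00:0c:29:11:22:02"),   # desktop
    (1.0, "192.168.0.3", "00:16:ce:33:44:03"),   # laptop
    (2.0, "192.168.0.1", "00:16:ce:33:44:03"),   # laptop's MAC now claims the router
    (2.1, "192.168.0.2", "00:16:ce:33:44:03"),   # ... and the desktop
    (3.0, "192.168.0.1", "00:09:5b:aa:bb:01"),   # real router answers again (flap)
]


def detect_arp_poisoning(replies):
    """Return (changes, multi_claim).

    changes: list of (timestamp, ip, old_mac, new_mac) for every reply that
             rebinds an IP already learned with a different MAC.
    multi_claim: {mac: sorted list of IPs} for MACs that claimed more than
             one IP, the signature of one host impersonating several others.
    """
    cache = {}                      # ip -> most recently learned MAC
    ips_per_mac = defaultdict(set)  # mac -> set of IPs it has claimed
    changes = []
    for ts, ip, mac in replies:
        ips_per_mac[mac].add(ip)
        known = cache.get(ip)
        if known is not None and known != mac:
            changes.append((ts, ip, known, mac))
        cache[ip] = mac  # keep the latest binding so flapping is reported too
    multi_claim = {m: sorted(v) for m, v in ips_per_mac.items() if len(v) > 1}
    return changes, multi_claim


if __name__ == "__main__":
    changes, multi = detect_arp_poisoning(SAMPLE_ARP_REPLIES)
    for ts, ip, old, new in changes:
        print(f"t={ts}: {ip} moved from {old} to {new}")
    for mac, ips in multi.items():
        print(f"{mac} claims several IPs: {ips}")
```

On a live host the same logic can be fed from a capture filter of `arp` in Ethereal/Wireshark, or from periodic reads of the local ARP cache; a gateway IP that flips between two MACs is the case most worth alerting on.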
-
What phishphreek80 said is correct. You could also use a tool like ARPToxin with Ethereal as well:
http://www.phrite.net/default.php?page=tools&id=1
Give it a shot.
By the way, I see no way in which your post would be against the rules.
-
AWESOME! See, I knew this was the place to ask :) Y'all rock. Bluelight special on greens :)
-
You can try DSniff, it's a great tool.