-
Tiger Shark was describing sniffing a session between your computer and a server. Since in all communications your computer will be either the source or the destination of the packets in question, they will pass through your network card, and you will be able to sniff them even if you are attached to a switch.
If you were attached to a hub you would be able to sniff everyone else's packets as well as your own (although this may need some extra configuration?). Doing this would likely upset the network admins.
It sounds like you may need to play with the sniffer settings a bit.
-
Waverebel: Close, but no cigar...... ;)
The scenario I described can be done with any communication that is directed to my segment of the network. In this case the segment contains my workstation, a hub so I can see all traffic on the segment, an internal router and my firewall to the world, and is the last segment before the traffic goes out into the big wide world. Thus, any traffic entering or leaving my network can be sniffed by my workstation. Therefore, any traffic to and from publicly available servers such as mail, HTTP etc. can be seen and sniffed by my machine.
Anjali: As noted by others, the switch would be a big issue. Also, did you apply any filters? You would know if you did because all the traffic you did capture would have something in common, like the source IP or a port number. You really need to be on an appropriately placed hub for a sniffer to be of much use.
-
anjali:
Here comes the solution to sniff the main flows with a single sniffer (or eventually an NIDS) in a switched environment.
Most switches offer port mirroring (Cisco calls that SPAN; I learned it yesterday...).
Plugging a sniffer into a mirroring port allows you to sniff all frames forwarded on the mirrored one.
- If the mirrored port is owned by a single user, you'll be able to monitor only its current sessions.
- If the mirrored port is owned by a router, you'll be able to monitor all inter-VLAN flows (but not intra-VLAN, except for multicast and broadcast frames). I assume that your network has a dedicated VLAN for servers (DMZ, server clusters, server farms, ...); in that case intra-VLAN flows are very few, and the sniffer will monitor most network activity.
-
If you want to learn about session hijacking, I elaborated quite a bit on the subject, and the tutorial is still relevant now.
http://www.antionline.com/showthread...hreadid=232029
-
sniffer
Well... I am new in this conversation and I need to know how to put a sniffer in promiscuous mode... like all I can do is run the sniffer on my PC..... would it be working... or do I need to make it listen on any typical ports, and if yes, how should I do that... I hope that I'll get my problem solved
thanks
Ommy
-
ohhhh... So one thing is clear......
Sniffers are very effective in a hub scenario....
But in places where you have switches... it is a good option to go for some free IDS (like SNORT)...
But again, can I configure SNORT on Win2k without using Perl... in case yes.... I read that you need to update the signature files individually.... How true is that...
Also, how to configure the sniffer in promiscuous mode.... I understand assigning it 0.0, but how....
..Do we have any free sniffers that work fine in a Windows environment.....
Regards
Kalp
-
Hi anjali, I have the following for you
1. See my tutorial on analyzing traffic with tcpdump/windump. In the next tutorial I will explain the whole lot.
2. Meanwhile, if you wish to have fun, try the following
(a) If you are using Windows, try smbrelay; it views the NetBIOS connections..... hmm, etc. etc.
(b) Try hunt and juggernaut in Linux
3. Find the listed gems at www.packetstormsecurity.nl
See ya
-
Well... I asked something... did somebody listen...
-
ommy: A packet sniffer either comes with its own system for putting the NIC in promiscuous mode or (like most seem to do) it requires libpcap for *nix boxes and winpcap for Windows boxes. You install this first and the sniffer will call it when it is initiated.
Once in promiscuous mode the NIC does not drop all packets not directed at its MAC address, which is its normal behaviour, but rather collects them all and passes them back to your sniffer for processing. The sniffer will process all packets for all ports for all IP addresses that transmit and can be seen by the sniffing machine. You can tell the sniffer to filter the traffic if you like. So you may choose to only capture all traffic from your home net that is destined for SMTP servers, for example. This makes reading and interpreting the output a whole lot easier......
If your sniffer is on a switched network you have two choices: span the ports on the switch to send all traffic to your sniffer box's port, or put a hub in place somewhere where all the traffic you want to capture can be seen. In order to properly monitor a subnet in an environment that contains any switches you need to have an intimate knowledge of the architecture to be able to properly place your sniffer and for it to be most effective. There are tools out there that will do what's called ARP flooding a switch. If this is done successfully the switch's "routing table" is corrupted with multiple IP addresses for the same MAC address. Most switches will recognize this and fail into "hub" mode, thus all the traffic passing through it can be seen by all the machines attached to it.
WARNING: If you are not authorized by the system admin and you begin sniffing his traffic expect him to have a big problem with you. If you are not authorized by the system admin to ARP flood his switch(es) he will probably tear you limb from limb.... I would!!!!
NOTE: Sniffing the traffic on a network is really rather easy. Determining what it is telling you is a tad more difficult. You need to understand TCP/IP etc. well to be able to make much sense of it. Read a good TCP/IP primer.... Google will help you find it.
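An added example, not from this thread or from any sniffer's own code, of the two filters Tiger Shark describes: the NIC's address filter, which promiscuous mode switches off, and the sniffer's own capture filter for "home net to SMTP" traffic, run over a few constructed Ethernet/IPv4/TCP frames. All MAC addresses, IP addresses and the 192.168.1.0/24 home net are made-up values.

```python
import ipaddress
import struct

# Constructed values: our NIC, a neighbour's NIC, the segment's router, and the "home net".
OUR_MAC, OTHER_MAC, ROUTER_MAC = (bytes.fromhex(h) for h in
                                 ("020000000001", "020000000002", "0200000000fe"))
BROADCAST = b"\xff" * 6
HOME_NET = ipaddress.ip_network("192.168.1.0/24")

ETH = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
IPV4 = struct.Struct("!BBHHHBBH4s4s")   # 20-byte IPv4 header, no options
PORTS = struct.Struct("!HH")            # TCP source port, destination port

def build_frame(dst_mac, src_mac, src_ip, dst_ip, dport, sport=40000):
    """Minimal Ethernet/IPv4/TCP frame (constructed test data, checksums left zero)."""
    tcp = PORTS.pack(sport, dport) + b"\x00" * 16
    ip = IPV4.pack(0x45, 0, IPV4.size + len(tcp), 0, 0, 64, 6, 0,
                   ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return ETH.pack(dst_mac, src_mac, 0x0800) + ip + tcp

def nic_accepts(frame, promiscuous):
    """Normal mode: only frames to our MAC, broadcast, or sent by us reach the sniffer.
    Promiscuous mode (what libpcap/winpcap switch on): every frame on the wire does."""
    dst, src, _ = ETH.unpack_from(frame)
    return promiscuous or dst in (OUR_MAC, BROADCAST) or src == OUR_MAC

def decode(frame):
    """Return (src_ip, dst_ip, sport, dport) for an IPv4/TCP frame, else None."""
    hdr = IPV4.unpack_from(frame, ETH.size)
    if ETH.unpack_from(frame)[2] != 0x0800 or hdr[6] != 6:   # IPv4 carrying TCP only
        return None
    ihl = (hdr[0] & 0x0F) * 4            # IP header length in bytes
    sport, dport = PORTS.unpack_from(frame, ETH.size + ihl)
    return (str(ipaddress.IPv4Address(hdr[8])), str(ipaddress.IPv4Address(hdr[9])), sport, dport)

def home_to_smtp(pkt):
    """The capture filter from the post: home net -> SMTP (tcp/25) only."""
    return ipaddress.ip_address(pkt[0]) in HOME_NET and pkt[3] == 25

def capture(frames, promiscuous):
    """What the sniffer shows after the NIC filter and the capture filter."""
    pkts = (decode(f) for f in frames if nic_accepts(f, promiscuous))
    return [p for p in pkts if p and home_to_smtp(p)]

# Constructed traffic on a hub segment: our SMTP session, a neighbour's SMTP
# session and a neighbour's web session, all leaving through the router.
FRAMES = [
    build_frame(ROUTER_MAC, OUR_MAC, "192.168.1.10", "203.0.113.25", 25),
    build_frame(ROUTER_MAC, OTHER_MAC, "192.168.1.20", "203.0.113.25", 25),
    build_frame(ROUTER_MAC, OTHER_MAC, "192.168.1.20", "203.0.113.80", 80),
]
```

Without promiscuous mode only our own SMTP session survives both filters; with it the neighbour's SMTP session shows up as well, while the web session is dropped by the capture filter in both cases.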
-
GEE.... Thanks Tiger Shark... I'll be obliged