Sniffing

Hi all. I am looking for a way to log all the data (binary) that enters and leaves my computer. I understand that the usual way to do this is through a sniffer. However I am on a university network and they are quite strict about catching folks with stuff like that - we had a few people kicked out last year. What I want is something that can only detect the data intended for my computer and originating from my computer. It then won't be possible for them to accuse me of trying to listen in on anyone elses stuff. Does anyone know anything that would do this?

Cheers!

Hi all. I am looking for a way to log all the data (binary) that enters and leaves my computer. I understand that the usual way to do this is through a sniffer. However I am on a university network and they are quite strict about catching folks with stuff like that - we had a few people kicked out last year. What I want is something that can only detect the data intended for my computer and originating from my computer. It then won't be possible for them to accuse me of trying to listen in on anyone elses stuff. Does anyone know anything that would do this?

Cheers!

binary data? hmmm.... I wasn't aware that packets were binary. Silly me. And I don't think there is a way to do what you want.

Aren't they binary? ASCII perhaps? I don't know. I was just guessing. Thanks for your reply anyway.

Well, do you mean all NETWORK traffic in and out? If so, you should use a packet sniffer. The problem is that these tools can be easily 'misused' to nefarious ends. I think the best thing you can do is find some tech-teacher or system administrator who you know and can get along with (or, failing that, whoever is in charge) and ask them if you can use one so long as it only logs your own computer traffic.

The problem is that on some networks you can detect what is being sent to other computers, by putting your network-card into 'promiscuous' mode, and many of the tools out there, like Ethereal can be easily misused.

If you just want to see WHO your computer talks to, and what on your computer talks to it, it is a lot easier. If you want to actually have the Raw data (Usually Ascii when you make it look nice), it's a bit less easy to do that in a non-network-admin-threatening-way.

Thanks Terr, it is really the former that I was wanting to do, but I would also be interested in how you would know what is communicating with what. Can you tell me a bit about that? Thanks.

OK.. here we go witha little lesson on sniffing:
A) It's not detectable from a remote network source (by any method that I have heard of) This is because the packets are never modified only looked at. So, unless you're on the local machine, or, you put this sniffer on a machine that someone can find the running pid, then you're OK.
B) As for logging the binary data? Sure you can, why you would is beyond me because of the fact that every packet that is read by your sniffer is going to be a the form of a "packet frame". A "bundle" with a specific format that it's wrapped in to be sent across the network. Logging this raw data will corrupt the binary. It's the job of the TCP/IP or whatever network stack to correctly maintain the binary data structure.
You could log plaintext information form your sniffer, but then, that would just be unethical.

Hi dudez,

I'm not sure wether a sysop could effectively trace someone who's sniffing, but I'm quite sure that @stake laboratories have a tool called AntiSniff, which should detect any NIC in promiscous mode. Since I'm not sure, replies are allways welcome.

Grtz,

AtHome itself is a violation of privacy anyway. If you would read your TOS, they explicitly say that they can basically use your system for whatever they want.

So, them having devised a network of machines that run security scan "authorized-scan*.home.com" is not put passed them.

As for them to be able to detect a sniffer, possible, but not likely for them to be able to use it on such a widespread network.

They would have to have some serious access to your system to be able to detect your NIC in promisc, if I'm not mistaken.
This isn't something that you're able to send packets at and detect because it's a read only thing. Maybe I'm wrong..

Thanks guys, just a few more questions. What is a "running pid" Jason? And how would I know if someone could find it?

Just to clarify, it would be the data extracted from the packets I would want. For example for a Web page request I would want to see the HTTP but not the TCP/IP.

Unless you write a program that would extract the information from the packets.. you're pretty much only going to be able to look at it.
Any sort of modification to the packet will corrupt it and the TCP/IP stack will deny it when it gets to the destination.

PID is "Process IDentification". It's the unique number associated with a running process.

I don't know what OS you run, but, I've written a crude Linux packet sniffer if you would like to browse over it. It will dump RAW socket data from the specified network interface. Even works with PPPd ;-)

I'll post it on http://www.o-negative.net as soon as I recover from recent Vuln-Dev mailing list crap.

maybe I missed something.........But why do you wanna take the chance of getting kicked out for.......I think I'm having a brain fart, But what is this for?

Quote:

---

Originally posted by jparker
OK.. here we go witha little lesson on sniffing:
A) It's not detectable from a remote network source (by any method that I have heard of) This is because the packets are never modified only looked at. So, unless you're on the local machine, or, you put this sniffer on a machine that someone can find the running pid, then you're OK.
B) As for logging the binary data? Sure you can, why you would is beyond me because of the fact that every packet that is read by your sniffer is going to be a the form of a "packet frame". A "bundle" with a specific format that it's wrapped in to be sent across the network. Logging this raw data will corrupt the binary. It's the job of the TCP/IP or whatever network stack to correctly maintain the binary data structure.
You could log plaintext information form your sniffer, but then, that would just be unethical.

---

You can get caugth by a computer on the same lan as you. Just imagine that you send a forged ethernet packet with random MAC address, your IP address and ICMP echo-request.

If your card is set to promiscuous, it will let that packet (with a not-matching MAC address) go further, will see that IP is correct and then respond to the ICMP ping : your computer just said to the other side "Ok guy, I'm in promiscuous mode", which is frequently associated with sniffing.

Remember that you can put tcpdump into a non-promiscuous mode. man tcpdump for more details.

Jean-Francois

A running pid is a *nix device to see <an id more so> what processes are working on a system. It's like hitting cntrl alt del in windows and seeing whats running only on a more efficent scale. I think it stands for process ID but I could be wrong.