Hi,
How can I put my NIC into monitor mode so that I can sniff the network packets?
I think the term you are looking for is “Promiscuous mode” (unless you are talking Wi-Fi, in which case RF monitoring mode means looking at the raw radio signals). Just about any sniffer should do it for you, I use Ethereal (http://www.ethereal.com/) and Ettercap (http://ettercap.sourceforge.net/).
While Irongeek is right, I seem to remember you are a Windows type so you will need WinPCap drivers.... Google WinPCap and it will be right there.
Good point, here is a link where you can get WinPCap from: http://winpcap.polito.it/
You might also want to look into using Cain: http://www.oxid.it/cain.html
My situation is that I have a router before me. Can I see those packets that are not for me? Or do I just plug my PC directly into the modem? I have tried Ethereal; I can't see packets for others.
Quote:
Originally posted here by Irongeek
I think the term you are looking for is “Promiscuous mode” (unless you are talking Wi-Fi, in which case RF monitoring mode means looking at the raw radio signals). Just about any sniffer should do it for you, I use Ethereal (http://www.ethereal.com/) and Ettercap (http://ettercap.sourceforge.net/).
You'll never see packets that aren't in your collision zone.... You will only see packets that "pass by" your NIC....
As a quick answer, if you want to see the packets on your cable modem's segment you will have to connect your box with the sniffer directly to the modem.
How about in a wireless network? Can I see others' packets too?
Quote:
Originally posted here by Irongeek
As a quick answer, if you want to see the packets on your cable modem's segment you will have to connect your box with the sniffer directly to the modem.
Explain in detail what you are trying to do. You can use sniffers with Wi-Fi cards, but I thought you wanted to sniff what was hitting your cable modem, which is not going to work with a Wi-Fi card.
Penguin:
This is all really rather simple.... You have to be in the same collision zone as the packets you want to see are. Think of it like this:-
Bill has two ways to travel to work, Route 1 and Route 2. If you want to know which days Bill goes to work you have to watch one of the two routes, (you can't be in both places). So you pick route 1 and sit there every morning. If Bill goes along route 1 then you will see him, (you are in his collision zone), but if he takes route 2 you won't, (you are not in his collision zone).
You cannot see packets routed through collision zones that you do not have a sniffer on, otherwise I could sniff packets from your computer to AO if I wanted. If I can get my sniffer onto the route between you and AO then I can, because I have entered the same collision zone that your packets pass through....
Hoping that's clearer than mud..... ;)
OK, maybe I should explain in detail..
I am trying to sniff using my NIC. Initially I had a router in front of me and I sniffed nothing. I also tried what you said, putting the router aside and connecting my modem to my PC directly, but I only sniffed ARP stuff. If I want to go further, I can use nmap to test every single IP address, but I just want to sniff like a dog. So are there any other ways to sniff? By the way, I am using Ethereal 0.9. Don't tell me a later version can do what I want to do..
OK, based on the earlier.. I was thinking of sniffing wireless traffic. I just bought a DWL-G520+ card and installed it in my XP box. I have seen web sites like using a Prism2 chipset card. I don't even know what the chipset of my Wi-Fi card is. So how do I go about sniffing?
You sniff with a Wi-Fi card the same way you do with a regular Ethernet card. As for the cable modem sniffing, maybe ARP packets are the only traffic going on, the modem has some filtering abilities or it's just not hooked up right.
OK... On your cable/DSL you are removed from the collision zone of the other users by the modem itself which is why you only see broadcast traffic. You would have to get outside your modem to be able to sniff anything that isn't for your computer.
The wireless card may or may not work to sniff depending upon whether it can be placed in promiscuous mode _and_ depending on whether there are others on the same WAP as you or have an ad-hoc network running between you and them. You need to research your card to discover whether it can even be placed into promiscuous mode. If it can't then forget it.
According to a quick search on google your Wi-fi card uses the Atheros chipset.
Which is compatible with Netstumbler and all the other sniffing tools out there IIRC.
Quote:
According to a quick search on google your Wi-fi card uses the Atheros chipset.
Are you sure that's completely true? I seem to recall hooking my laptop up straight to the modem and being able to see other traffic.
Quote:
Originally posted here by Tiger Shark
OK... On your cable/DSL you are removed from the collision zone of the other users by the modem itself which is why you only see broadcast traffic. You would have to get outside your modem to be able to sniff anything that isn't for your computer.
Iron: I have had several modems and all but the very first couple filter the traffic inbound. Also, are you sure the traffic wasn't destined for you from local machines..... You will pick up a lot of crap if you have skiddies in the neighborhood or if there is a major worm on the prowl.
Then again, I haven't tried sniffing my local subnet for a year or two... maybe something changed but it would have been a retro step which doesn't seem logical. I also read somewhere ages ago about how you could get onto certain modems and remove the filter but, just like uncapping your bandwidth, your ISP can detect it and will cut you off.....
I'll have to try again tonight. The data I remember was not to or from my home LAN.
Kewl.... You can sniff the photos that hottie down the street is sending to her boyfriend.... ;)
Quote:
I'll have to try again tonight. The data I remember was not to or from my home LAN.
I'm not 100% certain about this because it is a long time since I did it last but IIRC, I couldn't see anything except broadcast traffic on Comcast Cable. I have a hub outside my firewall that is there simply so that I can sniff packets that the firewall is dropping if I want to. I do remember years ago that I was able to see all the traffic but I believe they changed that a couple or more years ago..... Maybe it's just a localized thing.... I'll try it again when I get home.
I'm on Insight Cable, so they may not have the same policies.
Another thing I want to ask is whether I need to 'open' up my wireless card in order to see others' packets, or just buy a Prism chipset card, then install Ethereal and that's it, I can see others' network packets?
I'd just get a cheapie Prism card and not worry about it. They are not the best, but good enough and just about everything seems to support them. About a year ago I got two from Tiger direct for about $10 each, they were Speedstream brand with a Prism chipset. Check out what cards you can get cheap by using Froogle, Pricewatch and Newegg then do a Google search to find out what chipset they have and how well supported they are.
OK Iron....
Comcast Cable, or at least, Comcast with the modem I currently have filters traffic not for me at the modem. I ran for about 5 minutes and I saw packets for my IP from "the world", broadcast packets from within the Comcast network and a lot of UDP traffic on the 10.0.0.0 network much of it being from what I guess is an "is it still there" broadcast from my cable modem, (I know the modems are on the 10.0.0.0 subnet).
Did you try yours yet?
Damn, I went for a beer (cider in my case) after work and forgot about it. I'll attempt to remember to try it soon and let you know.
I did the test today. After doing some further checking, it would seem you are correct Tiger Shark. Even if I was able to sniff my cable segment before (which I’m not sure I could) I can’t now. All the traffic I see is either ARP broadcasts, stuff I’m sending or traffic meant for me. I admit I was mistaken.
Hey, NP.... I could sniff everyone 5 or 6 years ago if I wanted..... I guess they wised up to it and changed the modems.
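Added example, not part of any post in the thread: a small Python classifier that sorts captured Ethernet II frames by destination relative to the capturing NIC, to show the difference the thread arrives at between a filtered segment (broadcasts, your own traffic, traffic meant for you) and a shared one such as a hub. All MAC addresses, frames and function names are constructed for illustration.

```python
import struct
from collections import Counter

BROADCAST = b"\xff" * 6
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800

def classify(frame: bytes, my_mac: bytes) -> str:
    """Classify one Ethernet II frame relative to the capturing NIC."""
    if len(frame) < 14:                      # header is dst(6) src(6) type(2)
        return "truncated"
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if src == my_mac:
        return "sent-by-me"
    if dst == BROADCAST:
        return "arp-broadcast" if ethertype == ETHERTYPE_ARP else "broadcast"
    if dst[0] & 0x01:                        # I/G bit set: group address
        return "multicast"
    if dst == my_mac:
        return "unicast-to-me"
    return "unicast-to-other"                # only visible on a shared segment

def summarize(frames, my_mac):
    """Count frames per class for a whole capture."""
    return dict(Counter(classify(f, my_mac) for f in frames))

def segment_is_shared(frames, my_mac):
    """True if the capture holds unicast traffic between other hosts."""
    return summarize(frames, my_mac).get("unicast-to-other", 0) > 0

def make_frame(dst, src, ethertype, payload=b"\x00" * 46):
    """Build a constructed frame: 14-byte header plus a dummy payload."""
    return struct.pack("!6s6sH", dst, src, ethertype) + payload

# Constructed sample data: locally administered MAC addresses, dummy payloads.
ME = bytes.fromhex("020000000001")
HOST_A = bytes.fromhex("020000000002")
HOST_B = bytes.fromhex("020000000003")
GATEWAY = bytes.fromhex("0200000000fe")

FILTERED_CAPTURE = [                         # what a filtering modem lets through
    make_frame(BROADCAST, GATEWAY, ETHERTYPE_ARP),
    make_frame(BROADCAST, HOST_A, ETHERTYPE_ARP),
    make_frame(ME, GATEWAY, ETHERTYPE_IPV4),
    make_frame(GATEWAY, ME, ETHERTYPE_IPV4),
]
HUB_CAPTURE = FILTERED_CAPTURE + [           # same, plus other hosts' unicast
    make_frame(HOST_B, HOST_A, ETHERTYPE_IPV4),
    make_frame(HOST_A, HOST_B, ETHERTYPE_IPV4),
]

if __name__ == "__main__":
    for name, cap in (("filtered", FILTERED_CAPTURE), ("hub", HUB_CAPTURE)):
        print(name, summarize(cap, ME), "shared:", segment_is_shared(cap, ME))
```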