-
April 18th, 2003, 06:22 PM
#1
Packet sniffing.
A packet sniffer is a wiretap that eavesdrops network traffic.
Now as you have read in the TCP tutorial, packets travel through the internet individually. They contain lots of info. Once it hits the wires it is mere pulses. Most packet sniffers work at the ethernet level of the network.
Ethernet defines the way the data gets transmitted and sniffers catch this.
Ethernet actually uses sublayers to transmit data.
The physical takes care of the wires.
The logical retransmits data if necessary.
The MAC is responsible for the formatting of the data once it hits the wires.
Now you have probably heard the term MAC before but what exactly is it?
MAC stands for Media Access Control. Your ethernet adapter has an ethernet (MAC) address.
In Windows you can check this by typing 'winipcfg' from a run box and choosing the appropriate network adapter (ipconfig /all for NT). This address is a 48 bit number, displayed in hex. The number is divided into two sections and should provide a unique address for every network adapter.
The first half identifies the manufacturer of the NIC and the second provides a serial number.
Now once an ethernet packet enters the wires it contains the following data:
- Source MAC
- Destination MAC
- HEX code
- IP packet
- CRC
Explanation follows:
Simple.
The source and destination MAC should be clear.
The HEX code contains hexadecimal values so that the receiving computer knows what to do with it.
(Note: ethernet works with different protocols like NetBEUI and IPX/SPX.)
The IP packet is the encapsulated "".
CRC, Webopedia says this:
Abbreviation of cyclic redundancy check, a common technique for detecting data transmission errors.
More.
TCP/IP decides, after negotiation, how to transmit data and then turns packets over to ethernet. Ethernet puts the right wrappings around it and sends it to the next destination. Once a packet hits the next destination, ethernet deciphers it and hands over control to the appropriate protocol. It might be forwarded, the protocol decides.
The Address Resolution Protocol, which is defined in: (RFCs are available from rfc-editor.org), might be worth checking out.
Typing arp -a from a command prompt gives you some information too.
So once a packet hits the ethernet wires it looks like this:
[ethernet[ip[tcp]]].
Packets vary in size. Sniffing on complete packets would not be a logical thing to do.
There are various reasons you would like to sniff the network:
- Intrusion detection
- Network fault analysis
- Spying on conversation
- Stealing passwords
- Curiosity
Now normally when your box receives a packet that should be forwarded, that is the only thing done. A sniffer will capture data for analysis and send it through to the destination anyway. That makes it hard to detect sniffer attacks. A well-placed sniffer can collect tons of valuable information. You could for example use a sniffer to find out what data you transmit to MS when you use Update.
Now any good sniffer will decode the packets it filters for you and give you somewhat readable text. It will help you a great deal if you know your way around the various number systems as well as ASCII.
To use a sniffer to attack somebody you will have to break in on the conversation somewhere.
That means either the victim's or the victim's ISP's computer.
Setting up an ICMP redirect could also do the trick.
Different protocols send passwords in clear text over the wires. These include:
Ftp
Telnet/rlogin
Http
POP.
Now to get you started you could get Windump, which is the Windows port of the popular Unix-based Tcpdump.
Windump is available from http://windump.polito.it
It comes as source code distribution as well as binary.
Read the online manual for the parameters.
For a quick start: 'windump -D' (gives you the available adapters), 'windump -i 1' (starts windump with the first listed adapter).
Now after you capture packets you will have to use some sort of protocol analyzer to decode it.
Some sniffers include these where others do not.
Here are some sources where you can obtain packet sniffers (MS-DOS/Windows):
ethereal: http://www.ethereal.com/
etherpeek: http://www.wildpackets.com/
gobbler: http://nmrc.org/files/msdos/gobbler.zip
ethload: ftp://ftp.simtel.net/pub/simtelnet/m...n/ethld200.izp
(linux):
tcpdump: http://www.tcpdump.org/
LinSniff: http://packetstorm.securify.com/
There are lots more but this will get you going.
Recommended reading:
RFC's
TCP illustrated.
OSI reference.
sniffing-faq.html
That concludes it.
Note that this was written to give a primer on the workings of packet sniffing.
I do not encourage illegal activity nor take responsibility for actions taken after reading this text.
noODle
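As an added example (not part of noODle's post or of any tool listed above), here is a Python decoder for the [ethernet[ip[tcp]]] nesting described in the tutorial, run over a frame constructed inline; on the wire the destination MAC precedes the source MAC, and the trailing CRC is normally stripped by the NIC before a sniffer sees the frame. It also flags the cleartext-password protocols listed above (FTP, Telnet, HTTP, POP) on their default ports, the way a detection rule would.

```python
import struct

# Constructed sample frame (not a real capture): Ethernet II header, minimal
# IPv4 header, minimal TCP header, then an FTP login as the payload.
def build_sample_frame() -> bytes:
    dst_mac = bytes.fromhex("001122334455")
    src_mac = bytes.fromhex("66778899aabb")
    ethertype = b"\x08\x00"                      # 0x0800 = IPv4
    payload = b"USER alice\r\nPASS s3cret\r\n"    # constructed FTP login
    # src port, dst port 21 (FTP), seq, ack, data offset 5 words, PSH|ACK,
    # window, checksum (0, not computed here), urgent pointer
    tcp = struct.pack("!HHIIBBHHH", 40000, 21, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    # version 4 / IHL 5, TOS, total length, id, flags+frag, TTL, proto 6 = TCP,
    # checksum (0 here), src IP, dst IP
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 7]), bytes([10, 0, 0, 1]))
    return dst_mac + src_mac + ethertype + ip + tcp + payload

# Protocols named in the tutorial that carry credentials in the clear.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 110: "pop3"}

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def decode_frame(frame: bytes) -> dict:
    """Peel the ethernet, IP and TCP wrappings and flag cleartext logins."""
    dst, src = frame[:6], frame[6:12]
    etype = struct.unpack("!H", frame[12:14])[0]
    # First 24 bits of the MAC are the manufacturer (OUI), the rest the serial.
    info = {"dst_mac": mac_str(dst), "src_mac": mac_str(src),
            "oui": mac_str(src[:3]), "ethertype": etype}
    if etype != 0x0800:                          # only decode IPv4 here
        return info
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                     # IP header length in bytes
    info["src_ip"] = ".".join(map(str, ip[12:16]))
    info["dst_ip"] = ".".join(map(str, ip[16:20]))
    info["proto"] = ip[9]
    if ip[9] != 6:                               # 6 = TCP
        return info
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4                # TCP header length in bytes
    payload = tcp[data_off:]
    info.update(src_port=sport, dst_port=dport, payload=payload)
    svc = CLEARTEXT_PORTS.get(dport)
    upper = payload.upper()
    if svc and (b"PASS " in upper or b"AUTHORIZATION: BASIC" in upper):
        info["alert"] = f"cleartext {svc} login from {info['src_ip']}"
    return info
```

Hook decode_frame up to a real capture and the alert field is what an intrusion-detection rule for the protocols above amounts to.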
-
April 19th, 2003, 01:23 PM
#2
Hey noOdle, have you played with Ettercap yet? That's an evil sniffer.
And to anyone that uses it, I strongly recommend to NOT use it on your ISP, school, etc. This is one of those "guaranteed-to-get-you-in-jail-things".
-
April 19th, 2003, 01:28 PM
#3
I have not used it yet. Thanks for pointing me to it.
I read some about it the other day on AO.
I will definitely try it, without getting into trouble of course.
-
April 19th, 2003, 03:46 PM
#4
Ethereal and NAI's Sniffer pro are both nice packet sniffers. Ethereal is a GUI based sniffer that uses TCPDump commands. Sniffer Pro is a boku dolares sniffer (about 25k if memory serves) but quite nice.
Ettercap, as pointed out, is *most* impressive too. I have used it to do network discovery and mapping and it does a nice job of it. The sourceforge folks have some great GNU software.
My two cents...
--TH13
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
April 20th, 2003, 12:10 AM
#5
Originally posted here by MsMittens
Hey noOdle, have you played with Ettercap yet? That's an evil sniffer.
And to anyone that uses it, I strongly recommend to NOT use it on your ISP, school, etc. This is one of those "guaranteed-to-get-you-in-jail-things".
Uppppssy... I've been playing around with ettercap on my FreeBSD laptop (about 1 month now). Yes I know, it's very interesting watching connections, etc.
Thanks for that "scary notice" Ms Mitten... I didn't realise I can go to jail! (wow, that's not fun at all...) I am going to "deinstall that cool toy" right now.
Cheers
-
August 21st, 2008, 06:05 PM
#6
Junior Member
msmittens would you kindly help on installing the ettercap
-
August 21st, 2008, 06:22 PM
#7
Wow. This is an old thread.. Phoenix: what are you installing on?
-
April 15th, 2011, 10:02 PM
#8
Junior Member
Hello, I am new, bringing the post back from the dead if it's alright, rather than make a new one. I've got Ettercap running on one machine in my LAN lab. Basically the LAN is 2 hosts connected to a switch which is connected to a router that can go to another network. I use the command sudo ettercap -i eth0 -T -M ARP /10.0.0.1/ /10.0.0.7/, .1 being the default gateway and .7 being the other machine on the LAN. When running the command I am only getting these packets: UDP 10.0.0.1:520 --> 255.255.255.255:520, which looks like some kind of layer 3 broadcast address from the DG. Wondering what I need to do to get this working as I am new... I've tried dumping the ARP cache on both router and host and still nothing... thanks for the help... and shoutout to irongeek for the tut.
-
April 18th, 2011, 06:38 AM
#9
Junior Member
-
May 17th, 2011, 10:17 AM
#10
 Originally Posted by phoenixBIT
msmittens would you kindly help on installing the ettercap
Is she even around anymore?
Every now and then, one of you won't annoy me.