
Thread: packet sniffing remote computer

  1. #1
    Member
    Join Date
    Apr 2003
    Posts
    95

    packet sniffing remote computer

    Just been playing about with a packet sniffer (Ethereal) and I'm amazed by the things it pulls up. I was wondering if it's possible to packet sniff a remote computer. I know you could have a computer in promiscuous (spelling?) mode on a LAN, but could a cracker sniff packets from my computer over the internet? lol, doing this has really made me realise the importance of encryption.

  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    You could try to use an ssh tunnel.

    Something like

    # ssh some.host tcpdump -w - | tcpdump -r -

    Please note that if you have just 1 NIC on the remote host you will also sniff your own ssh session.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #3
    Member
    Join Date
    Apr 2003
    Posts
    95
    Aha, thx SirDice, I will try that.

  4. #4
    Senior Member
    Join Date
    Oct 2002
    Posts
    314
    As far as I am aware the answer is no, you cannot do that unless you can get on the connection before it leaves the external router, as once it does that then who knows where it will go. So to sniff traffic coming from someone somewhere else either take over their computer, or a network device that they go through, otherwise it won't work.
    Quis custodiet ipsos custodes

  5. #5
    Junior Member
    Join Date
    Apr 2003
    Posts
    3
    Absolutely correct, you cannot sniff a remote machine because you can't see the traffic because by default routers break the broadcast domains. So you can only see the traffic on your side of a router.

    Now if you have a DSL or Cable connection and DHCP with only 1 IP address from your ISP how can you sniff the, for want of a better term, local subnet from your ISP?

    Do this (assuming you have a 2nd router of your own doing NAT so you can have several PCs sharing your single IP):

    You must place the sniffer just behind the cable modem/DSL router to see traffic there. In order to do this you must set up a PC with two NICs and configure it to accept traffic from the cable modem/DSL router on the 1st NIC. Then sniff all traffic and pass thru all ports to the 2nd NIC. Then connect your internal router to the 2nd NIC and configure it to accept that as input (WAN side). This is easily done with a cheap Linux box.

    Basically you've turned the PC into a router that will passthru all traffic for your IP, but will sniff all traffic on your ISP's local subnet. The configuration looks like this:

    internet<--->cable modem<--->1st NIC in (Router PC) 2nd NIC out <---> Internal Router<--->other PCs you own

    Now you will only see traffic on your ISP's local subnet for your loop. That may be anywhere from 1 to several thousand PCs. Be aware that it *is* possible for them to detect you, or any passive sniffer. Also many ISPs are isolating by creating small subnets to minimize home sniffers.

  6. #6
    Member
    Join Date
    Apr 2003
    Posts
    95
    thanks for clearing that up

  7. #7
    Senior Member
    Join Date
    Dec 2003
    Location
    Pacific Northwest
    Posts
    1,675
    well done Daremo,

    By some means you must be on the same network! How you get there determines how long you and the jailer have a relationship.

  8. #8
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    To clear things up a bit more... it depends on how the segment is set up.

    Example:

    PCs into a hub, you can sniff everything, because the hub is more of a "multiport repeater" and will forward all traffic, regardless of the MAC address.

    PCs into an unmanaged switch, you can only sniff traffic that is directed towards your PC.
    These switches will only forward traffic destined for your MAC address.
    You can "force" it to act more like a hub by arp spoofing/flooding. Effectively turning the switch into a hub. Look into something like "dsniff" or "ettercap" for this.

    PCs into a managed switch, you can configure a port to mirror other ports, so it'd act like a switch on every port except for the ports you configure to forward all traffic to.

    Any device your traffic goes through... routers, proxy servers, etc. can have a sniffer installed on it. Meaning, they can capture some or all of your traffic through that specific device. An example of this would be something like Carnivore, which is basically just a machine whose purpose is nothing but grabbing a copy of your traffic (if you are under investigation... of course). I don't know much about Carnivore other than that... Another example would be a honeypot/honeynet.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
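
Added example, not part of any post in this thread: a defender's check for the two behaviours post #8 describes on a switched segment, an IP address whose MAC binding changes (ARP spoofing) and one switch port sourcing a burst of distinct MACs (flooding that makes a switch forward like a hub). The record layout, thresholds and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample observations (not from the thread): records a monitoring
# point might export as (seconds, switch_port, sender_ip, sender_mac).
SAMPLE = [
    (0.0, 1, "192.168.1.1",  "00:11:22:33:44:01"),   # gateway announces itself
    (1.0, 2, "192.168.1.10", "00:11:22:33:44:10"),
    (2.0, 3, "192.168.1.20", "00:11:22:33:44:20"),
    (5.0, 3, "192.168.1.1",  "00:11:22:33:44:20"),   # port 3 now claims the gateway IP
    (6.0, 1, "192.168.1.1",  "00:11:22:33:44:01"),   # real gateway answers again
]
# Constructed flood: port 4 sources 200 different MACs within two seconds.
SAMPLE += [(10.0 + i * 0.01, 4, "0.0.0.0", "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF))
           for i in range(200)]

def detect(observations, flood_macs=100, flood_window=5.0):
    """Return (spoof_alerts, flood_ports).

    spoof_alerts: list of (time, ip, known_mac, new_mac) where an IP address
                  was claimed by a MAC different from the first one seen.
    flood_ports:  sorted switch ports that sourced more than `flood_macs`
                  distinct MACs inside any `flood_window` seconds.
    """
    first_mac = {}                      # ip -> MAC first seen for it
    per_port = defaultdict(list)        # port -> [(time, mac), ...]
    spoof_alerts, flood_ports = [], set()
    for ts, port, ip, mac in sorted(observations):
        mac = mac.lower()
        if ip != "0.0.0.0":             # records without a sender IP bind nothing
            known = first_mac.setdefault(ip, mac)
            if known != mac:
                spoof_alerts.append((ts, ip, known, mac))
        seen = per_port[port]
        seen.append((ts, mac))
        # Drop entries that fell out of the sliding window.
        while seen and seen[0][0] < ts - flood_window:
            seen.pop(0)
        if len({m for _, m in seen}) > flood_macs:
            flood_ports.add(port)
    return spoof_alerts, sorted(flood_ports)

if __name__ == "__main__":
    spoofs, floods = detect(SAMPLE)
    for ts, ip, known, new in spoofs:
        print(f"[{ts:6.1f}s] {ip} moved from {known} to {new}: possible ARP spoofing")
    for port in floods:
        print(f"port {port}: MAC flood, switch may start forwarding like a hub")
```

The first-seen binding is trusted here, so a legitimate NIC replacement also raises an alert and needs a manual reset of that entry.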
