Re: how to sniffer the packages from one computer to another?

From: John T. Hollyoak (john_at_mail.isc.rit.edu)
Date: 09/12/03

  • Next message: Spencer D'oro: "Stop browsing the web through GP?"
    Date: Thu, 11 Sep 2003 18:59:49 -0400
    To: security-basics@securityfocus.com
    
    

    Joe,

    First and foremost, since you are on a Win2k platform, I would recommend
    that you go out and get Ethereal (http://www.ethereal.com). It is a good
    program to use when analyzing packet streams (not packages, per your subject
    :P). It's pretty handy for filtering out specific streams / protocols /
    sources / destinations ... whatever.

    As an example, I would familiarize myself with TCP and UDP (3-way handshake,
    4-way handshake, etc.), learning all the acknowledgement numbers and
    how the packets are sequenced and fit together. A simple Google search
    yields this: http://www.dragonmount.net/tutorials/tcpip/part1/index.php.
    The guy does a decent job of writing up the 3-way handshake.

    It just takes practice, and knowledge of what protocols you are trying to
    see/troubleshoot. If you don't understand the TCP protocol down to the core,
    looking at streams of TCP packets isn't going to make much sense.

    > I would also like to know how to monitor for suspicious traffic?

    For this, I would look into a NIDS or HIDS (network or host intrusion
    detection system). Again, Google will spit up a plethora of information.

    Hope this helps. Feel free to ask any specific questions.

    John

    ----- Original Message -----
    From: <ja5150@optonline.net>
    To: <jvfields@tds.net>; <blinder@cwazy.co.uk>;
    <security-basics@lists.securityfocus.com>
    Sent: Thursday, September 11, 2003 2:21 PM
    Subject: Re: how to sniffer the packages from one computer to another?

    > I am a Network Administrator and a newbie to using packet sniffers. I am
    > currently using a Network Monitor that came with our Win2k server. I need
    > help analyzing the data; does anyone know a book or other material that
    > would help me? I've read a few articles on this site on how to use and
    > read tcpdump. I am currently working on an issue that I have with an
    > application that is running slower on one of our client PCs.
    >
    > I would also like to know how to monitor for suspicious traffic?
    >
    > Joe
    >
    > Original Message:
    > -----------------
    > From: James Fields jvfields@tds.net
    > Date: Tue, 09 Sep 2003 19:26:14 -0400
    > To: blinder@cwazy.co.uk, security-basics@lists.securityfocus.com
    > Subject: Re: how to sniffer the packages from one computer to another?
    >
    >
    > You want to intercept the "packages" (I hope you mean packets) and alter
    > them before they arrive at the destination computer? Simply sniffing will
    > not do the trick - the point of sniffing is not to divert the packets but
    > to capture a copy of them, and usually does not involve putting yourself
    > into the path as one of the actual "hops" between devices.
    >
    > There are some methods of doing this - Ettercap and some other programs
    > will allow you to actually trick the network into diverting packets to your
    > machine and letting you forward them after you have seen them. However, I
    > do not know if those tools allow you to alter the packets in any significant
    > way.
    >
    > We often see messages on this list that sound like people are asking for
    > help with actual hacking, although it is frequently the case that people
    > just want to learn more to secure their own networks. I think if you are
    > going to ask a question like this and expect a more in depth answer, it
    > would be a good idea to give us some background regarding your
    > purpose...intentionally diverting and altering network traffic is not
    > something a security engineer would usually be interested in doing.
    >
    > ----- Original Message -----
    > From: <blinder@cwazy.co.uk>
    > To: <security-basics@lists.securityfocus.com>
    > Sent: Friday, September 05, 2003 7:40 PM
    > Subject: how to sniffer the packages from one computer to another?
    >
    >
    > >
    > > Hey, everyone,
    > > may I know if there is a tool that can sniff the packages from one
    > > computer to another,
    > > and if I want to change the contents of the packages,
    > > what should I do?
    > >
    > > Thanks !
    > >
    >
    > --------------------------------------------------------------------------
    > -
    > > Captus Networks
    > > Are you prepared for the next Sobig & Blaster?
    > > - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
    > > - Precisely Define and Implement Network Security
    > > - Automatically Control P2P, IM and Spam Traffic
    > > FIND OUT NOW - FREE Vulnerability Assessment Toolkit
    > > http://www.captusnetworks.com/ads/42.htm
    >
    > --------------------------------------------------------------------------
    > --
    > >
    > >
    >
    >
    >
    >
    >
    > --------------------------------------------------------------------
    > mail2web - Check your email from the web at
    > http://mail2web.com/ .
    >
    >
    >
    >
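
John's advice above is to learn the 3-way handshake and the acknowledgement numbers well enough that a capture makes sense, and James's point about watching for suspicious traffic follows from the same knowledge. The script below is an added example for this thread, not code from any of the posters: it parses raw IPv4+TCP headers the way a sniffer would hand them over (Ethernet header already stripped, constructed byte strings standing in for a capture), walks each connection through SYN / SYN-ACK / ACK while checking that every ack number is the peer's ISN + 1, and then reports hosts that leave many handshakes incomplete, which is what a SYN scan looks like on the wire. All addresses, ports and sequence numbers are made up for the example.

```python
"""Parse IPv4+TCP packets, verify the 3-way handshake, flag half-open probing.

Added example for the security-basics thread; the packets are constructed
byte strings, not a real capture, and every address/port/ISN is invented.
"""
import struct
from collections import defaultdict

SYN, RST, ACK = 0x02, 0x04, 0x10


def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Pull addresses, ports, seq/ack numbers and flags out of one IPv4+TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4            # IPv4 header length in bytes (low nibble * 4)
    if pkt[9] != 6:                      # IPv4 protocol field: 6 means TCP
        raise ValueError("not a TCP packet")
    tcp = pkt[ihl:]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    return {
        "src": ".".join(map(str, pkt[12:16])),
        "dst": ".".join(map(str, pkt[16:20])),
        "sport": sport, "dport": dport,
        "seq": seq, "ack": ack,
        "flags": off_flags & 0x01FF,     # low 9 bits: NS CWR ECE URG ACK PSH RST SYN FIN
    }


def build(src, dst, sport, dport, seq, ack, flags) -> bytes:
    """Constructed 40-byte IPv4+TCP packet with no payload; checksums left at zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0)
    return ip + tcp


class HandshakeTracker:
    """Walk the SYN / SYN-ACK / ACK exchange and check the sequence numbers line up."""

    def __init__(self):
        self.flows = {}        # (client, cport, server, sport) -> {"state", "cisn", "sisn"}
        self.findings = []     # human-readable anomalies in the number sequence

    def feed(self, p: dict) -> None:
        f = p["flags"]
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])   # key if this is client -> server
        rev = (p["dst"], p["dport"], p["src"], p["sport"])   # key if this is server -> client
        if f & SYN and not f & ACK:                          # step 1: client SYN carries client ISN
            self.flows[fwd] = {"state": "SYN_SENT", "cisn": p["seq"], "sisn": None}
        elif f & SYN and f & ACK:                            # step 2: server SYN-ACK
            st = self.flows.get(rev)
            if st is None:
                self.findings.append(f"SYN-ACK with no preceding SYN from {rev[0]}:{rev[1]}")
            elif p["ack"] != (st["cisn"] + 1) & 0xFFFFFFFF:  # must acknowledge client ISN + 1
                self.findings.append(f"SYN-ACK ack={p['ack']} but client ISN was {st['cisn']} on {rev}")
            else:
                st.update(state="SYN_RECEIVED", sisn=p["seq"])
        elif f & RST:                                        # server refuses: closed port
            st = self.flows.get(rev)
            if st and st["state"] == "SYN_SENT":
                st["state"] = "REFUSED"
        elif f & ACK:                                        # step 3: client ACK completes it
            st = self.flows.get(fwd)
            if st and st["state"] == "SYN_RECEIVED":
                if (p["seq"] == (st["cisn"] + 1) & 0xFFFFFFFF
                        and p["ack"] == (st["sisn"] + 1) & 0xFFFFFFFF):
                    st["state"] = "ESTABLISHED"
                else:
                    self.findings.append(f"final ACK has wrong seq/ack on {fwd}")

    def incomplete(self) -> dict:
        """Flows that never reached ESTABLISHED (half-open or refused)."""
        return {k: st["state"] for k, st in self.flows.items() if st["state"] != "ESTABLISHED"}

    def syn_scan_sources(self, min_ports: int = 5) -> list:
        """Hosts with incomplete handshakes to many distinct ports: the SYN-scan signature."""
        targets = defaultdict(set)
        for (client, _, server, sport), _state in self.incomplete().items():
            targets[client].add((server, sport))
        return sorted(c for c, t in targets.items() if len(t) >= min_ports)


# Constructed traffic (not a real capture): one clean handshake to a web server ...
SAMPLE = [
    build("10.0.0.5", "10.0.0.9", 40000, 80, 1000, 0, SYN),
    build("10.0.0.9", "10.0.0.5", 80, 40000, 5000, 1001, SYN | ACK),
    build("10.0.0.5", "10.0.0.9", 40000, 80, 1001, 5001, ACK),
]
# ... and one host probing six ports, each SYN answered with RST-ACK, nothing completes.
for i, port in enumerate((21, 22, 23, 25, 443, 3389)):
    SAMPLE.append(build("10.0.0.77", "10.0.0.9", 50000 + i, port, 7000 + i, 0, SYN))
    SAMPLE.append(build("10.0.0.9", "10.0.0.77", port, 50000 + i, 0, 7001 + i, RST | ACK))


def analyze(packets=SAMPLE) -> HandshakeTracker:
    """Feed every packet through the tracker and return it for inspection."""
    t = HandshakeTracker()
    for raw in packets:
        t.feed(parse_ipv4_tcp(raw))
    return t


if __name__ == "__main__":
    t = analyze()
    for key, st in t.flows.items():
        print(key, st["state"])
    print("incomplete handshakes:", len(t.incomplete()))
    print("possible SYN scanners:", t.syn_scan_sources())
    print("findings:", t.findings)
```

The check that matters for reading a capture is the one in step 2 and step 3: the SYN-ACK must carry ack = client ISN + 1 and the final ACK must carry seq = client ISN + 1, ack = server ISN + 1, which is exactly the arithmetic Ethereal's relative sequence numbers hide. Feeding a real raw-IP capture is a matter of replacing SAMPLE with the IP-layer bytes of each frame.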
    
