Re: packet sniffing help needed.



In order to sniff traffic between the two victims, you'd have to have
the sniffer on the same physical network. But if the network is
switched, you'd need to be on the same physical segment. However,
there are some sniffers that allow sniffing on a switched network
using ARP spoofing and such. If you are trying to sniff between two
victims over the internet, I don't believe that would be very feasible
unless you could get the sniffer on some backbone line between the two
victims. Over the internet, there are just too many paths the traffic
can take between the two to reliably try sniffing. Does that make any
sense?


On 12/6/05, Mark Knowles <ghooti@xxxxxxxxxxxxxx> wrote:
> Hi all,
>
> I have been thinking about packet sniffing and packet capture - it is
> because of all of those alerts in IE - you know the ones - This page
> is not encrypted and a 3rd party might be listening.
>
> I have been doing some googling and not really found much, but then
> I am not too sure what I am looking for.
>
> This is the setup I want to explore.
>
> Comp1(victim1) = Windows XP box, Connected via dial up to a free ISP
> Comp2(attacker) = Windows/*nix, connected via broadband to different
> ISP than comp1
> Comp3(webserver/victim2)
>
> C1< ----- > C3
>
> C2---¦
>
> The image above is my attempt at ASCII art - I suppose it represents
> the old style wiretap method, where C1 and C3 communicate unaware that
> their data is being listened to by C2. C2 has no power to modify the
> information.
>
> Is this sort of sniffing possible? or would it have to be more like
>
> C1 < --- > C2 < --- > C3
>
> Which is how I see MITM attacks working. - I suppose this would be
> akin to having the telephone operator relay the message, or a language
> interpreter changing the message between clients.
>
> I am currently only looking for http data, although I am assuming
> that I will have to filter that after I have gotten it all.
>
> I do not want to mess with the data, I would just like to view it.
> Would this still count as a MITM attack?
>
> I know it's all a bit Hollywood, but I am really curious to see what
> information I am transmitting (non https) - and what those warnings
> really mean, are they of the McDonald$ coffee "caution contents is
> hot" type thing? which I have to say is how I view them. I understand
> how proxies cache and transmit data - are the warnings just about
> them?
>
> Any advice/ideas/whacking with a lart/etc, greatly received :)
>
> Thanks,
>
> Mark.
>


--
Dallas Jordan CCNA, CISSP


