
Wireshark results


8 replies to this topic

#1 mystiques

mystiques

    I broke 10 posts and all I got was this lousy title!

  • Members
  • 17 posts
  • Gender:Female

Posted 25 June 2010 - 12:59 AM

Hi guys!

I have been using Wireshark to sniff my LAN, and I tried to chat with one of my housemates to see if I could get the conversation, but weirdly enough I could only see my conversation and not hers on MSNMS.

Second, when I want to sniff the packets on my LAN, I can only capture my packets but not the other clients'.

My network interface card is in promiscuous mode; it's just that I don't understand where the mistake is.

#2 sartre

sartre

    I broke 10 posts and all I got was this lousy title!

  • Members
  • 12 posts
  • Gender:Male
  • Location:Los Angeles

Posted 28 June 2010 - 10:57 AM

> Hi guys!
>
> I have been using Wireshark to sniff my LAN, and I tried to chat with one of my housemates to see if I could get the conversation, but weirdly enough I could only see my conversation and not hers on MSNMS.
>
> Second, when I want to sniff the packets on my LAN, I can only capture my packets but not the other clients'.
>
> My network interface card is in promiscuous mode; it's just that I don't understand where the mistake is.


A few questions:

1. Are you on a switched network or a hub? There's a monumental difference when sniffing traffic. On a switched network you won't be able to sniff ALL traffic, just traffic inbound/outbound on your port. In a hub network, you'll be able to see ALL traffic since the hub is just a layer one repeater (i.e., everything is broadcast to all ports). I would suggest learning more about the differences between layer one and layer two.

2. When you write about the MSN conversation: are you stating you did not see your housemate's replies to your machine, or something else? Did you use the TCP Stream feature in Wireshark to examine the entire conversation? Were you mistakenly filtering the display to your IP only?

Sartre
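Added example (not from any poster): a small simulation of sartre's point 1. A hub repeats every frame to every other port, while a learning switch builds a MAC-to-port table and delivers known unicast frames only to the owner's port, flooding only broadcasts and unknown destinations. Running a "sniffer" on one port of each device shows exactly which frames it gets to see. All MAC addresses and traffic are constructed.

```python
"""Hub vs. learning switch: which frames reach a sniffer's port.

Constructed example. A hub is a layer-one repeater (no addressing), a
switch is a layer-two device that learns where each MAC lives and only
floods when it has to (broadcast or unknown destination).
"""
from typing import Dict, List, Set, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"
Frame = Tuple[int, str, str]  # (ingress port, src MAC, dst MAC)


class Hub:
    """Layer-one repeater: every frame goes out every other port."""

    def __init__(self, port_count: int) -> None:
        self.ports = range(port_count)

    def forward(self, in_port: int, src: str, dst: str) -> Set[int]:
        return {p for p in self.ports if p != in_port}


class LearningSwitch:
    """Layer-two switch with a MAC-to-port (CAM) table."""

    def __init__(self, port_count: int) -> None:
        self.ports = range(port_count)
        self.cam: Dict[str, int] = {}

    def forward(self, in_port: int, src: str, dst: str) -> Set[int]:
        self.cam[src] = in_port  # learn the sender's port
        if dst != BROADCAST and dst in self.cam:
            out = self.cam[dst]
            return set() if out == in_port else {out}
        # Broadcast or not-yet-learned destination: flood like a hub.
        return {p for p in self.ports if p != in_port}


def seen_by_sniffer(device, sniffer_port: int, frames: List[Frame]) -> List[int]:
    """Indexes of frames a capture on sniffer_port would record
    (its own transmissions plus whatever the device delivers to it)."""
    seen = []
    for i, (in_port, src, dst) in enumerate(frames):
        delivered = device.forward(in_port, src, dst)
        if in_port == sniffer_port or sniffer_port in delivered:
            seen.append(i)
    return seen


# Constructed topology: port 0 = gateway, port 1 = housemate, port 2 = sniffer.
GW, MATE, ME = "aa:aa:aa:aa:aa:00", "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"
FRAMES: List[Frame] = [
    (1, MATE, BROADCAST),  # 0: housemate's ARP request (broadcast)
    (0, GW, MATE),         # 1: gateway answers the housemate
    (1, MATE, GW),         # 2: housemate -> gateway
    (0, GW, MATE),         # 3: gateway -> housemate
    (2, ME, GW),           # 4: the sniffer's own traffic
    (0, GW, ME),           # 5: reply to the sniffer
]

if __name__ == "__main__":
    print("hub    sees:", seen_by_sniffer(Hub(3), 2, FRAMES))
    print("switch sees:", seen_by_sniffer(LearningSwitch(3), 2, FRAMES))
```

On the hub the sniffer port records all six frames; on the switch it records only the broadcast (frame 0) and its own conversation (frames 4 and 5), which is the "just traffic inbound/outbound on your port" behaviour described above.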

#3 n3xg3n

n3xg3n

    "I Hack, therefore, I am"

  • Members
  • 960 posts
  • Gender:Male
  • Location:(703)

Posted 28 June 2010 - 01:03 PM

You're probably not seeing the packets because they aren't being routed through your computer. Since this is a wired setup you will probably have to do something like ARP poisoning[1][2] to make their machine think that you are the gateway and make the gateway think that you are their machine. Once this route is set up, simply have your computer act as a router and faithfully pass the packets between them and the gateway. Now that the packets are flowing through you, you will be able to sniff them.

Here is a fairly good overview of the process (published in 2001, but the principle remains the same): Introduction to ARP Poison Routing.
I also touched on this (albeit not in depth) in this post on BinRev which might interest you.
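Added example (not from any poster, and not an implementation of the technique above): the defender's view of what n3xg3n describes. When a host lies about who owns the gateway's IP, the ARP replies on the segment start disagreeing with each other, so the standard detection (the approach tools like arpwatch take) is to track the IP-to-MAC binding learned from each ARP reply and alert when a binding changes, when a reply contradicts a known static entry, or when one MAC starts claiming several IPs. The ARP reply records below are constructed.

```python
"""Spotting ARP cache poisoning from observed ARP replies.

Constructed example. Each record is (timestamp, sender IP, sender MAC)
as it would be read from an ARP reply seen on the wire.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

ArpReply = Tuple[float, str, str]
Alert = Tuple[float, str, str]  # (timestamp, ip, reason)

# Constructed sample: .1 is the gateway, .20 the housemate, :99 an unknown host.
ARP_REPLIES: List[ArpReply] = [
    (1.0, "192.168.1.1", "00:11:22:33:44:01"),   # gateway announces itself
    (1.5, "192.168.1.20", "00:11:22:33:44:20"),  # housemate
    (2.0, "192.168.1.1", "00:11:22:33:44:01"),
    (5.0, "192.168.1.1", "00:11:22:33:44:99"),   # another MAC claims the gateway IP
    (5.5, "192.168.1.20", "00:11:22:33:44:99"),  # ...and the housemate's IP too
    (6.0, "192.168.1.1", "00:11:22:33:44:01"),   # the real gateway answers again
]


def detect_arp_conflicts(
    replies: List[ArpReply], trusted: Optional[Dict[str, str]] = None
) -> Tuple[List[Alert], Dict[str, Set[str]]]:
    """Return (alerts, ips_with_multiple_claimants).

    trusted: optional static IP->MAC entries (for example the known gateway);
    any reply that disagrees with one is flagged straight away.
    """
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    bindings: Dict[str, str] = {}          # last MAC seen for each IP
    claimants: Dict[str, Set[str]] = defaultdict(set)
    alerts: List[Alert] = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        claimants[ip].add(mac)
        if ip in trusted and trusted[ip] != mac:
            alerts.append((ts, ip, f"reply from {mac} contradicts static entry {trusted[ip]}"))
        elif ip in bindings and bindings[ip] != mac:
            alerts.append((ts, ip, f"binding changed {bindings[ip]} -> {mac}"))
        bindings[ip] = mac
    conflicts = {ip: macs for ip, macs in claimants.items() if len(macs) > 1}
    return alerts, conflicts


def macs_claiming_multiple_ips(replies: List[ArpReply]) -> Dict[str, Set[str]]:
    """One MAC answering for several IPs is a strong poisoning indicator."""
    ips: Dict[str, Set[str]] = defaultdict(set)
    for _, ip, mac in replies:
        ips[mac.lower()].add(ip)
    return {mac: s for mac, s in ips.items() if len(s) > 1}


if __name__ == "__main__":
    found, conflicting = detect_arp_conflicts(
        ARP_REPLIES, trusted={"192.168.1.1": "00:11:22:33:44:01"}
    )
    for ts, ip, reason in found:
        print(f"t={ts:4.1f} {ip:14} {reason}")
    print("IPs with more than one claimant:", conflicting)
    print("MACs claiming several IPs:", macs_claiming_multiple_ips(ARP_REPLIES))
```

With the gateway pinned as a static entry, the reply at t=5.0 is flagged immediately rather than only on the next change; the t=6.0 alert (the real gateway reasserting itself) is the flapping a poisoned segment typically shows. The usual mitigations are static ARP entries for the gateway on sensitive hosts and dynamic ARP inspection on managed switches.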

#4 mystiques

mystiques

    I broke 10 posts and all I got was this lousy title!

  • Members
  • 17 posts
  • Gender:Female

Posted 29 June 2010 - 11:17 AM

I am on a wireless network not connected to any hub or switch, and I think the main reason would be that I haven't done ARP poisoning; that's why.

Coz to be honest, I hadn't thought that I needed to do ARP poisoning. I just thought that I could grab the packets from other computers on my wireless LAN without poisoning.

Question
> 2. When you write about the MSN conversation: are you stating you did not see your housemate's replies to your machine, or something else? Did you use the TCP Stream feature in Wireshark to examine the entire conversation? Were you mistakenly filtering the display to your IP only?

Yes, I didn't see my housemate's replies to my machine. Yes, I did use the TCP stream feature to examine the entire conversation. I don't think that I was mistakenly filtering the display to my IP only.

#5 sartre

sartre

    I broke 10 posts and all I got was this lousy title!

  • Members
  • 12 posts
  • Gender:Male
  • Location:Los Angeles

Posted 29 June 2010 - 01:21 PM

> I am on a wireless network not connected to any hub or switch, and I think the main reason would be that I haven't done ARP poisoning; that's why.
>
> Coz to be honest, I hadn't thought that I needed to do ARP poisoning. I just thought that I could grab the packets from other computers on my wireless LAN without poisoning.
>
> Question
> > 2. When you write about the MSN conversation: are you stating you did not see your housemate's replies to your machine, or something else? Did you use the TCP Stream feature in Wireshark to examine the entire conversation? Were you mistakenly filtering the display to your IP only?
>
> Yes, I didn't see my housemate's replies to my machine. Yes, I did use the TCP stream feature to examine the entire conversation. I don't think that I was mistakenly filtering the display to my IP only.


WiFi is essentially an extended layer 2 environment that operates somewhat like a hub in that all of the traffic is taking place on one "port" (or, more specifically, a radio). Yes, you should be able to see all of the traffic without poisoning the ARP cache because you can "see" the frames before they hit the radio. You're sniffing the air, not the wire.

Do you have WEP or WPA enabled? Did you have Wireshark watching the correct interface?

I'm assuming your housemate was on the same wifi. Did you see their IP at all in the trace?

#6 mystiques

mystiques

    I broke 10 posts and all I got was this lousy title!

  • Members
  • 17 posts
  • Gender:Female

Posted 30 June 2010 - 04:22 PM

Do you have WEP or WPA enabled? WPA
Did you have Wireshark watching the correct interface? Yes

I'm assuming your housemate was on the same wifi. Did you see their IP at all in the trace? How can I see their IP traces?

#7 sartre

sartre

    I broke 10 posts and all I got was this lousy title!

  • Members
  • 12 posts
  • Gender:Male
  • Location:Los Angeles

Posted 01 July 2010 - 09:51 AM

> Do you have WEP or WPA enabled? WPA
> Did you have Wireshark watching the correct interface? Yes
>
> I'm assuming your housemate was on the same wifi. Did you see their IP at all in the trace? How can I see their IP traces?


How are you going to sniff WPA traffic?

No, not their IP traces...their IP in your traces!

Sartre

#8 SchippStrich

SchippStrich

    SUP3R 31337 P1MP

  • Members
  • 293 posts
  • Gender:Male
  • Location:USA

Posted 14 July 2010 - 01:39 PM

Whether this is or isn't the problem, here's something to think about also...

I'm not sure how the MSN protocol works but it would be something to look into.
For instance it could send your chat messages to a server and then your friend would pick them up from the server.
This would require more than one TCP stream.

Edited by SchippStrich, 14 July 2010 - 01:41 PM.
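Added example (not from any poster): what SchippStrich's point looks like in a capture. The function below does the same grouping as Wireshark's "Follow TCP Stream": it keys packets by their (direction-independent) pair of endpoints. If a chat service relays messages through a server, each client has its own connection to that server, so the housemate's outgoing messages live in a different stream from the one the original poster would follow. A second function models the switched-network case where only frames to or from your own host are captured. The packets, addresses and port numbers are constructed; no MSN protocol details are modelled.

```python
"""Grouping captured packets into TCP streams.

Constructed example. A packet is (src_ip, src_port, dst_ip, dst_port, payload).
Two clients chatting through a server produce two streams, one per client
connection, so following one stream never shows both sides' uploads.
"""
from typing import Dict, List, Tuple

Packet = Tuple[str, int, str, int, str]
StreamKey = Tuple[Tuple[str, int], Tuple[str, int]]

ME_IP, MATE_IP, SERVER_IP = "192.168.1.10", "192.168.1.20", "203.0.113.5"

# Constructed capture of a relayed two-message exchange.
ALL_PACKETS: List[Packet] = [
    (ME_IP, 50000, SERVER_IP, 1863, "MSG hello"),        # me -> server
    (SERVER_IP, 1863, ME_IP, 50000, "ACK"),              # server -> me
    (SERVER_IP, 1863, MATE_IP, 50123, "MSG hello"),      # server relays to housemate
    (MATE_IP, 50123, SERVER_IP, 1863, "MSG hi back"),    # housemate -> server
    (SERVER_IP, 1863, ME_IP, 50000, "MSG hi back"),      # server relays to me
]


def stream_key(pkt: Packet) -> StreamKey:
    """Direction-independent key: the sorted pair of (ip, port) endpoints."""
    a, b = (pkt[0], pkt[1]), (pkt[2], pkt[3])
    return (a, b) if a <= b else (b, a)


def follow_tcp_streams(packets: List[Packet]) -> Dict[StreamKey, List[str]]:
    """Group packets into streams, keeping each stream's lines in capture order."""
    streams: Dict[StreamKey, List[str]] = {}
    for src, sport, dst, dport, payload in packets:
        line = f"{src}:{sport} -> {dst}:{dport} {payload}"
        streams.setdefault(stream_key((src, sport, dst, dport, payload)), []).append(line)
    return streams


def visible_to_host(packets: List[Packet], host_ip: str) -> List[Packet]:
    """On a switched network a host's capture holds only frames to or from it."""
    return [p for p in packets if host_ip in (p[0], p[2])]


if __name__ == "__main__":
    print("Full capture (hub / wireless):")
    for key, lines in follow_tcp_streams(ALL_PACKETS).items():
        print("  stream", key)
        for line in lines:
            print("    ", line)
    print("Capture on my own switch port:")
    for key, lines in follow_tcp_streams(visible_to_host(ALL_PACKETS, ME_IP)).items():
        print("  stream", key)
        for line in lines:
            print("    ", line)
```

In the full capture there are two streams; following the original poster's own stream still shows the housemate's reply, but only as a message from the server, never as a packet sent by the housemate's IP. On a switch port the housemate's stream is not captured at all, so the trace contains exactly one stream, which matches the "I can only capture my packets" symptom in the first post.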


#9 z3r0m0v3m3nt

z3r0m0v3m3nt

    Will I break 10 posts?

  • Members
  • 4 posts
  • Gender:Male
  • Location:Indiana

Posted 28 July 2011 - 07:36 PM

One more thing to look at as well would be what machine you are using (Winblows or Linux) to run Wireshark. With Linux you'll need to run the Wireshark command/script/program with sudo (if you're not using BackTrack), since you'll need root privs to run the card in promisc mode and get all traffic on the network.

Edited by z3r0m0v3m3nt, 28 July 2011 - 07:36 PM.