neonsavior

Sniffing troubles w\Wireshark

19 posts in this topic

I've recently begun learning to use Wireshark, but I have seemingly run into a problem.

I've tried sniffing via wifi and then while connected via ethernet. I've set both interfaces to capture in promiscuous mode, and the only traffic I'm getting is SMB announcements, messages from the router and not much else.

I'm running Vista and using an AR5007 wifi.

QUOTE

I've recently begun learning to use Wireshark, but I have seemingly run into a problem.

I've tried sniffing via wifi and then while connected via ethernet. I've set both interfaces to capture in promiscuous mode, and the only traffic I'm getting is SMB announcements, messages from the router and not much else.

I'm running Vista and using an AR5007 wifi.

What kind of network are you sniffing? Coffee Shop? Hotel? etc.


I'm just trying to experiment with my home network of 6 computers and Belkin54G router.

I installed Wireshark on an XP box, and then later ran bt4 from a USB drive. Each instance of Wireshark had the same problem. Maybe I'm doing something wrong, but the only traffic I seem to be picking up is whatever comes/goes from the computer running Wireshark... and NB share declares and that kind of stuff.

There are plenty of packets going over the network, as I'm listening to internet radio.

Edited by TheNeonSavior

A sniffer is only going to pick up packets from communications on a local interface. If you want to sniff packets from other hosts on a LAN you'll need to sniff from your gateway device. If sniffing from the gateway is not an option and you're wanting to target another host on a LAN, you should look into a Man In The Middle attack.


In promiscuous mode, you will be able to sniff traffic besides yours, that is, if you are using a wireless interface and so are they.

Also, if you are using a wired interface then the only way to be able to see traffic from others that are wired would be to use a hub.

By using a bridge/router (brouter) like the one you mentioned you will only get traffic that is multicast (to you) or broadcast.

It all comes down to how the devices work (bridges, switches, hubs etc.).

So yeah, use a MITM attack.

Arp Poison that bitch :)


I was in promiscuous mode and I've tried both the wireless and ethernet layer.

I think I understand what you're telling me though.

So what you're saying is that I can't use Wireshark to sniff TCP from the Belkin54G and instead have to use MITM attacks. Is that because it's a brand thing, or is it impossible to sniff traffic off of wireless routers?

QUOTE

I was in promiscuous mode and I've tried both the wireless and ethernet layer.

I think I understand what you're telling me though.

So what you're saying is that I can't use Wireshark to sniff TCP from the Belkin54G and instead have to use MITM attacks. Is that because it's a brand thing, or is it impossible to sniff traffic off of wireless routers?

I'm not 100% on this, but I think it's because the router is routing packets. When it gets one, it sends it to who it is for instead of sending it to everybody. That's why the switch was suggested. A switch, or hub, is pretty dumb and sends everything to everybody connected. This might be part of why routers make good firewalls.

I've really got to read up on networking.


Let me try to explain this again... :)

You are using a combo bridge/router (brouter). A bridge works in the same way as a switch except that a switch is a more hardware oriented device, which in turn means that data is switched faster than it would be with a bridge because a bridge is more software oriented. Also, a switch is more advanced but that is besides the purpose of this thread.

So whenever you send traffic with WIRED ethernet, the traffic will hit the brouter and the brouter will designate it to the correct ports on the LAN.

The correct ports are associated with the MAC addresses that are intended to receive the data.

So you can not see the traffic regardless of mode, because the bridge is sending it only to the specified computers. It does this by building a table of MAC addresses and then associates this table with the physical port that the addresses are on.

But if you were using a hub, which works at the physical layer of the OSI model, then promiscuous mode will work fine, because a hub is basically a multiport repeater. It forwards all data regardless of whether the intended devices are all there (broadcast). So if your card is set in promiscuous mode when using a hub, you will see all the traffic whether addressed to you or not. You can see the traffic because a hub just flooded you with everyone else's data. But if you are not in promiscuous mode then you will only see the data that is intended for you, because your NIC will ignore the rest.

Now if you have some WIRELESS clients, more than 1, you can see their data as well as your own, if you are in promiscuous mode (and you are one of those wireless clients). Because the data is sent out in the air, your card will pick it up. But if not in promiscuous mode, once again you will only see data that is intended for you. Also, WIRED devices will not see the traffic because the traffic is in the air.

So by doing a MITM attack, this one being ARP spoofing aka APR (ARP poison routing), you are saying that you are someone who you really are not. You're basically an imposter, so data will get sent to you regardless.

Arp (address resolution protocol) is the protocol that maps your IP address to your MAC address. It is part of the TCP/IP suite.

I hope that clears everything up.

EDIT: By the way, a switch is an intelligent device, but a hub is not. Switches and bridges work at the Data-Link layer.

Edited by schippystrich
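
To make the hub-versus-switch explanation above concrete, here is an added Python simulation (not code from anyone in this thread) of a hub, a learning bridge and a NIC in normal or promiscuous mode; the MAC addresses, port numbers and frame sequence are constructed for the demo.

```python
from collections import namedtuple

BROADCAST = "ff:ff:ff:ff:ff:ff"
Frame = namedtuple("Frame", "src dst desc")

def is_group(mac):
    """Broadcast/multicast MAC: the I/G bit of the first octet is set."""
    return int(mac.split(":")[0], 16) & 1 == 1

class Hub:
    """Multiport repeater: repeat out of every port except the ingress port."""
    def forward(self, in_port, frame, ports):
        return [p for p in ports if p != in_port]

class Switch:
    """Learning bridge: learn src MAC -> port, unicast known dsts, flood the rest."""
    def __init__(self):
        self.mac_table = {}

    def forward(self, in_port, frame, ports):
        self.mac_table[frame.src] = in_port
        if not is_group(frame.dst) and frame.dst in self.mac_table:
            out = self.mac_table[frame.dst]
            return [] if out == in_port else [out]
        return [p for p in ports if p != in_port]

def capture(device, sniffer_mac, promiscuous, hosts, traffic):
    """Descriptions of the frames the sniffer's NIC hands up to Wireshark."""
    ports = sorted(set(hosts.values()))
    seen = []
    for frame in traffic:
        reached = device.forward(hosts[frame.src], frame, ports)
        if hosts[sniffer_mac] not in reached:
            continue  # the device never put this frame on the sniffer's wire
        # A NIC accepts frames for itself and group frames; promiscuous accepts all.
        if promiscuous or frame.dst == sniffer_mac or is_group(frame.dst):
            seen.append(frame.desc)
    return seen

# Constructed topology: hosts A and B plus sniffer S on ports 1-3 of one device.
A, B, S = "00:11:22:aa:aa:aa", "00:11:22:bb:bb:bb", "00:11:22:cc:cc:cc"
HOSTS = {A: 1, B: 2, S: 3}
TRAFFIC = [Frame(A, BROADCAST, "ARP who-has B"), Frame(B, A, "ARP reply"),
           Frame(A, B, "HTTP GET"), Frame(B, A, "HTTP 200 OK")]

def demo(device, promiscuous):
    """What S captures behind the given device in the given NIC mode."""
    return capture(device, S, promiscuous, HOSTS, TRAFFIC)
```

Behind the switch the sniffer sees only the broadcast ARP request in either mode, which is exactly the symptom the original poster describes; behind a hub, promiscuous mode sees every frame.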

Putting a hub on the end of a switch isn't going to help you capture any packets unless everyone is then plugged into the same hub. All traffic on the other ports of the switch (built into the back of the router) will still be undetected. Hubs are inefficient because all traffic is broadcast out all ports, eventually creating packet collisions (which then create a lot of overhead for networking protocols to resolve), causing the network to slow down. A switch separates each of its interfaces (creating collision domains) by restricting communication to hardware addresses (MACs) recorded in its arp cache. It is this layer of the OSI model where the MITM attack takes place.

Routers primarily use layer 3 packet information(creating broadcast domains) to section off or separate networks. The router's interface providing a default gateway is used by an entire subnet to reach other networks, so putting a sniffer here would provide the most information about all communication happening on the network.

QUOTE

Putting a hub on the end of a switch isn't going to help you capture any packets unless everyone is then plugged into the same hub. All traffic on the other ports of the switch (built into the back of the router) will still be undetected. Hubs are inefficient because all traffic is broadcast out all ports, eventually creating packet collisions (which then create a lot of overhead for networking protocols to resolve), causing the network to slow down. A switch separates each of its interfaces (creating collision domains) by restricting communication to hardware addresses (MACs) recorded in its arp cache. It is this layer of the OSI model where the MITM attack takes place.

Routers primarily use layer 3 packet information (creating broadcast domains) to section off or separate networks. The router's interface providing a default gateway is used by an entire subnet to reach other networks, so putting a sniffer here would provide the most information about all communication happening on the network.

This response + my response = a pretty good brief breakdown of basic network concepts

Edited by schippystrich

I've been thinking about downloading Wireshark myself, anything specific I should know about it? From what I gather it seems to work fine with Windows, except for the occasional problem....but then again, it is Windows, what doesn't hate Windows?


Wireshark runs well on a lot of platforms.

It's a great sniffer.


It really comes in handy when experimenting with MiTM attacks. It reads and displays the packet capture very well and it's easy to see what each packet is; I highly recommend it. As for the initial topic of this post (and although I think it's been fixed) I'll just recap it. I understand what you want to do, but you are misunderstanding. If you are looking to sniff remote packets, like on a wireless network, you must be connected to that network, not completely, mind you. If you simply fake an authentication (using tools from the aircrack suite), you can sniff the network with Wireshark. As a side note, if you are the only one actually producing any kind of communications, then you will only see your packets, likewise if no one else is on the network. As for using Wireshark to sniff remote data, I am not too sure, I have never been able to figure it out, and if anyone knows this well enough, I would appreciate if you would explain this.

QUOTE

It really comes in handy when experimenting with MiTM attacks. It reads and displays the packet capture very well and it's easy to see what each packet is; I highly recommend it. As for the initial topic of this post (and although I think it's been fixed) I'll just recap it. I understand what you want to do, but you are misunderstanding. If you are looking to sniff remote packets, like on a wireless network, you must be connected to that network, not completely, mind you. If you simply fake an authentication (using tools from the aircrack suite), you can sniff the network with Wireshark. As a side note, if you are the only one actually producing any kind of communications, then you will only see your packets, likewise if no one else is on the network. As for using Wireshark to sniff remote data, I am not too sure, I have never been able to figure it out, and if anyone knows this well enough, I would appreciate if you would explain this.

d00d, it's already explained above.

Utilize the concepts by putting 1 and 1 together.

QUOTE

A switch separates each of its interfaces (creating collision domains) by restricting communication to hardware addresses (MACs) recorded in its arp cache. It is this layer of the OSI model where the MITM attack takes place.

This statement is unclear. A MITM attack generally involves simulating the other side of the conversation without revealing the attacking side, it doesn't need to take place on a LAN. More than that, most MITM attacks in LANs are ARP poisoning or ARP spoofing attacks, and so they also "take place" in the second OSI layer.

QUOTE

A switch separates each of its interfaces (creating collision domains) by restricting communication to hardware addresses (MACs) recorded in its arp cache. It is this layer of the OSI model where the MITM attack takes place.

This statement is unclear. A MITM attack generally involves simulating the other side of the conversation without revealing the attacking side, it doesn't need to take place on a LAN. More than that, most MITM attacks in LANs are ARP poisoning or ARP spoofing attacks, and so they also "take place" in the second OSI layer.

I agree with the statement being unclear; I had to read it a few times. But I'm sure what HE is trying to say is that it takes place at the data-link layer (because he mentions switches in the previous sentence), which it does. And he is talking about APR.


But now that you mentioned it, I am going to clarify something.........

QUOTE

A switch separates each of its interfaces (creating collision domains) by restricting communication to hardware addresses (MACs) recorded in its arp cache.

It's not an ARP cache, it is a MAC table.

The switch makes its decisions based on MAC addresses in relation to their respective ports.

IP addresses are not used nor looked at (data-link).

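
A defender-side companion to the ARP discussion in this thread: an added Python example (not from any poster) that watches ARP replies for the IP-to-MAC rebinding an ARP poisoning MITM produces, plus a pinned entry for the gateway so its real MAC is never silently replaced. The reply-line format, addresses and pinned gateway entry are all constructed for the demo.

```python
from collections import defaultdict

def parse_arp_reply(line):
    """Parse a constructed 'reply <ip> is-at <mac>' line into (ip, mac), else None."""
    parts = line.split()
    if len(parts) == 4 and parts[0] == "reply" and parts[2] == "is-at":
        return parts[1], parts[3].lower()
    return None

def detect_arp_conflicts(lines, pinned=None):
    """Flag replies that rebind an IP to a new MAC, contradict a pinned entry
    (e.g. the gateway), or have one MAC answering for several IPs.
    A host with several IPs can trigger 'multi-ip' legitimately; treat it as a lead."""
    pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
    ip_to_mac = dict(pinned)
    mac_to_ips = defaultdict(set)
    for ip, mac in pinned.items():
        mac_to_ips[mac].add(ip)
    alerts = []
    for line in lines:
        parsed = parse_arp_reply(line)
        if parsed is None:
            continue
        ip, mac = parsed
        known = ip_to_mac.get(ip)
        if known is not None and known != mac:
            kind = "pinned-mismatch" if ip in pinned else "mac-changed"
            alerts.append((kind, ip, known, mac))
        if mac_to_ips[mac] and ip not in mac_to_ips[mac]:
            alerts.append(("multi-ip", mac, tuple(sorted(mac_to_ips[mac] | {ip}))))
        if ip not in pinned:
            ip_to_mac[ip] = mac  # pinned entries are never overwritten
        mac_to_ips[mac].add(ip)
    return alerts

# Constructed ARP traffic, in the order a sniffer on the LAN would see it.
SAMPLE_LINES = [
    "request who-has 192.168.2.1 tell 192.168.2.10",
    "reply 192.168.2.10 is-at 00:11:22:33:44:0a",
    "reply 192.168.2.1 is-at 00:11:22:33:44:01",
    "reply 192.168.2.1 is-at 00:11:22:33:44:ee",
    "reply 192.168.2.10 is-at 00:11:22:33:44:ee",
]
PINNED = {"192.168.2.1": "00:11:22:33:44:01"}  # the gateway's real MAC (constructed)

def demo():
    """Run the detector over the constructed sample and return its alerts."""
    return detect_arp_conflicts(SAMPLE_LINES, PINNED)
```

The last two sample replies are the pattern of a host claiming both the gateway's and a client's IP; on a real capture the same logic runs over Wireshark's ARP rows with the true gateway MAC pinned.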
