siham

Wireshark results

9 posts in this topic

Hi guys!

I have been using Wireshark to sniff my LAN, and I tried to chat with one of my housemates to see if I could get the conversation, but weirdly enough I could only see my conversation and not hers on MSNMS.

Second, when I want to sniff the packets on my LAN, I can only capture my packets but not the other clients'.

My network interface card is in promiscuous mode; it's just that I don't understand where the mistake is.

Few questions:

1. Are you on a switched network or a hub? There's a monumental difference when sniffing traffic. On a switched network you won't be able to sniff ALL traffic, just traffic inbound/outbound on your port. In a hub network, you'll be able to see ALL traffic since the hub is just a layer one repeater (i.e., everything is broadcast to all ports). I would suggest learning more about the differences between layer one and layer two.

2. When you write about the MSN conversation: are you stating you did not see your housemate's replies to your machine or something else? Did you use the TCP Stream feature in Wireshark to examine the entire conversation? Were you mistakenly filtering the display to your IP only?

Sartre


You're probably not seeing the packets because they aren't being routed through your computer. Since this is a wired setup you will probably have to do something like ARP poisoning[1][2] to make their machine think that you are the gateway and make the gateway think that you are their machine. Once this route is set up, simply have your computer act as a router and faithfully pass the packets between them and the gateway. Now that the packets are flowing through you, you will be able to sniff them.

Here is a fairly good overview of the process (published in 2001, but the principle remains the same): Introduction to ARP Poison Routing.

I also touched on this (albeit not in depth) in this post on BinRev which might interest you.
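
From the defender's side, the two-sided spoofing described in the post above is visible in ARP replies: one MAC address starts answering for the gateway's IP and for another host's IP. The following is an added example, not part of the original post; the addresses, the sample records and the function name `find_arp_anomalies` are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: (seconds, sender IP, sender MAC) taken from ARP replies.
# Addresses are illustrative; 192.168.1.1 is assumed to be the gateway.
SAMPLE_ARP_REPLIES = [
    (0.0,  "192.168.1.1",  "00:11:22:33:44:01"),   # gateway, real binding
    (1.2,  "192.168.1.20", "00:11:22:33:44:20"),   # housemate's machine
    (2.5,  "192.168.1.30", "00:11:22:33:44:30"),   # third machine
    (9.0,  "192.168.1.1",  "00:11:22:33:44:30"),   # .30's MAC now claims the gateway IP
    (9.1,  "192.168.1.20", "00:11:22:33:44:30"),   # ...and the housemate's IP
    (11.0, "192.168.1.1",  "00:11:22:33:44:30"),   # repeated to keep caches poisoned
]

def find_arp_anomalies(replies, gateway_ip):
    """Return (rebinds, relays) seen in a sequence of ARP replies.

    rebinds: list of (time, ip, old_mac, new_mac) where an IP changed MAC.
    relays:  sorted MACs that claimed the gateway IP plus at least one other
             IP, which is the two-sided pattern described in the post above.
    """
    current = {}                    # ip -> last MAC seen for it
    claimed = defaultdict(set)      # mac -> every IP it has claimed
    rebinds = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        old = current.get(ip)
        if old is not None and old != mac:
            rebinds.append((ts, ip, old, mac))
        current[ip] = mac
        claimed[mac].add(ip)
    relays = sorted(m for m, ips in claimed.items()
                    if gateway_ip in ips and len(ips) > 1)
    return rebinds, relays

if __name__ == "__main__":
    rebinds, relays = find_arp_anomalies(SAMPLE_ARP_REPLIES, "192.168.1.1")
    for ts, ip, old, new in rebinds:
        print(f"{ts:>5.1f}s  {ip} moved from {old} to {new}")
    for mac in relays:
        print(f"{mac} answers for the gateway and for other hosts")
```

A DHCP lease handed to a new device also produces a rebind, and a router doing proxy ARP legitimately answers for several IPs, so treat hits as leads to check against known hardware rather than as proof.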


I am on a wireless network, not connected to any hub or switch, and I think the main reason would be that I haven't done ARP poisoning.

Because, to be honest, I hadn't thought that I needed to do ARP poisoning. I just thought that I could grab the packets from other computers on my wireless LAN without poisoning.

Question

2. When you write about the MSN conversation: are you stating you did not see your housemate's replies to your machine or something else? Did you use the TCP Stream feature in Wireshark to examine the entire conversation? Were you mistakenly filtering the display to your IP only?

Yes, I didn't see my housemate's replies to my machine. Yes, I did use the TCP Stream feature to examine the entire conversation. I don't think that I mistakenly filtered the display to my IP only.

WiFi is essentially an extended layer 2 environment that operates somewhat like a hub in that all of the traffic is taking place on one "port" (or, more specifically, a radio). Yes, you should be able to see all of the traffic without poisoning the ARP cache because you can "see" the frames before they hit the radio. You're sniffing the air, not the wire.

Do you have WEP or WPA enabled? Did you have Wireshark watching the correct interface?

I'm assuming your housemate was on the same wifi. Did you see their IP at all in the trace?


Do you have WEP or WPA enabled? WPA

Did you have Wireshark watching the correct interface? Yes

I'm assuming your housemate was on the same wifi. Did you see their IP at all in the trace? How can I see their IP traces?

How are you going to sniff WPA traffic?

No, not their IP traces...their IP in your traces!

Sartre


Whether this is or isn't the problem, here's something to think about also...

I'm not sure how the MSN protocol works but it would be something to look into.

For instance it could send your chat messages to a server and then your friend would pick them up from the server.

This would require more than one TCP stream.

Edited by SchippStrich

One more thing to look at as well would be what machine you are using (Winblows or Linux) to run Wireshark. With Linux you'll need to run the Wireshark command/script/program with sudo (if you're not using BackTrack), since you'll need to have root privs to run the card in promisc mode and get all traffic on the network.

Edited by z3r0m0v3m3nt
