Sniffing outgoing IP
NMarkRoberts
Posts: 455
I'd like to learn how to sniff outgoing IP from a NetLinx master, which is impossible in NS2 for some reason.
"Ethereal" they say - and that is now called Wireshark - I have a NetGear wireless router, and no amount of googling will tell me how to use that tool with that box to tell me what was IPed to what.
Can anyone advise please?
Comments
http://www.wireshark.org/faq.html#sec7
There is information there about hubs and switches etc. What is suggested in the Wireshark FAQ is to put a non-switching hub on the WAN side of your router and plug the machine you wish to monitor into that hub. The hub will replicate all packets to all ports. It also seems to me that you could plug your master and the PC into a hub and connect the hub to a LAN port on the router, and then all the packets between the master and the router should appear on the PC port. I'm guessing that you would need a crossover cable between the hub and the router in either case, but I'm not sure about that. Maybe the router would auto-detect that.
In the Wireshark FAQ note the discussion of "promiscuous" mode.
Another solution is to use either "bridging" or "connection sharing" on your PC to route all the IP traffic through your PC. You can probably do that without adding any hardware to what you already have if your PC has both a wireless card and a wired ethernet port. Basically what you are doing is using the PC as a NAT router. I know this can be made to work because I'm using a similar setup right now. I have a PC with a couple of wireless USB devices bridged with a couple of ethernet cards, and all traffic to the internet has to go through that PC and it can be seen with Ethereal/Wireshark.
Something else along similar lines (though probably not applicable to your situation): there is a free utility for Linux called Kismet. It can be used like Network Stumbler to figure out what wireless devices are in the area. But, unlike Network Stumbler, Kismet can be used to sniff packets. From what I can gather, the output of Kismet can be used as an input to the Linux version of Wireshark for your viewing pleasure. My use of Kismet has been very limited and I've never tried to "sniff" packets from a wireless connection, so I don't know how well this would work. My guess is that even WEP encryption would defeat a simple effort to use Kismet/Wireshark in this manner.
If you are not a Linux person and you just want to mess around with this sort of thing, there is a Linux installation on a CD available for download at www.remote-exploit.org called BackTrack. You can download the ISO image for a bootable CD which will run Linux on your PC without touching the hard drive. This particular Linux has Kismet and a bunch of other utilities already built and installed.
Modern routers and switches autodetect and use crossover mode as needed, so it's pretty rare to need a crossover cable unless it's between two devices.
A cheap hub is the simplest solution in my opinion.
A hub should be pretty easy, but I think that if I needed to do this what I would do would be to bridge the WIFI and ethernet on my laptop, connect the master to the LT ethernet port (probably with a crossover cable) and use the WIFI to the Linksys wireless router to the internet. Using Wireshark on either the WIFI or ethernet adapter should reveal all.
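Once the master's traffic has been captured with either the hub or the bridging setup above and saved from Wireshark in classic libpcap format (Wireshark can also save pcapng, which this parser does not read), a short script can answer the original "what was IPed to what" question by listing the destinations and ports the master sent traffic to. This is an added example, not code from the thread; the master address 192.168.1.50 and the embedded sample capture are constructed.

```python
import socket
import struct
from collections import Counter

PCAP_MAGIC = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}  # little- vs big-endian capture files
PROTO_NAMES = {6: "tcp", 17: "udp"}
MASTER_IP = "192.168.1.50"  # constructed placeholder for the NetLinx master's address

def parse_pcap(data):
    """Yield (src_ip, dst_ip, proto, sport, dport) for every IPv4 TCP/UDP frame in a classic libpcap file."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in PCAP_MAGIC:
        raise ValueError("not a classic libpcap file (pcapng is not handled here)")
    endian = PCAP_MAGIC[magic]
    offset = 24  # fixed-size global header
    while offset + 16 <= len(data):
        caplen = struct.unpack(endian + "IIII", data[offset:offset + 16])[2]  # incl_len field
        frame = data[offset + 16:offset + 16 + caplen]
        offset += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # need Ethernet + full IPv4 header
            continue
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        l4 = frame[14 + ihl:14 + ihl + 4]  # first four bytes of TCP/UDP: source and destination ports
        if proto in PROTO_NAMES and len(l4) >= 4:
            sport, dport = struct.unpack("!HH", l4)
            yield socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34]), PROTO_NAMES[proto], sport, dport

def outgoing_summary(pcap_bytes, master_ip):
    """Count (destination, proto, destination port) for frames the master sent: 'what was IPed to what'."""
    return Counter((dst, proto, dport) for src, dst, proto, _, dport in parse_pcap(pcap_bytes) if src == master_ip)

def _frame(src, dst, proto, sport, dport):
    """Constructed Ethernet/IPv4 frame with a bare TCP/UDP header (checksums zero; headers only)."""
    eth = bytes(12) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + struct.pack("!HH", sport, dport) + bytes(4)

def build_pcap(frames):
    """Wrap raw frames in a little-endian libpcap file (link type 1 = Ethernet). Constructed sample data."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

# Constructed capture: two connections from the master to a web server, one DNS query, one inbound reply.
SAMPLE_PCAP = build_pcap([
    _frame(MASTER_IP, "10.0.0.5", 6, 40001, 80),
    _frame(MASTER_IP, "10.0.0.5", 6, 40002, 80),
    _frame(MASTER_IP, "192.168.1.1", 17, 50000, 53),
    _frame("10.0.0.5", MASTER_IP, 6, 80, 40001),
])
```

To use it on a real capture, pass `open("master.pcap", "rb").read()` and the master's actual address to `outgoing_summary`; the inbound reply in the sample is deliberately excluded from the count.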
http://en.wikipedia.org/wiki/ARP_spoofing
You basically pretend to be the equipment you are trying to intercept data from. The tool in Windows is (there are others, but this one is boss):
http://www.oxid.it/cain.html
Under Linux I would use ettercap; it does the same thing to great effect (not Kismet, that's a wireless tool). Be aware you may need to restart all equipment when you are done, including your switch. Basically, using this on a production network is a bad idea. It is however invaluable and I use it all the time for troubleshooting.
Edit: you use this alongside Wireshark. You start intercepting data between hosts with Cain and Abel, then analyze it using Wireshark.