Network packet sniffing with Linux

Here’s a chance to learn a little bit about network security. This article walks us through some of the core concepts of network manipulation and packet sniffing using Linux tools. [Joey Bernard] discusses the uses for packages like tcpdump, p0f, and dsniff. They are capable of recording all network traffic passing through your computer’s connection, discovering the machines present on the network, and listening to the traffic of one specific machine. This isn’t going to give you a step-by-step for cracking modern networks. It will provide some insight into what is going on with your network, and you should be able to repurpose these tools to check that you’ve got adequate security measures in place.
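The three capabilities listed above (recording traffic, inventorying hosts, and filtering for one machine) all rest on dissecting raw frames. The following is an added example, not code from the article or from any of the tools it names: a small offline Ethernet II / IPv4 / TCP dissector in Python, run over a constructed "capture" of synthetic frames (the addresses, MACs, and the FTP login payload are all made up for the demonstration). It shows the host-inventory and per-host filter views the article describes, plus a payload keyword match of the kind the ngrep comment below mentions, used here for the defensive check of spotting cleartext credentials on your own network.

```python
"""Offline Ethernet II / IPv4 / TCP dissector with host and payload filters.

Added example; the frames in CAPTURE are constructed, not a real capture.
"""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


@dataclass
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: int
    sport: Optional[int]
    dport: Optional[int]
    payload: bytes


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(raw: bytes) -> Optional[Packet]:
    """Dissect one Ethernet II frame; returns None for anything that is not IPv4."""
    if len(raw) < 14:
        return None
    dst, src, ethertype = struct.unpack("!6s6sH", raw[:14])
    if ethertype != ETHERTYPE_IPV4:
        return None                      # e.g. ARP (0x0806): not handled here
    ip = raw[14:]
    if len(ip) < 20:
        return None
    (ver_ihl, _tos, total_len, _ident, _flags_frag, _ttl, proto, _csum,
     s_ip, d_ip) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if (ver_ihl >> 4) != 4 or ihl < 20 or len(ip) < ihl:
        return None
    # Use the IP total length, not the frame length: short frames get Ethernet padding.
    l4 = ip[ihl:total_len]
    sport = dport = None
    payload = l4
    if proto == PROTO_TCP and len(l4) >= 20:
        sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", l4[:14])
        payload = l4[(off_flags >> 12) * 4:]   # data offset is in 32-bit words
    return Packet(_mac(src), _mac(dst), str(IPv4Address(s_ip)), str(IPv4Address(d_ip)),
                  proto, sport, dport, payload)


def build_frame(src_ip, dst_ip, sport, dport, payload, src_mac, dst_mac) -> bytes:
    """Construct a synthetic frame for the demo (checksums left as zero)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, PROTO_TCP, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp


MAC_A, MAC_B, MAC_C = (bytes([2, 0, 0, 0, 0, n]) for n in (1, 2, 3))

# Constructed capture: an HTTP exchange, a cleartext FTP login, and one ARP frame.
CAPTURE = [
    build_frame("192.168.1.10", "192.168.1.20", 51000, 80, b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n", MAC_A, MAC_B),
    build_frame("192.168.1.20", "192.168.1.10", 80, 51000, b"HTTP/1.1 200 OK\r\n\r\n", MAC_B, MAC_A),
    build_frame("192.168.1.30", "192.168.1.20", 51001, 21, b"USER alice\r\nPASS hunter2\r\n", MAC_C, MAC_B),
    b"\xff" * 6 + MAC_C + b"\x08\x06" + b"\x00" * 28,
]


def dissect_capture(raw_frames=CAPTURE) -> List[Packet]:
    return [p for p in map(parse_frame, raw_frames) if p is not None]


def hosts_seen(packets):
    """Inventory of (IP, MAC) pairs that transmitted: a quick 'who is on my LAN' view."""
    return sorted({(p.src_ip, p.src_mac) for p in packets})


def frames_for_host(packets, host: str):
    """Traffic to or from one machine, like a tcpdump 'host' filter."""
    return [p for p in packets if host in (p.src_ip, p.dst_ip)]


def grep_payload(packets, keyword: bytes):
    """Keyword search over payloads, in the spirit of ngrep."""
    return [p for p in packets if keyword in p.payload]


if __name__ == "__main__":
    pkts = dissect_capture()
    print("hosts:", hosts_seen(pkts))
    for p in frames_for_host(pkts, "192.168.1.30"):
        print(f"{p.src_ip}:{p.sport} -> {p.dst_ip}:{p.dport} {p.payload[:24]!r}")
    print("cleartext logins seen:", len(grep_payload(pkts, b"PASS ")))
```

On a real system you would feed `parse_frame` with frames read from a pcap file or a raw socket instead of `CAPTURE`; the dissector deliberately ignores non-IPv4 frames and IP options beyond the header length, so anything exotic simply drops out of the counts rather than being mis-parsed.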

Comments

  1. Jordan says:

    Man, I wish HaD would do an article on:
    “Network packet sniffing withOUT Linux”

  2. tehgringe says:

    Man I wish Windows users didn’t bitch about having a shit OS.

  3. strider_mt2k says:

    Man, I wish I had a ham sandwich…

    You can try domestic ham
    You can try domestic ham

    Domestic ham is good enough.

  4. Pilotgeek says:

    Use Wireshark. Great network traffic monitor, and it runs on just about any OS.

  5. yup says:

    wireshark can’t do wireless unless you have airpcap, which costs $695 for a dongle. Might as well go with linux, it’s free.

  6. truthspew says:

    tcpdump -Annpi eth0 port nnn -s 0

    Glad to help!

  7. Durgledoggy says:

    @strider_mt2k: Shut up! Now I have to go eat … you bastard!

  8. Jordan says:

    @tehgringe: Me too…. But when you’ve built a computer from junk that has a .751 GHz CPU and .504 GB of RAM, and it runs XP, you’re grateful. Especially because you can’t afford anything else.

    And then you learn, that it won’t do anything because it’s not Macintosh or Ubuntu. So you decide to get “Linux”.

    But which one? There are tons…. So you just stick with what you know, what “works for you”. Windows. More like, Faildos. But w/e….

    P.S. Here’s my computer for real:

    https://sites.google.com/site/strykerspictures/picture-storage/untitled.bmp?attredirects=0

  9. Dan says:

    ngrep is a good tool if you know what you are looking for (e.g. keywords). It’s basically grep for packets.

  10. Urza9814 says:

    @Jordan:

    If you ever want to give Linux a shot, try Mandriva. Or Ubuntu I guess, though in my experience, Ubuntu tends to…not work.

    Anyway, anything else will probably be a bit of a challenge to just try it out…but Mandriva is incredibly simple to install, and once it’s installed the main system will be similar enough to Windows that you won’t have any issues. If you get the “Mandriva One” package, you can even run it straight off the CD without installing anything.

  11. tehgringe says:

    @Jordan – if you really got XP running on that, then fair dos.

    Also, I can appreciate the challenge of doing things on a budget – the one lesson here though, and it is backed up by earlier comments here, is that there are a lot of things that you can do/get for free on Linux.

    It is probably worth taking the time to learn to use it, and you’ll get something Linux flavoured running on your machine.

    Also, try Back Track if you want to start having a poke around network forensics.

  12. tehgringe says:

    Another thing to consider seeing as we are on the discussion of costs – I’ve recently started playing around with Splunk, it’s a nice Management Information System, geared specifically towards digesting logs from various IT systems, and there is a free version if you are loading netflow or other syslog files of less than 500MB a day.

    It uses flash though, which sucks balls, but I heard that a next major update will use HTML5.

  13. Chris says:

    @Jordan I have an old laptop (500MHz, 256MB of RAM) and the latest build of Ubuntu + LXDE (a light desktop environment) runs pretty well on it.
    In fact, my laptop boots faster than my iPod touch.

    btw, it seems that on Windows some network operations (e.g. wireless packet injection) are not possible/harder to do. Never checked it out, though …

  14. M4CGYV3R says:

    @Jordan:
    Step 1: Install WireShark.
    Step 2: Run It
    Step 3: You’re already done.

  15. M4CGYV3R says:

    @yup: I don’t know what issues you’re having, but I’m watching WireShark cap my wifi right now with no dongle, for $0. All I installed was winpcap. Perhaps because I’m using RNDIS?

  16. ReKlipz says:

    Windows LSP – Best way to sniff traffic _ever_. /fail

  17. ali says:

    This could be risky!! :S

  18. Marcus says:

    Even Ubuntu + Xplico ( http://xplico.org ) is a good choice.

  19. Grapetrain says:

    Or, you know, you could stop being skiddy. Packet sniffing is not hacking by any means. It’s a useful technique to determine what sort of crap is flying through your networking and messing stuff up. Wireshark can do wireless, you’re probably not skilled enough to click the two buttons to get it to work, and packet sniffing is not dangerous unless you are a newb.

    Sniffing is not old school. It’s something that’s used everyday, all the time. Melle Mel is old skool. This article should be called “Sensationalism: how to be 5 years old and get shut the fuck down by your ISP cause you’re lookin’ all suspicious port scanning boxes you don’t own.”

    BTW, tcpdump sux a dick. Airodump is where it’s at!

  20. Bobby Joe says:

    The article was about sniffing packets on a bridge network, but also advised against actively scanning because a “good admin” might notice. Problem? “Good admins” almost always use switches and routers. At any rate, there are few “good admins,” and chances that you’d find a bridge network are rare because switches are cheap and commonplace.

  21. Grapetrain says:

    Sniffing is usually a passive process. Unless a ‘good admin’ is constantly scanning for promiscuous cards you don’t need to worry. Running a quick capture in a non-promiscuous mode will quickly tell you whether or not an admin is indeed detecting promisc mode machines based on ARP requests. Just set up reliable response rules for ARP and you’re DTF. And it’s really just a question of how high up on a tree you can get if everything is switched (assuming they’re using either a higher end lvl 2 or greater switch.) You’re only as confined as the person who wrote the scripts you’re using made you.

  22. Jordan says:

    Ok, so do I download WireShark or Linux+Aircrack?
