Network Packet Sniffing With Linux

Here’s a chance to learn a little bit about network security. This article walks us through some of the core concepts of network manipulation and packet sniffing using Linux tools. [Joey Bernard] discusses the uses for packages like tcpdump, p0f, and dsniff. They are capable of recording all network traffic coming through your computer’s connection, seeking out machines installed on the network, and listening to traffic for a specific machine. This isn’t going to give you a step-by-step for cracking modern networks. It will provide some insight on what is going on with your network, and you should be able to use these tools to check that you’ve got adequate security measures in place.

22 thoughts on “Network Packet Sniffing With Linux”

  1. @tehgringe: Me too…. But when you’ve built a computer from junk that has a .751 GHz CPU and .504 GB of RAM, and it runs XP, you’re grateful. Especially because you can’t afford anything else.

    And then you learn, that it won’t do anything because it’s not Macintosh or Ubuntu. So you decide to get “Linux”.

    But which one? There are tons…. So you just stick with what you know, what “works for you”. Windows. More like, Faildos. But w/e….

    P.S. Here’s my computer for real:

  2. @Jordan:

    If you ever want to give Linux a shot, try Mandriva. Or Ubuntu I guess, though in my experience, Ubuntu tends to…not work.

    Anyway, anything else will probably be a bit of a challenge to just try it out…but Mandriva is incredibly simple to install, and once it’s installed the main system will be similar enough to Windows that you won’t have any issues. If you get the “Mandriva One” package, you can even run it straight off the CD without installing anything.

  3. @Jordan – if you really got XP running on that, then fair dos.

    Also, I can appreciate the challenge of doing things on a budget – the one lesson here though, and is backed up by earlier comments here, is that there are a lot of things that you can do/get for free on Linux.

    It is probably worth taking the time to learn to use it, and you’ll get something linux flavoured running on your machine.

    Also, try Back Track if you want to start having a poke around network forensics.

  4. Another thing to consider seeing as we are on the discussion of costs – I’ve recently started playing around with Splunk, it’s a nice Management Information System, geared specifically towards digesting logs from various IT systems, and there is a free version if you are loading netflow or other syslog files less than 500mb a day.

    It uses flash though, which sucks balls, but I heard that a next major update will use HTML5.

  5. @Jordan I have an old laptop (500MHz, 256Mb of ram) and the latest build of Ubuntu + LXDE (a light desktop environment) run pretty well on it.
    In fact, my laptop boots faster than my ipod touch.

    btw, it seems that on windows some network operations (e.g. wireless packet injection) are not possible/harder to do. Never checked it out, though …

  6. @yup: I don’t know what issues you’re having, but I’m watching WireShark cap my wifi right now with no dongle, for $0. All I installed was winpcap. Perhaps because I’m using RNDIS?

  7. Or, you know, you could stop being skiddy. Packet sniffing is not hacking by any means. It’s a useful technique to determine what sort of crap is flying through your networking and messing stuff up. Wireshark can do wireless, you’re probably not skilled enough to click the two buttons to get it to work, and packet sniffing is not dangerous unless you are a newb.

    Sniffing is not old school. It’s something that’s used everyday, all the time. Melle Mel is old skool. This article should be called “Sensationalism: how to be 5 years old and get shut the fuck down by your ISP cause you’re lookin’ all suspicious port scanning boxes you don’t own.”

    BTW, tcpdump sux a dick. Airodump is where it’s at!

  8. The article was about sniffing packets on a bridge network, but also advised against actively scanning because a “good admin” might notice. Problem? “Good admins” almost always use switches and routers. At any rate, there are few “good admins,” and chances that you’d find a bridge network are rare because switches are cheap and commonplace.

  9. Sniffing is usually a passive process. Unless a ‘good admin’ is constantly scanning for promiscuous cards you don’t need to worry. Running a quick capture in a non-promiscuous mode will quickly tell you whether or not an admin is indeed detecting promisc mode machines based on ARP requests. Just set up reliable response rules for ARP and you’re DTF. And it’s really just a question of how high up on a tree you can get if everything is switched (assuming they’re using either a higher end lvl 2 or greater switch.) You’re only as confined as the person who wrote the scripts you’re using made you.
