Protocol Analyzer (aka Sniffer) Guide


Is there a sniffer guide for dummies?
I finally got ethereal and airsnark working but I need
to learn more about how to write filters, and to know which
protocols are important. Airsnark appears to be listing
my own MAC as an intruder; why is that? Can't it tell
which MAC is mine and not tell me I am intruding on my
own system? Other intruders I think are my shared router.
There is an option "to watch" a MAC, not sure what that
does. One problem I encountered is that these programs
have to be run with admin privileges, and if you do not
set ethereal to the proper adapter at the beginning,
airsnare will lock up your system if it cannot open some
other adapter. I am a novice at networking protocols and
networking in general but I don't want to spend a year
learning it, so is there a quick guide to it,
understandably written for someone who is not an IT
graduate? This is on a stand-alone machine, shared guest
wifi account, so I do not have to worry about a personal
network (I think!). I want to see what's going on, if there are
privacy leaks, and so forth. Also I want to see what info
is being sent in plain text (any website passwords or other
sensitive data). This is on a windoze xp older laptop,
1.5 GHz, 2 GB RAM, so it's not real powerful; when I load
mozilla and close it, it takes a few moments for the screen to
refresh back to airsnare, for example.
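An added example, not from the original poster and not code from AirSnare or Wireshark, of the check the question is asking for: a small Python script that parses raw Ethernet/IPv4/TCP frames by hand and flags HTTP Basic-auth headers and password-looking form fields, i.e. what anyone on the same guest wifi would see in the clear. The MACs, IP addresses and frames are constructed inside the script so it runs offline with no adapter and no admin rights; a real capture would come from Wireshark/tshark or a raw socket. The TLS-looking frame is there to show the other half of the answer: encrypted traffic yields nothing readable.

```python
"""Offline sniffer for plaintext HTTP credentials (added example, not from the thread).

Parses raw Ethernet/IPv4/TCP frames by hand so it runs without Wireshark,
scapy or a live adapter; the frames below are constructed here, not captured.
"""
import base64
import struct
from urllib.parse import parse_qs

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
# Form field names treated as secrets; extend to taste.
SECRET_FIELDS = ("password", "passwd", "pass", "pwd")


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes):
    """Return addressing plus the TCP payload, or None if the frame is not IPv4/TCP."""
    if len(frame) < 34:  # 14 Ethernet + 20 minimal IPv4
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != PROTO_TCP or len(ip) < ihl + 20:
        return None
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4
    return {
        "src_mac": mac_str(frame[6:12]),
        "dst_mac": mac_str(frame[0:6]),
        "src_ip": ".".join(str(b) for b in ip[12:16]),
        "dst_ip": ".".join(str(b) for b in ip[16:20]),
        "sport": sport,
        "dport": dport,
        "payload": tcp[doff:],
    }


def find_credentials(payload: bytes):
    """Return [(kind, detail)] for Basic-auth headers and secret-looking form fields."""
    text = payload.decode("latin-1")  # never fails; HTTP headers are ASCII anyway
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not lines[0].startswith(("GET ", "POST ", "PUT ")):
        return []  # not an HTTP request (TLS, binary, etc.): nothing readable
    findings = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        value = value.strip()
        if name.strip().lower() == "authorization" and value.lower().startswith("basic "):
            try:
                decoded = base64.b64decode(value[6:], validate=True).decode("utf-8", "replace")
            except ValueError:  # binascii.Error is a ValueError
                decoded = "<undecodable>"
            findings.append(("basic-auth", decoded))
    for key, values in parse_qs(body).items():
        if key.lower() in SECRET_FIELDS:
            findings.append(("form-field", f"{key}={values[0]}"))
    return findings


def scan(frames):
    """Run every frame through the parser; return (src_ip, dst_ip, dport, kind, detail)."""
    report = []
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt is None or not pkt["payload"]:
            continue
        for kind, detail in find_credentials(pkt["payload"]):
            report.append((pkt["src_ip"], pkt["dst_ip"], pkt["dport"], kind, detail))
    return report


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame; checksums are left zero (never sent)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, PROTO_TCP, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split("."))) + tcp
    return (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
            + struct.pack("!H", ETHERTYPE_IPV4) + ip)


LAPTOP, ROUTER = "02:00:00:00:00:10", "aa:bb:cc:00:00:01"   # made-up MACs
SAMPLE_FRAMES = [                                            # constructed, not captured
    build_frame(LAPTOP, ROUTER, "192.168.1.23", "203.0.113.10", 51000, 80,
                b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
                b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 27\r\n\r\n"
                b"user=alice&password=hunter2"),
    build_frame(LAPTOP, ROUTER, "192.168.1.23", "203.0.113.11", 51001, 80,
                b"GET /private HTTP/1.1\r\nHost: example.test\r\nAuthorization: Basic "
                + base64.b64encode(b"alice:s3cret") + b"\r\n\r\n"),
    build_frame(LAPTOP, ROUTER, "192.168.1.23", "203.0.113.12", 51002, 443,
                b"\x16\x03\x01\x00\x05hello"),      # TLS-looking bytes: nothing readable
    bytes.fromhex("ffffffffffff" "020000000010" "0806") + b"\x00" * 28,  # ARP, skipped
]
REPORT = scan(SAMPLE_FRAMES)

if __name__ == "__main__":
    for src, dst, port, kind, detail in REPORT:
        print(f"{src} -> {dst}:{port}  {kind}: {detail}")
```

Run it as-is to see the two plaintext hits; to point it at real traffic, feed `scan()` the raw frames from a capture (Wireshark's "Export Packet Bytes", or a pcap reader) and add whatever field names your sites use to SECRET_FIELDS. Only the 443 frame will stay silent, and that is exactly the split the question is after.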

Re: Protocol Analyzer (aka Sniffer) Guide
On 12/2/2013 1:34 AM, Dave U. Random wrote:

If you can load wireshark, it is filters for the traffic.

A good operating system won't let just anyone sniff packets. I'm pretty  
sure opensuse requires root/admin permission to run wireshark. [Suse  
tends to run at a bit higher security than most distributions.]

Watching a mac is not going to be very useful since you don't know the  
mac of the intruder.

It is airsnare, not airsnark. ;-)

Your problem is the vast majority of penetration users are on linux. I'm  
sure there are windows penetration testing tools, but backtrack linux is  
the gold standard. If I hired a network security analyst and he/she  
showed up running windows anything, I'd kick them out the door.

I have no idea how airsnare works, but with Kismet, you need to park the  
sniffer on the channel you are using if you want to sniff ALL your wifi  
traffic. Most wifi sniffing tools will cycle through all the channels.

It isn't clear to me what you are doing, but to test wifi network  
penetration, you need to only access the network via wifi. This is  
really going to take two computers, or at least two wifi clients. You  
could access your wifi with a cellphone, but then sniff it with a  
computer using a wifi adapter.

Again, I have no idea how this is done on windows, but with linux, you  
run kismet, park on the channel you want to monitor, then sniff the  
packets on what is generally wlan0.

Step number one is to pretend you are some hacker wearing a Guy Fawkes  
mask. And I assure you, they are not running windows.
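An added example, written for this thread rather than taken from Kismet or AirSnare, of what the radio side looks like once a sniffer is parked on one channel. It parses raw 802.11 frames by hand: each beacon's SSID and DS Parameter Set element say which channel a BSSID lives on (so you know where to park), and the stations seen in data frames are split into known (your own laptop's MAC and your router) and unknown, which is the allow-list a tool needs before it can call anything an intruder. All MACs, SSIDs and frames are made up; radiotap headers and 4-address WDS frames are not handled.

```python
"""Radio-side view of a wifi channel (added example; not Kismet's or AirSnare's code).

Parses raw 802.11 frames (no radiotap header) by hand: beacons give each
BSSID's SSID and channel, data frames give the stations talking to it.
All MACs and SSIDs below are made up.
"""
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def parse_80211(frame: bytes):
    """Classify one frame; returns None for anything shorter than a MAC header."""
    if len(frame) < 24:
        return None
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    to_ds, from_ds = bool(fc1 & 0x01), bool(fc1 & 0x02)
    a1, a2, a3 = mac_str(frame[4:10]), mac_str(frame[10:16]), mac_str(frame[16:22])
    if ftype == 0 and subtype == 8:                 # management / beacon
        ies = frame[24 + 12:]                        # skip timestamp, interval, capability
        ssid = channel = None
        i = 0
        while i + 2 <= len(ies):
            tag, length = ies[i], ies[i + 1]
            value = ies[i + 2:i + 2 + length]
            if len(value) < length:
                break                                # truncated IE: stop, don't guess
            if tag == 0:
                ssid = value.decode("utf-8", "replace")
            elif tag == 3 and length == 1:           # DS Parameter Set = channel
                channel = value[0]
            i += 2 + length
        return {"kind": "beacon", "bssid": a3, "ssid": ssid, "channel": channel}
    if ftype == 2:                                   # data
        if to_ds and not from_ds:                    # station -> AP
            bssid, station = a1, a2
        elif from_ds and not to_ds:                  # AP -> station
            bssid, station = a2, a3
        else:                                        # IBSS; 4-address WDS not handled
            bssid, station = a3, a2
        return {"kind": "data", "bssid": bssid, "station": station}
    return {"kind": "other", "transmitter": a2}


def audit(frames, known_macs):
    """Map BSSID -> (ssid, channel) and split seen stations into known/unknown."""
    known = {m.lower() for m in known_macs}
    networks, stations = {}, set()
    for frame in frames:
        pkt = parse_80211(frame)
        if pkt is None:
            continue
        if pkt["kind"] == "beacon":
            networks[pkt["bssid"]] = (pkt["ssid"], pkt["channel"])
        elif pkt["kind"] == "data":
            stations.add(pkt["station"])
    return {
        "networks": networks,
        "known": {s for s in stations if s in known},
        "unknown": {s for s in stations if s not in known},
    }


def channel_for(networks, ssid):
    """Channel to park the sniffer on for the named SSID (None if never seen)."""
    for name, channel in networks.values():
        if name == ssid:
            return channel
    return None


# --- constructed sample frames (made-up MACs and SSIDs) ---------------------
def beacon(bssid, ssid, channel):
    hdr = (bytes([0x80, 0x00, 0, 0]) + mac_bytes(BROADCAST) + mac_bytes(bssid)
           + mac_bytes(bssid) + b"\x00\x00")
    fixed = struct.pack("<QHH", 0, 100, 0x0411)      # timestamp, interval, capability
    ies = bytes([0, len(ssid)]) + ssid.encode() + bytes([1, 1, 0x82]) + bytes([3, 1, channel])
    return hdr + fixed + ies


def data_frame(sa, da, bssid, to_ds):
    a1, a2, a3 = (bssid, sa, da) if to_ds else (da, bssid, sa)
    return (bytes([0x08, 0x01 if to_ds else 0x02, 0, 0]) + mac_bytes(a1) + mac_bytes(a2)
            + mac_bytes(a3) + b"\x00\x00" + b"\xaa\xaa\x03")  # LLC stub


ROUTER, NEIGHBOUR = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"
LAPTOP, STRANGER = "02:00:00:00:00:10", "02:00:00:00:00:77"
SAMPLE_FRAMES = [
    beacon(ROUTER, "GuestWifi", 6),
    beacon(NEIGHBOUR, "Neighbor", 11),
    data_frame(LAPTOP, ROUTER, ROUTER, to_ds=True),
    data_frame(STRANGER, ROUTER, ROUTER, to_ds=True),
    data_frame(ROUTER, LAPTOP, ROUTER, to_ds=False),
]
REPORT = audit(SAMPLE_FRAMES, known_macs={LAPTOP, ROUTER})

if __name__ == "__main__":
    for bssid, (ssid, ch) in REPORT["networks"].items():
        print(f"{bssid}  {ssid!r}  channel {ch}")
    print("park on channel", channel_for(REPORT["networks"], "GuestWifi"))
    print("unknown stations:", sorted(REPORT["unknown"]))
```

The known_macs set is the piece the original poster was missing: without your own MAC and the router's BSSID in it, every tool of this kind will list you as the intruder. Real input would be monitor-mode frames with the radiotap header stripped, and the beacon of the neighbouring network on channel 11 is only seen because beacons are broadcast; its data traffic would need the sniffer parked there instead.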

Re: Protocol Analyzer (aka Sniffer) Guide

Is it really that hard to stick 10 (plus built-in wifi, adjusted for
whatever number of channels are legal in your country) USB wifi dongles
onto a system and sniff everything at once?

thinking, no, it is not hard at all, but hasn't tried

Re: Protocol Analyzer (aka Sniffer) Guide
On 12/2/2013 11:11 PM, Eli the Bearded wrote:

Well it would cost about $250 for that many devices. ;-) Otherwise  
Kismet can use more than one wifi device. I have no idea what the upper  
limit is since I never ran more than two.

Nobody really war drives these days, though I have done so in remote  
areas to learn where to er um eh borrow wifi. I had considered running  
two dongles with a high gain antenna on each dongle, then point them out  
of the drivers side and passenger side of the car.

But to sniff yourself, you just park kismet on the channel you are using.

In the boonies, you often find some point to point wifi links. Besides  
the WISP vendors, there is the "internet of things." A lot of telemetry  
for radio sites, trains, weather, etc. goes over wifi. Given the nature  
of wifi security, one assumes nothing critical goes over it.

Re: Protocol Analyzer (aka Sniffer) Guide
On Mon,  2 Dec 2013 10:34:54 +0100 (CET), Dave U. Random


    Ethereal died sometime back in the win98's. It's called
Wireshark now. Wireshark has an online users guide, so you can learn
the filters easily.

    User guide in pdf on the page

    You might look into aircrack-ng. Can be used for cracking, but
most useful for sniffing, like a kismet without the gui. But you would
probably need Linux for that.

Don't be evil - Google 2004
We have a new policy  - Google 2012

Re: Protocol Analyzer (aka Sniffer) Guide

you seem to be confusing sniffing a RADIO link - ala WiFi -
with the resulting ETHERNET traffic - ala web pages, plain text, etc.

If I want to see what's going around my "network",
I just park a monitor on the Ethernet side...
which has its own challenges what with "switch" vs "hub" ports
trying to gain access to all traffic on a network segment.

Re: Protocol Analyzer (aka Sniffer) Guide
On 12/4/2013 12:32 PM, ps56k wrote:

But as I pointed out, and perhaps not too clearly, you want to sniff the  
wifi packets, not the ethernet. That is, you want to see what the hacker  
would see. This requires two computers as far as I know. One computer  
being your regular client. The other computer has the wifi packet sniffer.

Re: Protocol Analyzer (aka Sniffer) Guide
miso (for it is he) wrote:


I don't see why it would, if you're specifically interested in just one  
machine: do the sniffing on that one machine.


Re: Protocol Analyzer (aka Sniffer) Guide
On 12/8/2013 2:44 AM, alexd wrote:

It would help if I could draw a diagram, but hey, this is usenet.

If you use one machine, you are on the lan side. Yeah, you could run
wireshark with filters. I'd rather have a second sniffer and look at the
wifi packets independent of what is going on on my lan. Further, you can
detect spoofing of wifi clients if the signal strength is fluttering.
Kismet has an IDS mode built in, but I haven't used it, so I can only
say generally how it works.

There are hacks to set up Kismet drones on routers, but they look like  
work. I think an old PC or even a Beagleboard would be the way to go.  
I've compiled Kismet, so going Arm shouldn't be an issue if the  
repository doesn't have Kismet.
