
Packet Sniffing Hans Kokx

Presentation on theme: "Packet Sniffing Hans Kokx"— Presentation transcript:

1 Packet Sniffing Hans Kokx www.hadak.org hans@hadak.org

2 Overview
What is packet sniffing?
Of what use is packet sniffing to us?
What can I use to sniff packets?

3 What is packet sniffing?
Packet sniffing refers to the collection and analysis of data packets (including contents) as they transit the network.
Source: http://nces.ed.gov/pubs2003/secureweb/glossary.asp

4 Application
Packet sniffing can be used to monitor a network for intruders and malware.
You can intercept usernames and passwords.
Analyze network problems
Gather network usage statistics
Reverse engineer proprietary network protocols
Debug client/server communications

5 Programs
dsniff
Etherape
Cain and Abel
Ettercap
Kismet
Tcpdump
Wireshark (ethereal)
Snoop
httpry

6 dsniff
Sniffs passwords out of a TCP stream or a pcap dump.
Example: dsniff -i wlan0 -m
Mac OS X, Linux, BSD, Solaris: BSD

7 etherape
Displays network activity graphically.
Mac OS X, Linux, BSD, Solaris: GPL

8 Cain and Abel
Windows only.
Password cracker, packet sniffer and much, much more.
Windows: Freeware

9 ettercap
Sniffer and content filter designed for man-in-the-middle (MITM) use.
Can be used to intercept passwords.
Windows, Mac OS X, Linux, BSD, Solaris: GPL

10 kismet
Requires monitor mode on your wireless card.
Only sniffs 802.11a/b/g.
Works passively.
Able to detect the presence of wireless access points and clients, and which clients are associated with which access points.
Able to detect active wireless sniffing programs and wireless network attacks.
Able to dump sniffed packets to a pcap file.
Windows, Mac OS X, Linux, BSD: GPL

11 tcpdump
CLI tool designed to log network traffic into a pcap file.
Pcap files can be imported by many, if not most, network analyzers.
Windows, Mac OS X, Linux, BSD, Solaris: BSD
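The pcap container that the tcpdump, kismet, dsniff and Wireshark slides all refer to, shown as an added example that is not part of Hans Kokx's presentation: a minimal writer and parser for the classic pcap file layout (24-byte global header, then a 16-byte record header before every frame), plus a per-protocol summary of the Ethernet frames it holds, with a check that rejects truncated records. The sample frames are constructed for the example (made-up MAC addresses, hosts 10.0.0.1 and 10.0.0.2, one HTTP request; checksums are left at zero).

```python
import struct
PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1   # classic pcap magic, DLT_EN10MB

def build_pcap(records):   # [(ts_sec, ts_usec, frame)] -> little-endian classic pcap bytes
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for sec, usec, frame in records:
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)

def parse_pcap(data):
    """Return (linktype, [(ts_sec, ts_usec, orig_len, frame)]); reject bad files."""
    endian = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", data[:4])[0])
    if endian is None:
        raise ValueError("not a classic pcap file")
    snaplen, linktype = struct.unpack(endian + "II", data[16:24])
    records, off = [], 24
    while off + 16 <= len(data):
        sec, usec, incl, orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if incl > snaplen or off + incl > len(data):   # truncated or corrupt record
            raise ValueError("bad packet record at offset %d" % (off - 16))
        records.append((sec, usec, orig, data[off:off + incl]))
        off += incl
    return linktype, records

def summarize(linktype, records):
    """Count IPv4 TCP / other-IP / non-IP frames and tally TCP destination ports."""
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet (DLT_EN10MB) captures are handled here")
    counts, tcp_ports = {"tcp": 0, "other_ip": 0, "non_ip": 0}, {}
    for _sec, _usec, _orig, f in records:
        if len(f) < 34 or f[12:14] != b"\x08\x00":     # too short or not IPv4
            counts["non_ip"] += 1
        elif f[23] == 6 and len(f) >= 18 + (ihl := (f[14] & 0x0F) * 4):  # TCP, ports present
            counts["tcp"] += 1
            dport = struct.unpack("!H", f[14 + ihl + 2:14 + ihl + 4])[0]
            tcp_ports[dport] = tcp_ports.get(dport, 0) + 1
        else:
            counts["other_ip"] += 1
    return counts, tcp_ports

def tcp_frame(dport, payload=b""):   # constructed Ethernet/IPv4/TCP frame, checksums left 0
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 0x50, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload

ARP_FRAME = bytes.fromhex("ffffffffffff" "001122334455" "0806") + bytes(28)  # constructed
SAMPLE = build_pcap([(1, 0, tcp_frame(80, b"GET / HTTP/1.0\r\n")), (1, 500, tcp_frame(22)), (2, 0, ARP_FRAME)])
```

A real capture written by tcpdump can be fed to parse_pcap in place of SAMPLE; the pcapng format that newer tools also write is a different container and is not handled here.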

12 Wireshark
Used to be Ethereal, until a trademark issue in May 2006: the author left the company he was working for, and the company retained the rights to the name. The code, however, was GPL'd.
Very similar to tcpdump, but with a GUI.
Has many filtering and sorting options.
Windows, Mac OS X, Linux, BSD, Solaris: GPL

13 snoop
CLI packet sniffer for Sun's Solaris. Comes bundled with Solaris.
Can display packets as they are received or dump them to a file.
IPv4 and IPv6 support.
Very similar to tcpdump.
Capture file format: RFC 1761
Solaris: CDDL

14 httpry
Specialized packet sniffer designed for displaying and logging HTTP traffic.
Designed to capture, parse, and log traffic for later analysis.
Can be run in real time to display traffic, or as a daemon to log to an output file.
Linux, BSD, (probably) Solaris: GPL

15 Obtaining the tools
Dsniff - http://monkey.org/~dugsong/dsniff
Etherape - http://etherape.sourceforge.net
Cain and Abel - http://www.oxid.it
Ettercap - http://ettercap.sourceforge.net
Kismet - http://www.kismetwireless.net
Tcpdump - http://www.tcpdump.org
Wireshark - http://www.wireshark.org
Snoop - part of Sun's Solaris
Httpry - http://dumpsterventures.com/jason/httpry

16 Thank you!
Be sure to visit www.hadak.org for great Linux, Windows, and Mac OS X tips, tricks, and scripts!
For more information, feel free to email me at: hans@hadak.org
