Need help with Packet sniffing

D3rk (n00b; joined Nov 22, 2005; 31 messages)
One of my co-workers needs some help packet sniffing. She has this file she is sending out and it must be losing part of the AR2 header. She wants me to check the file going from her machine to the firewall, and from the firewall out. I currently have the software Ethereal, but can't quite figure it out completely. I have it monitoring her MAC address for all packets leaving her machine. But how do I pinpoint a certain file? Any and all help is appreciated.
 
I normally sort it by protocol.

Try to rig her machine so that the only traffic being generated is the traffic you want.
 
It is only catching bits and pieces of packets... How would I set up Ethereal? Right now I am having it filter by using eth.addr == XX:XX:XX... Is that the best way?
 
I would capture anything sent to/from the IP addy of the co-worker's PC.
 
If you're in a switched environment, you might need some tricks in order to get all of the traffic. That is where Ettercap comes in. It might take you a bit to figure it out, though.
 
Wouldn't the MAC be more sensitive than TCP/IP to gather more information? Right now it looks as if it's only filtering incoming information to her machine, not outgoing.
 
Fint said:
Maybe you are only searching dest. mac?

Sounds about right to me. Poke around in ethereal, I think there is a Session Reassembly option that might help you out.

Also, if you are doing the sniffing legitimately, there is no need for Ettercap as the other poster recommended; you can just slap a hub on the connection and sniff there.
-PHiZ
 
The easiest way for you to catch her traffic is to watch her machine and coordinate with her to send the file out. As soon as she says she's sending it, you should see a flood of packets on your ethereal session. You can right click on a TCP packet and select "Follow TCP stream" to filter out only that particular stream.

Note that the file transmission may be encoded so you can't readily view the contents of the file or even the file name that she's sending. But if there are errors during the transmission, or the receiver sends back an error code in plain text, you'll see it.
 
Even if I don't put a filter on it, it doesn't show up much information... Should I run Ethereal from the user's machine?

I mean, I get quite a bit of information, just not a lot from this user's machine.
 
I've never felt really comfortable using Ethereal, so I usually rely on tcpdump. I think (don't quote me, because this is right off the top of my head) that something like the following would show you all you need. They will capture entire packets in hex, which you can then decode later after you've generated these files for analysis.

If the firewall is a *nix machine working as a firewall, then you can do the following.
Run this command in one window (the filter is quoted so the shell does not interpret the parentheses, and BPF needs "and" between the src and dst tests):
tcpdump -xx -s 0 -i <ext_if_name> '(src host <coworker_machine> and dst host <other_machine>) or (src host <other_machine> and dst host <coworker_machine>)' >> outside.cap

Run this in another:
tcpdump -xx -s 0 -i <int_if_name> '(src host <coworker_machine> and dst host <other_machine>) or (src host <other_machine> and dst host <coworker_machine>)' >> inside.cap

Then transfer the file. You can then use whatever you want to load up the two files and analyze them later.

If you cannot run tcpdump ON the firewall, you'll need to put a computer on the inside of the firewall and another outside the firewall, preferably attached to hubs so they can see all the traffic. Run the following command on both, changing the filename on each to correspond to inside or outside:
tcpdump -xx -s 0 -i <if_name> '(src host <coworker_machine> and dst host <other_machine>) or (src host <other_machine> and dst host <coworker_machine>)' >> <filename>.cap
 
Once you find a packet that you know is part of the process, you can select Analyze - Follow TCP Stream. That is, if it is using TCP and not UDP. The output creates a filter as well as dumping the payload of the packets in a linear form, so you can read it easily.
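The two ideas in the posts above (Ethereal's "Follow TCP Stream", which reassembles one direction of a conversation by sequence number, and capturing on both sides of the firewall and comparing the results) can be checked mechanically once the captures are decoded. The following is an added example, not code from the thread or from Ethereal/tcpdump: it reassembles the sender-to-receiver direction from a list of decoded segments, dedupes retransmissions, reports sequence-number holes, and compares the inside and outside streams to find the first byte that differs. The `Segment` record, the addresses and the packet contents are constructed for the example; a real run would fill the list from a parsed capture.

```python
# Added example (not from the thread): "Follow TCP stream" style reassembly
# plus an inside-vs-outside capture comparison. All records below are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Segment:
    """The fields of a captured TCP segment that reassembly needs."""
    src: str        # source IP address
    dst: str        # destination IP address
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes  # application data carried by this segment


def follow_stream(segments: List[Segment], src: str, dst: str) -> Tuple[bytes, List[Tuple[int, int]]]:
    """Reassemble the src->dst direction of a TCP stream by sequence number.

    Returns the reassembled bytes and a list of (first_missing_seq, next_seen_seq)
    holes. Retransmitted or overlapping segments contribute only bytes not already
    seen, so each byte appears once, as in Ethereal's Follow TCP Stream. The stream
    is assumed to start at the lowest captured sequence number; a hole before the
    first captured segment cannot be detected without the handshake.
    """
    one_way = sorted((s for s in segments if s.src == src and s.dst == dst), key=lambda s: s.seq)
    data = bytearray()
    holes: List[Tuple[int, int]] = []
    if not one_way:
        return bytes(data), holes
    expected = one_way[0].seq
    for seg in one_way:
        if seg.seq > expected:            # gap: bytes between expected and seg.seq were never seen
            holes.append((expected, seg.seq))
            expected = seg.seq
        skip = expected - seg.seq         # bytes of this segment already reassembled (retransmission)
        fresh = seg.payload[skip:]
        data.extend(fresh)
        expected += len(fresh)
    return bytes(data), holes


def first_divergence(a: bytes, b: bytes) -> Optional[int]:
    """Offset of the first byte where two reassembled streams differ, or None if identical."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))


def compare_captures(inside: List[Segment], outside: List[Segment], src: str, dst: str) -> Dict[str, object]:
    """Reassemble src->dst from both captures and report where they stop agreeing."""
    in_data, in_holes = follow_stream(inside, src, dst)
    out_data, out_holes = follow_stream(outside, src, dst)
    return {
        "diverge_at": first_divergence(in_data, out_data),
        "inside_len": len(in_data),
        "outside_len": len(out_data),
        "inside_holes": in_holes,
        "outside_holes": out_holes,
    }


# Constructed sample: the co-worker's machine (COWORKER) sends a small "file"
# with a text header to a remote host (REMOTE). The inside capture sees every
# segment; the outside capture is missing the segment carrying the end of the
# header and contains one retransmission of the data segment.
COWORKER, REMOTE = "10.0.0.5", "203.0.113.9"

INSIDE = [
    Segment(COWORKER, REMOTE, 1000, b"HDR;name=report.dat;"),   # 20 bytes, seq 1000-1019
    Segment(COWORKER, REMOTE, 1020, b"len=11\n"),               # 7 bytes, seq 1020-1026
    Segment(COWORKER, REMOTE, 1027, b"hello world"),            # 11 bytes, seq 1027-1037
    Segment(REMOTE, COWORKER, 5000, b"OK\n"),
]
OUTSIDE = [
    Segment(COWORKER, REMOTE, 1000, b"HDR;name=report.dat;"),
    Segment(COWORKER, REMOTE, 1027, b"hello world"),
    Segment(COWORKER, REMOTE, 1027, b"hello world"),            # retransmission: must not duplicate bytes
    Segment(REMOTE, COWORKER, 5000, b"OK\n"),
]

if __name__ == "__main__":
    # diverge_at == 20: the streams agree up to the end of the first segment,
    # and outside_holes shows the missing seq range 1020-1026.
    print(compare_captures(INSIDE, OUTSIDE, COWORKER, REMOTE))
```

Run it as-is to see the report for the constructed captures; to use it on real traffic, decode the inside and outside captures into `Segment` records and pass them to `compare_captures`. The hole list tells you which sequence range never reached the outside interface, which is the question the two-capture setup is meant to answer.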
 
OK, I played with Ethereal and WinDump. I can get more information from WinDump, yet I don't know the command for it to dump into a file. Ethereal I must not be able to set up correctly. I would need a semi-step-by-step tutorial on how to set it up.
 
If you don't know what you need to do to get it installed on Windows, I would install the xtra version. Basically they package it for easy install.
 
I had no problem getting it installed. It's just setting it all up once it is installed.
 
WinDump will put everything out to your screen. The ">>" means append the output to a file.

BTW, I can't recall off the top of my head, but I'm pretty sure that when you use that, no output will go to your screen; it all gets redirected to the file. Hit Ctrl+C to stop WinDump. Also, there is a way to output to both the screen AND a file, but I'd need to have my Unix book handy to tell you that command.
 