Security Basics mailing list archives
Re: Dsniff not sniffing properly
From: Hari Sekhon <hpsekhon () googlemail com>
Date: Wed, 18 Apr 2007 11:28:59 +0100
No no no.
I have run dsniff on a couple of laptops and from those same laptops conducted an ftp session to see the auth pair grabbing work. I.e. from the same machine as dsniff is running, I open a session to a remote ftp server.
Now I try it on a 3rd machine and do exactly the same again: start dsniff and then, in a separate terminal on the same dsniff machine, I open an ftp session to see if it will grab the auth pair as it normally does.
But dsniff stays silent; even after the session is closed, the auth pair never appears in dsniff.
There is no remote sniffing, I know how to mitm but I'm not testing mitm, I'm just testing if dsniff can sniff on the local machine, not another machine.
I've used dsniff remotely with mitm but this time it was not working so I tested it locally and found that dsniff was just not sniffing stuff even on the local interface.
There is only 1 NIC, eth0, so it can't even be listening on the wrong interface.
-h
Hari Sekhon

Aaron Howell wrote:
> Hari Sekhon wrote:
> > Hi,
> > I have dsniff on 2 linux laptops, one Debian, one Gentoo and it works fine, if I run it on the local machine and then from the same machine log in to a remote ftp server on my local network as a test it sniffs the authentication pair and displays it.
> > However, I have it on another workstation (Gentoo Linux) and if I run dsniff as root, it starts sniffing on eth0, my only network interface and the one I am connected to my lan through. I then log in to the same ftp server again and it remains blank.
> >
> > # dsniff
> > dsniff: listening on eth0
> > <lots of nothing here>
> >
> > Even after I log out of the ftp server there is still nothing (upon logout is when it usually displays the creds to me).
> > So the question is, what is wrong with dsniff on my workstation?
>
> If I am reading this correctly, you are running dsniff on Host A, then logging on to the FTP server from the same machine, which works as expected. You then run dsniff on Host B, and try logging into the FTP server from Host A, and get nothing. Everything from this point on follows those assumptions, so if they are wrong, disregard.
>
> A: Generally speaking sniffers do not work in a switched ethernet environment.[1]
> and
> B: This is not always true.[2]
>
> If you are sniffing on the local host, you will see everything that passes over the ethernet interface. If you are sniffing the NETWORK (i.e. looking for traffic that isn't destined for your host via broadcast, multicast, or unicast), you have to be in promiscuous mode. This seems to be the most likely problem.
>
> > lspci says I have the following network card:
> > 04:00.0 Ethernet controller: Broadcom Corporation NetXtreme BCM5754 Gigabit Ethernet PCI Express (rev 02)
> > Is the network card somehow crippled to prevent this? (In which case there should be mass boycott of this card)
> > It doesn't even need to be in promiscuous mode in order to sniff from the local machine.
> > Why is it not working?
>
> I find it highly unlikely that your ethernet card would be crippled in this manner. See my quick and dirty explanation above for a simple reason why dsniff isn't working. For a more in-depth understanding, take a look at the footnotes below.
>
> Good Luck,
> Aaron
>
> [1] http://en.wikipedia.org/wiki/Packet_sniffer
> [2] http://www.monkey.org/~dugsong/dsniff/faq.html#How%20do%20I%20sniff%20in%20a%20switched%20environment