Re: Dsniff not sniffing properly

[Hari Sekhon <hpsekhon () googlemail com>]

yes I am aware of all this, the question is not how to do man in the 
middle attacks but rather if anyone can think of a reason why dsniff 
isn't picking up the traffic going out of the interface. I only have 1 
network card in this workstation so it must be going across the same 
interface, but nothing is showing.

-h

Hari Sekhon



Zhihao wrote:
> If you can sniff from a local machine without entering promiscuous mode it
> means u r sniffing on the interface all traffic is entering and leaving,
> hence u will have no problems sniffing at all (local machine)
>
> If you are trying to sniff in a switched environment, ettercap is probably a
> better choice. It will allow u to poison the arp caches and execute a
> man-in-the-middle attack, capturing all traffic flowing through.
>
> Alternatively...u might wanna consider using a tool like macof. It comes
> with the dsniff package. Basically by using macof, u will flood the switch
> with arp replies, putting the switch into fail-open mode. It will then send
> traffic to every port, including the port where the sniffing interface is
> connected to, enabling u to sniff the passwords as well.
>
>
> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
> Behalf Of Hari Sekhon
> Sent: Saturday, 14 April, 2007 12:09 AM
> To: security-basics () securityfocus com
> Subject: Dsniff not sniffing properly
>
> Hi,
>    I have dsniff on 2 linux laptops, one Debian, one Gentoo and it works 
> fine, if I run it on the local machine and then from the same machine 
> log in to a remote ftp server on my local network as a test it sniffs 
> the authentication pair and displays it.
>
> However, I have it on another workstation (Gentoo Linux) and if I run 
> dsniff as root, it starts sniffing on eth0, my only network interface 
> and the one I am connected to my lan through. I then log in to the same 
> ftp server again and it remains blank.
>
> # dsniff
> dsniff: listening on eth0
> <lots of nothing here>
>
> Even after I log out of the ftp server there is still nothing (upon 
> logout is when it usually displays the creds to me)
>
> So the question is, what is wrong with dsniff on my workstation?
> lspci says I have the following network card:
>
> 04:00.0 Ethernet controller: Broadcom Corporation NetXtreme BCM5754 
> Gigabit Ethernet PCI Express (rev 02)
>
> Is the network card somehow crippled to prevent this? (In which case 
> there should be mass boycott of this card)
>
> It doesn't even need to be in promiscuous mode in order to sniff from 
> the local machine. Why is it not working?
>
>