I'm trying to use dsniff to sniff my own lan.
However, it doesn't see _anything_, even when I'm
busy telnetting/ftping/whatever from the machine I'm
sniffing on to the other machine.
Both machines are connected via ethernet, and dsniff
is listening to device eth0.
The version is 2.4b1 and I'm running Debian unstable.
Also, can dsniff sniff ppp connections? It seems to only handle
ethernet.
Any ideas?
Thanks,
Gad
hi gad,
i have the same problem, but i think it's ok like that!
1. man dsniff says, that the output-format is a berkeley-db-formatted
file
2. even if i used the -w parameter and specified a file to write
outputs in, the file was cryptic, seemed even binary and not readable
so for those reasons it is obviously normal that dsniff does no output on
standard output (console...)
if i am wrong, please tell me. so far i think it's ok what we
saw (nothin' :-) )!
best greetings from würzburg, müsli
--
---------------------------------------------------------------------
Markus Müssig MULTA MEDIO Informationssysteme AG
Mergentheimer Str. 76a
97082 Würzburg
mailto:mmue...@multamedio.de Tel: +49 (0)931 79717- 0
http://www.multamedio.de Fax: +49 (0)931 79717-30
have you enabled ip_forwarding? (echo 1 > /proc/sys/net/ip...)
Try to type dsniff -i eth0.
Thomas
hi gad,
IMHO ip_forwarding has nothing to do with capturing packets with dsniff.
of course it is necessary, if you want your router to provide internet
connectivity for your local lan, but if he gets connected successfully
via telnet between two lan-clients, network works fine!
for problems connecting to internet this would be important to check!
correct me, if i am wrong!
greetings, müsli
have a look at point 2!
I can confirm. IP forwarding has nothing to do with packet capturing.
This document implements ARP cache poisoning to get packets redirected to
your box, in order to capture them. But, once you get those packets, you
need to send them back to the legitimate destination so as not to generate
a DoS. Thus, you need to activate IP forwarding.
In Gad's case, no packet redirection is needed as he runs dsniff on one of
the two boxes that communicate. So, he does not need arpspoof and does
not need IP forwarding.
--
BOFH excuse #79:
Look, buddy: Windows 3.1 IS A General Protection Fault.
best greetings from würzburg, müsli
I've tried running dsniff again. Now it does seem to
pick up cleartext passwords going through eth0, but
it only shows them after the connection has ended.
For instance, you telnet in to a machine, then exit.
Only then you get the username/password.
I still haven't been able to work out whether dsniff
works with ppp0. It says:
#>dsniff -i ppp0
link type unknown, defaulting to ethernet.
dsniff: listening on ppp0
Thanks,
Gad
>#>dsniff -i ppp0
>link type unknown, defaulting to ethernet.
File: pcaputil.c -->
Function: pcap_dloff() -->
switch (pcap_datalink(pd)) {
/*
* This is an unofficial patch so do it with YOUR OWN RISK.
* NO WARRANTY. Appended by RainbowHat.
*/
case DLT_PPP:
offset = 4; // 4 bytes offset for Linux PPP
break;
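Review bot: The "case DLT_PPP:" arm sets "offset = 4" on every platform, while its own comment says the value is for Linux PPP. Either guard the case with a platform check or state in the comment which PPP encapsulations the 4-byte header length is known to hold for, so that frames with a different header length are not parsed starting at the wrong byte. The "//" comment is also inconsistent with the "/* */" style used in the block just above it.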
--
Regards, RainbowHat. To spoof or not to spoof, that is the IPv4 packet.
----+----1----+----2----+----3----+----4----+----5----+----6----+----7
Gad