Serial Sniffer Windows

0 views
Skip to first unread message

Dhara Lyford

unread,
Aug 4, 2024, 11:29:09 PM8/4/24
to seleconttran
Toactivate this mode in Windows, we need a card supported by Acrylic Wi-Fi Sniffer. This should not be a problem as the compatible Wi-Fi cards list for our sniffer is very extensive and includes modern 802.11ac cards such as the ALPHA cards.

When Acrylic Wi-Fi Sniffer cannot enable monitor mode on the installed WiFI card using its driver we can use NDIS driver, by installing it in the program control panel.


NDIS is a native Windows mechanism to turn a card into a Wi-Fi sniffer. Unfortunately, Microsoft lack of support for this technology and the lack of support from manufacturers means that it does not always work optimally and it has certain technical limitations, so NDIS is Acrylic plan B for sniffing.


If you are more interested in using a graphical diagnostic tool, to graphically navigate and visualise all the information without losing the power of a WiFi packet viewer, we recommend you to try Acrylic Wi-Fi Analyer.


So far, I found Microsoft Network Monitor which is a nice tool, but for localhost it's useless because on Windows, localhost packets don't pass through the regular network stack, so they're invisible to an ethernet sniffer like MS Network Monitor.


I have had such a issue when I want to monitor traffic on localhost after setting up SelfSSL on it. After searching about other useful tools, I found fidllre somehow suitable for my issueyou should try this Fiddler for Http and Https


How to get this working on Windows 10 x64? I have the same problem as mentioned above in that the CC2540 dongle shows up in device manager with no driver installed and is therefore not showing up in the Packet Sniffer. The dongle is untouched as received from TI, which I understand should mean that its flashed with the packet sniffer firmware by default.


My situation is similar to one described by the guys above, but with some difference: when I first installed SmartRF Studio + Packet Sniffer + SmartRF Flash Programmer, everything worked just fine: I was able to use cc2540 dongle with sniffer, read and write firmware from/to cc2540 chips through SmartRF05EB.


Yesterday I tried to read the firmware from cc2531 chip and found out that now neither Packet Sniffer nor Flash Programmer nor Studio don't see any of the chips! It seems that the main big thing that happened in between is the automatic Win 10 upgrade to ver 1703 (build 15063.413 as it says now; don't remember, which one was before). It's x64.


As everything worked before, I didn't look to Windows' device manager. Now I looked there and under "Other devices" I have CC2540USB Dongle with error 28, driver not installed, like mentioned in above messages. It's pretty surprising to see that, but at least it correlates to the fact that things are broken now.


Further, I don't see any "cebal2_x64.inf under C:\Program Files (x86)\Texas Instruments\SmartRF Tools\drivers\cebal\win_64bit_x64". Under C:\Program Files (x86)\Texas Instruments\SmartRF Tools\drivers\cebal there are only 2 dirs: \not_certified and \win_32bit_x86, no mentioning of 64bit version at all. So, as far as I see, I have latest versions of all tools and neither one has installed 64bit version. Where can I find it?


Someone will hopefully tell us how to set up the network adapter software to "bridge" Ethernet port 1 to Ethernet port 2 so that data is bidirectionally passed through the 2 Ethernet ports. This can be Windows 10 configuration, or require installing commercial software.


There are other computers here. I will run Cat 5 from the other computers into Ethernet port 1 of the Wireshark laptop, and more Cat 5 from Ethernet port 2 of the Wireshark laptop to the Internet connection.


This will allow me to capture malicious outbound data. If you install Wireshark locally, viruses have enough kernel access that they can prevent Wireshark from "seeing" the outbound network data they send, so you must use an external sniffer. Basically I want to build a device to wiretap myself.


Could you please tell me how to set up the network adapter software to "bridge" Ethernet port 1 to Ethernet port 2 so that data is bidirectionally passed through the 2 Ethernet ports? In addition Wireshark needs to be able to sniff from either of these Ethernet ports.


I tried Bridge Connections but it didn't work. DHCP from the "Ethernet port 2" side (outside the Wireshark laptop) addressed both the Wireshark laptop and the other computer, but network transactions from either computer wouldn't work.


When installing Wireshark, I selected all additional packages such as WinPCap. Once in Wireshark I selected the network interface associated with the other computer. It was named "Ethernet". This started real-time network monitoring.


Once in the data capture view the useful information was the IP and HTTP (application) layers. I could see IP layer transactions to see the destination IP addresses, and HTTP (non-HTTPS) showed me actual HTTP data. Without being able to decrypt encrypted application layer protocols, that may be the most that I can get out of this technique for detecting malware. Destination IP address is very useful, though.


The IP addresses of both physical interfaces, if assigned, are deactivated but remembered, so once you remove the bridge, they come back. On the contrary, whatever network configuration you set for the bridge, it is completely forgotten when you remove the bridge.


Something is telling me that the MAC address of the virtual network card is derived from the first physical one to be clicked, but I am not sure here. "Derived" means "or 01:00:00:00:00:00" (as in "setting the "private" bit).


There is one significant advantage of the suggestion of @Uli - if the malware targets Windows, it is better not to use them for capturing. At least I'd recommend to disable all protocols (IPv4, IPv6, IPX) on the virtual interface before connecting the infected machine.


I am using sniffer v3.1. I have installed the sniffer code on a nRF52840 dongle (PCA100059). When I insert this into the PC with windows 8.1 it appears as "nRF Sniffer for Bluetooth LE " in device manager (under Other devices) but driver is missing and no COM port is created.


Hello PAF,



I am sorry to hear that you are having issues with this.

The following should not be necessary with windows version later than Windows 7, but if you could please give the following a try, and let me know if this resolves your issue:


Hello Karl,



unfortunately I tried that before and it did not work that is why I raised that ticket. The device enumerates with VID_1915 and PID_522A and the driver you are referring to is VID_1915 and PID_521A so Windows does not find the proper driver when pointing to SDK/examples/usb_drivers. Any other sugestions?


Hello again PAF,



Could you also confirm for me that you have followed all the steps of the Sniffer installation guide?

Could you also specify exactly how and what you programmed the nRF52840 Dongle with?



This might seem trivial, but I would like to rule out the installation as a potential error source.



Best regards,

Karl


Thank you for clarifying, PAF.



I have tried this on my end, using Windows 10, and I am unfortunately not seeing this issue.

To rule out the hardware being at fault, do you have access to a non-Windows 8 PC which you could test the sniffer on?

I will discuss this with a colleague that knows more about windows 8's drivers than me on Monday.



Best regards,

Karl


With their ability to capture and analyze data packets in real time, packet sniffers are invaluable tools for network administrators and security professionals. In this article, we will look closer at the best packet sniffers available today, how they work, and what features to look for when choosing the right tool for your network security needs.


A packet sniffer, also known as a network analyzer or protocol analyzer, is a network tool that captures and analyzes network traffic. It intercepts and logs network traffic that passes through a specific network interface, allowing network administrators to diagnose and troubleshoot network problems, detect intrusion attempts, and monitor network activity. Network administrators and security professionals use packet sniffers in network security, performance optimization, and troubleshooting.


Packet sniffers analyze the information packets contain about the source and destination addresses, the protocol used, and the data being transmitted. Protocol analyzers provide detailed information about network activity, including the types of traffic, the sources and destinations of traffic, the protocols being used, and the contents of the data being transmitted.


Packet sniffers can also detect network intrusion attempts by analyzing traffic for signs of suspicious activity or anomalies. For example, a packet sniffer might detect traffic from an unfamiliar IP address or traffic that appears to be attempting to exploit a known vulnerability in a network service.


A packet sniffer works by intercepting network traffic data as it travels between devices on a network. The packet sniffer is placed in a strategic location within the network topology, such as at the network perimeter or within the internal network. Once the packet sniffer has intercepted the data packets, it captures and analyzes the information they contain, including the source and destination addresses, the data payload, and any headers or protocols used.


Packet sniffers can capture network data in two ways: in promiscuous mode or in non-promiscuous mode. In promiscuous mode, the packet sniffer captures all network traffic on the network segment it is attached to, including traffic not intended for its own interface. In non-promiscuous mode, the packet sniffer captures only the traffic intended for its own interface.


Once the data packets have been captured, the packet sniffer analyzes them using various algorithms and protocols to extract meaningful information. This information can include details about the network topology, network performance, and potential security threats. The packet sniffer then presents this information to the network administrator or security professional in a user-friendly format, allowing them to make informed decisions about managing and securing their network.

3a8082e126
Reply all
Reply to author
Forward
0 new messages