mailing list archives
Re: learning sniffer skills
From: Alvin Oga <alvin.sec () Virtual Linux-Consulting com>
Date: Fri, 10 Dec 2004 22:14:39 -0800 (PST)
i've been thinking about doing some sniffing too
after a day of googling and playing with various apps ...
i like pfilt.pl ...
to test the sniffer(s) i played with ...
- watch for the sniffed data to show up on my snifferbox
- ssh traffic showed up as gibberish ...( good )
- text traffic showed up as text in my xterm @ snifferbox
- i could see all the emails
- i could see all the http traffic without the images
( send yourself emails and watch your sniffer show the email
( download a webpage and watch your sniffer show the same data
- i could sniff the traffic on eth0 and/or wireless devices
kismet + ethereal is nice, but it's not real time and it's not
presented in "normal mode" as a regular user would see the data
and it's a specific tool only for wireless traffic
pfilt.pl shows you the data as if you were the "real/legitimate recipient"
In addition, you can try this:
tcpdump -i "interface name" -s 1518 -lenvv host "whatever host" and port 110 -w /tmp/"file name"
I'm trying to read, with tcpdump or snort, the mail messages downloaded by
pop3. But can see the message content. How can I "assemble" the
message read with the sniffer?
I think you are trying to do something like this:
tcpdump -s 2000 port 110 -w /tmp/data-to-port-110
i'd sniff port 25 instead ... and you get ALL incoming emails to the email server
and it will NOT matter if they use pop3 or pop3s since
we're sniffing the incoming emails, not the outgoing emails that
were sitting in the pop server
-- how do you know if your network is being sniffed ???
- not trivial(?) to figure out...and detect the sniffer
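One local check a defender can run on the question raised above is whether any interface on a Linux host has been put into promiscuous mode, which is what a sniffer like tcpdump or pfilt.pl normally does. This is an added example, not code from the post or from any tool it mentions; it assumes a Linux sysfs layout (/sys/class/net/<iface>/flags) and the IFF_PROMISC bit value from the kernel's if.h.

```python
import os

# Linux if.h: IFF_PROMISC is bit 0x100 of the interface flags word.
IFF_PROMISC = 0x100


def promiscuous_from_flags(flags_text: str) -> bool:
    """Return True if a sysfs flags value (hex string, e.g. '0x1103')
    has IFF_PROMISC set."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def scan_interfaces(sysfs_root: str = "/sys/class/net") -> dict:
    """Map every interface name under sysfs_root to whether it is
    currently promiscuous. Missing or unreadable entries are skipped;
    a missing sysfs root yields an empty result."""
    results = {}
    try:
        names = sorted(os.listdir(sysfs_root))
    except FileNotFoundError:
        return results
    for name in names:
        flags_path = os.path.join(sysfs_root, name, "flags")
        try:
            with open(flags_path) as fh:
                results[name] = promiscuous_from_flags(fh.read())
        except OSError:
            # virtual entries without a flags file, permission errors, etc.
            continue
    return results


if __name__ == "__main__":
    for iface, promisc in scan_interfaces().items():
        print(f"{iface}: {'PROMISC' if promisc else 'normal'}")
```

This only sees sniffers running on the host you query; a capture box elsewhere on the segment, or one that reads only traffic addressed to itself, shows nothing here, which is the "not trivial" part of the question. Bridges and some virtualization drivers also set the flag legitimately, so treat a hit as a lead to confirm rather than proof of sniffing.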