An Intro to Packet Sniffing
Ever wondered what is happening on your network? What a certain piece of software is sending over your NIC? What protocol a closed-source application speaks to its server? Whether an application sends your data over the Internet securely or not? Well, you can stop wondering now and start sniffing your network traffic. Packet sniffing is the act of capturing packets on the network and extracting their contents so we can analyze them, which is what we are going to do in this little demonstration. In the following lines I'm going to show you how to capture packets and extract their data, and my tool of choice is going to be WinDump, the Windows port of tcpdump. WinDump is a command line tool, but before running it you have to make sure you have the latest WinPcap (the Windows packet capture library) installed; both the library and WinDump can be downloaded from the WinPcap project site. WinDump needs administrator rights, because the WinPcap driver has to put the adapter into promiscuous mode to capture. Keep in mind that a sniffer only sees frames that reach your NIC: on a switched network that means your own machine's traffic plus broadcasts, not the conversations of other hosts.
Now that we have what we need, let's start playing ;) First of all you need to know the names of the available adapters on your machine. You can list them with the -D option (options are case sensitive), like this:
C:\Documents and Settings\Fady Anwar\My Documents>windump -D
1.\Device\NPF_GenericDialupAdapter (Adapter for generic dialup and VPN capture)
2.\Device\NPF_{77CA943D-EF42-4CAD-BB99-1D1BAE8E9B4B} (Intel(R) PRO/100 VE Network Connection (Microsoft's Packet Scheduler) )
As we can see, I have two adapters available on my machine.
Now that we have the adapter names, we can start capturing on one of them by giving its number to the -i option, like this:
C:\Documents and Settings\Fady Anwar\My Documents>windump -i 2
windump: listening on \Device\NPF_{77CA943D-EF42-4CAD-BB99-1D1BAE8E9B4B}
02:26:28.388643 IP IBM.7666 > nf-in-f147.google.com.80: P 2925410720:2925411123(
403) ack 469025486 win 65535
02:26:28.543476 IP nf-in-f147.google.com.80 > IBM.7666: . ack 403 win 6432
02:26:28.586341 IP nf-in-f147.google.com.80 > IBM.7666: P 1431:2533(1102) ack 40
3 win 6432
02:26:28.586383 IP IBM.7666 > nf-in-f147.google.com.80: . ack 1 win 65535
02:26:28.637503 IP nf-in-f147.google.com.80 > IBM.7666: . 1:1431(1430) ack 403 w
in 6432
win 7518
02:26:29.379247 IP IBM.7668 > nf-in-f147.google.com.80: . ack 255 win 65281
02:26:34.762895 IP IBM.6668 > by1msg2145218.phx.gbl.1863: P 488552315:488552434(
119) ack 3415622566 win 64202
02:26:35.057017 IP by1msg2145218.phx.gbl.1863 > IBM.6668: P 1:14(13) ack 119 win
65297
02:26:35.197705 IP IBM.6668 > by1msg2145218.phx.gbl.1863: . ack 14 win 64189
02:26:35.373364 IP by1msg2145218.phx.gbl.1863 > IBM.6668: P 14:135(121) ack 119
win 65297
02:26:35.498662 IP IBM.6668 > by1msg2145218.phx.gbl.1863: . ack 135 win 65535
I've chosen my Ethernet adapter (number 2) because it's the one I'm using while writing this article. As we can see, there are packets going back and forth between my machine (IBM) and Google, and some exchanged between my machine and the MSN Messenger servers (port 1863). Each line shows the time stamp, the host names and ports, the TCP flags (P for PSH, a lone . for a packet carrying only an ACK), the sequence and acknowledgement numbers and the window size, but wait, where is the data? By default WinDump decodes only the headers. To print the packet contents as ASCII as well, let's try the -A option (take care, options are case sensitive). Two more options are worth knowing here: -n stops WinDump resolving IP addresses to host names (those lookups generate DNS traffic of their own, which then shows up in the capture), and -s 0 captures whole packets instead of just the first bytes of each, so application payloads are not cut short.
C:\Documents and Settings\Fady Anwar\My Documents>windump -i 2 -A
windump: listening on \Device\NPF_{77CA943D-EF42-4CAD-BB99-1D1BAE8E9B4B}
02:32:37.648479 IP IBM.6669 > cs42.msg.dcn.yahoo.com.80: P 4187868820:4187868854
(34) ack 366682989 win 65109
.P......#mP..U3H..YMSG.............S..0..fady911x...
02:32:37.963986 IP cs42.msg.dcn.yahoo.com.80 > IBM.6669: . ack 34 win 65535
..#m....P...7..........
02:32:38.630195 IP IBM.2922 > 192.168.1.254.53: 43858+ PTR? 169.193.155.216.in-
addr.arpa. (46)
E..J...........d.....j.5.6...R...........169.193.155.216.in-addr.arpa.....
02:32:38.762498 IP 192.168.1.254.53 > IBM.2922: 43858 1/0/0 (82)
E..n..@............d.5.j.Z...R...........169.193.155.216.in-addr.arpa...........
..
02:32:39.792749 IP IBM.137 > 192.168.1.254.137: UDP, length 50
E..N...........d.........:.............. CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..!..
02:32:41.293053 IP IBM.137 > 192.168.1.254.137: UDP, length 50
E..N...........d.........:.............. CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..!..
02:32:42.793842 IP IBM.137 > 192.168.1.254.137: UDP, length 50
E..N...........d.........:.............. CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..!..
02:32:42.807436 IP IBM.7644 > ik-in-f83.google.com.80: . 843874477:843875937(146
0) ack 3178211243 win 64691
E.....@........dB.[S...P2L...o..P.......POST /mail/channel/bind?at=89efb89bc308e
74
02:32:42.807468 IP IBM.7644 > ik-in-f83.google.com.80: P 1460:1647(187) ack 1 wi
n 64691
E.....@........dB.[S...P2L.a.o..P...A...1:S=Cz4teXOfD6Vd2qZB; S=gmail=JwxKo2gP3d
Well, here is the same kind of traffic but this time with its content. Every dumped packet starts with an E because the -A dump begins at the IP header, whose first byte (version 4, header length 5, i.e. 0x45) is the ASCII letter E; the rest of the headers print as dots, and the readable text after them is the application data. As we can see at the end, my machine was sending a POST request to Google, probably from some AJAX script in the Gmail page, and the session cookie values in that request are right there in plain text; anyone on the path could read them, which is exactly the kind of thing this check is for. There was also data exchanged between my Yahoo Messenger and the Yahoo server (the YMSG protocol, carrying a user name in the clear over port 80), some NetBIOS name queries to my router on UDP port 137, and DNS PTR lookups: those PTR queries are WinDump itself resolving the captured addresses to names, which -n would suppress. But this is a lot of data; what if I want to narrow it down to only HTTP traffic? That can be done using filter expressions, here is how:
C:\Documents and Settings\Fady Anwar\My Documents>windump -i 2 -A port 80
windump: listening on \Device\NPF_{77CA943D-EF42-4CAD-BB99-1D1BAE8E9B4B}
02:40:05.481417 IP IBM.7644 > ik-in-f83.google.com.80: . 843986401:843987861(146
0) ack 3178216323 win 64693
E....d@....^...dB.[S...P2N5..o..P.......GET /mail/?ik=d820ffc07b&view=tl&search=
in
02:40:05.481448 IP IBM.7644 > ik-in-f83.google.com.80: P 1460:1574(114) ack 1 wi
n 64693
E....e@........dB.[S...P2N;..o..P...S...MD3X1ShCi0g:gmproxy=vK8LcsK7DhY:gmproxy_
yj
02:40:05.671791 IP ik-in-f83.google.com.80 > IBM.7644: . ack 1574 win 6616
E..(M.......B.[S...d.P...o..2N<.P...0/........
02:40:05.675251 IP ik-in-f83.google.com.80 > IBM.7644: . ack 1574 win 7300
E..(....2..`B.[S...d.P...o..2N<.P...-.........
02:40:05.678431 IP ik-in-f83.google.com.80 > IBM.7644: . ack 1574 win 7300
E..(. ..2.._B.[S...d.P...o..2N<.P...-.........
02:40:05.721961 IP ik-in-f83.google.com.80 > IBM.7644: P 1:363(362) ack 1574 win
7300
E....
..2...B.[S...d.P...o..2N<.P...s`..HTTP/1.1 200 OK
Cache-control: no-cache,
02:40:05.882612 IP IBM.7644 > ik-in-f83.google.com.80: . ack 363 win 64331
E..(.j@........dB.[S...P2N<..o..P..KMQ..
Here we see only traffic on port 80, and among it the GET and POST requests made by the AJAX script of the Gmail page currently open in my browser. Note that the expression port 80 matches packets in both directions (source or destination port 80), which is why the server's replies, like the HTTP/1.1 200 OK above, are included; it also matches anything on port 80 whether it is HTTP or not, since the filter looks at port numbers, not at the protocol. Sounds cool? What if I wanted to narrow it down further, to a specific host, say Google? Here is how:
C:\Documents and Settings\Fady Anwar\My Documents>windump -i 2 -A port 80 and host ik-in-f83.google.com
windump: listening on \Device\NPF_{77CA943D-EF42-4CAD-BB99-1D1BAE8E9B4B}
02:46:44.135367 IP IBM.7644 > ik-in-f83.google.com.80: . 844094006:844095466(146
0) ack 3178220690 win 65174
E....6@........dB.[S...P2O.6.o..P.......POST /mail/channel/bind?at=89efb89bc308e
74
02:46:44.135398 IP IBM.7644 > ik-in-f83.google.com.80: P 1460:1646(186) ack 1 wi
n 65174
E....7@........dB.[S...P2O...o..P...?...:S=Cz4teXOfD6Vd2qZB; S=gmail=JwxKo2gP3de
kv
02:46:44.135491 IP IBM.7644 > ik-in-f83.google.com.80: P 1646:1699(53) ack 1 win
65174
E..].8@.... ...dB.[S...P2O...o..P...<...count=1&req0_type=i&req0_time=920053
63&req
02:46:44.325534 IP ik-in-f83.google.com.80 > IBM.7644: . ack 1646 win 6544
E..(......j.B.[S...d.P...o..2O..P...z.........
Now all the captured packets are exchanged with a single host, and we can see Google's POST and GET requests. The expression language is the same Berkeley Packet Filter (BPF) syntax tcpdump uses: primitives such as host, net, port, src and dst are combined with and, or and not, so port 80 and host ik-in-f83.google.com keeps only packets that satisfy both conditions. A host name in a filter is resolved once, when the filter is compiled, not per packet; for a site that answers from many addresses, filtering on the IP address you see in the capture is more reliable.
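To make concrete what WinDump is doing when it prints those lines and what the filter expressions select, here is an added example in Python; it is not code from the original post or from the WinDump project. It builds a few constructed Ethernet/IPv4 frames, decodes the headers the way a sniffer does, produces a one-line summary in the same style as the captures above plus an -A style ASCII dump, and applies host and port filters with the same either-direction semantics as the capture filter. The addresses, ports, sequence numbers and cookie value are made up and checksums are left at zero. It also shows why every packet in the -A output starts with E (the dump begins at the IPv4 header, whose first byte 0x45 is the letter E) and why the 50-byte NetBIOS datagrams show E..N (the 78-byte total length, 0x4E, prints as N).

```python
import socket
import struct

# Constants for the headers we decode (Ethernet II, IPv4, TCP, UDP).
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17
TCP_FLAG_NAMES = [(0x02, "S"), (0x01, "F"), (0x08, "P"), (0x04, "R")]


def build_frame(src, dst, sport, dport, payload, proto=PROTO_TCP,
                seq=0, ack=0, flags=0x18, win=65535):
    """Assemble a constructed Ethernet/IPv4/TCP (or UDP) frame for the demo.
    Checksums are left at zero; the decoder below does not verify them."""
    if proto == PROTO_TCP:
        l4 = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                         (5 << 12) | flags, win, 0, 0) + payload
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0x4000, 64,
                     proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    eth = bytes(range(6)) + bytes(range(6, 12)) + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + l4


def decode(frame):
    """Parse Ethernet II -> IPv4 -> TCP/UDP; returns None for non-IPv4 frames."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    ip = ip[:struct.unpack("!H", ip[2:4])[0]]      # honour the IP total length
    pkt = {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
           "proto": ip[9], "ip_bytes": ip, "sport": None, "dport": None}
    l4 = ip[ihl:]
    if pkt["proto"] == PROTO_TCP:
        sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", l4[:16])
        pkt.update(sport=sport, dport=dport, seq=seq, ack=ack, win=win,
                   flags=off_flags & 0x1FF, payload=l4[(off_flags >> 12) * 4:])
    elif pkt["proto"] == PROTO_UDP:
        sport, dport, ulen = struct.unpack("!HHH", l4[:6])
        pkt.update(sport=sport, dport=dport, payload=l4[8:ulen])
    else:
        pkt["payload"] = l4
    return pkt


def summary(pkt):
    """One-line summary in the style of the WinDump output in the article."""
    head = f"IP {pkt['src']}.{pkt['sport']} > {pkt['dst']}.{pkt['dport']}:"
    if pkt["proto"] == PROTO_TCP:
        # '.' means no flag other than ACK, as in the article's output.
        flags = "".join(n for bit, n in TCP_FLAG_NAMES if pkt["flags"] & bit) or "."
        n = len(pkt["payload"])
        seg = f" {pkt['seq']}:{pkt['seq'] + n}({n})" if n else ""
        return f"{head} {flags}{seg} ack {pkt['ack']} win {pkt['win']}"
    if pkt["proto"] == PROTO_UDP:
        return f"{head} UDP, length {len(pkt['payload'])}"
    return f"{head} ip-proto-{pkt['proto']}"


def ascii_dump(pkt):
    """What -A prints: the IP packet minus the link header, non-printables as dots.
    The leading 'E' on every dumped packet is the 0x45 IPv4 version/IHL byte."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in pkt["ip_bytes"])


def matches(pkt, host=None, port=None):
    """BPF-like semantics of 'host X' and 'port N': either direction, all must hold."""
    if host is not None and host not in (pkt["src"], pkt["dst"]):
        return False
    if port is not None and port not in (pkt["sport"], pkt["dport"]):
        return False
    return True


def sniff(frames, host=None, port=None):
    """Decode every frame and keep those matching the filter, like 'windump -A port 80'."""
    out = []
    for frame in frames:
        pkt = decode(frame)
        if pkt is not None and matches(pkt, host=host, port=port):
            out.append((summary(pkt), ascii_dump(pkt)))
    return out


# Constructed sample traffic; addresses, ports and the cookie value are made up.
SAMPLE_FRAMES = [
    build_frame("192.168.1.100", "64.233.183.83", 7644, 80,
                b"POST /mail/channel/bind HTTP/1.1\r\nCookie: S=gmail=EXAMPLE\r\n\r\n",
                seq=843874477, ack=3178211243),
    build_frame("64.233.183.83", "192.168.1.100", 80, 7644, b"",
                flags=0x10, seq=3178211243, ack=843874538, win=7300),
    build_frame("192.168.1.100", "192.168.1.254", 137, 137, b"\x00" * 50,
                proto=PROTO_UDP),
]

if __name__ == "__main__":
    for line, dump in sniff(SAMPLE_FRAMES, port=80):
        print(line)
        print(dump)
```

Run as is, it prints the two port-80 packets with their ASCII dumps; the NetBIOS datagram is dropped by the filter. In real use the frames would come from the capture library rather than from build_frame, and a production decoder would also verify checksums, handle IP options and fragments, and cope with truncated packets when the snapshot length is shorter than the frame.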
I hope you enjoyed this walkthrough. For more detail about the use of WinDump you can read the full manual.
Thanks for reading