
EthernetSnooping

Filed in: Tutorials.EthernetSnooping · Modified on: Mon, 22 Nov 10

This tutorial describes how to set up a computer to tap an Ethernet connection, allowing you to capture all Ethernet frames flowing through it. This is useful for diagnosing network faults, troubleshooting embedded or otherwise locked-down devices, and learning how stuff works in general.

Requirements

  • Computer with two Ethernet ports
  • 1 additional Ethernet cable

Situation

Sniffer
Computer hosting the sniffing software
Target
Computer whose network traffic we want to tap
Wall port
The thing the target's Ethernet cable is plugged into

We assume that the current setup has the target plugged into the wall port.

Procedure

On the sniffer...

  1. Install or boot into a Linux environment. (The remaining instructions are mainly for Linux Mint XFCE, but are fairly generic.)
  2. Install the brctl tool (which is in the package bridge-utils on Mint/Ubuntu), as well as wireshark (package: wireshark). You might need to ensure that bridging is enabled in your kernel, but AFAICT, it's usually enabled by default.
  3. Disable any automatic networking programs; we need to do it manually:
    killall nm-applet
  4. Insert the sniffer inline between the wall port and the target, like this: wall port == sniffer == target
  5. Create the bridge interface and add your interfaces:
    #you need to be root to do everything
    sudo -s
    brctl addbr br0
    #adjust eth0 and eth2 to your ethernet adaptors' names
    brctl addif br0 eth0
    brctl addif br0 eth2
    brctl setfd br0 0 #not essential, but makes things faster
  6. Start the bridge:
    ifconfig br0 up
  7. Get an IP (this is not really necessary, but allows us to access the network on the local machine):
    dhclient br0
  8. Start Wireshark:
    wireshark -i br0 -k

That's it. Watch the packets flow.

Alternative Methods

Hub

upstream -- hub +-- target
                +-- sniffer

In this configuration, the target and sniffer are both connected to an Ethernet hub. In fact, this case is trivial: all packets from/to the target will also be sent to the sniffer! The sniffer is expected to drop packets not destined to it, but that doesn't mean we can't look at them first ;)

Switch

upstream -- switch +-- target
                   +-- sniffer

Say you don't have two Ethernet ports on your sniffer, but are plugged into the same switch as the target. A technique called "ARP poisoning" will allow you to trick the switch into thinking that the sniffer is the target, thus forwarding all packets to it.

Theory time! A hub forwards any Ethernet frames it receives on an interface to every other one of its interfaces; it is only concerned with Layer 2.

Switches, on the other hand, are slightly more intelligent in that they will (or should) forward traffic only to its intended destination. A switch accomplishes this by way of an ARP table, which maps IP addresses to MAC addresses. When an IP packet arrives on one of its interfaces, the switch forwards it to the MAC address associated with that IP in its ARP table.

Now, provided all hosts on the switch are truth-tellers, coming up with the ARP table works pretty well. The switch listens to traffic on its interfaces for a while, learning which MACs are sending which IPs.

However, there's also an ARP protocol (on Layer 3) that can be used to broadcast packets like "Who has IP X? Tell MAC address Y." (query) and "Hey MAC Y, MAC Z has address X!" (response). The protocol also has something called a "Gratuitous ARP", which sounds like the end part of the ARP response: "MAC Z has address X!", but not in response to any particular query. The switch will pick up on this and add it to its ARP table, despite the fact that it may conflict with what it's learned previously (better safe than sorry).

A program called ettercap can be used to send these packets. Then it's simply a matter of listening with Wireshark and filtering the interesting stuff.
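As an added example (not part of the original tutorial), here is how the ARP messages described above look on the wire, and how a sniffer on br0 can spot poisoning: parse each Ethernet/IPv4 ARP frame and flag any IP that is claimed by more than one MAC in replies, gratuitous or not. Standard-library Python only; every MAC, IP and frame below is constructed for the example.

```python
import struct
from collections import defaultdict

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType (ARP is 0x0806)
ARP_BODY = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ARP_REQUEST, ARP_REPLY = 1, 2

def mac(s): return bytes.fromhex(s.replace(":", ""))
def ip(s): return bytes(int(o) for o in s.split("."))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)

def build_arp(src_mac, dst_mac, oper, sha, spa, tha, tpa):
    """Assemble an Ethernet frame carrying an Ethernet/IPv4 ARP packet (for constructed samples)."""
    eth = ETH_HDR.pack(mac(dst_mac), mac(src_mac), 0x0806)
    return eth + ARP_BODY.pack(1, 0x0800, 6, 4, oper, mac(sha), ip(spa), mac(tha), ip(tpa))

def parse_arp(frame):
    """Return (oper, sender_mac, sender_ip, target_mac, target_ip), or None if not Ethernet/IPv4 ARP."""
    if len(frame) < ETH_HDR.size + ARP_BODY.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != 0x0806:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = ARP_BODY.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return oper, mac_str(sha), ip_str(spa), mac_str(tha), ip_str(tpa)

def find_conflicts(frames):
    """Return {ip: [macs]} for every IP claimed by more than one MAC in ARP replies (the poisoning signature)."""
    claims = defaultdict(set)
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed and parsed[0] == ARP_REPLY:
            claims[parsed[2]].add(parsed[1])   # sender IP -> set of sender MACs
    return {addr: sorted(macs) for addr, macs in claims.items() if len(macs) > 1}

# Constructed sample traffic, not a real capture: the target's request, the gateway's genuine
# reply, a gratuitous reply from a second MAC claiming the gateway's IP, and one non-ARP frame.
GW_MAC, GW_IP = "00:11:22:33:44:55", "192.168.1.1"
HOST_MAC, HOST_IP = "66:77:88:99:aa:bb", "192.168.1.20"
ROGUE_MAC, BCAST, ZERO = "de:ad:be:ef:00:01", "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"
SAMPLE = [
    build_arp(HOST_MAC, BCAST, ARP_REQUEST, HOST_MAC, HOST_IP, ZERO, GW_IP),
    build_arp(GW_MAC, HOST_MAC, ARP_REPLY, GW_MAC, GW_IP, HOST_MAC, HOST_IP),
    build_arp(ROGUE_MAC, BCAST, ARP_REPLY, ROGUE_MAC, GW_IP, BCAST, GW_IP),
    ETH_HDR.pack(mac(GW_MAC), mac(HOST_MAC), 0x0800) + b"\x00" * 28,   # IPv4, ignored
]
```

Running `find_conflicts(SAMPLE)` reports the gateway IP with both MACs; on a real tap you would feed it the ARP frames Wireshark captured on br0.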
