Slashdot Mirror
Unhealthy Sniffing
Simon Doring writes "Stefan Esser did it again. Yesterday he reported 13 remote root vulnerabilities in Ethereal. Time to teach all those sniffing kiddies an unhealthy lesson. The next LAN party will be a lot of fun."
← Back to Stories (view on slashdot.org)
network sniffers are useful for other things as well.
just this spring had to use ethereal on one networking course to follow ethernet packets, which computer was asking what from who, how the router affected the packets and how a hub is different from a switch(all and all quite basic stuff but still it was quite useful for gaining insight to the different protocols in real world like situation)..
how about the windows port?
world was created 5 seconds before this post as it is.
The right way to do passive scanning is with an ethernet cable that has the tx leads removed.
Can't do that with UTP. The link pulse travels over the same wire, so the hub or switch will deactivate the port and you won't see any traffic at all. What you can do is cut the TX pin on the AUI connector when using an external tranceiver, but nobody uses those any more.
In BSD derivatives, you can up an interface without giving it an address, attach to it with bpf and set it in promiscuous mode. You'll see all the traffic on the wire, but none of it will go into the network stack and no outgoing traffic will be generated unless you do it yourself.
(I write network analysis software for a living)
So, yes, they did let them know, and the holes have already been fixed.
"From my cold, dead hands you damn, dirty apes!" - CH
Can't do that with UTP. The link pulse travels over the same wire, so the hub or switch will deactivate the port and you won't see any traffic at all. What you can do is cut the TX pin on the AUI connector when using an external tranceiver, but nobody uses those any more.
In BSD derivatives, you can up an interface without giving it an address, attach to it with bpf and set it in promiscuous mode. You'll see all the traffic on the wire, but none of it will go into the network stack and no outgoing traffic will be generated unless you do it yourself.
(I write network analysis software for a living)
Ok.. UTP 101.. let's use EIA/TIA568B FastEthernet here (toss this out if you're sniffing GigE traffic)...
pin 1 -> white/orange
pin 2 -> orange
pin 3 -> white/green
pin 6 -> green
Following traffic from switch to host, the pins are as follows:
pin 1: RX+ (receives from host)
pin 2: RX-
pin 3: TX+ (transmits to host)
pin 6: TX-
The *proper* way to do this is start with a normal cable. At the host end, cut into the cable jacketing a little ways up from the terminator and cut the white/orange and orange wires, then solder lead 1 to 3 and lead 2 to lead 6 (white/orange to white/green and orange to green). Do this for the side of the cable headed towards the switch and leave pins 1 & 2 "dangling" to the host. The cable is unidirectional and it can only connect between the switch and host *one way*. This is safer than depending on an unaddressed promiscuous port because there is phyically *no way* for data to get to the switch from the host, but the host will see everything on the wire.
You can get a little more freaky and use a small capacitor inline (I can't recall the value at the moment, but it's specific to the speed of the wire) to simply put too much noise to pass traffic but not so much as to drop the connection, but the solution above works just swimmingly well if you're handy doing small task soldering and wire stripping.
(I sniff networks for a living)