Security Basics mailing list archives

Re: learning sniffer skills


From: Alvin Oga <alvin.sec () Virtual Linux-Consulting com>
Date: Fri, 10 Dec 2004 22:14:39 -0800 (PST)


hi ya 

i've been thinking about doing some sniffing too 

after a day of googling and playing with various apps ...

i like pfilt.pl ...

to test the sniffer(s) i played with ...
        snifferbox#  ./run-the-sniffer-app

        - watch for the sniffed data to show up on my snifferbox
                - ssh traffic showed up as gibberish ...( good )
                - text traffic showed up as text in my xterm@snifferbox

                - i could see all the emails 
                - i could see all the http traffic without the images 

                ( send yourself emails and watch your sniffer show the email
                ( download a webpage and watch your sniffer show the same data

                - i could sniff the traffic on eth0 and/or wireless devices

        kismet + ethereal is nice, but it's not real time and it's not
        presented in "normal mode" as a regular user would see the data,
        and it's a specific tool only for wireless traffic

        pfilt.pl shows you the data as if you were the "real/legitimate recipient"

In addition, you can try this:

tcpdump -i "interface name" -s 1518 -lenvv host "whatever host" and port 110 -w /tmp/"file name"
 
..

I'm trying to read, with tcpdump or snort, the mail messages downloaded by
pop3.  But can see the message content.    How can I "assemble" the
message read with the sniffer?

      I think you are trying to do something like this:

      tcpdump -s 2000 port 110 -w /tmp/data-to-port-110

i'd sniff port 25 instead ... and you get ALL incoming emails to the email server
        and it will NOT matter if they use pop3 or pop3s since
        we're sniffing the incoming emails, not the outgoing emails that
        were sitting in the pop server

-----------------

-- how do you know if your network is being sniffed ???
        - not trivial(?) to figure out...and detect the sniffer

c ya
alvin
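One partial answer to the closing question, added here as an example and not part of the original post: a sniffer running on a host normally puts that host's NIC into promiscuous mode, and on Linux the kernel exposes the interface flags through sysfs. The script below (assumed paths: `/sys/class/net/<iface>/flags`, with IFF_PROMISC = 0x100 as defined in linux/if.h) lists local interfaces that currently have the flag set. It only detects capture on the host where it runs; a sniffer on another machine or a port mirror leaves no such trace, so this is a host-level check, not a network-wide one.

```shell
#!/bin/sh
# Added example (not from the original post): report local interfaces whose
# IFF_PROMISC flag is set, by reading the kernel's per-interface flags file.
# Assumed layout: /sys/class/net/<iface>/flags containing a hex value like 0x1103.

IFF_PROMISC=256   # 0x100 in linux/if.h (assumed constant)

# promisc_ifaces [sysfs_net_dir] -> prints one interface name per line
promisc_ifaces() {
    dir="${1:-/sys/class/net}"
    for f in "$dir"/*/flags; do
        [ -r "$f" ] || continue          # no interfaces, or unreadable entry
        flags=$(cat "$f")                # e.g. 0x1103
        # POSIX sh arithmetic accepts the 0x prefix, so the hex value can be masked directly
        if [ $(( flags & IFF_PROMISC )) -ne 0 ]; then
            basename "$(dirname "$f")"
        fi
    done
}

# Constructed fixture for offline demonstration: a fake sysfs tree with two
# interfaces, one promiscuous (eth0) and one not (lo). Caller removes the dir.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/eth0" "$d/lo"
    printf '0x1103\n' > "$d/eth0/flags"   # UP|BROADCAST|RUNNING|PROMISC|MULTICAST
    printf '0x9\n'    > "$d/lo/flags"     # UP|LOOPBACK, not promiscuous
    echo "$d"
}

# Stand-alone run: check the real host, then show the fixture result
echo "promiscuous interfaces on this host:"
promisc_ifaces
fx=$(make_fixture)
echo "promiscuous interfaces in constructed fixture (expect eth0):"
promisc_ifaces "$fx"
rm -rf "$fx"
```

Running it periodically (or from a cron job that diffs against the last result) turns a one-off check into a simple host-based alert; on hosts with a legitimate reason to be promiscuous (an IDS sensor, a bridge member) whitelist those interfaces rather than ignoring the check.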

