Re: Dsniff not sniffing properly

[Hari Sekhon <hpsekhon () googlemail com>]

no no no

I have run dsniff on a couple of laptops and from those same laptops 
conducted an ftp session to see the auth pair grabbing work. Ie from the 
same machine as dsniff is running I open a session to a remote ftp server.

Now I try it on a 3rd machine and do exactly the same again, start 
dsniff and then in a separate terminal on same the dsniff machine I open 
an ftp session to see if it will grab the auth pair as it normally does.

But dsniff stays silent, even after the session is closed, the auth pair 
never appear in dsniff.

There is no remote sniffing, I know how to mitm but I'm not testing 
mitm, I'm just testing if dsniff can sniff on the local machine, not 
another machine.

I've used dsniff remotely with mitm but this time it was not working so 
I tested it locally and found that dsniff was just not sniffing stuff 
even on the local interface.

There is only 1 NIC, eth0, so it can't even be listening on the wrong 
interface.

-h

Hari Sekhon



Aaron Howell wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hari Sekhon wrote:
>   
> > Hi,
> >   I have dsniff on 2 linux laptops, one Debian, one Gentoo and it works
> > fine, if I run it on the local machine and then from the same machine
> > log in to a remote ftp server on my local network as a test it sniffs
> > the authentication pair and displays it.
> >
> > However, I have it on another workstation (Gentoo Linux) and if I run
> > dsniff as root, it starts sniffing on eth0, my only network interface
> > and the one I am connected to my lan through. I then log in to the same
> > ftp server again and it remains blank.
> >
> > # dsniff
> > dsniff: listening on eth0
> > <lots of nothing here>
> >
> > Even after I log out of the ftp server there is still nothing (upon
> > logout is when it usually displays the creds to me)
> >
> > So the question is, what is wrong with dsniff on my workstation?
> >     
>
>  If I am reading this correctly, you are running dsniff on Host A, then
> logging on to the FTP server from the same machine, which works as
> expected. You then run dsniff on Host B, and try logging into the FTP
> server from Host A, and get nothing. Everything from this point on
> follows those assumptions, so if they are wrong, disregard.
>
>  A: Generally speaking sniffers do not work in a switched ethernet
> environment.[1] and B: This is not always true.[2]
>
>  If you are sniffing on the local host, you will see everything that
> passes over the ethernet interface. If you are sniffing the NETWORK (ie.
> looking for traffic that isn't destined for your host via broadcast,
> multicast, or unicast), you have to be in promiscuous mode. This seems
> to be the most likely problem.
>
>   
> > lspci says I have the following network card:
> >
> > 04:00.0 Ethernet controller: Broadcom Corporation NetXtreme BCM5754
> > Gigabit Ethernet PCI Express (rev 02)
> >
> > Is the network card somehow crippled to prevent this? (In which case
> > there should be mass boycott of this card)
> >
> > It doesn't even need to be in promiscuous mode in order to sniff from
> > the local machine. Why is it not working?
> >     
>
> I find it highly unlikely that your ethernet card would be crippled in
> this manner. See my quick and dirty explanation above for a simple
> reason why dsniff isn't working. For a more in-depth understanding, take
> a look at the footnotes below.
>
> Good Luck,
> Aaron
>
> [1]http://en.wikipedia.org/wiki/Packet_sniffer
>
> [2]http://www.monkey.org/~dugsong/dsniff/faq.html#How%20do%20I%20sniff%20in%20a%20switched%20environment
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (MingW32)
>
> iD8DBQFGIXjr7MF9x9aUuGIRApqDAJ92QDAU9P8R+y5+4nLKL4Dbyh5ncwCcD/r0
> g8jXslt+PuXw4Xl2J60RzG0=
> =7THT
> -----END PGP SIGNATURE-----
>
>