how to capture network packets

[Wol]

Right my fellow helpful peoples.

I have my laptop (wifi + wired network) running windows xp. I've got a linux laptop running debian, with wired network, and.... flaky wifi. I have a random ethernet device (wifi or wired), and my router with an inbuilt switch (it is a switch).

I want to capture data going between this random ethernet device and my router. Ethereal doesn't seem to go too well in promiscuous capture mode on the linux machine, so I was going to try running some form of proxy on my laptop, connecting it to the wired socket, and the laptop to the internet over wifi, and then just use ethereal to capture the packets going through on my laptop, but I can't find any nice, simple proxy servers online. I'm sure I've found some before, but at midnight last night, I couldn't seem to find any....

Anyone have any suggestions of ones to try?

I literally just want a output of the data going through on all ports on that interface.

any help?!

ta

 

[thatbloke]

what about tcpdump with all of the verbose options enabled?

 

[Wol]

The switch won't relay packets going between the other device and the router to the linux laptop, so tcpdump won't see anything surely?

 

[Ashya]

I was going to suggest a butterfly-net or some sort of honey-based trap...

 

[Haven]

run tcpdump or wireshark on the laptop (its not clear if this is your random device or not) and bind it to the port that you want to capture packets from.

 

[Wol]

random ethernet device = doesn't run linux

devices:

- My laptop - Windows Xp - has wifi and wired
- my linux laptop - debian - has wired and dubious wifi
- my router - has inbuilt *switch*, not hub
- ethernet device - has wifi or wired, but can't shell into it.

I want to capture traffic between the bottom 2 items, on one of the top 2 items. The switch means that packets dont get sent to the top 2 devices, so my first guess was to daisy chain them somehow.

random ethernet device -------- my laptop -------- router

and run some form of proxy/capture on my laptop to let the packets through, whilst being able to ethereal the buggers, but I dont have a proxy server on there atm, and the ipv4 forwarding that XP can do, doesn't seem to be working.

 

[thatbloke]

you could probably bridge the connection from the random device through one of the other boxes, but I'm still not sure what you mean by "random ethernet device"

 

[Wol]

random ethernet device = computer with networking, but not with an OS.

 

[thatbloke]

does/can said machine use DHCP or do you require a static IP?

You should be able to use Internet Connection Sharing on the windows box to go box->ethernet slot on windows laptop->wireless to the router, if it uses DHCP. If it needs a static IP then the Windows box can be a bit of a bitch to setup correctly for ICS.

IIRC Windows sets up that adapter as the "shared" adapter, and sets the IP of it to 192.168.0.1 - you have no say in that IP, and if something else on your network is already using that IP (like, say, your router) then Windows will helpfully tell you that setting up ICS failed and not give a reason for it. It does setup a DHCP server though, or if you can set a static IP to match the above network then you should be ok.

Wireshark should then be able to look at what's going in/out of the ethernet card on said laptop...

 

[Wol]

Ah yaeh. forgot about the internet connection sharing thing. Although i run on 192.168.1., not 192.168.0. so might have to go kicking my router for a bit to end up on the right IP.

why does windows insist on forcing that IP.... stupid thing!

 

[thatbloke]

Ah yaeh. forgot about the internet connection sharing thing. Although i run on 192.168.1., not 192.168.0. so might have to go kicking my router for a bit to end up on the right IP.

why does windows insist on forcing that IP.... stupid thing!

nonono they HAVE to be on separate networks.

So your router being on 192.168.1 is actually perfect - the Ethernet card will be 192.168.0 and will work fine

 

[Wol]

so which side does it change? I thought it changed the downstream end, so if the laptop is on 192.168.0.1, and on the other end of the cable, the router is on 192.168.1.1, then they're not going to talk to each other that successfully?

 

[thatbloke]

so which side does it change? I thought it changed the downstream end, so if the laptop is on 192.168.0.1, and on the other end of the cable, the router is on 192.168.1.1, then they're not going to talk to each other that successfully?

ICS sorts that out

that's the whole point of it

 

[Wol]

cunning. I shall give it a try

 

[Haven]

In that case you need something with two network ports to act as a bridge and to be set up in bridge mode between the wired port of your Ethernet device and the wired port of your router. There's no point trying to capture wireless if its not associated with the same WAP as they will be encrypted packets.

Once that is done you capture all packets passing through the bridge.

 

[Wol]

When i tried it on wireless, they were both connected to the same WAP, with a known WEP key, but ethereal struggled with it.

I think this internet connection sharing thingy seems to be working. I think the warning message confused me a bit cos i clicked on my wifi adapter to enable ICS, and it said "going to change your lan adapter to 192.168.0.1", and it actually means my other ethernet adapter.

I'm managing to capture stuff atm anwyay.