Recommended Posts

Hi,

 

Im using an IP based messaging app called netcat on linux terminal. I can send messages directly to a computers IP and receive back in a way its not encrypted, as shown below:

packet_149.jpg

 

but when Im sniffing the packets from a third computer ( on my own WLAN ) im getting them in LLC protocol instead of TCP and I cant see the data (I think its encrypted or scrambled ) as shown below:

all_packets.jpg

 

withoutarp.jpg

 

Any idea whats the problem? or how can I extract the data? I tried ASCII, UNICODE and Hex translation to string nothing worked.

 

Here is the Hex pcap file for wireshark on GoogleDrive, I hope someone could help me with this issue.
https://drive.google.com/open?id=0B4dE5ujOQI6RdENRclc0TDhlNzA

Why would you think netcat would be using LLC to communicate.. netcat is a not messaging app, while sure you could use it for that - that is not is primary purpose.  And you sniffing LLC packets is never going to show what you sent in text between machines..

 

What port did you use to do your chatting with???  That 556 in your picture of sniff with actual tcp?

 

You do understanding sniffing on a 3rd computer would not see packets between machines A and machine B on a switch..  The traffic is unicast, not multicast or broadcast.  Why would the switch push the packets out the port that is not the 2 mac's talking to each other..  If you want to monitor traffic between two devices using a switch, you would need to setup a monitor/span port on the switch and sniff on that port..

 

 

  On 19/12/2016 at 11:51, BudMan said:

Why would you think netcat would be using LLC to communicate.. netcat is a not messaging app, while sure you could use it for that - that is not is primary purpose.  And you sniffing LLC packets is never going to show what you sent in text between machines..

 

What port did you use to do your chatting with???  That 556 in your picture of sniff with actual tcp?

 

You do understanding sniffing on a 3rd computer would not see packets between machines A and machine B on a switch..  The traffic is unicast, not multicast or broadcast.  Why would the switch push the packets out the port that is not the 2 mac's talking to each other..  If you want to monitor traffic between two devices using a switch, you would need to setup a monitor/span port on the switch and sniff on that port..

Expand  

Thanks for the reply man, I have just learned a lot.
Im using netcat because its the only method I've tried and was able see the information directly,if you know any better way please share with me.
 

I didnt think about the ports problem and you are right, is there any way to sniff from a specific port on the target machine? so I could actually see the information (assuming I know the port already), maybe using wireshark or other tool?

You can sniff on either the sender or the receiver machine directly with tcpdump for example in linux..  Or wireshark sure, if you wanting to sniff this traffic on a 3rd machine on a switch.  Then as I stated you would have to setup a span/mirror/monitor port..

 

spanport.png

 

https://en.wikipedia.org/wiki/Port_mirroring

 

What switch do you have?  Is it a smart switch, if its some dumb switch then it would not support the feature you need to be able to sniff traffic between 2 different machines on the switch from a 3rd machine.

 

As to sending other users text from linux shell.. There is wall, there is echo if you know their term number, there is write there is mesg.. What exactly are you wanting to accomplish - are you just trying to play with sniffing?

  On 20/12/2016 at 11:25, BudMan said:

What switch do you have?  Is it a smart switch, if its some dumb switch then it would not support the feature you need to be able to sniff traffic between 2 different machines on the switch from a 3rd machine.

 

As to sending other users text from linux shell.. There is wall, there is echo if you know their term number, there is write there is mesg.. What exactly are you wanting to accomplish - are you just trying to play with sniffing?

Expand  

Actually I'm using my own cellphone to create WLAN AP, and using it as a router/switch. im executing arpspoof on one of the computers that are talking with netcat, the arpspoof is working but I see the packets in LLC instead of TCP.

and yes im just trying to play with sniffing and learn the basics.

 

I belive that even if ill use a different type of "messaging" method , the problem with the ports will remain the same. Can the port mirroring be executed from another user in the network or only the host can perform port mirroring on his own machine? any tools avaible to do so?

So your trying to sniff on wifi??  What are you sniffing with? Your only seeing LLC packets - that has NOTHING to do with your netcat traffic.

 

How exactly are you using arpspoof?  Are you wanting to see the traffic sent to his mac as well.. So now you have duplicate macs?

 

What are you using to sniff with?  sniffing wifi is a bit different then sniffing on ethernet network.. I assume your using wireshark??  If so here is info on sniffing on wifi

 

https://wiki.wireshark.org/CaptureSetup/WLAN

 

To be honest if your just learning about sniffing - I would do it via a wired network first, then you can move on to wifi sniffing..  Its a completely different ball game..  And depending on your wifi card, you may or may not be able to use promiscuous mode, etc.  As to setting up a span port, that is done on the switch, not a machine..

 

Why are you doing arpspoof on one of the machines that is actually involved in the conversation using netcat??  Makes zero sense to do that..  Arpspoof is normally used as a way to poison a clients arp cache to make it look like your the gateway IP of the network, so all traffic leaving the network would be sent to you, which you would then forward on.  But since he sending you all his traffic you can capture his traffic... This is not a I want to learn about sniffing first step ;)

 

So if you want to learn about sniffing, packet capture, network analyzers or protocol analyzers.  Wireshark, tcpdump, Capsa, Microsoft network monitor, etc. etc. What I would suggest is you get a smart switch (approx $40 could you basic smart gig smart switch), so you have the ability to do port spanning, etc.  And start there.. I would suggest you maybe grab http://www.wiresharkbook.com/wireshark101.html

 

I would really read up on tcp/ip in general - say something like https://www.amazon.com/TCP-Guide-Comprehensive-Illustrated-Protocols/dp/159327047X

 

Once you understand how tcp/ip works at a protocol level, then you can move on to how it works over wifi ;)  and or then you can start playing with stuff like arpspoof, or the whole dsniff suite.. And stuff like ettercap..  Which is next level stuff after you have gotten the basics down ;)

This topic is now closed to further replies.
  • Posts

    • AMD thinks Ryzen Threadripper 9000 wipes the floor with Intel by Sayan Sen At Computex 2025 earlier this year, AMD revealed its new Zen 5-based Ryzen Threadripper 9000 series with up to 96 cores, comprising the PRO 9000WX series and 9000 series chips. At the time though the company did not share performance numbers but given the specs, we had a fairly good idea of their capability. For those who may not be familiar with Ryzen Threadripper, it is AMD's desktop CPU lineup meant for workstations and HEDT (high-end desktop) builds and is placed between the mainstream Ryzen and the server EPYC lineups. With the launch expected to happen next month, performance numbers for the Ryzen Threadripper 9000 are now out. Before diving into the performance details, AMD has also shared a recap of some of the platform details and the compatible sTR5 socket. These new premium chips support up to 8 channels of DDR5-6400 memory and up to 128 PCIe 5.0 lanes for I/O. AMD also promises over 7000 MT/s of DDR5 support with EXPO. The specs of the Ryzen Threadripper 9000 lineup are given below: Processor SKU Cores Threads Base Clock (GHz) Boost Clock (GHz) L3 Cache (MB) Memory Channels PCIe Lanes TDP (W) AMD Ryzen Threadripper PRO 9995WX 96 192 2.5 5.45 384 8‑channel DDR5‑6400 ECC 128 PCIe Gen5 350 AMD Ryzen Threadripper PRO 9985WX 64 128 3.2 5.4 384 8‑channel DDR5‑6400 ECC 128 PCIe Gen5 350 AMD Ryzen Threadripper PRO 9975WX 32 64 3.2 5.4 384 8‑channel DDR5‑6400 ECC 128 PCIe Gen5 350 AMD Ryzen Threadripper PRO 9965WX 24 48 3.2 5.4 384 8‑channel DDR5‑6400 ECC 128 PCIe Gen5 350 AMD Ryzen Threadripper PRO 9955WX 16 32 3.2 5.4 384 8‑channel DDR5‑6400 ECC 128 PCIe Gen5 350 AMD Ryzen Threadripper PRO 9945WX 12 24 3.2 5.4 384 8‑channel DDR5‑6400 ECC 128 PCIe Gen5 350 AMD Ryzen Threadripper 9980X 64 128 3.2 5.4 256 4‑channel DDR5‑6400 92 PCIe Gen5 350 AMD Ryzen Threadripper 9970X 32 64 3.2 5.4 256 4‑channel DDR5‑6400 92 PCIe Gen5 350 AMD Ryzen Threadripper 9960X 24 48 3.2 5.4 256 4‑channel DDR5‑6400 92 PCIe Gen5 350 AMD has compared the 96-core 9995WX against the previous-gen 7995WX (images below), also with the same core configuration, and the 64-core 9980X, against Intel's 60-core Xeon W9-3595X. While Xeon has generally been associated with Server CPUs, the Xeon W chips are designed to be used in workstations. AMD follows a similar naming, too, wherein the W in the WX is meant to indicate workstation, and the non-W Threadripper is for HEDT. AMD claims up to 26% faster throughput on the newer 96-core 9995WX compared to the 7995WX. Meanwhile, against the Intel Xeon w9-3595X, AMD expects utter dominance from its 9980X with up to 108% faster performance. Even the lowest gain, says the company, is 22% over the Intel chip, and that is still very significant. AMD also compared the AI performance of the 9995WX vs the Xeon w9-3595X. The company promises up to 49% faster LLM processing, but keep in mind that the figures given include a GPU as well. Besides AI, performance related to other creative and professional workloads was also shared. In Keyshot rendering, for example, AMD claims up to 119% gains over the Xeon SKU. And in Chaos V-Ray, the 9995WX is said to offer nearly 2.5 times the performance. AMD has not released pricing information for the Threadripper 9000 series.
    • Funk Microsoft - I would switch from PS5 as you have better deals but the Xbox interface (I tried One S and later on, even one X i hate the interface and considering all MS changes in Windows interface over the years.. I hope they have a good one coming ps5 has also weird interface I had to get used too. But considering the library of ps4 games I wanted to be playable for me… I got used and adapted
    • I loved Sonic CD so much. I think I must have almost worn out that disc!
    • For what it's worth, if the game was scheduled for a September release, then most if not all of art assets, etc. were complete. That's the really expensive part of any AAA game. So going back into the code, game play, combat loop, etc. should be much easier and faster than re-imagining the look of the game entirely. That took years and zillions to create.
  • Recent Achievements

    • First Post
      Ian_ earned a badge
      First Post
    • Explorer
      JaviAl went up a rank
      Explorer
    • Reacting Well
      Cole Multipass earned a badge
      Reacting Well
    • Reacting Well
      JLP earned a badge
      Reacting Well
    • Week One Done
      Rhydderch earned a badge
      Week One Done
  • Popular Contributors

    1. 1
      +primortal
      653
    2. 2
      ATLien_0
      267
    3. 3
      Michael Scrip
      218
    4. 4
      +FloatingFatMan
      188
    5. 5
      Steven P.
      146
  • Tell a friend

    Love Neowin? Tell a friend!