Problem with reading packets in LLC protocol encryption / encoding

[eyal360]

Hi,

 

Im using an IP based messaging app called netcat on linux terminal. I can send messages directly to a computers IP and receive back in a way its not encrypted, as shown below:

 

but when Im sniffing the packets from a third computer ( on my own WLAN ) im getting them in LLC protocol instead of TCP and I cant see the data (I think its encrypted or scrambled ) as shown below:

 

 

Any idea whats the problem? or how can I extract the data? I tried ASCII, UNICODE and Hex translation to string nothing worked.

 

Here is the Hex pcap file for wireshark on GoogleDrive, I hope someone could help me with this issue.
https://drive.google.com/open?id=0B4dE5ujOQI6RdENRclc0TDhlNzA

[+BudMan MVC]

Why would you think netcat would be using LLC to communicate.. netcat is a not messaging app, while sure you could use it for that - that is not is primary purpose.  And you sniffing LLC packets is never going to show what you sent in text between machines..

 

What port did you use to do your chatting with???  That 556 in your picture of sniff with actual tcp?

 

You do understanding sniffing on a 3rd computer would not see packets between machines A and machine B on a switch..  The traffic is unicast, not multicast or broadcast.  Why would the switch push the packets out the port that is not the 2 mac's talking to each other..  If you want to monitor traffic between two devices using a switch, you would need to setup a monitor/span port on the switch and sniff on that port..

 

 

[eyal360]

  On 19/12/2016 at 11:51, BudMan said:

Why would you think netcat would be using LLC to communicate.. netcat is a not messaging app, while sure you could use it for that - that is not is primary purpose.  And you sniffing LLC packets is never going to show what you sent in text between machines..

 

What port did you use to do your chatting with???  That 556 in your picture of sniff with actual tcp?

 

You do understanding sniffing on a 3rd computer would not see packets between machines A and machine B on a switch..  The traffic is unicast, not multicast or broadcast.  Why would the switch push the packets out the port that is not the 2 mac's talking to each other..  If you want to monitor traffic between two devices using a switch, you would need to setup a monitor/span port on the switch and sniff on that port..

Expand  

Thanks for the reply man, I have just learned a lot.
Im using netcat because its the only method I've tried and was able see the information directly,if you know any better way please share with me.
 

I didnt think about the ports problem and you are right, is there any way to sniff from a specific port on the target machine? so I could actually see the information (assuming I know the port already), maybe using wireshark or other tool?

[+BudMan MVC]

You can sniff on either the sender or the receiver machine directly with tcpdump for example in linux..  Or wireshark sure, if you wanting to sniff this traffic on a 3rd machine on a switch.  Then as I stated you would have to setup a span/mirror/monitor port..

 

 

https://en.wikipedia.org/wiki/Port_mirroring

 

What switch do you have?  Is it a smart switch, if its some dumb switch then it would not support the feature you need to be able to sniff traffic between 2 different machines on the switch from a 3rd machine.

 

As to sending other users text from linux shell.. There is wall, there is echo if you know their term number, there is write there is mesg.. What exactly are you wanting to accomplish - are you just trying to play with sniffing?

[eyal360]

  On 20/12/2016 at 11:25, BudMan said:

What switch do you have?  Is it a smart switch, if its some dumb switch then it would not support the feature you need to be able to sniff traffic between 2 different machines on the switch from a 3rd machine.

 

As to sending other users text from linux shell.. There is wall, there is echo if you know their term number, there is write there is mesg.. What exactly are you wanting to accomplish - are you just trying to play with sniffing?

Expand  

Actually I'm using my own cellphone to create WLAN AP, and using it as a router/switch. im executing arpspoof on one of the computers that are talking with netcat, the arpspoof is working but I see the packets in LLC instead of TCP.

and yes im just trying to play with sniffing and learn the basics.

 

I belive that even if ill use a different type of "messaging" method , the problem with the ports will remain the same. Can the port mirroring be executed from another user in the network or only the host can perform port mirroring on his own machine? any tools avaible to do so?

[+BudMan MVC]

So your trying to sniff on wifi??  What are you sniffing with? Your only seeing LLC packets - that has NOTHING to do with your netcat traffic.

 

How exactly are you using arpspoof?  Are you wanting to see the traffic sent to his mac as well.. So now you have duplicate macs?

 

What are you using to sniff with?  sniffing wifi is a bit different then sniffing on ethernet network.. I assume your using wireshark??  If so here is info on sniffing on wifi

 

https://wiki.wireshark.org/CaptureSetup/WLAN

 

To be honest if your just learning about sniffing - I would do it via a wired network first, then you can move on to wifi sniffing..  Its a completely different ball game..  And depending on your wifi card, you may or may not be able to use promiscuous mode, etc.  As to setting up a span port, that is done on the switch, not a machine..

 

Why are you doing arpspoof on one of the machines that is actually involved in the conversation using netcat??  Makes zero sense to do that..  Arpspoof is normally used as a way to poison a clients arp cache to make it look like your the gateway IP of the network, so all traffic leaving the network would be sent to you, which you would then forward on.  But since he sending you all his traffic you can capture his traffic... This is not a I want to learn about sniffing first step

 

So if you want to learn about sniffing, packet capture, network analyzers or protocol analyzers.  Wireshark, tcpdump, Capsa, Microsoft network monitor, etc. etc. What I would suggest is you get a smart switch (approx $40 could you basic smart gig smart switch), so you have the ability to do port spanning, etc.  And start there.. I would suggest you maybe grab http://www.wiresharkbook.com/wireshark101.html

 

I would really read up on tcp/ip in general - say something like https://www.amazon.com/TCP-Guide-Comprehensive-Illustrated-Protocols/dp/159327047X

 

Once you understand how tcp/ip works at a protocol level, then you can move on to how it works over wifi   and or then you can start playing with stuff like arpspoof, or the whole dsniff suite.. And stuff like ettercap..  Which is next level stuff after you have gotten the basics down