Recommended Posts

Hi,

 

Im using an IP based messaging app called netcat on linux terminal. I can send messages directly to a computers IP and receive back in a way its not encrypted, as shown below:

packet_149.jpg

 

but when Im sniffing the packets from a third computer ( on my own WLAN ) im getting them in LLC protocol instead of TCP and I cant see the data (I think its encrypted or scrambled ) as shown below:

all_packets.jpg

 

withoutarp.jpg

 

Any idea whats the problem? or how can I extract the data? I tried ASCII, UNICODE and Hex translation to string nothing worked.

 

Here is the Hex pcap file for wireshark on GoogleDrive, I hope someone could help me with this issue.
https://drive.google.com/open?id=0B4dE5ujOQI6RdENRclc0TDhlNzA

Why would you think netcat would be using LLC to communicate.. netcat is a not messaging app, while sure you could use it for that - that is not is primary purpose.  And you sniffing LLC packets is never going to show what you sent in text between machines..

 

What port did you use to do your chatting with???  That 556 in your picture of sniff with actual tcp?

 

You do understanding sniffing on a 3rd computer would not see packets between machines A and machine B on a switch..  The traffic is unicast, not multicast or broadcast.  Why would the switch push the packets out the port that is not the 2 mac's talking to each other..  If you want to monitor traffic between two devices using a switch, you would need to setup a monitor/span port on the switch and sniff on that port..

 

 

  On 19/12/2016 at 11:51, BudMan said:

Why would you think netcat would be using LLC to communicate.. netcat is a not messaging app, while sure you could use it for that - that is not is primary purpose.  And you sniffing LLC packets is never going to show what you sent in text between machines..

 

What port did you use to do your chatting with???  That 556 in your picture of sniff with actual tcp?

 

You do understanding sniffing on a 3rd computer would not see packets between machines A and machine B on a switch..  The traffic is unicast, not multicast or broadcast.  Why would the switch push the packets out the port that is not the 2 mac's talking to each other..  If you want to monitor traffic between two devices using a switch, you would need to setup a monitor/span port on the switch and sniff on that port..

Expand  

Thanks for the reply man, I have just learned a lot.
Im using netcat because its the only method I've tried and was able see the information directly,if you know any better way please share with me.
 

I didnt think about the ports problem and you are right, is there any way to sniff from a specific port on the target machine? so I could actually see the information (assuming I know the port already), maybe using wireshark or other tool?

You can sniff on either the sender or the receiver machine directly with tcpdump for example in linux..  Or wireshark sure, if you wanting to sniff this traffic on a 3rd machine on a switch.  Then as I stated you would have to setup a span/mirror/monitor port..

 

spanport.png

 

https://en.wikipedia.org/wiki/Port_mirroring

 

What switch do you have?  Is it a smart switch, if its some dumb switch then it would not support the feature you need to be able to sniff traffic between 2 different machines on the switch from a 3rd machine.

 

As to sending other users text from linux shell.. There is wall, there is echo if you know their term number, there is write there is mesg.. What exactly are you wanting to accomplish - are you just trying to play with sniffing?

  On 20/12/2016 at 11:25, BudMan said:

What switch do you have?  Is it a smart switch, if its some dumb switch then it would not support the feature you need to be able to sniff traffic between 2 different machines on the switch from a 3rd machine.

 

As to sending other users text from linux shell.. There is wall, there is echo if you know their term number, there is write there is mesg.. What exactly are you wanting to accomplish - are you just trying to play with sniffing?

Expand  

Actually I'm using my own cellphone to create WLAN AP, and using it as a router/switch. im executing arpspoof on one of the computers that are talking with netcat, the arpspoof is working but I see the packets in LLC instead of TCP.

and yes im just trying to play with sniffing and learn the basics.

 

I belive that even if ill use a different type of "messaging" method , the problem with the ports will remain the same. Can the port mirroring be executed from another user in the network or only the host can perform port mirroring on his own machine? any tools avaible to do so?

So your trying to sniff on wifi??  What are you sniffing with? Your only seeing LLC packets - that has NOTHING to do with your netcat traffic.

 

How exactly are you using arpspoof?  Are you wanting to see the traffic sent to his mac as well.. So now you have duplicate macs?

 

What are you using to sniff with?  sniffing wifi is a bit different then sniffing on ethernet network.. I assume your using wireshark??  If so here is info on sniffing on wifi

 

https://wiki.wireshark.org/CaptureSetup/WLAN

 

To be honest if your just learning about sniffing - I would do it via a wired network first, then you can move on to wifi sniffing..  Its a completely different ball game..  And depending on your wifi card, you may or may not be able to use promiscuous mode, etc.  As to setting up a span port, that is done on the switch, not a machine..

 

Why are you doing arpspoof on one of the machines that is actually involved in the conversation using netcat??  Makes zero sense to do that..  Arpspoof is normally used as a way to poison a clients arp cache to make it look like your the gateway IP of the network, so all traffic leaving the network would be sent to you, which you would then forward on.  But since he sending you all his traffic you can capture his traffic... This is not a I want to learn about sniffing first step ;)

 

So if you want to learn about sniffing, packet capture, network analyzers or protocol analyzers.  Wireshark, tcpdump, Capsa, Microsoft network monitor, etc. etc. What I would suggest is you get a smart switch (approx $40 could you basic smart gig smart switch), so you have the ability to do port spanning, etc.  And start there.. I would suggest you maybe grab http://www.wiresharkbook.com/wireshark101.html

 

I would really read up on tcp/ip in general - say something like https://www.amazon.com/TCP-Guide-Comprehensive-Illustrated-Protocols/dp/159327047X

 

Once you understand how tcp/ip works at a protocol level, then you can move on to how it works over wifi ;)  and or then you can start playing with stuff like arpspoof, or the whole dsniff suite.. And stuff like ettercap..  Which is next level stuff after you have gotten the basics down ;)

This topic is now closed to further replies.
  • Posts

    • Seem like they are seeking for a one size fits all. You have power users and "what's a computer" generation growing up on phones, tablets, and Chromebooks.
    • Guessing it was profitable enough inserting prompted apps vs the hate it generated.
    • Also good for Debugging or troubleshooting your game.. i dont get it why nvidia app or amd does not show this data.. if steam can do it..
    • Microsoft reportedly planning to lay off thousands of employees, mostly in sales by Usama Jawad Back in May 2025, Microsoft decided to lay off 3% of its workforce, which amounted to roughly 6,000 employees. It claimed that this decision allowed it to implement better organizational changes in a "dynamic marketplace". Now, a new report claims that the Redmond tech firm is planning to lay off thousands more next month. Citing unnamed sources, Bloomberg reports that as the company continues investing heavily in its AI ventures, it is about to announce layoffs of thousands of workers as early as next month. This reduction in workforce will primarily affect sales teams, but they won't be the only ones affected. That said, the sources did mention that the timing for this announcement may change. This move, if true, won't be entirely surprising. In April 2025, Microsoft announced that it will be relying more on third-party firms to sell its software to small- and medium-sized customers. It's currently unclear how many employees will be impacted by this change, but even if the layoff percentage is in the single digits, it would still be significant as it would be impacting the professional careers of thousands. The May 2025 layoffs primarily impacted engineering and product teams. The other major round of layoffs prior to this was the decision to eliminate 10,000 jobs back in January 2023. Those represented 5% of the total workforce at that time, with numerous teams, including the one leading Mixed Reality (MR) efforts, being heavily impacted. It is interesting to note that if the timing of the announcement for layoffs is accurate, it would be soon after Microsoft closes its fiscal year at the end of June 2025. Although we'll get financial reports for the latest quarter soon after too, one has to wonder what the human cost of profit is, as Microsoft continues to report billions of dollars in revenue every quarter. Source: Bloomberg (paywall)
  • Recent Achievements

    • First Post
      Fuzz_c earned a badge
      First Post
    • First Post
      TIGOSS earned a badge
      First Post
    • Week One Done
      slackerzz earned a badge
      Week One Done
    • Week One Done
      vivetool earned a badge
      Week One Done
    • Reacting Well
      pnajbar earned a badge
      Reacting Well
  • Popular Contributors

    1. 1
      +primortal
      704
    2. 2
      ATLien_0
      285
    3. 3
      Michael Scrip
      214
    4. 4
      +FloatingFatMan
      194
    5. 5
      Steven P.
      131
  • Tell a friend

    Love Neowin? Tell a friend!