
Hi,

 

I'm using an IP-based messaging app called netcat on the Linux terminal. I can send messages directly to a computer's IP and receive them back, and it's not encrypted, as shown below:

packet_149.jpg

 

But when I'm sniffing the packets from a third computer (on my own WLAN) I'm getting them in the LLC protocol instead of TCP and I can't see the data (I think it's encrypted or scrambled), as shown below:

all_packets.jpg

 

withoutarp.jpg

 

Any idea what the problem is, or how I can extract the data? I tried ASCII, Unicode and hex translation to string; nothing worked.

 

Here is the pcap file for Wireshark on Google Drive; I hope someone can help me with this issue.
https://drive.google.com/open?id=0B4dE5ujOQI6RdENRclc0TDhlNzA

Why would you think netcat would be using LLC to communicate.. netcat is not a messaging app; while sure you could use it for that, that is not its primary purpose.  And you sniffing LLC packets is never going to show what you sent in text between machines..

 

What port did you use to do your chatting with???  That 556 in your picture of the sniff with actual TCP?

 

You do understand sniffing on a 3rd computer would not see packets between machine A and machine B on a switch..  The traffic is unicast, not multicast or broadcast.  Why would the switch push the packets out a port that is not one of the 2 MACs talking to each other..  If you want to monitor traffic between two devices using a switch, you would need to set up a monitor/span port on the switch and sniff on that port..

 

 

On 19/12/2016 at 11:51, BudMan said:

Why would you think netcat would be using LLC to communicate.. netcat is not a messaging app; while sure you could use it for that, that is not its primary purpose.  And you sniffing LLC packets is never going to show what you sent in text between machines..

What port did you use to do your chatting with???  That 556 in your picture of the sniff with actual TCP?

You do understand sniffing on a 3rd computer would not see packets between machine A and machine B on a switch..  The traffic is unicast, not multicast or broadcast.  Why would the switch push the packets out a port that is not one of the 2 MACs talking to each other..  If you want to monitor traffic between two devices using a switch, you would need to set up a monitor/span port on the switch and sniff on that port..

Thanks for the reply man, I have just learned a lot.
I'm using netcat because it's the only method I've tried where I was able to see the information directly; if you know any better way please share it with me.

I didn't think about the ports problem and you are right. Is there any way to sniff from a specific port on the target machine, so I could actually see the information (assuming I know the port already), maybe using Wireshark or another tool?

You can sniff on either the sender or the receiver machine directly, with tcpdump for example in Linux..  Or Wireshark, sure. If you're wanting to sniff this traffic on a 3rd machine on a switch, then as I stated you would have to set up a span/mirror/monitor port..

 

spanport.png

 

https://en.wikipedia.org/wiki/Port_mirroring

 

What switch do you have?  Is it a smart switch? If it's some dumb switch then it would not support the feature you need to be able to sniff traffic between 2 different machines on the switch from a 3rd machine.

 

As to sending other users text from a Linux shell.. there is wall, there is echo if you know their terminal number, there is write, there is mesg.. What exactly are you wanting to accomplish - are you just trying to play with sniffing?

On 20/12/2016 at 11:25, BudMan said:

What switch do you have?  Is it a smart switch? If it's some dumb switch then it would not support the feature you need to be able to sniff traffic between 2 different machines on the switch from a 3rd machine.

As to sending other users text from a Linux shell.. there is wall, there is echo if you know their terminal number, there is write, there is mesg.. What exactly are you wanting to accomplish - are you just trying to play with sniffing?

Actually I'm using my own cellphone to create a WLAN AP, and using it as a router/switch. I'm executing arpspoof on one of the computers that are talking with netcat; the arpspoof is working but I see the packets as LLC instead of TCP.

And yes, I'm just trying to play with sniffing and learn the basics.

I believe that even if I use a different type of "messaging" method, the problem with the ports will remain the same. Can the port mirroring be executed by another user on the network, or can only the host perform port mirroring on his own machine? Any tools available to do so?

So you're trying to sniff on wifi??  What are you sniffing with? You're only seeing LLC packets - that has NOTHING to do with your netcat traffic.

 

How exactly are you using arpspoof?  Are you wanting to see the traffic sent to his MAC as well.. So now you have duplicate MACs?

 

What are you using to sniff with?  Sniffing wifi is a bit different than sniffing on an ethernet network.. I assume you're using Wireshark??  If so, here is info on sniffing on wifi

 

https://wiki.wireshark.org/CaptureSetup/WLAN

 

To be honest, if you're just learning about sniffing, I would do it via a wired network first, then you can move on to wifi sniffing..  It's a completely different ball game..  And depending on your wifi card, you may or may not be able to use promiscuous mode, etc.  As to setting up a span port, that is done on the switch, not a machine..

 

Why are you doing arpspoof on one of the machines that is actually involved in the conversation using netcat??  Makes zero sense to do that..  Arpspoof is normally used as a way to poison a client's ARP cache to make it look like you're the gateway IP of the network, so all traffic leaving the network would be sent to you, which you would then forward on.  But since he's sending you all his traffic you can capture his traffic... This is not an "I want to learn about sniffing" first step ;)

 

So if you want to learn about sniffing, packet capture, network analyzers or protocol analyzers: Wireshark, tcpdump, Capsa, Microsoft Network Monitor, etc. etc. What I would suggest is you get a smart switch (approx $40 could get you a basic gig smart switch), so you have the ability to do port spanning, etc.  And start there.. I would suggest you maybe grab http://www.wiresharkbook.com/wireshark101.html

 

I would really read up on TCP/IP in general - say something like https://www.amazon.com/TCP-Guide-Comprehensive-Illustrated-Protocols/dp/159327047X

 

Once you understand how TCP/IP works at a protocol level, then you can move on to how it works over wifi ;)  and/or then you can start playing with stuff like arpspoof, or the whole dsniff suite.. And stuff like ettercap..  Which is next-level stuff after you have gotten the basics down ;)
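To make the LLC-versus-TCP point concrete, and to show what a capture taken on the sender or receiver itself actually contains, here is an added Python example; it is not code from this thread, from netcat, or from Wireshark. It constructs two kinds of frames and dissects them the way Wireshark's Protocol column would: an IEEE 802.3 frame, whose field after the MAC addresses is a length (1500 or less) followed by an LLC header, carries no IP and no TCP at all, while an Ethernet II frame with EtherType 0x0800 carries IPv4 and, when the protocol number is 6, a TCP segment whose payload is the chat text. The MAC addresses, the 192.168.43.x addresses and the client port 40000 are made up for the example; port 556 is the one visible in the thread's screenshot.

```python
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
NETCAT_PORT = 556  # port seen in the thread's capture screenshot


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    """Ethernet II / IPv4 / TCP frame carrying one PSH,ACK segment.
    Checksums are left at zero; the dissector below does not verify them."""
    # TCP: sport, dport, seq, ack, (data offset 5 words | flags PSH,ACK), window, csum, urg
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | 0x18, 65535, 0, 0) + payload
    # IPv4: ver/ihl, tos, total length, id, flags/frag (DF), ttl, proto, csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64,
                     IPPROTO_TCP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp


def build_llc_frame(src_mac, dst_mac, llc_payload: bytes) -> bytes:
    """IEEE 802.3 frame: the field after the MACs is a LENGTH (<= 1500), and an
    LLC header (DSAP, SSAP, control) follows. There is no IP and no TCP in here."""
    body = bytes([0xAA, 0xAA, 0x03]) + llc_payload  # SNAP-style LLC header, constructed
    return dst_mac + src_mac + struct.pack("!H", len(body)) + body


def classify_frame(frame: bytes) -> dict:
    """Dissect one raw Ethernet frame and report what Wireshark's Protocol column
    would show, plus the TCP payload when there is one."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": mac_str(frame[:6]), "src": mac_str(frame[6:12]), "payload": None}
    if type_or_len <= 1500:
        # 802.3 length field: LLC follows, this frame cannot be the netcat chat
        info.update(kind="LLC", dsap=frame[14], ssap=frame[15], control=frame[16])
        return info
    info["ethertype"] = type_or_len
    if type_or_len != ETHERTYPE_IPV4:
        info["kind"] = "ETHERNET-II(other)"
        return info
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    info.update(src_ip=socket.inet_ntoa(frame[26:30]), dst_ip=socket.inet_ntoa(frame[30:34]))
    if frame[23] != IPPROTO_TCP:
        info["kind"] = "IPv4(other)"
        return info
    tcp = frame[14 + ihl:14 + total_len]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4
    info.update(kind="TCP", sport=sport, dport=dport, seq=seq, ack=ack,
                flags=off_flags & 0x1FF, payload=tcp[data_off:])
    return info


def extract_chat(frames, port: int) -> list:
    """Return the ASCII text of every TCP segment to or from `port`, in order.
    This is what 'tcpdump -A tcp port 556' on the endpoint would print; LLC frames
    contribute nothing because they carry no TCP segment at all."""
    lines = []
    for frame in frames:
        info = classify_frame(frame)
        if info["kind"] == "TCP" and port in (info["sport"], info["dport"]) and info["payload"]:
            lines.append(info["payload"].decode("ascii", errors="replace"))
    return lines


# Constructed sample frames (not taken from the thread's pcap).
MAC_A = bytes.fromhex("020000000001")
MAC_B = bytes.fromhex("020000000002")
MAC_MCAST = bytes.fromhex("01000c000000")
SAMPLE_FRAMES = [
    build_llc_frame(MAC_A, MAC_MCAST, bytes(35)),  # the kind of frame the OP was seeing
    build_tcp_frame(MAC_A, MAC_B, "192.168.43.10", "192.168.43.20", 40000, NETCAT_PORT,
                    b"hello from netcat\n"),
    build_tcp_frame(MAC_B, MAC_A, "192.168.43.20", "192.168.43.10", NETCAT_PORT, 40000,
                    b"hi back\n"),
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        i = classify_frame(f)
        print(i["kind"], i["src"], "->", i["dst"], i.get("payload"))
    print(extract_chat(SAMPLE_FRAMES, NETCAT_PORT))
```

On a real endpoint the equivalent of `extract_chat` is `tcpdump -i <iface> -A 'tcp port 556'` run on the sending or receiving machine, where the packets are guaranteed to pass; the BPF filter selects the TCP flows, so the LLC frames the thread is about never appear in the first place. Only the first 14 bytes decide which branch the dissector takes, which is why a capture full of LLC frames tells you nothing about what netcat sent.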

This topic is now closed to further replies.