How to sniff network traffic in Linux

A network switch doesn’t forward packets to every port the way a network hub does, so in theory one person on the network cannot look at another person’s traffic. There is a way around this, however, which is to perform ARP spoofing.

Method 1: Dsniff

This guide only covers how it is done, without going into the theory behind the process. The first step is to install the necessary software, which in this case is the dsniff package; it contains the arpspoof program we need. On Ubuntu or any other Debian-based distribution it is installable with apt as follows;

Installing (Ubuntu)

$ sudo apt install -y dsniff

Enable IP forwarding

To make sure the traffic is forwarded on to the real destination once it reaches our machine, IP forwarding needs to be enabled. Note that `sudo echo 1 > /proc/sys/net/ipv4/ip_forward` does not work, because the shell opens the file as the unprivileged user before sudo runs; the write itself must happen with root privileges;

$ echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

This keeps the target machine’s connection working, so nobody should notice what we’re doing.

Run ARP spoofing

The first command tells the gateway “I am 192.168.0.100”, and the second command tells 192.168.0.100 “I am the gateway”;

$ sudo arpspoof 192.168.0.100 -t 192.168.0.1
$ sudo arpspoof 192.168.0.1 -t 192.168.0.100

With this, all traffic from the machine to the gateway, and the other way around, passes through our machine first and is only then forwarded to the real destination. We can now run any packet analysis tool such as tcpdump or Wireshark.
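From the defender’s side, the two arpspoof commands above leave a clear fingerprint: one MAC address (the sniffing machine’s) starts answering for both the gateway IP and the victim IP, and each of those IPs is then seen with two different MACs. The Python below, an added example that is not part of the original guide, checks a list of observed ARP replies for exactly those two symptoms; the reply log, the MAC addresses and the gateway IP are constructed for the example.

```python
from collections import defaultdict

# Constructed ARP reply log: (sender_ip, sender_mac) in arrival order.
# 192.168.0.1 is the gateway, 192.168.0.100 the victim, ...:03 the sniffer.
SAMPLE_REPLIES = [
    ("192.168.0.1",   "aa:bb:cc:00:00:01"),  # genuine gateway reply
    ("192.168.0.100", "aa:bb:cc:00:00:02"),  # genuine host reply
    ("192.168.0.50",  "aa:bb:cc:00:00:05"),  # unrelated host
    ("192.168.0.100", "aa:bb:cc:00:00:03"),  # sniffer claims the victim IP
    ("192.168.0.1",   "aa:bb:cc:00:00:03"),  # sniffer claims the gateway IP
    ("192.168.0.1",   "aa:bb:cc:00:00:03"),  # spoofed replies repeat
]


def build_bindings(replies):
    """Return (ip -> set of MACs, mac -> set of IPs) seen in the replies."""
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    for ip, mac in replies:
        mac = mac.lower()
        ip_to_macs[ip].add(mac)
        mac_to_ips[mac].add(ip)
    return ip_to_macs, mac_to_ips


def detect_arp_poisoning(replies, gateway_ip):
    """Return a sorted list of alert strings; empty when nothing looks wrong."""
    ip_to_macs, mac_to_ips = build_bindings(replies)
    alerts = []
    # Symptom 1: the same IP answered by more than one MAC (binding flapped).
    for ip, macs in ip_to_macs.items():
        if len(macs) > 1:
            kind = "gateway" if ip == gateway_ip else "host"
            alerts.append(f"{kind} {ip} claimed by {len(macs)} MACs: "
                          f"{', '.join(sorted(macs))}")
    # Symptom 2: one MAC claiming the gateway IP plus other hosts' IPs,
    # which is what the pair of arpspoof commands produces.
    for mac, ips in mac_to_ips.items():
        if len(ips) > 1 and gateway_ip in ips:
            others = sorted(ips - {gateway_ip})
            alerts.append(f"MAC {mac} claims gateway {gateway_ip} "
                          f"and {', '.join(others)}")
    return sorted(alerts)


if __name__ == "__main__":
    for line in detect_arp_poisoning(SAMPLE_REPLIES, "192.168.0.1"):
        print("ALERT:", line)
```

On a real network the same check can be fed the sender fields of ARP replies captured with tcpdump, or the ARP table polled over time; static ARP entries for the gateway, or switch-side dynamic ARP inspection, are the usual mitigations.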

Method 2: Ettercap

There are programs, however, that make the whole process simpler. One favored program for this is Ettercap. Ettercap can perform ARP spoofing as well, among many other features. In Ubuntu, the package is called ettercap-gtk;

Installing (Ubuntu)

$ sudo apt install -y ettercap-gtk

Run ARP spoofing (GUI)

Running the program with the -G switch starts the GTK interface rather than the ncurses one.

$ sudo ettercap -G

At the menu, choose the following;

Sniff -> Unified sniffing

At the prompt, choose the network interface to use. Normally this is eth0;

Network Interface: eth0

At the menu again, choose the following to add all hosts in the network to the host list;

Hosts -> Scan for hosts

Then the following menu entries will perform ARP spoofing for everyone in the network;

Mitm -> Arp poisoning -> Ok
Start -> Start sniffing

Run ARP spoofing (command)

The following does the same thing as the GUI steps above, in one single command;

$ sudo ettercap -q -T -M arp // //