Monitor your network traffic
Want to get down and dirty and find out what kind of traffic is on your network? Well, a packet sniffer is a great tool for this, and OS X has a copy of tcpdump, the open-source packet sniffer program, pre-installed.

Please note three things about tcpdump:

- It's a command line tool, so you'll have to use the Terminal. (See the manual page, man tcpdump, for the options.)
- You have to be root to use it (or use sudo).
- It can be used for good or evil. Please make the right choice.

As a networking teacher, it's a great way to show students how insecure their network traffic really is (especially stuff like telnet and ftp).

Comments (2)
You want insecure? I'll show you insecure!
Authored by: Cadre on Apr 08, '01 03:02:21PM

tcpdump is great, but out of the box it can't listen to traffic on a switched network. Do you think you are safe on a switched network? < grin >

Those of you familiar with how the IP layer of communications works know that when a computer is looking to send information across a network, it sends out an ARP request with an IP address. It waits for the correct computer to respond with an ARP reply that contains the MAC address of the computer. If that particular IP is in another subnet, your gateway will respond to the ARP request.

In comes arpspoof, a handy little utility that comes with the dsniff package. It replies to all ARP requests with your MAC address. That's right, all computers in your LAN think that you are whatever computer they need to talk to. There is a caveat to this: arpspoof merely creates a packet sink. All the packets go into your computer, but they don't come back out. This is easily fixable by modifying a kernel state to turn on IP forwarding.

There are a couple of fixes for this; the easiest one is to buy a smart switch, one that can be programmed to allow only a certain MAC address to use a certain address. Another involves using /usr/sbin/arp to hardcode the correct internet-to-ethernet addresses into the translation tables.

Handy URLs:
dsniff webpage - http://www.monkey.org/~dugsong/dsniff/
Precompiled dsniff for OS X w/ all libraries and headers - http://www.linville.org/resources/OSX_dsniff.tgz

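The packet-sink situation Cadre describes shows up on a victim host as one MAC address being listed for several IP addresses in its ARP cache, which is something you can check for without any special tools. The script below is an added example and is not part of the hint or of this comment: it parses arp -a style lines (assumed format: "host (ip) at mac on en0 ..."), reports any unicast MAC that appears for more than one IP, and shows the arp -s pinning fix the comment mentions. The sample ARP table, addresses and MACs are constructed.

```shell
#!/bin/sh
# Added example: detect the ARP-cache symptom of the attack described above
# (one MAC answering for several IPs). Assumes BSD/macOS `arp -a` output:
#   gateway (10.0.0.1) at 0:11:22:33:44:55 on en0 ifscope [ethernet]

# Constructed sample of `arp -a` output. Here 10.0.0.1 (the gateway) and
# 10.0.0.7 both resolve to the same MAC, which is what a victim's cache
# looks like while another host is answering ARP requests for the gateway.
SAMPLE_ARP='gateway (10.0.0.1) at 0:11:22:33:44:55 on en0 ifscope [ethernet]
? (10.0.0.7) at 0:11:22:33:44:55 on en0 ifscope [ethernet]
? (10.0.0.9) at a:b:c:d:e:f on en0 ifscope [ethernet]
? (10.0.0.3) at (incomplete) on en0 [ethernet]
? (10.0.0.255) at ff:ff:ff:ff:ff:ff on en0 ifscope [ethernet]'

# Read arp -a style lines on stdin and print "MAC ip1 ip2 ..." for every
# unicast MAC that is listed for more than one IP address.
duplicate_macs() {
    awk '
        # $2 is "(ip)", $4 is the MAC. Skip broadcast and unresolved
        # ("(incomplete)") entries, which are not evidence of anything.
        $2 ~ /^\(.*\)$/ && $4 ~ /:/ && $4 != "ff:ff:ff:ff:ff:ff" {
            ip = substr($2, 2, length($2) - 2)
            count[$4]++
            ips[$4] = ips[$4] " " ip
        }
        END {
            for (mac in count)
                if (count[mac] > 1) print mac ips[mac]
        }'
}

# Run the check against the constructed sample (no network needed).
check_sample() {
    printf '%s\n' "$SAMPLE_ARP" | duplicate_macs
}

# Against the live cache (reading it needs no privileges):
#   arp -a | duplicate_macs
#
# Pinning the gateway mapping, the /usr/sbin/arp fix the comment mentions
# (needs sudo; substitute your gateway's real IP and MAC, and remember a
# static entry is only as good as the MAC you typed in):
#   sudo arp -s 10.0.0.1 0:11:22:33:44:55
```

A single duplicate is not proof of spoofing (a host with two addresses on one interface produces the same picture), so treat a hit as a prompt to compare the listed MAC against the gateway's known hardware address rather than as a verdict.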
tcpdump
Authored by: tghewett on Apr 08, '01 05:27:32PM

I had hoped to use tcpdump myself to check for rogue port probes on my ppp port. But it won't have anything to do with ppp0. If started with no params, it finds ppp0 as an eligible interface but then says it is unconfigured. The same happens if you do tcpdump -i ppp0.

So near yet so far!

Tim.
