You want insecure? I'll show you insecure!
Authored by: Cadre on Apr 08, '01 03:02:21PM

tcpdump is great, but out of the box it can't listen to traffic on a switched network. Do you think you are safe on a switched network? <grin>

Those of you familiar with how the IP layer of communications works know that when a computer is looking to send information across a network, it sends out an ARP request with an IP address. It waits for the correct computer to respond with an ARP reply that contains the MAC address of the computer. If that particular IP is in another subnet, your gateway will respond to the ARP request.

In comes arpspoof, a handy little utility that comes with the dsniff package. It replies to all ARP requests with your MAC address. That's right, all computers in your LAN think that you are whatever computer they need to talk to. There is a caveat to this: arpspoof merely creates a packet sink. All the packets go into your computer but they don't come back out. This is easily fixable by modifying a kernel state to turn on IP forwarding.

There are a couple of fixes for this; the easiest one is to buy a smart switch, one that can be programmed to allow only a certain MAC address to use a certain address. Another involves using /usr/sbin/arp to hardcode the correct internet-to-Ethernet addresses into the translation tables.

Handy URLs:
dsniff webpage -
Precompiled dsniff for OS X w/ all libraries and headers -

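A defensive check for the condition described in the comment above, as an added example that is not part of the original comment: it parses "arp -an" output and flags any MAC address that answers for more than one IP, plus any entry that differs from a known-good table. The sample output and the pinned gateway MAC are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches BSD/macOS and Linux `arp -an` lines; "(incomplete)" entries do not match.
ENTRY = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\) at ([0-9A-Fa-f]{1,2}(?::[0-9A-Fa-f]{1,2}){5})\b")

def normalize_mac(mac):
    """BSD arp drops leading zeros (0:3:93:...); pad each octet to two hex digits."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))

def parse_arp_table(text):
    """Return {ip: mac} for unicast entries in `arp -an` output."""
    table = {}
    for ip, mac in ENTRY.findall(text):
        mac = normalize_mac(mac)
        if int(mac[:2], 16) & 1:      # broadcast/multicast MAC, never a single host
            continue
        table[ip] = mac
    return table

def shared_macs(table):
    """MACs claimed by more than one IP: the symptom of the spoofing described above."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

def pinned_mismatches(table, pinned):
    """Entries whose current MAC differs from a known-good (pinned) mapping."""
    return sorted((ip, normalize_mac(good), table[ip])
                  for ip, good in pinned.items()
                  if ip in table and table[ip] != normalize_mac(good))

# Constructed sample output, not captured from a real network.
SAMPLE = """\
? (192.168.1.1) at 0:30:65:d:e:f on en0 [ethernet]
? (192.168.1.20) at 0:30:65:d:e:f on en0 [ethernet]
? (192.168.1.30) at 0:a:27:11:22:33 on en0 [ethernet]
? (192.168.1.40) at (incomplete) on en0 [ethernet]
? (192.168.1.255) at ff:ff:ff:ff:ff:ff on en0 [ethernet]
"""
PINNED = {"192.168.1.1": "00:03:93:aa:bb:cc"}   # hypothetical gateway MAC

if __name__ == "__main__":
    table = parse_arp_table(SAMPLE)
    for mac, ips in shared_macs(table).items():
        print(f"WARNING {mac} answers for {', '.join(ips)}")
    for ip, good, seen in pinned_mismatches(table, PINNED):
        print(f"WARNING {ip} expected {good} but ARP cache has {seen}")
```

A shared MAC is a prompt to investigate rather than proof: a host with several addresses on one interface produces the same pattern.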
Authored by: tghewett on Apr 08, '01 05:27:32PM

I had hoped to use tcpdump myself to check for rogue port probes on my ppp port. But it won't have anything to do with ppp0. If started with no params, it finds ppp0 as an eligible interface but then says it is unconfigured. The same happens if you do tcpdump -i ppp0.

So near yet so far!
