tcpdump is great, but out of the box it can't listen to traffic on a switched network. Do you think you are safe on a switched network? < grin >

Those of you familiar with how the IP layer of communications works know that when a computer is looking to send information across a network it sends out an arp request with an IP address. It awaits for the correct computer to respond with an arp reply that contains the Mac address of the computer. If that particular IP is in another subnet, your gateway will respond to the arp request.

In comes arpspoof, a handy little utility that comes with the dsniff package. It replies to all arp requests with your Mac address. Thats right, all computers in your LAN think that you are whatever computer they need to talk to. There is a caveat to this, arpspoof merely creates a packet sink. All the packets go into your computer but they don't come back out. This is easily fixable by modifying a kernel state to turn on ip forwarding.

There are a couple fixes for this, the easiest one is to buy a smart switch. One that can be programmed to allow only a certain Mac address to use a certain address. Another involves using /usr/sbin/arp to hardcode the correct internet-to-eithernet addresses into the translation tables.

Handy URLs:
dsniff webpage - http://www.monkey.org/~dugsong/dsniff/
Precompiled dsniff for OS X w/ all libraries and headers - http://www.linville.org/resources/OSX_dsniff.tgz

I had hoped to use tcpdump myself to check for rogue port probes on my ppp port. But it won't have anything to do with ppp0. If started with no params, it finds ppp0 as an eligible interface but then says it is unconfigured. The same happens if you do tcpdump -i ppp0.

So near yet so far!

Tim.