I have testing environment set up at home with 2 PC´s.
PC 1 ip = 192.168.1.2
PC 2 ip = 192.168.1.4
Gateway = 192.168.1.1
I am sitting on PC 1.
Both computers are on the internet. I tried simply stuff like, going on google and searching, logging in on gmail, using youtube and other things aka. the same.
I want to sniff the HTTP traffic being send from 192.168.1.4, but with many tries i dident succed.
I tried to apply the filter: ip.src == ...1.2 && ip.dst == ...1.4
I also tried to use the PC 2 wlan card and sniff on the mac address, but no luck.
All i ever got was some weird traffic, but no HTTP traffic.
How do i win this?
you need to perform some kind of Man-in-the-Middle attack in order to retrieve the traffic from a target computer, unless you are sitting on a router/switch/gateway. This can be achieved my ARP spoofing a victim, and then forwarding the victim traffic through your own machine and back to the router. Ettercap is a tool you are probably looking for:
Ettercap Website. This can be run on Windows and linux but if your on linux try:
# ettercap -Tq -M ARP /PC2// /GATEWAY//
You should now be able to see PC2 traffic in wireshark. This will also HAVE to be HTTP as you aware, HTTPS would require decryption of the session.
Hope this helps.
If all you are interested in HTTP Traffic interception (and modification) use tools such as https://www.owasp.org/index.php/ZAP or my favourite http://portswigger.net/burp/. Burp has a free and professional edition and it looks like the free edition may be sufficient for your purposes.
Related
Short version: How would you recommend going about connecting a client to a server that are on the same local network, without manually entering the ip, when broadcast is disabled?
Further details: I am working on an educational multiplayer game for children. Many schools appear to be blocking broadcasting for security reasons. The children will be rather young, so it could be difficult for them and error-prone to have to enter the IP manually. They will all be in the same room and will all see the server screen. The game is made in Unity (C#).
Potential solutions: Here's what I thought about:
Connecting both the local server and clients to an external server, communicating the local server ip through the clients through the external server, then connecting directly and disconnect from the server. Not ideal because of the extra hosting costs.
Send a regular UDP message periodically to all ips on the subnet? This will probably be picked up by any decent firewall and blocked though, right?
Putting a QR code on the server that kids would take a picture of with the client app and have it connect that way? May be more of a hassle.
Having the server play random tones corresponding to numbers that the client is listening for? (Speakers may not always work though)
Sounds like the first one is the most sane and easy solution. Do you have any other ideas on what someone in this situation could try?
Is UDP multicast possible?
If yes then a common solution is that all participants join the same multicast group and the server listens on a well known port. If a client wants to know the address of the server it sends a packet to the multicast group, which is received by the client and answered with another packet, which then can be used by the client to determine the servers address.
In addition to that servers can also announce their presence in regular intervals by sending a suitable message to the multicast group.
What I can think of is an ad-hoc communication protocol between all the devices. Say you have 1 server and 10 clients. All the devices should run a service(say server-discovery) that binds to a fixed port say 9999. Now any time the client wants to connect to the server and doesn't know the IP, it starts a scan. Loops through different IPs and tries to connect to 9999. If it manages to hit, it asks for the server IP. In case it manages to hit the server it will get the IP since the server knows it's own IP and the client will maintain the server IP in a cache. If the client hits another client. It can ask for the server IP. It the other client knows the IP it will share the info else decline.
I agree there is a lot of overhead, but I think this will be robust unlike sound and would reduce cost of printing QRs everytime.
on the local network the traffic is direct from host to host.
I don't understand which devices is blocking local broadcasts.
if there aren't too many peers on the LAN ( less then 100 ), I think udp broadcasts work fine and you dont pollute the network.
to have an idea of your "pond", I suggest you to sniff your local traffic.
there are many broadcasts : arp, windows, ipp, dropbox...
This may be a silly question but I was googling a lot last days and I've just found related but not a direct answer to this. In order to express it better let me mention a comparison:
If I setup an http server in a computer behind a router , I must set port forwarding and also that computer must have an static internal IP address in order to receive the requests on that port for that particular IP address. For instance, my router does not allow port forwarding so I could not set it up for the HTTP server. However , Bittorent works like a charm behind that same router without any static IP , nothing. How bittorrent can get requests and it can also seed? How other peers will connect to my computer while seeding? I did verify that when Bittorrent is running the port it uses for example 39031, is actually open ( using yougetsignal_dot_com). How the router can be made to open the port without using its admin settings ( we can also use Bitorrent in a public hot spot where is no way to mess with the router). I know the trackers may do some help, but there are a lot of information about a decentralized way with no trackers or basically that the peers are also trackers but not details on how it works.
Finally, why this "trick" (if any) cannot be used with an HTTP server and we must always depend on the router settings ?
BitTorrent does work behind NAT, to a certain extent. It works better if port forwarding is configured, though.
BitTorrent works reasonably well behind NAT for the following reasons:
BitTorrent is peer-to-peer, and either peer can initiate a connection; therefore, communication will succeed if either of two peers is not behind NAT or properly port forwarded;
some BitTorrent clients are able to automatically set up port forwardings using uPNP or PMP;
modern BitTorrent clients use µTP instead of TCP, and some clients are able to perform UDP hole punching.
We have installed a proxy inbetween host and internet. when i make a request google.com and if i see the communication in wireshark, i can just see the communication to proxy and reply from proxy, since proxy makes the actual request and reply to host.
in this case, how do we see the actual communication even if proxy is in intermediate. i have tried to open the packet and saw "Follow TCP Stream", but i could not find more information from it.
like communication from host to google.com in wireshark?
If you want to capture the traffic between the proxy and the destination, You would need to run wireshark on a machine that can see the traffic between the proxy and the destination. Eg, on the proxy, or on a machine connected to a switch setup to do port mirroring, or ...........
Basically though, without telling us the exact network layout, we cant help.
I'm looking for a tool under windows or mac that allows me to monitor (possibly in a simple way) the traffic going in and out of a computer of my network.
Long story short the residence where I live allows themselves to monitor the internet connection (and doesn't allow us to switch to another provider).
This annoys me on a personal level (I don't like the possibility of people checkin what I do without my knowledge as a general rule regardless of what I do) but also on a professional level (I sometimes work form home).
I'm using/trying out vpn providers (JAP, VyperVPN...) to avoid all this. it works fine with the http connections (if I run iptraces I end up in germany or US or UK ...) but I'm not sure for other applications such as online games, instant messaging softwares that use different ports.
So my question is how can I make sure that my internet traffic is using my vpn connection or not ?
Wireshark would do that for you on Windows and linux (Not sure about Mac). It uses WinPCap library and wraps in a nice UI for you to monitor the packets that you are interested. It allows you to listen to specific or all interfaces , so you can make sure your packets are going via the right interface
if you don't want them monitoring your internet usage, a vpn is a good solution, a vpn will encrypt all of your net traffic between your computer and the vpn gateway -- essentially you'd be surfing the web via a proxy and your landlords wouldnt be able to determine what you are doing.
assuming you are using a real vpn, and not just a browser based proxy solution, then the vpn should encrypt and tunnel all of your network traffic, this includes anything coming out of any port on your computer, not just http traffic.
when you install a vpn on your computer, the vpn creates a fake network device, and all of the vpn traffic gets tunneled to the vpn gateway. you can verify this by looking at your computer's routing tables. there are some vpns which allow for split traffic (split tunneling), e.g. traffic to certain domains gets tunneled through the vpn and others goes in the clear, but this is the rarity, most vpns will tunnel all of your traffic, which seems to be what you are looking for.
just make sure that your vpn uses an encryption protocol, there are some that don't -- this would defeat the whole purpose of your vpn.
Packet sniffers generally do not capture localhost traffic. I need to inspect some post data in a localhost environment (being generated from a Ruby on Rails development). Do you know of any programs that expose localhost packets?
I use fiddler on my Windows box for http sniffing. Since its only looking at http traffic you don't get nearly the amount of noise you get with something like WireShark.
The trick to getting it to work with data sent and received locally is to use a different endpoint for your urls. Using http://127.0.0.1./YourServiceName instead of http://localhost/YourServiceName has always worked for me. Its important to include the trailing 'dot' in the IP address. Don't ask me why though.
If you use Firefox, you could use the HTTP Logging feature:
https://developer.mozilla.org/en/HTTP_Logging
If you just change your address from localhost to an assigned IP address (like 192.168.12.34 or whatever you may have), your packet sniffer should be able to see the packets.
These packets probably do not exist. There is no reason to packetize data when it is not leaving the host. The data should just go from socket to socket.
You might use something like Instruments or Dtrace to monitor the send system call.
I'm a satisfied user of HTTPScoop: http://www.tuffcode.com/
It's similar to the HTTP traffic analyzer addons you'll see for firefox etc. but works systemwide which is convenient and can be switched to observe any of your available network interfaces.
It is not free, nor does it observe HTTPS traffic, but other than that it's a worthwhile addition to your toolbox.