[NBLUG/talk] "Sniffing the Internet"

ME dugan at passwall.com
Tue Jul 29 15:08:00 PDT 2003


Andru Luvisi said:
> On Tue, 29 Jul 2003, ME wrote:
> [snip]
>> At layer 3, you have some switches (I'll ignore) and routers. You can't
>> sniff beyond a router unless you have a presence in the network beyond
>> the router to be sniffed. That presence can be willing or unwilling, but
>> a presence must exist for sniffing to work beyond a router. (Yes, this
>> includes source routed packets where your proxy may be either end.)
> [snip]
>
> What about ICMP redirects?

Here, I go to try to explain something tricky, and you have to throw me a
slide ball! ;-)

ICMP redirects can buy you a limited presence on the network -- for hosts
that actually obey the request. Also, if traffic is being directed
to/through you, then you have, in fact, a presence on the
connections/sessions for which this request was obeyed.

Also, convincing a single host to redirect a connection to/through you is
not the same as sniffing a network; it is more like making a request for
connections to pass to you. Once you do this, then you can sniff what is
passed to you.

In the same vein, one could argue that DNS cache poisoning and faulty DNS
passing to lookups such that your IP is resolved and you act as a
man-in-the-middle proxy to the "real" host is also sniffing beyond the
router. However, you are effectively making yourself part of the
conversation, and if you do this, then you have a presence in the sessions
and can then sniff these packets.

Many methods exist for ensuring you have a presence in a remote network.
If you can find a way to do this, then you have satisfied one of the
requirements for sniffing.

-ME
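
An added example, not part of the original post: a defender-side check that parses a raw IPv4 packet, recognises an ICMP redirect (RFC 792, type 5), and flags it when the sender or the proposed gateway is not a router you expect on the link. The function names, the router allowlist, and the RFC 5737 documentation addresses are assumptions; the sample packet is constructed.

```python
import ipaddress
import struct

ICMP_REDIRECT = 5  # RFC 792 message type for Redirect


def _ip(raw: bytes) -> str:
    return str(ipaddress.IPv4Address(raw))


def parse_redirect(packet: bytes):
    """Return redirect details from a raw IPv4 packet, or None if it is not one."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4            # outer IP header length in bytes
    if ihl < 20 or packet[9] != 1:          # protocol 1 = ICMP
        return None
    if len(packet) < ihl + 8 + 20:          # ICMP header + embedded IP header
        return None
    icmp = packet[ihl:]
    if icmp[0] != ICMP_REDIRECT:
        return None
    inner = icmp[8:]                        # header of the datagram being redirected
    return {
        "sender": _ip(packet[12:16]),       # claims to be the current router
        "target_host": _ip(packet[16:20]),  # host asked to change its route
        "new_gateway": _ip(icmp[4:8]),      # where traffic would be sent instead
        "redirected_dst": _ip(inner[16:20]),
    }


def is_suspicious(info: dict, known_routers: set) -> bool:
    # The sender address can be forged, so the proposed gateway is the
    # stronger signal: a redirect should only ever name a real router.
    return (info["sender"] not in known_routers
            or info["new_gateway"] not in known_routers)


def build_sample(sender, host, gateway, orig_dst) -> bytes:
    """Constructed test packet; checksums are zero and are not verified above."""
    a = lambda s: ipaddress.IPv4Address(s).packed
    inner = (struct.pack("!BBHHHBBH", 0x45, 0, 28, 0, 0, 64, 6, 0)
             + a(host) + a(orig_dst) + bytes(8))
    icmp = struct.pack("!BBH", ICMP_REDIRECT, 1, 0) + a(gateway) + inner
    outer = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0)
    return outer + a(sender) + a(host) + icmp
```

On hosts that do not need redirects at all, the simpler control is to stop obeying them (on Linux, the `net.ipv4.conf.*.accept_redirects` sysctls).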



