Sunday, 2 October 2011

Snooping on Internet Traffic

Snooping is a process of capturing network packet. Since just capturing doesnt solve any purpose, one important aspect of snooping is analyzing captured packets.

Any internet traffic works through sending and receiving packets. So Snooping can be done to troubleshoot a network or acquire user information like usage type, passwords, emails, chats and basically anything being sent or received through packets on a network.

Snooping is done through many packet capturers and analyzers. Widely used amongst these are tcpdump and wireshark. A video embedded below will give us more idea about when and why they came into existence and what made them so important.

(video source : RiverbedTechnology Channel - Youtube)

Getting Started
(Installing tcpdump and wireshark)

$ sudo apt-get install tcpdump
or go to :

$ sudo apt-get install wireshark
or go to

Now there are two steps to do snooping

  • Capturing
For capturing, a machine is required to run in promisciuous mode to effectively extract packet information.
"promiscuous mode or promisc mode is a mode for a network interface controller (NIC) that causes the NIC to pass all traffic it receives to the central processing unit (CPU) rather than just passing frames the NIC is intended to receive." - Wikipedia
To activate promiscuous mode, we start a packet analyzer with root user access.

  • Analyzing
Analysis of captured packets is a tricky task. The kind of analysis is dependent both on the need as well as the knowledge to extract needed information.
By counting the number of different types of packets i.e TCP, HTTP, ICMP, ARP etc one can have an idea about the kind of data transfer across the network.
The information sent through the packages are often encrypted so exact user information like the site being visited or emails,chats and passwords are difficult. Though extracting HTML passwords is simpler and one can extract them easily as shown below using wireshark :)


TCPDUMP is a shell based program so it does not have graphic user interface, as soon as we give tcpdump command capturing starts.
Starting capturing through tcpdump:
$ sudo tcpdump

note : tcpdump does not give us an option to later save or export the dumped packets. We need to give the tcpdump command followed by '-w ' to write the captured packets in a file for later analysis.
Both wireshark and tcpdump allow filtered capturing of packets according to need. Wireshark provides listed options to filter capturing. Tcpdump has varied syntax options since it is shell based packet analyzer.
exploring options in tcpdump:

capturing packets in very verbose(-vv) mode for capturing more information and saving it to file 'capturefile.txt':


Starting wireshark:
$ sudo wireshark

To start capture in wireshark:

Click on capture option on the toolbar and then click on start to capture packets. Following window will appear on the screen.

Capture filter:

They are used to select the data to record in the capture logs. They are defined before capturing the packets. this type of filter limits the size of captured data to avoid generating a log too big in size.
The steps to configure a capture filter are the following:
select Capture> Option > fill the captured field > click on ‘start’

Syntax : <protocol><direction><host><value><logical
operation><other exp>

(picture source :

After capture is complete:
go to FILE(menu) and click at SAVE(button) to save the capture

We performed a 30 minutes network trace to dump packets in files provided below for download. :)

30 minutes dump by TCPDUMP:

30 minutes dump by Wireshark:



We can have a look at the raw data of captured packets by:
$ sudo tcpdump -r <filename>

(click on the image to view enlarged)

But that is a lot of information and analyzing it just by looking at it is not easy.
So one can use functions like 'wc' and 'grep/sed/awk':

note : The packets captured through TCPDUMP can also be analyzed using Wireshark as it is easier using an analyzer with GUI. Just open the dump file from TCPDUMP through Wireshark by going to FILE(menu) and clicking OPEN.

The captured packets

The screen is divided into three windows :
i) Packet-content windows
It displays one line summary of captured packets . each packet is highlighted by a particular colour a colour code
ii) Packet-header window
It dis plays information about the selected packetin the above window iin tree format from physical layer , datalink layer , Ethernet etc.
iii) Packet-content
It displays the detailed description of the content of the packet in ASCII or hexadecimal form. It generally contains the source and destination IP and MAC address of the captured packets

Display filter:

It allows us to concentrate on the packets we are most interested in on the basis of protocol type, presence of a field, comparison between fields etc. They are used to search inside captured logs. They can be modified while data capturing is going on. This tool is much more powerful than the capture filter. It allows us to search exactly what we want.
To select packets based on protocol type, write the desired protocol in the Filter: field in the filter tool box and press enter. The following shows an eg. of packet containg tcp protocol.

We can filter on any protocol that wireshark understand . narrow down the packet list down to only those packet list that has been sent to or received from IP address , use , ip.addr==
Syntax: <protocol<string1><string2><comparison operator><value><logical operations><other exp>

(picture source :

(extraction using Wireshark)

NOTE: Method shown below are done on self. Doing any such task on somebody else' network is illegal and punishable. Use carefully.
First we start capturing by wireshark (click on images to enlarge)

Open a website (here : Warez-bb) and write username password in their respective feilds.

Now, go to wireshark and stop cature. Type http in filter field to apply the filter, which enables us to view only http protocol packets. Then search for a packet with info : POST /login.

Double click on the packet. Go to 'line based text data' and now we can see the username password entered :)

I tried the same for :
but was not able to apply the same as the packets sent for these sites are encoded and cannot be viewed easily. The above way works for only simple html sites.

Blog Post by:
Archit Agarwal (2011030)
Prerna Jaiswal (2011081)

No comments:

Post a Comment