Packet sniffing question.

_TK_ · 09-03-2003, 11:59 AM

If someone is uploading files from the local network to an outside IP is there a way you can determine what files are being uploaded but sniffing the wire somehow?

cyph3r7 · 09-03-2003, 12:22 PM

sure put a sniffer between the host uploading and the exit point (router/firewall). You can see whats in 'em....sorta

_TK_ · 09-03-2003, 12:33 PM

Ya I can use iptraf etc.. but i was wondering if there was a method to find specific file names to determine exactly what files are being uploaded.

Khabi · 09-03-2003, 05:01 PM

well, using ethereal you can get a packet dump and see what they're uploading.

Code:

0000  00 00 03 04 00 00 00 03  6b b9 81 c0 00 00 08 00   ........ k.......
0010  45 10 00 3c 02 7f 40 00  40 06 3a 2b 7f 00 00 01   E..<..@. @.:+....
0020  7f 00 00 01 9d 42 00 15  78 97 9d 13 78 e7 1e f4   .....B.. x...x...
0030  50 18 7f ff c4 84 00 00  53 54 4f 52 20 2f 72 6f   P....... STOR /ro
0040  6f 74 2f 74 65 73 74 2e  67 7a 0d 0a               ot/test. gz..

also you'll see a line like this in main window of it.

Code:

no.  Time        Source   Destination   Protocol   Info
27   22.851634   Tux      Tux           FTP        Request: STOR /root/test.gz

This is assuming they're just using regular ftp and not sftp.

aqoliveira · 09-04-2003, 04:47 AM

Hi there

U can use ethereal but u must take into account that it will not work in a switched network try using other tools. Iḿ not gouing to mention those tools as i am not sure if I am allowed to in this forum

cheers

unSpawn · 09-04-2003, 08:04 AM

I'm not going to mention those tools as i am not sure if I am allowed to in this forum
Go right ahead. Dsniff, Ettercap...

aqoliveira · 09-04-2003, 09:14 AM

Thanx dude was not sure I could....