
How to sniff local network?


I have searched on StackOverflow and the Internet but I couldn't find what I was looking for. Here is my setup:

I have three computers, A, B and C, connected to a router (which is not connected to the internet). I want computer A to see what B is doing, which means to see all the data that B is sending to C. A, B and C are all connected to the router. I tried multiple solutions and I succeeded in seeing some of the data, using arpspoof, but I couldn't see what interests me.

B is actually connecting to a website which is stored in C (HTTP). On this website is a form that is using the post method to send data. I want to see the data in this form from A when B sends it to C.

Could you help me? I am not sure how to do such a thing. Thank you for your time and help.


Solution

  • If all computers are connected by wire to the router, then they are using the built-in switch inside the router. The switch doesn't allow you to see packets that are not intended to be received by your NIC. This is why you can't see anything.

    You need to do one of:

    • Get an old hub (not switch) and connect your computers to it. The hub will happily forward all packets to all ports.
    • If the router firmware allows it, assign one port to be a "promiscuous port" so a copy of any packet will be forwarded to it, and connect your packet analyzer on that port. This can be done in high-end switch systems, but is unlikely on SOHO equipment.
    • Use a "MAC flooding"-like attack to get your switch to forward other equipment packets to the port that receives the attack. This is not the same as ARP spoofing though.
    • Connect your equipment by Wi-Fi, and use a promiscuous-enabled wireless card in the computer you will use to sniff the net. I'm not sure if you will see decrypted packets this way.
    • The ARP spoof method you have tried works best if you don't allow host A (the one running the packet sniffer) to send any actual packet besides the spoofed ARP responses. This will keep the switch from forgetting the spoofed MAC address and learning the newer real MAC address. You may not see all packets, but only those directed to either B or C but not both. It depends on how the MAC tables are actually implemented in the internal switch.
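
Seen from the defending side, the spoofed ARP responses described in the last bullet are visible to any host that watches ARP traffic. The following is an added example, not part of the original answer: it parses raw Ethernet/ARP frames and flags replies nobody requested and IP addresses that move to a different MAC. All addresses and frames are constructed, and the helper names are hypothetical.

```python
import struct

ARP_REQUEST, ARP_REPLY = 1, 2

def _mac(b): return ":".join(f"{x:02x}" for x in b)
def _ip(b): return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_ip) for Ethernet/IPv4 ARP, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":   # EtherType 0x0806 = ARP
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, _mac(frame[22:28]), _ip(frame[28:32]), _ip(frame[38:42])

def detect(frames):
    """Flag replies nobody asked for and IPs that move to a different MAC."""
    bindings, pending, alerts = {}, set(), []
    for i, frame in enumerate(frames):
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        op, smac, sip, tip = parsed
        if op == ARP_REQUEST:
            pending.add((sip, tip))              # sip asked "who has tip?"
        elif op == ARP_REPLY:
            if (tip, sip) not in pending:        # also fires on benign gratuitous ARP
                alerts.append((i, "unsolicited-reply", sip, smac))
            pending.discard((tip, sip))
        if bindings.setdefault(sip, smac) != smac:   # first-seen MAC is the baseline
            alerts.append((i, "binding-changed", sip, smac))
    return alerts

def _frame(op, smac, sip, tmac, tip, dst):
    """Build a constructed 42-byte ARP frame in memory (nothing is sent)."""
    h = lambda m: bytes.fromhex(m.replace(":", ""))
    a = lambda s: bytes(int(x) for x in s.split("."))
    return (h(dst) + h(smac) + b"\x08\x06" + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + h(smac) + a(sip) + h(tmac) + a(tip))

# Constructed sample: B resolves C normally, then a third MAC claims C's IP.
MAC_A, MAC_B, MAC_C = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"
IP_B, IP_C = "192.168.1.11", "192.168.1.12"
SAMPLE = [
    _frame(ARP_REQUEST, MAC_B, IP_B, "00:00:00:00:00:00", IP_C, "ff:ff:ff:ff:ff:ff"),
    _frame(ARP_REPLY, MAC_C, IP_C, MAC_B, IP_B, MAC_B),
    _frame(ARP_REPLY, MAC_A, IP_C, MAC_B, IP_B, MAC_B),
]
```

Running `detect(SAMPLE)` raises both alerts on the third frame only; the normal request and reply pass silently. Static ARP entries for the server on B, or dynamic ARP inspection where the switch supports it, are the usual mitigations once such alerts appear.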