Simple Sniffing without Hubs or Port Mirroring for the Curious Windows User
Your science-fiction-style new refrigerator might go online to download the latest offers or order more pizza after checking your calendar and noticing that you have to finish a nerdy project soon.
It may depend on your geekiness or faith in things or their vendors, but I absolutely need to know more about the details of this traffic. How does the device authenticate to the external partner? Is the connection encrypted? Does the refrigerator company spy on me? Launch the secret camera and mic on the handle?
In contrast to what the typical hacker movie might imply, you cannot simply sniff all traffic on a network even if you have physical access to all the wiring.
In the old days, that was easier. Computers were connected using coaxial cables.
Communications protocols are designed to deal with devices talking to any other devices on the network any time – there are mechanisms to sort out collisions. When computers want to talk to each other they use (logical) IP addresses that need to get translated to physical device (MAC) addresses. Every node in the network can store the physical addresses of its peers in the local subnet. If it does not already know the MAC address of the recipient of a message, it shouts out a broadcast message to everybody and learns MAC addresses. But packets intended for one recipient are still visible to any other party!
A hub does (did) basically the same thing as coaxial cables, only the wiring was different. My very first ‘office network’ more than 15 years ago was based on a small hub that I have unfortunately disposed of.
A switch minimizes traffic and collisions by memorizing the MAC addresses associated with different ports (‘jacks’). If a notebook wants to talk to the local server, this packet is sent from the notebook to the switch, which forwards it to the port the server is connected to. Another curious employee’s laptop could not see that traffic.
This is fine from the perspective of avoiding collisions and performance but a bad thing if you absolutely want to know what’s going on.
I could not resist using the clichéd example of the refrigerator but there are really more and more interesting devices that make outbound connections – or even effectively facilitate inbound ones – so that you can connect to your thing from the internet.
Using a typical internet connection and router, a device on the internet cannot make an unsolicited inbound connection unless you open up respective ports on your router. Your internet provider may prevent this: Either you don’t have access to your router at all, or your router’s external internet address is still not a public one.
In order to work around this nuisance, some devices may open a permanent outbound connection to a central ‘rendezvous server’. As soon as somebody wants to connect to the device behind your router, the server utilizes this existing connection – which is technically an outbound one, from the perspective of the device.
Remote support tools such as TeamViewer use technologies like that to help users behind firewalls. Some internet routers do the same: D-Link calls its respective series Cloud Routers (and stylish those things have become, haven’t they?).
How to: Set up your Windows laptop as a sniffer-router
If you want to sniff traffic from a blackbox-like device trying to access a server on the internet, you would need a hub, which is very hard to get these days – you may find some expensive used ones on eBay. Another option is to use a switch that supports Port Mirroring: All traffic on the network is replicated to a specific port, and by connecting your sniffer computer to that port you could inspect all the packets.
But I was asking myself for the fun of it:
Is there a rather simple method a normal Windows user could use, though – requiring only minimal investment and hacker skills?
My proposed solution is to force the interesting traffic to go through your computer – that is, turning this machine into a router. A router connects two distinct subnets, so the computer needs two network interfaces. Nearly every laptop has an ethernet RJ45 jack and wireless LAN – so these are our two NICs!
I am assuming that the thing to be investigated has a wired connection rather than wireless LAN, so we want…
- … the WLAN adapter to connect to your existing home WLAN and then the internet.
- … the LAN jack to connect to a private network segment for your thing. The thing will access the internet through a cascade of two routers finally.
Routing is done via a hardly used Windows feature experts will mock – but it does the job and is built-in: So-called Internet Connection Sharing.
Additional hardware required: A crossover cable: The private network segment has just a single host – our thing. (Or you could use another switch for the private subnet – but I am going for the simplest solution here.)
Software required: Some sniffer such as the free software Wireshark.
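That’s the intended network setup (using 192.168.0.x as a typical internal LAN subnet):

| Thing         |         | Laptop Router (LAN) | Laptop Router (WLAN) |        | Internet Router |
|---------------|---------|---------------------|----------------------|--------|-----------------|
| LAN           | -cross- | LAN                 | WLAN                 | -WLAN- | Internal LAN    |
| 192.168.137.2 |         | 192.168.137.1       | 192.168.0.2          |        | 192.168.0.1     |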
- Locate the collection of network adapters; in Windows 7 this is under Network and Internet > View Network Status and Tasks > Change Adapter Settings.
- In the Properties of the WLAN adapter click the Sharing tab and check the option Allow other network users to connect through this computer’s Internet connection.
- In the drop-down menu all other network adapters except the one to be shared should be visible – select the one representing the RJ45 jack, usually called Local Internet Connection.
- Connect the RJ45 jack of the chatty thing (usually tagged LAN) to the LAN jack of your laptop with the crossover cable.
- If it uses DHCP (most devices do), it will be assigned an IP address in the 192.168.137.x network. If it doesn’t and needs a fixed IP address, you should configure it for an address in this network with x other than 1. The router-computer will be assigned 192.168.137.1 and is the DHCP server, DNS server, and the default gateway.
- Start Wireshark, click Capture…, Interfaces, locate the LAN adapter with IP address 192.168.137.1 and click Start.
Now you see all the packets this device may send to the internet.
I use an innocuous example now:
On connecting a Samsung Blu-ray player, I see some interesting traffic:
The box gets an IP address via DHCP (only last packet shown – acknowledgement of the address), then tries to find the MAC address for the router-computer 192.168.137.1 – a Dell laptop – as it needs to consult the DNS service there and ask for the IP address corresponding to an update server whose name is obviously hard-coded. It receives a reply, and the – ‘fortunately’ non-encrypted – communication with the first internet-based address is initiated.
Follow TCP stream shows more nicely what is going on:
The player sends an HTTP GET to the script liveupdate.jsp, appending the model, the version number and a location in the European Union. Since the player is behind two routers – that is, NAT devices – Samsung now sees this coming from my Austrian IP address.
The final reply is a page reading [NO UPDATE], and they sent me a cookie that is going to expire 3,5 years in the past ;-) So probably this does not work anymore.
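The triage done by eye in Wireshark above (a DNS lookup followed by an unencrypted HTTP GET) can also be scripted. The following Python sketch is an added example, not part of the original post: it takes raw Ethernet frames as captured on the 192.168.137.1 interface and lists what the device looked up, what it sent in cleartext, and where it spoke TLS. The host name `update.example.com`, the address 203.0.113.10, the query string and the sample frames are constructed for illustration.

```python
import socket, struct
THING = "192.168.137.2"  # address ICS assigns to the device in the article's setup

def qname(dns):  # first question name of a DNS query (queries carry no compression)
    i, labels = 12, []
    while i < len(dns) and dns[i]:
        labels.append(dns[i + 1:i + 1 + dns[i]].decode("ascii", "replace"))
        i += 1 + dns[i]
    return ".".join(labels)

def summarize(frame):  # classify one Ethernet frame sent by THING, else None
    ipv4 = len(frame) >= 42 and frame[12:14] == b"\x08\x00"
    if not ipv4 or frame[26:30] != socket.inet_aton(THING):
        return None
    dst = socket.inet_ntoa(frame[30:34])
    l4 = frame[14 + (frame[14] & 0x0F) * 4:]              # skip IP header (IHL words)
    proto, dport = frame[23], int.from_bytes(l4[2:4], "big")
    if proto == 17 and dport == 53:
        return ("dns-query", qname(l4[8:]))
    if proto == 6 and len(l4) >= 20:
        data = l4[(l4[12] >> 4) * 4:]                     # skip TCP header
        if data[:1] == b"\x16":                           # TLS handshake record
            return ("tls", f"{dst}:{dport}")
        lines = data.split(b"\r\n\r\n")[0].decode("latin-1").split("\r\n")
        req = lines[0].split(" ")
        if len(req) == 3 and req[2].startswith("HTTP/"):
            host = next((h[5:].strip() for h in lines[1:] if h.lower().startswith("host:")), dst)
            return ("cleartext-http", f"{req[0]} http://{host}{req[1]}")
    return None

def audit(frames):
    return [s for s in map(summarize, frames) if s]

# Constructed sample frames: hostname, external IP and query string are made up.
def _frame(src, dst, proto, dport, payload):
    l4 = (struct.pack("!4H", 40000, dport, 8 + len(payload), 0) if proto == 17 else
          struct.pack("!HHIIBBHHH", 40000, dport, 1, 1, 0x50, 0x18, 8192, 0, 0)) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return bytes(12) + b"\x08\x00" + ip + l4

_DNS = struct.pack("!6H", 1, 0x0100, 1, 0, 0, 0) + b"\x06update\x07example\x03com\x00\x00\x01\x00\x01"
_GET = b"GET /liveupdate.jsp?model=X&version=1 HTTP/1.1\r\nHost: update.example.com\r\n\r\n"
SAMPLE = [
    _frame(THING, "192.168.137.1", 17, 53, _DNS),
    _frame("192.168.137.1", THING, 17, 40000, _DNS),     # towards the device: ignored
    _frame(THING, "203.0.113.10", 6, 80, _GET),
    _frame(THING, "203.0.113.10", 6, 443, b"\x16\x03\x01\x00\x05hello"),
]
```

Calling `audit(SAMPLE)` returns one entry per outbound frame of interest; anything tagged `cleartext-http` is readable by every hop between the device and the vendor.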
As I said – this was an innocuous example. I just wanted to demonstrate that you never know what will happen if you can’t resist connecting your things to your local computer network. You might argue that normal computers generate even more traffic trying to contact all kinds of update servers – but in contrast to reverse engineering a ‘lockbox’ of a thing you 1) can just switch on the sniffer and see that traffic without any changes to be made to the network and 2) as an owner of your computers you could in principle control it.
Peer-to-Peer Communication Across Network Address Translators – an overview of different techniques to allow for communications of devices behind NAT devices such as firewalls or internet routers.
Sniffing Tutorial part 1 – Intercepting Network Traffic: Overview on sniffing options: dumb hubs, port mirroring, network tap.