Network Sniffing for Everyone – Getting to Know Your Things (As in Internet of Things)

Simple Sniffing without Hubs or Port Mirroring for the Curious Windows User

Your science-fiction-style new refrigerator might go online to download the latest offers or order more pizza after checking your calendar and noticing that you have to finish a nerdy project soon.

It may depend on your geekiness or faith in things or their vendors, but I absolutely need to know more about the details of this traffic. How does the device authenticate to the external partner? Is the connection encrypted? Does the refrigerator company spy on me? Launch the secret camera and mic on the handle?

In contrast to what the typical hacker movie might imply, you cannot simply sniff all traffic on a network even if you have physical access to all the wiring. In the old days that was easier: computers were connected using coaxial cables, a shared medium that every station listened on.

Communications protocols are designed to deal with devices talking to any other device on the network at any time; there are mechanisms to sort out collisions. When computers want to talk to each other they use (logical) IP addresses that need to be translated to physical device (MAC) addresses. Every node in the network caches the physical addresses of its peers in the local subnet. If it does not know the MAC address of the recipient yet, it shouts out a broadcast message (an ARP request) to everybody and learns the MAC address from the reply. On such a shared medium, packets intended for one recipient are still visible to every other party!

A hub does (did) basically the same thing as coaxial cables; only the wiring was different. My very first ‘office network’ more than 15 years ago was based on a small hub that I have unfortunately disposed of.

Nowadays even the cheapest internet router contains a switch. It looks similar but works differently:

A switch minimizes traffic and collisions by memorizing the MAC addresses it has seen on its different ports (‘jacks’). If a notebook wants to talk to the local server, the packet is sent from the notebook to the switch, which forwards it only to the port the server is connected to. Another curious employee’s laptop on a third port cannot see that traffic.

This is fine from the perspective of avoiding collisions and performance but a bad thing if you absolutely want to know what’s going on.
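To make the difference concrete, here is a small simulation I am adding to the post (it is not the author's code): a Hub class that repeats every frame and a Switch class that learns MAC addresses per port. The MAC addresses, port numbers and frames are made up for the demo. Note the one frame the switch does flood like a hub: the very first one, whose destination it has not learned yet.

```python
"""Why a hub lets a third host sniff and a switch (mostly) does not: a small simulation
(added example, not from the original post)."""

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Hub:
    """Repeats every frame out of every port except the one it came in on."""

    def forward(self, in_port, src, dst, ports):
        return sorted(p for p in ports if p != in_port)


class Switch:
    """Learns which MAC address sits behind which port and forwards only there.
    A frame for a still-unknown address (or a broadcast) is flooded like on a hub."""

    def __init__(self):
        self.mac_table = {}                  # MAC address -> port

    def forward(self, in_port, src, dst, ports):
        self.mac_table[src] = in_port        # learn from the source address
        if dst != BROADCAST and dst in self.mac_table:
            return [self.mac_table[dst]]
        return sorted(p for p in ports if p != in_port)   # unknown unicast: flood


# constructed scenario: made-up MAC addresses and port numbers
NOTEBOOK, SERVER = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"
PORTS = {1, 2, 3}       # 1: notebook, 2: server, 3: the curious colleague's laptop
# traffic: notebook -> server, server answers, notebook -> server again
FRAMES = [(1, NOTEBOOK, SERVER), (2, SERVER, NOTEBOOK), (1, NOTEBOOK, SERVER)]


def deliveries(device):
    """Ports that receive each frame in FRAMES when forwarded by `device`."""
    return [device.forward(p, s, d, PORTS) for p, s, d in FRAMES]


def sniffer_sees(device, sniffer_port=3):
    """Which of the frames reach the curious laptop on `sniffer_port`."""
    return [sniffer_port in out for out in deliveries(device)]


if __name__ == "__main__":
    print("hub   :", sniffer_sees(Hub()))      # every frame is visible
    print("switch:", sniffer_sees(Switch()))   # only the first, unknown-destination frame
```

Run it and the switch shows [True, False, False]: a sniffer on a switched network catches at most the flooded frames (unknown destinations, broadcasts), which is why the rest of this post builds a different setup.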

I could not resist using the clichéd example of the refrigerator but there are really more and more interesting devices that make outbound connections – or even effectively facilitate inbound ones – so that you can connect to your thing from the internet.

Using a typical internet connection and router, a device on the internet cannot make an unsolicited inbound connection unless you open up the respective ports on your router (port forwarding). Your internet provider may prevent even that: either you don’t have access to your router at all, or your router’s external address is itself not a public one (carrier-grade NAT).

In order to work around this nuisance, some devices open a permanent outbound connection to a central ‘rendezvous server’. As soon as somebody wants to connect to the device behind your router, the server utilizes this existing connection, which is technically an outbound one from the perspective of the device.

Remote support tools such as TeamViewer use techniques like that to allow helping users behind firewalls. Internet routers do it too: D-Link calls their respective series Cloud Routers (and stylish those things have become, haven’t they?). Note that whoever runs the rendezvous server sits in the middle of every such session, so its security rests on the operator and on whether device and client encrypt their traffic end to end.
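The following added example (not from the original post, and not how TeamViewer or D-Link actually implement it) shows the rendezvous pattern as a toy protocol on the loopback interface: the device dials out and registers, a client asks the server for that device, and the server shuttles the request over the device's existing outbound connection. The message formats REGISTER and CONNECT and the device name thing-1 are invented for this demo.

```python
"""Rendezvous-server relay: an inbound request reaches a device behind NAT over the
device's own *outbound* connection (added example, a toy protocol; not TeamViewer's)."""
import socket
import threading


def run_demo():
    """Run server, device and client on the loopback interface; return the client's reply."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))       # port 0: let the OS pick a free port
    srv.listen(2)
    addr = srv.getsockname()
    registered = threading.Event()

    def rendezvous_server():
        devices = {}                     # device name -> (socket, line reader)
        # 1) the device dials out and registers; the NAT at its site allows this direction
        dev, _ = srv.accept()
        dev_rd = dev.makefile("rb")
        name = dev_rd.readline().decode().split()[1]          # "REGISTER <name>"
        devices[name] = (dev, dev_rd)
        registered.set()
        # 2) a client asks to reach that device; the server reuses the existing connection
        cli, _ = srv.accept()
        _, target, *req = cli.makefile("rb").readline().decode().split()   # "CONNECT <name> <request>"
        dsock, drd = devices[target]
        dsock.sendall((" ".join(req) + "\n").encode())       # relay request to the device
        cli.sendall(drd.readline())                          # relay the device's answer back
        cli.close()
        dsock.close()

    def thing_behind_nat():
        s = socket.create_connection(addr)                   # outbound, hence NAT-friendly
        s.sendall(b"REGISTER thing-1\n")
        req = s.makefile("rb").readline().decode().strip()   # waits for a relayed request
        s.sendall(f"200 OK thing-1 handled '{req}'\n".encode())
        s.close()

    threads = [threading.Thread(target=rendezvous_server), threading.Thread(target=thing_behind_nat)]
    for t in threads:
        t.start()
    registered.wait(5)
    # 3) the owner (or anyone who can talk to the server) connects from "the internet"
    client = socket.create_connection(addr)
    client.sendall(b"CONNECT thing-1 GET /status\n")
    reply = client.makefile("rb").readline().decode().strip()
    client.close()
    for t in threads:
        t.join(5)
    srv.close()
    return reply


if __name__ == "__main__":
    print(run_demo())
```

Everything passes through the server in the clear here, which is exactly the practitioner's concern with such services: whoever operates the rendezvous server can read or alter the session unless device and client encrypt end to end.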

How to: Setup your Windows laptop as a sniffer-router

If you want to sniff traffic from a blackbox-like device trying to access a server on the internet you would need a hub, which is very hard to get these days; you may find some expensive used ones on ebay. Another option is to use a switch that supports port mirroring: all traffic on the network is replicated to a specific port, and connecting your sniffer computer to that port you can inspect all the packets.

But I was asking myself for the fun of it:

Is there a rather simple method a normal Windows user could use though – requiring only minimal investment and hacker skills?

My proposed solution is to force the interesting traffic to go through your computer – that is turning this machine into a router. A router connects two distinct subnets; so the computer needs two network interfaces. Nearly every laptop has an ethernet RJ45 jack and wireless LAN – so these are our two NICs!

I am assuming that the thing to be investigated has a wired connection rather than wireless LAN, so we want…

  • … the WLAN adapter to connect to your existing home WLAN and then the internet.
  • … the LAN jack to connect to a private network segment for your thing. The thing will access the internet through a cascade of two routers finally.

Routing (strictly speaking NAT: the laptop rewrites the thing’s private address to its own WLAN address) is done via a rarely used Windows feature that experts will mock, but it is built in and does the job: so-called Internet Connection Sharing.

Additional hardware required: A crossover cable, since the private network segment has just a single host, our thing. (Most network adapters built in the last decade support Auto-MDIX, so a normal patch cable usually works as well. Or you could use another switch for the private subnet, but I am going for the simplest solution here.)

Software required: Some sniffer such as the free software Wireshark.

That’s the intended network setup (using 192.168.0.x as a typical internal LAN subnet)

|    Thing    |       |      Laptop Router      |      |Internet Router
|     LAN     |-cross-|     LAN     |    WLAN   |-WLAN-|Internal LAN
|192.168.137.2|       |192.168.137.1|192.168.0.2|      |192.168.0.1

  • Locate the collection of network adapters; in Windows 7 this is under
    Control Panel
    –Network and Internet
    —-View Network Status and Tasks
    ——Change Adapter Settings
  • In the Properties of the WLAN adapter click the Sharing tab and check the option Allow other network users to connect through this computer’s Internet connection.
  • In the drop-down menu all other network adapters except the one to be shared should be visible. Select the one representing the RJ45 jack, usually called Local Area Connection in Windows 7 (Ethernet in later versions).

[Screenshot: Internet Connection Sharing settings on the Sharing tab]

  • Connect the RJ45 jack of the chatty thing (usually tagged LAN) to the LAN jack of your laptop with the crossover cable.
  • If it uses DHCP (most devices do), it will be assigned an IP address in the 192.168.137.x network by the laptop. If it doesn’t and needs a fixed IP address instead, configure it for an address in this network with x other than 1, subnet mask 255.255.255.0, and 192.168.137.1 as default gateway and DNS server. The router-computer always gets 192.168.137.1 and acts as DHCP server, DNS server (a proxy forwarding to the WLAN side), and default gateway.
  • Start Wireshark, click Capture…, Interfaces, locate the LAN adapter with IP address 192.168.137.1 and click Start (in newer Wireshark versions, just double-click that interface on the start page). Capture on this adapter, not on the WLAN one: here the packets still carry the thing’s own IP and MAC address, whereas on the WLAN side they have already been rewritten by NAT.

Now you see all the packets this device sends to the internet, and the answers it receives. For encrypted connections you will still learn where the device talks to (DNS names, IP addresses and ports), but not what it says.
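To show what one looks for in such a capture, here is an added example (not part of the original post) that classifies raw Ethernet frames the way you would reading the Wireshark packet list: ARP requests for the laptop router, DNS queries, DHCP, plain HTTP requests and TLS connections. The sample frames are constructed inline with struct, with a hypothetical update server name (liveupdate.example.com) and addresses from the documentation ranges, so nothing here is the Samsung player's real traffic; the decoder itself works on frames from any capture.

```python
"""Classify the frames a 'thing' sends through the laptop router (added example)."""
import struct

ETH_IPV4, ETH_ARP, IP_TCP, IP_UDP = 0x0800, 0x0806, 6, 17


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def ip4(s):
    return bytes(int(x) for x in s.split("."))


def fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def fmt_ip(b):
    return ".".join(str(x) for x in b)


# --- builders for the constructed sample frames (no checksums: we only parse them) ---
def eth(dst, src, etype, payload):
    return mac(dst) + mac(src) + struct.pack("!H", etype) + payload


def ipv4(proto, src, dst, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, ip4(src), ip4(dst)) + payload


def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def tcp(sport, dport, payload):
    # data offset 5 words, flags PSH|ACK, window 8192, no options
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload


def dns_query(name):
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)


def arp_request(sender_mac, sender_ip, target_ip):
    return (struct.pack("!HHBBH", 1, ETH_IPV4, 6, 4, 1) + mac(sender_mac) + ip4(sender_ip)
            + mac("00:00:00:00:00:00") + ip4(target_ip))


# --- the decoder ---
def dns_qname(payload):
    """Read the first question name of a DNS message (queries carry no name compression)."""
    i, labels = 12, []
    while payload[i]:
        n = payload[i]
        labels.append(payload[i + 1:i + 1 + n].decode())
        i += 1 + n
    return ".".join(labels)


def decode_frame(frame):
    """One line describing what the frame does, or None for traffic we do not classify."""
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype == ETH_ARP:
        if struct.unpack("!H", frame[20:22])[0] == 1:      # opcode 1 = request
            return f"ARP: who has {fmt_ip(frame[38:42])}? asks {fmt_ip(frame[28:32])} ({fmt_mac(frame[6:12])})"
        return None
    if etype != ETH_IPV4:
        return None
    pkt = frame[14:]
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    src, dst, l4 = fmt_ip(pkt[12:16]), fmt_ip(pkt[16:20]), pkt[ihl:]
    if proto not in (IP_TCP, IP_UDP) or len(l4) < 4:
        return None
    sport, dport = struct.unpack("!HH", l4[:4])
    if proto == IP_UDP:
        if dport == 53:
            return f"DNS query from {src} to {dst}: {dns_qname(l4[8:])}"
        if dport == 67 or sport == 67:
            return f"DHCP: {src} -> {dst}"
    else:
        payload = l4[(l4[12] >> 4) * 4:]                   # skip the TCP header incl. options
        if payload.startswith((b"GET ", b"POST ")):
            lines = payload.split(b"\r\n")
            host = next((l.split(b":", 1)[1].strip().decode() for l in lines[1:]
                         if l.lower().startswith(b"host:")), "?")
            return f"HTTP {lines[0].decode(errors='replace')} to {dst}:{dport} (Host: {host})"
        if dport == 443:
            return f"TLS to {dst}:443 (endpoint visible, content encrypted)"
    return None


def summarize(frames):
    return [d for d in map(decode_frame, frames) if d]


# Constructed sample traffic: hypothetical server name and documentation-range addresses.
THING_MAC, ROUTER_MAC = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff"
SAMPLE_FRAMES = [
    eth("ff:ff:ff:ff:ff:ff", THING_MAC, ETH_ARP, arp_request(THING_MAC, "192.168.137.2", "192.168.137.1")),
    eth(ROUTER_MAC, THING_MAC, ETH_IPV4, ipv4(IP_UDP, "192.168.137.2", "192.168.137.1",
        udp(50000, 53, dns_query("liveupdate.example.com")))),
    eth(ROUTER_MAC, THING_MAC, ETH_IPV4, ipv4(IP_TCP, "192.168.137.2", "203.0.113.10",
        tcp(50001, 80, b"GET /liveupdate.jsp?model=EXAMPLE HTTP/1.1\r\nHost: liveupdate.example.com\r\n\r\n"))),
    eth(ROUTER_MAC, THING_MAC, ETH_IPV4, ipv4(IP_TCP, "192.168.137.2", "203.0.113.11", tcp(50002, 443, b"\x16\x03\x01"))),
]

if __name__ == "__main__":
    for line in summarize(SAMPLE_FRAMES):
        print(line)
```

The HTTP request line and Host header are the lines that tell you a plain-text update check is happening; for the TLS frame the decoder deliberately reports only the endpoint, which is all a capture of an encrypted connection gives you.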

I use an innocuous example now:

On connecting a Samsung Blu-ray player, I see some interesting traffic:

[Screenshot: Wireshark packet list of the Samsung Blu-ray player’s traffic]

The box gets an IP address via DHCP (only the last packet is shown: the acknowledgement of the address), then tries to find the MAC address of the router-computer 192.168.137.1 (a Dell laptop), as it needs to consult the DNS service there and ask for the IP address corresponding to an update server whose name is obviously hard-coded. It receives a reply, and the ‘fortunately’ unencrypted communication with the first internet-based address is initiated.

Follow TCP Stream shows more nicely what is going on:

[Screenshot: Follow TCP Stream – the Samsung Blu-ray player asks for an update]

The player sends an HTTP GET to the script liveupdate.jsp, appending the model, the firmware version number and its location (European Union). Since the player is behind two routers, that is two NAT devices, Samsung now sees this request coming from my Austrian IP address.

The final reply is a page reading [NO UPDATE], and they sent me a cookie that expires 3.5 years in the past ;-) So probably this does not work anymore.

As I said, this was an innocuous example. I just wanted to demonstrate that you never know what will happen if you can’t resist connecting your things to your local computer network. You might argue that normal computers generate even more traffic trying to contact all kinds of update servers, but in contrast to reverse engineering a lockbox of a thing you 1) can just switch on the sniffer and see that traffic without any changes to the network and 2) as the owner of your computers you can, in principle, control it.

________________________________

Further reading:

Peer-to-Peer Communication Across Network Address Translators – an overview of different techniques to allow for communication of devices behind NAT devices such as firewalls or internet routers.

Ethernet and Address Resolution Protocol (ARP) on Wikipedia

Sniffing Tutorial part 1 – Intercepting Network Traffic: Overview on sniffing options: dumb hubs, port mirroring, network tap.

12 Comments

  1. Your post has stirred up so many fond memories!
    I first encountered networking around 1990, shortly after my province started its “Lighthouse Project” which was headed up by my friend and mentor Frank Shapleigh. It was based, at first, on arcnet using a system known as Waterloo Port. It was tricky and finicky but, for its time, quite a wonder!
    A few years later we started moving over to the more familiar ethernet with the RJ45 connectors that are now so common and, in time, the system became better and better.
    I think one of the major changes that I really sat up and noticed was when windows 3.11 came in. Its little change over 3.1 made networking so much better!
    One of the next big changes I really noticed was when we started replacing the school hubs with switches. They made a HUGE performance improvement.
    These days, operating systems make it all pretty easy, don’t they!
    But all is still not perfect.. Just last week I spent hours trying to figure out why my home network printers no longer functioned properly. All three are getting a little old, as is the way they are connected. One is connected via a ten-year-old HP Jet Direct card that hooks directly to the network. I have its IP address fixed and connect to it using a “local” (sort of) TCPIP port. It stopped working for wireless devices. The other two are USB based and connected to an older desktop still running XP, configured through XP as network shares. All three stopped properly working and I tried, unsuccessfully, to troubleshoot the system. As near as I can determine the problem is at the head end. I have fibre to the home and the provider–Bell–provides the head-end device, which is a combination of modem, router, 4-port switch (I run two switches off it, a 5-port downstairs and an 8-port for upstairs) and wifi hotspot. I also have an older router configured (pass through only; didn’t want to add a third layer to an already complicated setup) as an extra independent wifi spot for upstairs. All share common network addressing and subnet, etc. as all of the local routing is left to the Bell device.
    I think the problem is that the ISP provider has done an external firmware upgrade to the head-end device and it no longer properly shares across wireless and wired; that is wired devices see one another properly, wireless devices see one another properly but wired and wireless, while they “see” one another, will not properly communicate, even though all share base network addressing and such and all are configured to be part of the same windows workgroup (had to do that as there are still 3 XP based computers in the house).
    Now, the fix would be to circumvent the Bell device, just set it as pass-through, and add my own router instead. The problem is that the firmware on the Bell device does not allow users to do that. Bummer!
    Reflecting back on networking in the home.
    I started it with a simple linksys router/switch/wireless B device that cost around $300 about 12 years ago. It was connected to a DSL modem. When I first set it up, there were 2 desktops downstairs, one upstairs and my laptop. Shortly after added that printer directly using the JetDirect card, which cost around $100.
    Now the infrastructure includes the Bell device with two switches attached, plus an extra wifi hotspot. Connected directly to the network are 5 PCs (2 XP, 2 win7, 1 win8.1), an Xbox 360, Xbox 1, Wii, Three digital TV boxes and the (semi-functional) old JetDirect.
    Now the wireless: 7 laptops (one each for every one in the house plus the old XP one that now serves as a media device under the TV). 6 cellphones (2 iphones, 4 androids), 1 tablet (my nexus 7), 3 Nintendo DS, 1 Nintendo 3DS, 1 PsP, 1 PSVita
    and a partridge in a pear tree.
    And, aside from the fact that my family is large and so has a few extra, that is not too different from what most homes have.
    And it all works!
    Just think back to what it took to get a few standard, similarly configured machines running on the old arcnet and now compare it to what modern networking can do and you can only be amazed at how far it all has come.

    1. elkement says:

      Great stories, Maurice! What I regret a bit is that I haven’t taken photos or screenshots of all that old stuff – or created my personal museum of devices, as I ruthlessly discarded all old things. I also started with Win 3.11 in the early nineties – I have some vague memories of installing all the enigmatic TCP/IP components on DOS.

      As for HP printers I can relate. In the office we have a multi-functional printer / fax / scanner and one of its really cool features (if it works) is the scan-to-pdf function to a network share, given a proper user’s credentials had been configured. Due to some enigmatic combination of (allegedly) Windows Server 2008’s firewall settings / network profiles and probably a specific version of that HP printer software I also spent hours with debugging and sniffing.

      It has always amazed me that sometimes issues in rather down-to-earth small business offices turned into much detective work – as recently the combination of a switch and a telephone system that did not quite update their ARP caches as expected after IP address changes, so the only workaround was to go for fixed IP addresses. It is even more challenging if you don’t own these boxes (as operations is outsourced) so you can poke them from the outside.

  2. Joseph Nebus says:

    I appreciate the review of just how networking works. I learned pretty much everything I know about networking in 1995, and have just added the miscellaneous new bit of information every couple of years when something penetrates my skull, so it’s a pretty unreliable mesh of trivia at this point.

    1. elkement says:

      I think this is how most of us have learned about networking :-) – in an organic, tinkering way!

  3. So … beyond the ‘do-it-because-you-can’ argument … where’s the utility in being able to monitor the traffic (incoming and outgoing) on your computer? Are there ‘things’ out there that migrate into our computers for purposes of monitoring our activity? Could your setup detect this? And, once detected isn’t it too late? Or, can you then seek and destroy? D

    1. elkement says:

      I have presented a rather innocuous example as I keep the more interesting / scarier stuff between me and the vendors. If I see an unencrypted password for example, I call upon the vendor and re-consider using the thing at all or block its communication with the internet.

      Generally it is about reducing a surface for potential attacks of which you don’t know any details. I cringe when I see how vendors of heaters and other home automation connect customers’ stuff to the internet (for maintenance purposes), using weak or no passwords. It is shockingly easy to find open systems on the internet. The convergence of IT and other sorts of networks and home automation created new risks. Architects of those systems are traditionally not security-aware at all, think the typical 0000 passwords for the expert level in heating controls. That’s not an issue as long as the stuff is physically protected.

      Then it is also about blocking some behavior that might be suspicious or questionable re privacy … in the same way we are wary about Facebook’s privacy settings or Google sending our GPS coordinates etc. If I buy a new printer or other device I seldom register it, connecting all my data and location with some unique ID of that device. In the same way I don’t want my DVD player to contact the vendor automatically. I

      The most common use of network monitoring is in troubleshooting. Even if nobody wants to hack you, ‘things’ can mess up something inadvertently.

      1. I shouldn’t have asked … now you’ve got me worried! D

  4. M. Hatzel says:

    As part of an ongoing experiment on innovation, you should now track the influence this playful experimenting exerts on future problems you encounter. :)

    1. elkement says:

      Probably I will not be able to watch Star Trek on my Blu-ray player anymore :-)

  5. I shared your post with a friend of mine who likes to tinker. His favorite proverb: If it’s stupid, but works, then it’s not stupid

    1. elkement says:

      Thanks a lot – yes, the tinkerers are my target audience here :-)
      Yes, the ‘solution’ as such is not very professional – but it works without much investment which was my goal here.

      1. Btw a Refrigerator that orders food for me depending on what I intend to cook would be amazing!
