I tried sniffing network traffic between 2 IP addresses. One is an HTTP server and the other is the client accessing that site.

My aim is to sniff POST method form data. How do I do that? When I tried sniffing, only the packets whose source address was either my computer or the IPs to which I have a TCP connection established were getting sniffed, which is not what I actually want.

My Comp: 192.168.1.1 Victim: 192.168.1.2 Site: 192.168.1.10

I have Wireshark installed on 192.168.1.1. And I want to sniff POST form traffic sent by 192.168.1.2 to site 192.168.1.10...

Your reply would be highly valued.

Abhijeet Rastogi

  • While googling, I got this link: http://www.humanumbrella.com/2008/08/03/wireshark-quick-tutorial-useful-for-post-php-http-authentication/ But, as in the comments, "JC" said that he didn't see any "POST /" traffic. I have the same problem. How do I solve that? – Abhijeet Rastogi Oct 10 '09 at 11:13

3 Answers

These days it is almost guaranteed that you are in a switched network environment which also sounds like the condition you describe. You need to modify the switch to mirror traffic on the source or destination port to the port your machine is connected to. This will allow you to see the traffic you are looking for. If you have a typical consumer switch you are pretty much out of luck.

Well, if you are feeling experimental you can also try to poison the ARP cache of the switch: SANS article

EasyEcho

You could configure a mirror (or "span") port on the switch. Almost every managed switch has such a feature.

If it's your own home network and there are only unmanaged switches, get a hub and connect the "victim", the router and your sniffing PC to it. The "bad" way to get the traffic in a switched environment is called "ARP spoofing". Google for ettercap if you need a tool to help you out.

Well... If it's not your own network and/or the person using the "victim" computer doesn't know and agree with what you're doing, just don't do it.

PEra

As @EasyEcho said, the machines are connected with a switch. Or maybe you have forgotten to enable promiscuous sniffing in Wireshark. Check whether "Capture packets in promiscuous mode" is enabled in the capture options.

  • "Capture packets in promiscuous mode" just tells your kernel to accept packets with a destination MAC different from its own. It's needed, but it doesn't help getting traffic not destined for your PC. – PEra Oct 10 '09 at 11:59
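The three answers together explain the asker's symptom: a switch only forwards a unicast frame to the port where it learned the destination MAC, so a third host never receives it; a mirror (SPAN) port or a hub puts the frame on the sniffer's wire; and promiscuous mode is what lets the sniffer's NIC pass frames addressed to other MACs up to Wireshark. The following toy model is an added example (not code from this thread or from Wireshark) that simulates exactly those mechanisms: a learning switch with optional port mirroring, a hub, and a NIC filter with a promiscuous flag, run against the asker's three-host layout. All MAC addresses and the sample HTTP request are constructed for the illustration.

```python
"""Toy model of why a sniffer on a switched LAN misses traffic between two other
hosts, and what SPAN/port mirroring, a hub, and promiscuous mode each change.
Added example, not from the original thread; MACs and payloads are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    payload: str


@dataclass
class Host:
    name: str
    mac: str
    promiscuous: bool = False
    captured: list = field(default_factory=list)

    def receive(self, frame: Frame) -> None:
        # NIC filter: normally only frames addressed to this MAC (or broadcast)
        # reach the OS. Promiscuous mode passes every frame that arrives on the
        # wire, but it cannot produce frames the switch never sent to this port.
        if self.promiscuous or frame.dst_mac in (self.mac, BROADCAST):
            self.captured.append(frame)


class Switch:
    def __init__(self) -> None:
        self.ports: dict = {}       # port number -> Host
        self.mac_table: dict = {}   # learned source MAC -> port
        self.mirrors: dict = {}     # mirrored port -> monitor (SPAN) port

    def connect(self, port: int, host: Host) -> None:
        self.ports[port] = host

    def mirror_port(self, source_port: int, monitor_port: int) -> None:
        self.mirrors[source_port] = monitor_port

    def forward(self, in_port: int, frame: Frame) -> None:
        self.mac_table[frame.src_mac] = in_port            # learn where src lives
        out_port = self.mac_table.get(frame.dst_mac)
        if frame.dst_mac == BROADCAST or out_port is None:
            targets = {p for p in self.ports if p != in_port}   # flood
        else:
            targets = {out_port}                                # unicast: one port only
        # SPAN: copy everything entering or leaving a mirrored port to the monitor port
        for mirrored, monitor in self.mirrors.items():
            if mirrored == in_port or mirrored in targets:
                targets.add(monitor)
        for port in targets:
            self.ports[port].receive(frame)


class Hub(Switch):
    """A hub repeats every frame out of every other port: no learning, no mirroring needed."""
    def forward(self, in_port: int, frame: Frame) -> None:
        for port, host in self.ports.items():
            if port != in_port:
                host.receive(frame)


SNIFFER_MAC = "02:00:00:00:00:01"   # constructed: the Wireshark host 192.168.1.1
VICTIM_MAC = "02:00:00:00:00:02"    # constructed: the browser host 192.168.1.2
SITE_MAC = "02:00:00:00:00:10"      # constructed: the HTTP server 192.168.1.10
POST_REQUEST = "POST /login HTTP/1.1 user=alice"   # constructed sample form post
RESPONSE = "HTTP/1.1 200 OK"


def run_scenario(fabric: Switch, promiscuous: bool, mirror_victim: bool) -> list:
    """Return the non-broadcast payloads that reach the sniffer's capture tool."""
    sniffer = Host("192.168.1.1", SNIFFER_MAC, promiscuous)
    victim = Host("192.168.1.2", VICTIM_MAC)
    site = Host("192.168.1.10", SITE_MAC)
    fabric.connect(1, sniffer)
    fabric.connect(2, victim)
    fabric.connect(3, site)
    if mirror_victim:
        fabric.mirror_port(2, 1)      # SPAN the victim's port onto the sniffer's port
    # Learning phase: every host sends one broadcast (think ARP), so the switch
    # knows all MACs and does not flood the later unicast frames as "unknown".
    for port, host in fabric.ports.items():
        fabric.forward(port, Frame(host.mac, BROADCAST, "who-has"))
    fabric.forward(2, Frame(VICTIM_MAC, SITE_MAC, POST_REQUEST))
    fabric.forward(3, Frame(SITE_MAC, VICTIM_MAC, RESPONSE))
    return [f.payload for f in sniffer.captured if f.dst_mac != BROADCAST]


def compare_setups() -> dict:
    """Run the asker's layout under each capture setup discussed in the answers."""
    return {
        "switch, not promiscuous": run_scenario(Switch(), False, False),
        "switch, promiscuous": run_scenario(Switch(), True, False),
        "switch + SPAN, not promiscuous": run_scenario(Switch(), False, True),
        "switch + SPAN, promiscuous": run_scenario(Switch(), True, True),
        "hub, not promiscuous": run_scenario(Hub(), False, False),
        "hub, promiscuous": run_scenario(Hub(), True, False),
    }


if __name__ == "__main__":
    for setup, seen in compare_setups().items():
        print(f"{setup:32} -> {seen or 'nothing'}")
```

Running it shows the two conditions that must both hold: the sniffer only captures the POST and the reply in the "switch + SPAN, promiscuous" and "hub, promiscuous" cases. A plain switch yields nothing even with promiscuous mode on (the asker's situation), and a SPAN port or hub without promiscuous mode also yields nothing, because the NIC discards frames addressed to another MAC before Wireshark sees them.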