got a brand new toy....

Posted by: Soap

got a brand new toy.... - 03/08/02 09:28 AM

I just d/l-ed a sniffer, and must say I am having alot of fun with it on my ethernet network.
I understand, if it's routed, the beginning of the packet is the source MAC to dst MAC with is the next router to
get to the desired dest IP specified.
ok now, how does it work on the internet, with ppl who don't have a network card, or who connect to the net with a modem for example.
What is the source MAC?? is it that 45-44-00-00 or smtg ...corespondance i get while scanning winBOXes...
And do we broadcast? Does everyone on the subnet use FF-FF-FF-FF-FF-FF destination or use the network's router MAC@??

And how would one go about sniffing on smtg else than ethernet? (Modem OR serial??(my fone connects to my laptop thru serial and uses its own modem to connect anyone ever tried sniffing there...?)

thx
Posted by: SilentRage

Re: got a brand new toy.... - 03/08/02 01:53 PM

/me tries to make sense of your questions...

(disclaimer: answers are given based upon my knowledge of TCP/IP and may be wrong if you use NETBIEU (sp?) or IPX as your ethernet protocol)

"I understand, if it's routed, the beginning of the packet is the source MAC to dst MAC with is the next router to get to the desired dest IP specified."

MAC addresses are mostly important when you're using hubs to route packets. You setup your network and you CAN program some hubs to route packets based upon MAC addresses. A MAC address should always be unique in a network setting so that they can represent that computer properly. MAC addresses are derived from the network card. Since sometimes you may get a conflict where more than one card has the same MAC address, depending on the card, you can change it. Some people believe that all MAC addresses are unique and cannot be changed. Don't listen to them. In a packet: SRC MAC = sending computer, DST MAC = destination computer.

"ok now, how does it work on the internet, with ppl who don't have a network card, or who connect to the net with a modem for example."

The internet doesn't use MAC addresses like that. Instead we've got the TCP/IP system. In that system, each computer is represented by a 32-bit number (IP). Routing is possible because there are routing tables that are passed around amongst routers to let them know where packets go. If a router doesn't know where a packet should go, they send it to a router that might know. Eventually the packet will make it to it's destination, or if it never gets there, a ICMP error response is sent back to the sender.

"What is the source MAC?? is it that 45-44-00-00 or smtg ...corespondance i get while scanning winBOXes..."

The source MAC is simply the address programmed into your network card.

For information about your ethernet card
type this into your command prompt:
ipconfig /all | more

The Physical Address is my MAC address for an adapter. It will look something like '00-C0-F0-78-30-CD'

The MAC address coming from a modem user will be a MAC address of the computer the user is dialed into.

"And do we broadcast?"

uh, broadcasting relates to UDP datagrams which gets sent across an entire submask.

"Does everyone on the subnet use FF-FF-FF-FF-FF-FF destination or use the network's router MAC@??"

For broadcasting? FF-FF-FF-FF-FF-FF always.

"And how would one go about sniffing on smtg else than ethernet?"

What is smtg? I just might be unfamiliar with the acronym. But to give a generalized response... There are two different kinds of sniffers. There's a 'Packet Sniffer' which will log data being sent to and from your computer. Then there's a 'Ethernet Sniffer' which is only useful on networks where you don't have switching and can therefor ALSO log information sent between other computers on that network.
Posted by: Gremelin

Re: got a brand new toy.... - 03/08/02 02:00 PM

dont dog ipx i use it on my network for gaming :x

and sr, i think he meant something :x
Posted by: SilentRage

Re: got a brand new toy.... - 03/08/02 04:51 PM

**** internet acronyms encouraging laziness across the internet. One day we'll have to take a class to learn the "Internet Language" so that you can freakin speak to people.

Anyway, as to that last question which I NOW UNDERSTAND...

For Modem users:
Get a Packet Sniffer - not a Ethernet sniffer. I answered your question by chance, but now you have a more definate to-the-point answer.

For ANY NETWORK ethernet or otherwise
Ethernet Sniffer. Yes even NETBIEU and IPX SHOULD be supported by your ethernet sniffer in analysis. Otherwise, you SHOULD at least see the data in the raw.
Posted by: Soap

Re: got a brand new toy.... - 03/18/02 08:37 AM

ok thanks for the info...
ERm, I realise I think I made a mistake because I sniffed Only ethernet packets... maybe if I sniff Modem PPP connection packets, I'll only get the IP header (and dat) without the Ethernet header is that right?
And about the MAC addresses for winboxes I can't rember I exactly because wait....
maybe I'll find someone on my local network with a winPC
[...]
got it !
44:45:53:54:00:00
wut does that mean?? It can't be used to route packets...so WTF??
And on an XP however it's
00-53-45-00-00-00
which is (a littlke diff...) but stays noticeable against real ethernet cards MAC@

l8s

I'll be goooogling to "packets sniffers"....
Posted by: SilentRage

Re: got a brand new toy.... - 03/18/02 01:18 PM

00-53-45-00-00-00 00-53-45-00-00-00

Those could be a MAC addresses yes. MAC addresses are always 6 bytes - and that up there is the standard format you read them.

I think the difference between a standard packet sniffer and a ethernet sniffer is how they're implimented. I believe a standard packet sniffer will ALWAYS sniff the packets going to your machine whether you're on a modem or ethernet card. You just gotta bind the packet sniffer to the correct adapter that you'll be recieving data on. But you need a ethernet sniffer to read data on a network that ISN'T directed to your computer. While the packet sniffer hooks an adapter, the ethernet sniffer may go a lower level and hook the ethernet card itself.

I'm hypothesizing here. You really should go look this stuff up and learn for yourself. Other people may tell ya wrong.