Spy on Yourself with tcpdump - Page 2
This shows the protocol is pop3s, rather than pop3, which is what we want. We can dig even deeper and view the login itself:
# tcpdump -X port 995
The output is readable enough to verify that anyone snooping on our connection cannot capture logins and passwords. By contrast, this snippet plainly shows the login and password of a clear-text POP3 session:
# tcpdump -X port 110
32:46(14) ack 70 win 5840 (DF)
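To make the difference between the two captures concrete, here is an added example, not code from the original column, that parses the hex-and-ASCII layout tcpdump -X prints and flags USER/PASS commands sent to port 110, while ignoring port 995, whose payload is TLS ciphertext. The host names, ports and credentials are constructed, and the packets are built inside the script so it runs without tcpdump or root.

```python
"""Flag clear-text POP3 credentials in tcpdump -X output (added example).

Not code from the original article. It constructs two packets, renders them in
the hex-plus-ASCII layout that tcpdump -X prints, parses that text back into
bytes and reports any USER/PASS commands sent to port 110. Host names, ports
and credentials below are made up.
"""
import re
import struct

POP3_PORT, POP3S_PORT = 110, 995
# tcpdump prints service names unless run with -n; map the two we care about.
SERVICE_PORTS = {"pop3": POP3_PORT, "pop3s": POP3S_PORT}

# Packet header line, classic format: "20:43:30.1 windbag.32771 > mail.pop3: P ..."
# Newer tcpdump adds "IP " after the timestamp; the optional group accepts both.
HEADER_RE = re.compile(r"^\d\d:\d\d:\d\d\S* (?:IP )?(\S+)\.(\w+) > (\S+)\.(\w+):")
# Hex-dump line: "\t0x0010:  0a00 0202 ...  ASCII column"
HEX_LINE_RE = re.compile(r"^\s*0x[0-9a-f]{4}:\s+(.*)$")
# POP3 authentication commands, one per line in the TCP payload.
CRED_RE = re.compile(rb"^(USER|PASS) \S+", re.M)


def port_number(token: str) -> int:
    return int(token) if token.isdigit() else SERVICE_PORTS.get(token, -1)


def build_tcp_packet(sport: int, dport: int, payload: bytes) -> bytes:
    """Minimal IPv4+TCP packet (constructed sample; checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x1234, 0x4000,
                     64, 6, 0, bytes([192, 168, 1, 5]), bytes([192, 168, 1, 20]))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 5 << 4, 0x18, 5840, 0, 0)
    return ip + tcp + payload


def render_tcpdump_x(header: str, pkt: bytes) -> str:
    """Lay the packet out the way tcpdump -X does: 16 bytes per line."""
    lines = [header]
    for off in range(0, len(pkt), 16):
        chunk = pkt[off:off + 16]
        groups = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"\t0x{off:04x}:  {groups.ljust(39)}  {text}")
    return "\n".join(lines)


def parse_dump(text: str) -> list:
    """Group hex-dump lines under their header and rebuild raw packet bytes."""
    packets, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"src": m.group(1), "sport": port_number(m.group(2)),
                       "dst": m.group(3), "dport": port_number(m.group(4)),
                       "data": bytearray()}
            packets.append(current)
            continue
        m = HEX_LINE_RE.match(line)
        if m and current is not None:
            # The ASCII column is separated from the hex groups by 2+ spaces.
            hex_part = re.split(r"\s{2,}", m.group(1).strip(), maxsplit=1)[0]
            current["data"] += bytes.fromhex(hex_part.replace(" ", ""))
    return packets


def tcp_payload(pkt: bytes) -> bytes:
    ihl = (pkt[0] & 0x0F) * 4               # IPv4 header length
    data_offset = (pkt[ihl + 12] >> 4) * 4  # TCP header length
    return bytes(pkt[ihl + data_offset:])


def find_cleartext_logins(dump_text: str) -> list:
    """Return (client, command) for every USER/PASS seen on plain POP3."""
    findings = []
    for p in parse_dump(dump_text):
        if p["dport"] != POP3_PORT:
            continue  # port 995 carries TLS; the payload is ciphertext
        for m in CRED_RE.finditer(tcp_payload(p["data"])):
            findings.append((p["src"], m.group(1).decode()))
    return findings


# Constructed sample: one clear-text login on 110, one TLS record on 995.
SAMPLE_DUMP = "\n".join([
    render_tcpdump_x("20:43:30.123456 windbag.32771 > mail.pop3: P 1:26(25) ack 1 win 5840 (DF)",
                     build_tcp_packet(32771, POP3_PORT, b"USER carla\r\nPASS s3cret\r\n")),
    render_tcpdump_x("20:43:31.654321 windbag.32772 > mail.pop3s: P 1:12(11) ack 1 win 5840 (DF)",
                     build_tcp_packet(32772, POP3S_PORT,
                                      b"\x16\x03\x01\x00\x06\x01\x00\x00\x02\x03\x01")),
])

if __name__ == "__main__":
    print(SAMPLE_DUMP)
    for client, cmd in find_cleartext_logins(SAMPLE_DUMP):
        print(f"clear-text {cmd} from {client}")
```

Feed it a real capture with tcpdump -X port 110 > dump.txt and call find_cleartext_logins on the file contents; the report names the client and the command, not the password, which is all an audit needs.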
Hubs Are Blabbermouths
If your LAN is connected with hubs, which is so twentieth century, you can sniff traffic for any host on the network from the comfort of your own chair. Anyone on the LAN can simply name the host they wish to surveil:
# tcpdump dst host workstation5
Or specify the host's IP address. tcpdump automatically puts your NIC into promiscuous mode, but you won't see this with ifconfig. You'll see it in dmesg or /var/log/messages. Just for kicks, open two terminal windows. In one, run tail -f /var/log/messages. In the other, run tcpdump, then stop it. The first one will show something like
Nov 22 20:43:30 windbag kernel: eth0: Promiscuous mode enabled.
Nov 22 20:43:30 windbag kernel: device eth0 entered promiscuous mode
Nov 22 20:44:07 windbag kernel: eth0: Promiscuous mode enabled.
Nov 22 20:44:07 windbag kernel: device eth0 left promiscuous mode
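Those kernel messages are also the simplest way to notice a sniffer running on one of your own hosts. Here is an added example, not code from the original column, that reads syslog-style lines in the format shown above, pairs each "entered promiscuous mode" event with the matching "left" event for the same host and interface, and reports how long each window lasted plus any interface still promiscuous at the end of the log. The log lines, including the sshd line used as noise, are constructed.

```python
"""Audit kernel log lines for interfaces entering promiscuous mode (added example).

Not code from the original article. It reads syslog-style lines like the ones
shown above, pairs each "entered promiscuous mode" with the matching "left"
event for the same host and interface, and reports the duration of every
sniffing window plus any interface that is still promiscuous at the end of
the log. The log lines below are constructed.
"""
import re
from datetime import datetime
from typing import Dict, List, Tuple

PROMISC_RE = re.compile(
    r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) kernel: device (\S+) "
    r"(entered|left) promiscuous mode$"
)


def parse_syslog_time(stamp: str, year: int) -> datetime:
    # Classic syslog stamps carry no year, so the caller supplies one.
    return datetime.strptime(f"{year} {' '.join(stamp.split())}", "%Y %b %d %H:%M:%S")


def audit_promiscuous(lines: List[str], year: int = 2004):
    """Return (closed_windows, still_open).

    closed_windows: list of (host, iface, entered, left, seconds)
    still_open:     dict {(host, iface): entered} for interfaces never seen leaving
    """
    open_since: Dict[Tuple[str, str], datetime] = {}
    closed = []
    for line in lines:
        m = PROMISC_RE.match(line.rstrip())
        if not m:
            continue  # the driver's "Promiscuous mode enabled." line, or unrelated noise
        ts = parse_syslog_time(m.group(1), year)
        key = (m.group(2), m.group(3))
        if m.group(4) == "entered":
            open_since.setdefault(key, ts)  # keep the earliest start if repeated
        elif key in open_since:
            start = open_since.pop(key)
            closed.append((key[0], key[1], start, ts, int((ts - start).total_seconds())))
    return closed, open_since


# Constructed sample modelled on the lines tail -f /var/log/messages showed above.
SAMPLE_LOG = """\
Nov 22 20:43:30 windbag kernel: eth0: Promiscuous mode enabled.
Nov 22 20:43:30 windbag kernel: device eth0 entered promiscuous mode
Nov 22 20:43:45 windbag sshd[1234]: Accepted publickey for carla from 192.168.1.9
Nov 22 20:44:07 windbag kernel: eth0: Promiscuous mode enabled.
Nov 22 20:44:07 windbag kernel: device eth0 left promiscuous mode
Nov 22 23:05:12 windbag kernel: device eth1 entered promiscuous mode
"""

if __name__ == "__main__":
    closed, still_open = audit_promiscuous(SAMPLE_LOG.splitlines())
    for host, iface, start, end, secs in closed:
        print(f"{host} {iface}: promiscuous {start:%H:%M:%S}-{end:%H:%M:%S} ({secs}s)")
    for (host, iface), start in still_open.items():
        print(f"{host} {iface}: STILL promiscuous since {start:%b %d %H:%M:%S}")
```

A short window that lines up with your own tcpdump run is expected; an interface that entered promiscuous mode and never left, on a host where nobody is supposed to be sniffing, is worth a closer look.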
Foiled By Switches
If your LAN is blessed with switches instead of hubs, you cannot do this. You must first put the switch in SPAN (Switch Port Analyzer) mode. This is also called "port mirroring." Whatever you call it, it puts the switch in broadcast mode just like a hub, with one major difference: all the LAN traffic is directed to a sniffer port, so only you, the godlike admin, can see the packets. Low-cost SOHO switches, such as those made by Linksys, D-Link, and Netgear, cannot do this; this is a feature of higher-priced products from Cisco and Extreme.
Come back next week to learn some nifty network diagnostic tricks with tcpdump, such as finding signs of evil activity, diagnosing network problems, and sending tcpdump's output to binary files suitable for parsing by utilities like Ethereal and Snort.
Unlike my columns, RFCs are less-than-riveting reading. But they contain complete information.
- RFC 793 describes the Transmission Control Protocol (TCP) in exhaustive detail.
- RFC 1180 is an excellent tutorial.
- tcpdump home page