Network Traffic

Ettercap

A MiTM (man-in-the-middle) tool:

sudo ettercap -G //launch the GUI

//Sniffing modes: Unified - sniff everything on one interface; Bridged - only look at traffic passing between 2 NICs

  1. Select your interface

  2. Hosts -> Scan for hosts //may take a while on a large subnet

  3. Hosts -> Host list; from here we pick the victims and add them as targets //keep the target list minimal so we don't DoS ourselves

  4. MiTM -> (select attack) //ARP Poison, ICMP Redirect, Port Stealing, DHCP Spoof

WireShark

Wireshark capture libraries: libpcap (Linux) / WinPcap (Windows). Capture filters are applied while capturing and only accept packets that match the filter; display filters are applied afterwards to section the data already captured.

Wireshark capture filter syntax: only grab traffic for the host on port 4444

Grab traffic for a CIDR range: net 10.11.1.0/24

//he also disabled name resolution in the Capture Options for both MAC and Transport resolution to make the output easier to read

DISPLAY FILTERS: tcp.port == 21 only shows FTP traffic; from there you can right-click a packet and Follow -> TCP Stream to see the full interaction.
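The ARP Poison attack from the Ettercap section is what a defender looks for with an `arp` display filter: one IP being answered for by two different MACs, or one MAC answering for several IPs. The script below is an added example (not part of the original notes) that runs that check over a constructed list of ARP replies; the packet values are made up for the demo.

```python
from collections import defaultdict

# Constructed ARP "is-at" replies as (time_s, sender_ip, sender_mac).
# These are sample values for the demo, not taken from a real capture.
ARP_REPLIES = [
    (0.0, "10.11.1.1",  "00:11:22:33:44:01"),  # gateway, legitimate owner
    (0.5, "10.11.1.20", "00:11:22:33:44:20"),  # workstation, legitimate owner
    (3.2, "10.11.1.1",  "00:11:22:33:44:99"),  # gateway IP now claimed by a second MAC
    (3.3, "10.11.1.20", "00:11:22:33:44:99"),  # workstation IP claimed by that same MAC
    (9.0, "10.11.1.1",  "00:11:22:33:44:01"),  # legitimate owner answers again
]


def find_arp_conflicts(replies):
    """Map each IP claimed by more than one MAC to the sorted list of MACs.

    A single IP answered for by two MACs is the visible effect of ARP poisoning
    (the poisoner's MAC competes with the real owner's in everyone's ARP cache).
    """
    macs_by_ip = defaultdict(set)
    for _, ip, mac in replies:
        macs_by_ip[ip].add(mac.lower())
    return {ip: sorted(macs) for ip, macs in macs_by_ip.items() if len(macs) > 1}


def suspected_poisoners(replies):
    """Return MACs that claim two or more different IPs.

    A MiTM between a host and its gateway must claim both addresses. Routers and
    proxy-ARP setups legitimately do this too, so treat hits as leads to verify,
    not proof.
    """
    ips_by_mac = defaultdict(set)
    for _, ip, mac in replies:
        ips_by_mac[mac.lower()].add(ip)
    return sorted(mac for mac, ips in ips_by_mac.items() if len(ips) > 1)


if __name__ == "__main__":
    for ip, macs in find_arp_conflicts(ARP_REPLIES).items():
        print(f"{ip} answered for by {len(macs)} MACs: {', '.join(macs)}")
    for mac in suspected_poisoners(ARP_REPLIES):
        print(f"{mac} claims multiple IPs (possible ARP poisoner)")
```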
