MSFN Forum: Intercept network traffic? - MSFN Forum

Intercept network traffic?

#1 Datalore

  • Friend of MSFN
  • Group: Members
  • Posts: 852
  • Joined: 05-October 03

Posted 13 March 2004 - 03:22 PM

Are there any programs out there that allow you to intercept network traffic, change it, and resend it to where it needs to go? I'm just wondering, and no I'm not planning on using this to intercept registration checks, spoof my uptime, or anything else. I simply want to see what kind of data my program is sending out. Thanks for any help.


#2 XtremeMaC

  • MSFN SuperB
  • Group: Members
  • Posts: 5,070
  • Joined: 13-October 03

Posted 15 March 2004 - 12:23 AM

Datalore, on Mar 13 2004, 04:22 PM, said:

registration checks, spoof my uptime, or anything else.

lol I see u've thought of those :)
(i don't have an answer...)

#3 timregester

  • Group: Members
  • Posts: 3
  • Joined: 11-March 04

Posted 15 March 2004 - 03:55 AM

Intercepting network traffic is done by ethernet analysers. These range from the open source to the damned expensive.

Open source is Ethereal, then there is Ultra Network Sniffer, through masses of commercial apps to a dedicated box called a Dolch at £20,000+.

All these apps will capture packets and frames and break them into constituent parts. Some will do the analysis for you (such as Expert mode in Network Associates Sniffer Pro); others will leave you to interpret the data.

To understand the results is the hardest bit; you will need to understand IP and Ethernet 802.3 to a pretty extreme level. The expert in Sniffer and similar utils in Packeteer make it simpler to interpret, but many leave it to an in-depth knowledge of the protocols involved.

Common port numbers will be easy: DNS, http, ftp, WINS, rpc, SMB etc. The less common ports will be more difficult to interpret and may rely on reference to IANA tables.

As for changing the data and resending, you cannot stop a packet, adjust the payload, SA or DA and resend with most analysers, but you can capture and resend later, though this utility leaves the data unchanged; it is used mainly for testing bandwidth. Changing the data and/or protocol-specific addresses and parameters for a simple IP packet is no easy task. There are issues with checksums etc. that make getting the destination machine to accept the changed data extremely complex. I am pretty sure some hacker has nailed this one at least in part, but since ethernet analysers are used for network support analysis, few of them will do this.

Finally, the placement of analysers is critical. Having one hang off a free network port on a switch will ordinarily show only broadcast traffic. If the switch is high end and managed it may have SPAN (in Cisco terms) or Roving port analysis (3Com) or similar technology so that traffic from the port the target device is connected to is mirrored to another port with the analyser connected. The analyser then receives all incoming and outgoing traffic from the port being monitored. If your switch has no such feature then dropping the speed to half duplex and using a real hub/repeater is the only alternative.

So to sum up: if you want network traffic analysis, get an analyser; to change the data and resend, look elsewhere.

If money is no object and switches support it you could also use RMON.
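
Added example, not part of timregester's post and not code from any analyser named in the thread: a minimal Python dissector that splits a frame into the parts an analyser displays and verifies the IPv4 header checksum (RFC 1071), showing why a header changed in transit no longer validates. The frame, addresses and function names are constructed for illustration; the sample's TCP checksum is left at zero and is not checked.

```python
import struct

# Ports the post names, with their IANA service names.
WELL_KNOWN = {21: "ftp", 53: "dns", 80: "http", 135: "epmap (rpc)",
              137: "netbios-ns (wins)", 445: "microsoft-ds (smb)"}

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def sample_frame() -> bytes:
    """Constructed Ethernet II / IPv4 / TCP SYN frame (documentation addresses)."""
    eth = bytes.fromhex("020000000002" "020000000001" "0800")
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 0, 0x50, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return eth + ip + tcp

def dissect(frame: bytes) -> dict:
    """Split a frame into analyser-style fields and check the IP header checksum."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    ihl = (frame[14] & 0x0F) * 4                 # header length in bytes
    header = frame[14:14 + ihl]
    proto, src, dst = header[9], header[12:16], header[16:20]
    sport, dport = struct.unpack("!HH", frame[14 + ihl:18 + ihl])
    return {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "proto": proto, "sport": sport, "dport": dport,
        "service": WELL_KNOWN.get(dport, "unknown (check the IANA registry)"),
        # A valid header sums to zero when its own checksum field is included.
        "ip_checksum_ok": inet_checksum(header) == 0,
    }

if __name__ == "__main__":
    original = sample_frame()
    altered = bytearray(original)
    altered[14 + 19] ^= 0x01    # last octet of the destination address changes
    print(dissect(original))
    print(dissect(bytes(altered)))
```
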

#4 Datalore

  • Friend of MSFN
  • Group: Members
  • Posts: 852
  • Joined: 05-October 03

Posted 15 March 2004 - 03:34 PM

Wow, thanks for the extremely informational post, timregester! That just flew right over my head, but I picked up on the words "expensive" and "next to impossible" :) So much for spoofing my uptime err, uh, what was my original excuse? Something about analyzing my own apps? Whatever... :rolleyes:

#5 XtremeMaC

  • MSFN SuperB
  • Group: Members
  • Posts: 5,070
  • Joined: 13-October 03

Posted 15 March 2004 - 05:45 PM

hahah :)
those words can express much..

Copyright © 2001 - 2011 msfn.org