How to set up Wireshark with machine-in-the-middle PC?

Viewing 19 reply threads
    • #5918
      macattack
      Participant

      I’m not skilled in networking, but I have some of the basics.  I need to know how to set up Wireshark so I can analyze the traffic between my Mac and my router.  I have a separate Windows machine I can use for this.  From what I’ve read here:

      http://wiki.wireshark.org/CaptureSetup/Ethernet

      I need another NIC card in my Windows machine in order to complete the setup.  Thing is, I don’t really know how to set it up in Wireshark.  It would be great if someone held my hand and stepped it out, but this may be unrealistic.  If so, can someone point me in the direction to learn how to do this?  I’ve been able to observe the traffic on the Windows machine Wireshark is installed on, but not the Mac.

      In case you’re curious, I believe I may have malware on my Mac connecting to the network, and I want to monitor the traffic to determine if my hunch is correct.

      Thanks in advance.

    • #37063
      ziggy_567
      Participant

      Why don’t you install Wireshark on your Macintosh? That would be where I began….

    • #37064
      macattack
      Participant

      In my searches, I read somewhere that I should use a separate machine for ‘sniffing’ the packets.

      Perhaps this is due to the possibility of malicious software interfering with the results?  I don’t know why it was suggested.

      Incidentally, I did install Wireshark on my Mac…but apparently it’s quite difficult to get set up properly with the correct permissions.  I read a few blog posts on it and even they seemed cryptic.

      About that time I read the suggestion for a separate machine, and Wireshark works beautifully on my Windows PC, so I thought I’d go with that setup instead.

    • #37065
      eth3real
      Participant

      I would also start with getting Wireshark to work on the Mac. But, if you put both machines on a network hub (not a switch), you should be able to sniff the packets without two NICs on your PC.

    • #37066
      ziggy_567
      Participant

      What type of router/switch are we talking about?

      If you have Cisco gear, it’s pretty easy to set up a spanning port. If you’re talking about a Linksys/D-Link (or similar) router, it’s a bit more difficult/less reliable.

      Do some searches on arp spoofing. You’ll find a ton of “how-to’s”. If you don’t want to do arp spoofing, you can route your traffic from the Mac to your Windows box, but I do believe you’ll need multiple NICs on the Windows box at that point.

    • #37067
      rattis
      Participant

      I think the first question, out of all the ways you could capture the data, is why you want to do a man-in-the-middle?

      This link will tell you how to bridge the connection, after you get the second wireless card.

      http://www.windowsnetworking.com/articles_tutorials/wxpbrdge.html

      Other ways of doing what you want, which will be better in my opinion:

      – Use a hub (not a switch), which are harder to get these days, but can be done.

      – build a network tap (I like this option the most). Little bit of physical hardware hacking and you can get some neat options.

      When you do this, other than the M-I-T-M, you’ll probably not want to configure your network interface card. It keeps traffic like arp and the like for the card, out of the capture. Just set the card to unconfigured and let it capture all the traffic coming to it. Promiscuous mode will probably work better.

    • #37068
      macattack
      Participant

      Thanks for all the advice.  The link to the bridge setup is very helpful.

      Can someone recommend a good hub to purchase online?  Preferably a lower-cost one.  Newegg, Amazon, etc.

    • #37069
      prats84
      Participant

      There are a few ways of doing so, as already described by many guys:
      – getting a hub
      – arpspoof
      – span port (high-end routers)

      But much before all that you should learn about switching and routing, at the least how they work and why a hub is required to sniff out things. The best learning in hacking is not to just know how to use tools but to know how things work and then how the tools work.

      Just a little addition of my experience

    • #37070
      macattack
      Participant

      I got Wireshark running (finally) on my Mac.

      Sadly, I’m left with more questions than answers.

      I’ve been looking for rare flashes on my router coming from my Mac that don’t show up on my app firewall reporting tool (Little Snitch).  When it occurred with Wireshark, I get a lot of black with red text going to Google of all places:

      1 0.000000000 209.85.231.148 192.168.1.2 TCP http > 49194 [FIN, ACK] Seq=1 Ack=1 Win=8190 Len=0

      2 0.000099000 192.168.1.2 209.85.231.148 TCP 49194 > http [ACK] Seq=1 Ack=2 Win=65535 Len=0

      4 0.166031000 192.168.1.2 72.14.203.102 TCP 49166 > http [ACK] Seq=1 Ack=2 Win=65535 Len=0

      5 1.733916000 209.85.231.148 192.168.1.2 TCP https > 49223 [FIN, ACK] Seq=1 Ack=1 Win=128 Len=0 TSV=2459718423 TSER=112577780

      6 1.733920000 209.85.231.148 192.168.1.2 TLSv1 [TCP Out-Of-Order] Application Data

      7 1.733924000 209.85.231.148 192.168.1.2 TLSv1 [TCP Out-Of-Order] Application Data

      8 1.734040000 192.168.1.2 209.85.231.148 TCP 49223 > https [ACK] Seq=1 Ack=4294967199 Win=65535 Len=0 TSV=112580177 TSER=2459478419

      9 1.734112000 192.168.1.2 209.85.231.148 TCP 49223 > https [ACK] Seq=1 Ack=4294967260 Win=65528 Len=0 TSV=112580177 TSER=2459718423

      10 1.734156000 192.168.1.2 209.85.231.148 TCP 49223 > https [ACK] Seq=1 Ack=2 Win=65523 Len=0 TSV=112580177 TSER=2459718423

      11 1.735159000 192.168.1.2 209.85.231.148 TCP 49223 > https [FIN, ACK] Seq=1 Ack=2 Win=65535 Len=0 TSV=112580177 TSER=2459718423

      All are red except 1 & 3 (green) and 5 (gray).

      Does this seem normal or is it worth looking into more?

    • #37071
      rattis
      Participant

      I don’t know what the colors mean. Never have. 🙂

      But if you click the packet you can drill down into the details more and see.

      I don’t know about Macs, but on Linux and Windows you can use tools like NetActView and TCPView to see what is causing the connections in the background.

      netstat might do the job from a command line window.

      *edit
      Not having a Mac, I’m not familiar with Little Snitch, not sure if it has the stream program feature, but even then try netstat -tpan from the cli.

      red and black wireshark:
      http://www.networkworld.com/community/node/45655

    • #37072
      sil
      Participant

      Normal traffic but you’re not giving enough for anyone to go by. Your entire network capture simply shows a connection between your machine and Google so here is the breakdown of what occurred:

      1  0.000000000  209.85.231.148  192.168.1.2  TCP  http > 49194 [FIN, ACK] Seq=1 Ack=1 Win=8190 Len=0

      Google is attempting to close the connection to Google via the web… (FIN, ACK)

      2  0.000099000  192.168.1.2  209.85.231.148  TCP  49194 > http [ACK] Seq=1 Ack=2 Win=65535 Len=0

      Your machine is still trying to connect to Google however, since no SYN is seen, solely another ACK, Google’s FIN will never timeout and the connection won’t close.

      4  0.166031000  192.168.1.2  72.14.203.102  TCP  49166 > http [ACK] Seq=1 Ack=2 Win=65535 Len=0

      Your machine is still trying to connect to Google as no SYN is seen, solely another ACK… same as above

      5  1.733916000  209.85.231.148  192.168.1.2  TCP  https > 49223 [FIN, ACK] Seq=1 Ack=1 Win=128 Len=0 TSV=2459718423 TSER=112577780

      Google is waiting for an HTTPS session to close (maybe GMail or Google talk, one of them) this is evident by the FIN, ACK packet

      6  1.733920000  209.85.231.148  192.168.1.2  TLSv1  [TCP Out-Of-Order] Application Data

      Google is telling you that there is likely packet loss as your packets are arriving “Out of order”

      7  1.733924000  209.85.231.148  192.168.1.2  TLSv1  [TCP Out-Of-Order] Application Data

      Google is telling you that there is likely packet loss as your packets are arriving “Out of order”

      8  1.734040000  192.168.1.2  209.85.231.148  TCP  49223 > https [ACK] Seq=1 Ack=4294967199 Win=65535 Len=0 TSV=112580177 TSER=2459478419

      Your machine is still trying to connect to Google via https

      9  1.734112000  192.168.1.2  209.85.231.148  TCP  49223 > https [ACK] Seq=1 Ack=4294967260 Win=65528 Len=0 TSV=112580177 TSER=2459718423

      Your machine is still trying to connect to Google via https

      10  1.734156000  192.168.1.2  209.85.231.148  TCP  49223 > https [ACK] Seq=1 Ack=2 Win=65523 Len=0 TSV=112580177 TSER=2459718423

      Your machine is still trying to connect to Google via https

      11  1.735159000  192.168.1.2  209.85.231.148  TCP  49223 > https [FIN, ACK] Seq=1 Ack=2 Win=65535 Len=0 TSV=112580177 TSER=2459718423

      Your machine is trying to close the connection to Google.

      Why is your machine trying to send such big window sizes? In your terminal just type: sudo sysctl -w net.inet.tcp.rfc1323=1

      http://en.wikipedia.org/wiki/TCP_window_scale_option
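To make a breakdown like the one above repeatable on a longer capture, here is an added Python example (not code from the thread, and not part of Wireshark) that parses summary lines in exactly the format pasted above, groups them by conversation and tags each frame with the conditions the discussion turns on: FIN flags, a small advertised window, Wireshark’s “Out-Of-Order” mark, and relative ACK values just below 2^32. Those last values are not huge real acknowledgement numbers: Wireshark’s relative numbering is unsigned 32-bit arithmetic, so an ACK below the baseline it picked for the conversation wraps around, and 4294967199 is simply baseline minus 97. The ten sample lines are the frames from the post; the threshold of 1024 bytes and the tag names are my own choices.

```python
import re
from collections import Counter

# The ten summary lines quoted in the thread: frame, time, src, dst, proto, info.
CAPTURE_SUMMARY = """\
1 0.000000000 209.85.231.148 192.168.1.2 TCP http > 49194 [FIN, ACK] Seq=1 Ack=1 Win=8190 Len=0
2 0.000099000 192.168.1.2 209.85.231.148 TCP 49194 > http [ACK] Seq=1 Ack=2 Win=65535 Len=0
4 0.166031000 192.168.1.2 72.14.203.102 TCP 49166 > http [ACK] Seq=1 Ack=2 Win=65535 Len=0
5 1.733916000 209.85.231.148 192.168.1.2 TCP https > 49223 [FIN, ACK] Seq=1 Ack=1 Win=128 Len=0 TSV=2459718423 TSER=112577780
6 1.733920000 209.85.231.148 192.168.1.2 TLSv1 [TCP Out-Of-Order] Application Data
7 1.733924000 209.85.231.148 192.168.1.2 TLSv1 [TCP Out-Of-Order] Application Data
8 1.734040000 192.168.1.2 209.85.231.148 TCP 49223 > https [ACK] Seq=1 Ack=4294967199 Win=65535 Len=0 TSV=112580177 TSER=2459478419
9 1.734112000 192.168.1.2 209.85.231.148 TCP 49223 > https [ACK] Seq=1 Ack=4294967260 Win=65528 Len=0 TSV=112580177 TSER=2459718423
10 1.734156000 192.168.1.2 209.85.231.148 TCP 49223 > https [ACK] Seq=1 Ack=2 Win=65523 Len=0 TSV=112580177 TSER=2459718423
11 1.735159000 192.168.1.2 209.85.231.148 TCP 49223 > https [FIN, ACK] Seq=1 Ack=2 Win=65535 Len=0 TSV=112580177 TSER=2459718423
"""

# Matches the TCP part of the Info column: "sport > dport [FLAGS] Seq= Ack= Win= Len=".
TCP_INFO = re.compile(
    r"(?P<sport>\S+) > (?P<dport>\S+) \[(?P<flags>[^\]]*)\] "
    r"Seq=(?P<seq>\d+) Ack=(?P<ack>\d+) Win=(?P<win>\d+) Len=(?P<len>\d+)"
)


def parse_summary(text):
    """Turn Wireshark summary lines into dicts; TCP fields are added when present."""
    records = []
    for line in text.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue  # skip blank or truncated lines
        frame, ts, src, dst, proto, info = parts
        rec = {"frame": int(frame), "time": float(ts), "src": src, "dst": dst,
               "proto": proto, "info": info, "ooo": "Out-Of-Order" in info}
        m = TCP_INFO.search(info)
        if m:
            rec.update(sport=m["sport"], dport=m["dport"],
                       flags=[f.strip() for f in m["flags"].split(",")],
                       seq=int(m["seq"]), ack=int(m["ack"]),
                       win=int(m["win"]), length=int(m["len"]))
        records.append(rec)
    return records


def signed_relative(value):
    """Wireshark relative seq/ack numbers are unsigned 32-bit values; one just
    below 2**32 is really a small negative offset from the conversation baseline."""
    return value - 2**32 if value >= 2**31 else value


def triage(records, small_window=1024):
    """Tag frames with the conditions worth a second look (threshold is my own)."""
    findings = []
    for r in records:
        if r["ooo"]:
            findings.append((r["frame"], "out-of-order"))
        if "win" in r:
            if r["win"] < small_window:
                findings.append((r["frame"], "small-window"))
            if signed_relative(r["ack"]) < 0:
                findings.append((r["frame"], "ack-below-baseline"))
            if "FIN" in r["flags"]:
                findings.append((r["frame"], "fin"))
    return findings


def conversations(records):
    """Count frames per endpoint pair, ignoring direction."""
    counts = Counter()
    for r in records:
        counts[tuple(sorted((r["src"], r["dst"])))] += 1
    return counts


if __name__ == "__main__":
    recs = parse_summary(CAPTURE_SUMMARY)
    for pair, n in conversations(recs).items():
        print("%s <-> %s: %d frames" % (pair[0], pair[1], n))
    for frame, tag in triage(recs):
        print("frame %2d: %s" % (frame, tag))
```

Run as-is it lists the two conversations in the post and tags frame 5 (window of 128), frames 6 and 7 (out-of-order) and frames 8 and 9 (ACK below baseline, i.e. -97 and -36). Feeding it a whole overnight capture exported with Wireshark’s File > Export Packet Dissections (summary columns) gives the same tags per frame without clicking through each one.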

    • #37073
      macattack
      Participant

      “…you’re not giving enough for anyone to go by.”

      I was hoping it was enough info to ensure data wasn’t being transmitted to a malicious server, possibly through a keylogger or something else.  Does the info provided allow you to confirm that isn’t happening?

      Great description of the traffic BTW.  Thank you very much.

      “maybe GMail or Google talk”
      Was encrypted search (Beta).  Just left the window open and waited for the led light to flash on my router without Little Snitch reporting it.  Then stopped the capture and examined it.

      “Why is your machine trying to send such big windows sizes?”

      I have no idea.  This is a fresh install of Snow Leopard (on a new machine).  I’m guessing it’s the default for Chrome?

      On the CL
      sysctl net.inet.tcp.rfc1323
      Returns:
      net.inet.tcp.rfc1323: 1

      I will sudo the command though.

      “try netstat -tpan from the cli.”
      Responds with:
      netstat: an: unknown or uninstrumented protocol

      “But if you click the packet you can drill down into the details more and see.”

      The only thing interesting I saw was this:
      Header checksum: 0x000 Incorrect, should be 0x1da9 (or similar)
      This was basically the same for 2, 4, 8, 9, 10, and 11.
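The “Header checksum: 0x0000 Incorrect, should be …” detail on frames 2, 4, 8, 9, 10 and 11, which are exactly the frames sent by 192.168.1.2, the machine doing the capturing, is the usual signature of checksum offload: the kernel hands the packet to the NIC with the field still zero, the capture library copies it at that point, and the NIC fills the checksum in afterwards, so the copy on the wire is fine even though the local capture shows 0x0000. The added Python example below is not code from the thread or from Wireshark; it computes the RFC 791 IPv4 header checksum over a constructed 20-byte header (the two addresses are from the post, every other field is made up) and reproduces Wireshark’s verdict for both the offloaded header and the completed one.

```python
import struct


def ones_complement_sum(data: bytes) -> int:
    """Sum 16-bit big-endian words, folding carries back in (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ipv4_header_checksum(header: bytes) -> int:
    """Checksum the sender should have stored: computed with the checksum
    field (bytes 10-11) treated as zero, then one's-complemented."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return (~ones_complement_sum(zeroed)) & 0xFFFF


def check_header(header: bytes) -> dict:
    """Mimic Wireshark's verdict: stored value, expected value, do they agree."""
    stored = struct.unpack("!H", header[10:12])[0]
    expected = ipv4_header_checksum(header)
    return {"stored": stored, "expected": expected, "valid": stored == expected}


def build_header(src, dst, total_length=40, ident=0x1234, ttl=64, proto=6, checksum=0):
    """Constructed IPv4 header without options (version 4, IHL 5, DF set).
    checksum=0 is what the kernel leaves in place when the NIC is expected
    to fill the field in (checksum offload); a capture taken on that host
    sees the zero, the wire sees the completed value."""
    src_bytes = bytes(int(o) for o in src.split("."))
    dst_bytes = bytes(int(o) for o in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, ident, 0x4000,
                       ttl, proto, checksum, src_bytes, dst_bytes)


if __name__ == "__main__":
    # What the capturing Mac sees for its own outbound frames.
    offloaded = build_header("192.168.1.2", "209.85.231.148")
    v = check_header(offloaded)
    verdict = "correct" if v["valid"] else "incorrect, should be 0x%04x" % v["expected"]
    print("local capture:  Header checksum: 0x%04x [%s]" % (v["stored"], verdict))
    # What the same frame looks like once the NIC has filled the field in.
    on_wire = build_header("192.168.1.2", "209.85.231.148", checksum=v["expected"])
    print("on the wire:    valid=%s" % check_header(on_wire)["valid"])
```

A quick way to confirm the offload explanation on a real capture is to look at whether only the capturing host’s own outbound frames carry the 0x0000; inbound frames, which arrive with the checksum already computed by the sender, should validate. Wireshark also lets you turn the IPv4 checksum validation off in the protocol preferences once you have confirmed that is the cause.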

    • #37074
      sil
      Participant

      @macattack wrote:

      I was hoping it was enough info to ensure data wasn’t being transmitted to a malicious server, possibly through a keylogger or something else.  Does the info provided allow to confirm that isn’t happening?

      There’s no definitive way to determine this because of TLS for one, secondly, you didn’t give enough data. If you think that “oh, it’s only Google…” then you’re in for a surprise. How do you know someone didn’t compromise a machine at Google and client side you? (http://threatpost.com/en_us/blogs/inside-aurora-google-attack-malware-011910) There is no definitive way to determine WHAT data inside of encrypted packets was sent. The LIKELIHOOD of it being something malicious is altogether different. What I can tell is that it’s just a funky connection with some packet loss.

    • #37075
      macattack
      Participant

      So perhaps I should log into google via non-https, wait for the LED flash, and check the packets?

      Still wouldn’t guarantee there isn’t a keylogger or something else.

      Anti-virus isn’t foolproof to find or remove any, either.

      I wish there was a way to ensure there are no keyloggers on a computer.  What do organizations do to guarantee they don’t have this kind of problem?

      Is there a service that can inspect and guarantee removal?

      I’m reaching here I guess.

    • #37076
      sil
      Participant

      You seem to be confused about what a keylogger typically does. Most keyloggers record your keystrokes to a FILE located ON your machine and then transfer that file elsewhere. Trying to dissect every single connection that your machine makes would drive you insane. As a test, pick a date that you KNOW you will NOT be using your machine. On that date, start up tcpdump or Wireshark to catch what is going on… Let it run all day if possible, then try making sense of it afterwards. My suggestions, use Netwitness Investigator + Wireshark.

      One would be surprised to see the amount of connections coming in and out of a machine without any intervention. If you ‘assume’ something odd is occurring, throw on Snort as an EXTRUSION detection system, fire up SGUIL. Invert the rules so you can see and log what occurs on outbound connections. This is your best bet to see any truly anomalous connections.
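The “quiet day” idea in the post (capture while the machine is idle, then compare later traffic against it) can be turned into a small baseline check. The Python example below is added here and is not code from the thread or from any of the tools mentioned: it builds the set of (destination, port, protocol) triples the Mac contacted outbound on the quiet day, then reports the triples in a later capture that were never seen before, with first-seen time and hit count, which is the “log what occurs on outbound connections” part in miniature. The connection lines, their one-line format and the 203.0.113.7 destination (documentation address range) are constructed for the example; the local address is the one from the thread.

```python
from collections import Counter

LOCAL_IP = "192.168.1.2"  # the Mac from the thread

# Constructed quiet-day outbound connections: time src:port dst:port proto.
QUIET_DAY = """\
00:00:05 192.168.1.2:49201 192.168.1.1:53 UDP
00:00:05 192.168.1.2:49202 209.85.231.148:443 TCP
06:00:00 192.168.1.2:49203 192.168.1.1:53 UDP
06:00:01 192.168.1.2:49204 209.85.231.148:443 TCP
12:00:00 192.168.1.2:49205 192.168.1.1:123 UDP
18:00:00 192.168.1.2:49206 209.85.231.148:80 TCP
"""

# Constructed later capture; one destination/port pair never seen on the quiet day.
LATER = """\
09:00:00 192.168.1.2:49301 192.168.1.1:53 UDP
09:00:01 192.168.1.2:49302 209.85.231.148:443 TCP
09:00:02 192.168.1.2:49303 203.0.113.7:8443 TCP
09:00:03 192.168.1.2:49304 203.0.113.7:8443 TCP
09:10:00 209.85.231.148:443 192.168.1.2:49302 TCP
"""


def parse_connections(text):
    """Yield one dict per line of the constructed 'time src:port dst:port proto' format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, dst, proto = line.split()
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        yield {"time": t, "src": sip, "sport": int(sport),
               "dst": dip, "dport": int(dport), "proto": proto}


def outbound(records, local_ip=LOCAL_IP):
    """Keep only connections initiated from the local machine."""
    return [r for r in records if r["src"] == local_ip]


def build_baseline(text, local_ip=LOCAL_IP):
    """Set of (dst, dport, proto) triples seen outbound during the quiet period."""
    return {(r["dst"], r["dport"], r["proto"])
            for r in outbound(parse_connections(text), local_ip)}


def flag_new(text, baseline, local_ip=LOCAL_IP):
    """Outbound triples in a later capture that are absent from the baseline,
    most frequent first, each with its hit count and first-seen time."""
    hits = Counter()
    first_seen = {}
    for r in outbound(parse_connections(text), local_ip):
        key = (r["dst"], r["dport"], r["proto"])
        if key not in baseline:
            hits[key] += 1
            first_seen.setdefault(key, r["time"])
    return [{"dst": k[0], "dport": k[1], "proto": k[2],
             "count": n, "first_seen": first_seen[k]}
            for k, n in hits.most_common()]


if __name__ == "__main__":
    baseline = build_baseline(QUIET_DAY)
    print("baseline:", sorted(baseline))
    for hit in flag_new(LATER, baseline):
        print("NEW outbound %s:%d/%s x%d, first seen %s"
              % (hit["dst"], hit["dport"], hit["proto"], hit["count"], hit["first_seen"]))
```

The baseline deliberately keys on destination and port rather than on source port, since the client side changes on every connection. Anything flagged is only “not seen before”, not “malicious”; the value is that it shrinks an overnight capture to the handful of destinations worth opening in Wireshark.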

    • #37077
      eth3real
      Participant

      @macattack wrote:

      I wish there was a way to ensure there are no keyloggers on a computer.  What do organizations do to guarantee they don’t have this kind of problem?

      Is there a service that can inspect and guarantee removal?

      Is there something keeping you from formatting the drive and reinstalling the operating system? That should have been your first choice if you think there is malware on your system. That is the only guaranteed way to remove a potential threat.

    • #37078
      eth3real
      Participant

      @macattack wrote:

      I’ve been looking for rare flashes on my router coming from my mac that don’t show up on my app firewall reporting tool (Little Snitch).

      A few questions about this:

      • Does “Little Snitch” periodically check for updates?
      • Is it set to allow your web browser permanent access to the internet?
      • If so, is the browser periodically checking for updates?
      • If you still have browser open, could it be refreshing websites?
      • Could there be any other Google products installed, which you have allowed access through “Little Snitch”, that might be checking for updates?

    • #37079
      rattis
      Participant

      If you really want an idea of what your box is doing, close all the apps you have running (except Wireshark) and let it run over night.

      Depending on WHAT on your router is flashing, it could just be keep alives or some other background noise to keep your system up to date.

      Running wireshark over night will give you a lot of data to look at, but if you want to learn how to do analysis you’ll need the practice anyway.

    • #37080
      macattack
      Participant

      “Does “Little Snitch” periodically check for updates”
      Yes, but its auto-updates are turned off.

      “Is it set to allow your web browser permanent access to the internet”
      Yes but it reports every time the browser accesses and where it connects.

      “Running wireshark over night…”
      Will try out tonight.  And will look into Snort and SGUIL.

      Thanks again

    • #37081
      WCNA
      Participant

      This thread is old but I’ve got to start somewhere and maybe this will help someone else.

      “I need to know how to set up Wireshark so I can analyze the traffic between my Mac and my router.”

      As another commenter suggested, the way to go in your situation is to set up Wireshark on your machine and then choose the interface you want to capture traffic on. While it may be possible for malware to mess with Wireshark, it’s highly unlikely as black hats are usually looking for a different type of user to abuse. As the saying goes, packets don’t lie.

      “What type of router/switch are we talking about?”

      Most managed switches have port monitoring. A hub is another route but there are quite a few hubs out there that are actually switches. The proper way would be to buy an aggregating tap like netoptics.com. Personally, I use the small mikrotik rb750 as a tap. You can build a tap but it will only be half-duplex.

      “I get a lot of black with red text…”

      Always bad. The default color rules have some bad traffic labeled as black/red. You can always tell what a coloring rule is based on by looking at the bottom of the list in the frame section or clicking on the coloring rules button. If you see striping in a trace, it is almost always bad. The trace you provided isn’t large enough to get a full picture of what is going on with your machine. Use the display filters to get a clearer picture. If you don’t know how, get the Wireshark book or get the training at chappellu.com. I took her all-access course and it taught me quite a lot about the packet level and protocols. Wireshark is easy to use but packet tracing and deciphering what you see in front of you is an art form. It’s easy to get lost with all that data but the packets will tell you absolutely what is going on, if you can figure it out. Packets don’t lie. Packet 5 has a window size of 128 and you have essentially hit a zero window and will start dropping packets, hence the 2 out-of-order packets that follow it.


Copyright ©2021 Caendra, Inc.