Wireless traffic sniffing question

[404]

I have a question about sniffing wireless traffic and I haven't really figured out one thing, despite reading manuals and howto's online. Can you sniff for certain strings (like plain text POP passwords, for instance with dsniff or tcpdump) directly on the packets you pick up, without actually being on the network? As far as I understand, these various sniffing tools recquire you to to connect to the network, which would mean you're not passively sniffing anymore and gave up your stealth.

Edit: I'm talking about traffic on non-WEP/WAP protected networks.

[Kateweb]

most requier to be on the network, and most passwords will be encrypted so even if you have the string your not going to get the password. you should take a look at the wiki in season 1 thay did a good episode on this the number escapes me at the moment and it's almost 2AM. after checking that out check out Auditor. but your still not going to find any encripted passwords ,and I'm not going to tell you how to get the other ones untill I know that your just playing in your own lab.

[404]

This question is not about passwords or auditing a network (mine or otherwise), but simply if packets can directly be sniffed for certain strings, without actually being part of the network.

In other words: if I send an unencrypted e-mail while using an open hotspot in the city, does that mean that there are packets flying through the air for everyone to pick up, containing the text of my email?

[cooper]

I would say "yes", but should also stress that I have no personal experience with this.

I know some tools require you to be on the network before you can work with anything inside the network, but strictly speaking there should be no reason for you to be on a wireless network in order to sniff it.

You won't be undetectable of course (something about a receiving-only device being detectable in spite of its passive network presence. DeGrijze can probably explain that one) but they shouldn't be able to notice you on the network as such.

[l0gic]

In other words: if I send an unencrypted e-mail while using an open hotspot in the city, does that mean that there are packets flying through the air for everyone to pick up, containing the text of my email?

That's the nature of a broadcast medium. Assuming you have a wireless adapter configured to listen promiscuously on the correct channel, you can receive all traffic traversing the WLAN without so much as associating to an access point.

[404]

Thanks for the replies. l0gic, that is how I understand it too, but I couldn't find a sniffing tool that does just that. With tools like ngrep and tcpdump you sniff packets pretty much the same way as you would on a wired network. Can you grep on any random packet your antenna picks up directly?

[Kateweb]

Ethereal is handy, but like othes is will list every thing it pics up like on a wired network. Thats what snifers do shows you ever random packet you would have to filter out the ones you do/not want to see. I have also plaed with Kismet and for that it shows a lot of what is around you it's a linux tool so you can't use it on windows. All scaner do prety much the same thing show you whats flying thro the air.

[nico]

Ethereal is handy, but like othes is will list every thing it pics up like on a wired network. Thats what snifers do shows you ever random packet you would have to filter out the ones you do/not want to see. I have also plaed with Kismet and for that it shows a lot of what is around you it's a linux tool so you can't use it on windows. All scaner do prety much the same thing show you whats flying thro the air.

You should go with wireshark (It' how ethereal is named now).

It is at least quite easy to sort by IP address of type of packet.

It helps you read a packet too.

You also can read packets in monitor mode, so you actually don't need to be connected to the wireless network. But you do need at least the key .

You should give it a try. It's a nice tool.

[404]

Ethereal is handy, but like othes is will list every thing it pics up like on a wired network. Thats what snifers do shows you ever random packet you would have to filter out the ones you do/not want to see. I have also plaed with Kismet and for that it shows a lot of what is around you it's a linux tool so you can't use it on windows. All scaner do prety much the same thing show you whats flying thro the air.

You should go with wireshark (It' how ethereal is named now).

It is at least quite easy to sort by IP address of type of packet.

It helps you read a packet too.

You also can read packets in monitor mode, so you actually don't need to be connected to the wireless network. But you do need at least the key .

You should give it a try. It's a nice tool.

Thanks Nico, that was the info I was after. The reason I hadn't looked into Wireshark was that it won't run on the specific platform I'm testing (Zaurus SL-5500 with Debian-like Openzaurus). Apparently you can get it to work with some tweaking though.

The reason I started this thread was because this seems like such an obvious feature, I wondered why there weren't any sniffing tools around that let you just grep on anything the interface picks up.