Results 1 to 7 of 7

Thread: Problem with dsniff on loopback (driftnet works fine)

  1. #1
    Just burned his ISO
    Join Date
    Jul 2008
    Posts
    3

    Default Problem with dsniff on loopback (driftnet works fine)

    Hi all,

    I'm having problems using dsniff, urlsnarf, msgsnarf etc on BT3 final.

    Here is what I have done: -

    1. Captured packets with Kismet (locked onto a specific wireless channel)
    2. Decrypted them: "airdecap-ng -b (AP address) -w (WEP key) Kismet.dump"
    3. Started urlsnarf listening on loopback: "urlsnarf -i lo"
    4. Started driftnet listening on loopback: "driftnet -i lo"
    5. Replayed the pakets on loopback: "tcpreplay -R Kismet-dec.dump -i lo"

    Driftnet works fine, but I can't get urlsnarf (and dsniff etc) working at all.

    I'm using the versions in BT3 final (dsniff, urlsnarf 2.4 & tcpreplay 2.3.5 & driftnet 0.1.6)

    I've seen similar threads but not exactly the same, and no solution. Has anybody got any ideas?

    Thanks.

  2. #2
    Senior Member
    Join Date
    Apr 2008
    Posts
    2,008

    Default

    Try lowering the rate at which you replay the dump file: I find that dsniff have trouble picking up the appropriate information when broadcasting at too high a rate.
    -Monkeys are like nature's humans.

  3. #3
    Just burned his ISO
    Join Date
    Jul 2008
    Posts
    3

    Default

    Thanks.

    I've just tried without the "-R" (replay as fast as possible) but still no joy.

    If I have a window running "tcpdump -i lo", I can see www hosts....

    Any other ideas?

    Cheers.

  4. #4
    Senior Member
    Join Date
    Apr 2008
    Posts
    2,008

    Default

    Have you tried manually specifying a lower rate using the -r 1 option for example, as I am not sure what speed tcpreplay uses by default?

    Also as far as I remember mainly dsniff have trouble working with high speeds, not urlsnarf. I just tried out urlsnarf on my BT3F and it is working perfectly even using the -R option in tcpreplay. Therefore I have to ask whether you are 100 % certain that the dump file contains any URL information?
    -Monkeys are like nature's humans.

  5. #5
    Just burned his ISO
    Join Date
    Jul 2008
    Posts
    3

    Default

    Hi,

    Thanks again but yes, I tried that. It looks like the default behaviour of tcpreplay is to replay at the speed it was captured.

    Here are my results: -

    No speed parameter passed: -
    Code:
    tcpreplay Kismet.dump -i lo
    40625.9 bytes/sec 0.31 megabits/sec 30 packets/sec
    Rate=1 : -
    Code:
    tcpreplay -r 1 Kismet.dump -i lo
    131084.8 bytes/sec 1.00 megabits/sec 99 packets/sec
    As fast as possible: -
    Code:
    tcpreplay -R Kismet.dump -i lo
    129479165.2 bytes/sec 987.85 megabits/sec 9860 packets/sec
    Any other ideas? All other threads seem to say that tcpreplay 2.3.5 works fine via loopback. Thinking about it, tcpdump seems to show the data fine so perhaps its the dsniff tools...

    I seem to remember an older (or patched) version of the dsniff tools could read directly from a file?

  6. #6
    Just burned his ISO
    Join Date
    May 2006
    Posts
    3

    Default

    from memory tcpreplay will go as fast as it possibly can unless you tell it otherwise

  7. #7
    Senior Member
    Join Date
    Apr 2008
    Posts
    2,008

    Default

    Quote Originally Posted by incubii View Post
    from memory tcpreplay will go as fast as it possibly can unless you tell it otherwise
    No it will only run at MAX speed if you use the -R switch, as Finster's previous post clearly shows.
    -Monkeys are like nature's humans.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •