- Wireshark – find source of traffic
- Capsa Network Analyzer – Graphical analysis (maybe good for source of DOS attack)
- SMAC – For Mac spoofing (In sniffing lab)
- Cain for MITM (In sniffing lab)
- Detect ARP Poisioning – Wireshark
- Detect ARP Poisioning – Xarp (Can display entire network worth running)
From windows box
A. Open Wireshark
B. Tcp.port ==(ip address)
E. Filter HTTP traffic by issuing http.request.method == “POST” syntax in the Filter field
F. Expand the HTML Form URL Encoded heading in the packet details pane
G. Wireshark displays the password entered by the user in plain text.
Capture REMOTE Packets
In Sniffing Lab
CAPSA Network Analyzer
From windows box
A. Open Colasoft Capsa
B. Load Capture
C. The Summary tab provides full general analysis and statistical information of the selected node in the Node Explorer window
D. The Protocol tab lists statistics of all protocols used in network the transactions hierarchically. Physical Endpoints and IP Endpoints for the selected ports are displayed as well.
E. The MAC Endpoint tab lists statistics of all MAC addresses that communicate in the network hierarchically.
F. The IP Endpoint tab displays statistics of all IP addresses communicating in the Network.
On the IP Endpoint tab, you can easily find the nodes with the highest traffic volumes, and check if there is a multicast storm or broadcast storm in your network.
G. The MAC Conversation tab presents the conversations between two MAC addresses.
H. The IP Conversation tab presents IP conversations between pairs of nodes.
The lower pane of the IP Conversation section offers UDP and TCP conversation, which you can drill down to analyze. Double-click a conversation in the IP Conversation list to view the full analysis of packets between two IPs
I. The UDP Conversation tab dynamically presents the real-time status of UDP conversations between two nodes.
J. In the Matrix tab, you can view the nodes communicating in the network by graphically connecting them with lines.
The weight of eachline indicates the volume of traffic between nodes arranged in an extensive ellipse.
You can easily navigate and shift between global statistics and details of specific network nodes by switching the corresponding nodes in the Node Explorer window.
K. The Packet tab provides the original information for any packet. Double-click a packet to view it full analysis information of packet decode. The Packet decode consists of two major views: Hex View and Decode
L. The Report tab provides statistics reports from the global network to a specific network node.
You can click the respective hyperlinks for information, or you can scroll down to view a complete detailed report.
DETECT ARP Poisioning
From Kali box
A. From wireshark - click Edit from the menu bar and select Preferences…
B. The Wireshark Preferences window appears; expand the Protocols node
C. Select the ARP/RARP node. Ensure that Detect ARP request storms and Detect duplicate IP address configuration are checked. Click OK.
D. Either capture new traffic or analyze packet capture.
E. Click Analyze in the menu bar, and select Expert Information.
F. keep the Expert Information window above the Wireshark window, so you can view the packet number and the Packet details section. Observe the warnings highlighted in yellow,
The yellow warnings indicate that duplicate IP addresses have been detected at one MAC address.
DETECT ARP Attacks with Xarp
From Windows box
A. Open XArp – set security to aggressive – View alerts to see source and destination of attacks.