Thursday, February 3, 2011

Can Wireshark read data being sent to/from other computers?

Let's say Wireshark is installed on computer A, and let's say I am watching a YouTube video on computer B.

Can Wireshark see what computer B is doing?

  • If you're on a switched network (which is highly likely), then unless computer A is serving as the default route for computer B (unlikely), no, computer A won't be able to see packets destined for computer B.

    Farseeker : Bring back the days of the 10Mb hub for promiscuous sniffing!
    ErikA : Indeed! Of course SPAN normally takes care of that just fine. :)
    sysadmin1138 : The network guys at $oldJob kept a few 10Mb hubs around for easy sniffing. Worked fine for desktop problems, though perhaps not as well these days.
    sleske : @sysadmin1138: Yes, I've heard of that trick too. Only problem is, it won't really help you with Gigabit Ethernet over fiber...
    sysadmin1138 : @sleske Indeed, indeed... nor did it help with the 10Mb fibre connections they had at the time.
    From ErikA
  • It depends on the network topology and whether or not promiscuous mode is supported. Generally you won't be able to see packets unless they're being routed through the same switch as the computer you're using to sniff.

    ErikA : Negative. Even computers on the same switch won't see unicast packets destined for anywhere but themselves unless ARP spoofing is involved, which, as sysadmin1138 states, is quite evil.
    From bemace
  • In general, no, Wireshark can't sense that traffic. ErikA describes why.

    However... if your network supports it, the network itself can show Computer A the traffic for Computer B, and from there Wireshark can grab it. There are several ways of getting it there.

    • Same Switch, good method If both computers are on the same network switch, and the switch is managed, it is probably possible to configure it to span/mirror/monitor (the terms change with vendor) traffic for Computer B's port onto Computer A's port. That will allow Wireshark on Computer A to see the traffic.
    • Same Switch, evil method If both computers are on the same network switch, and the switch is not terribly secure, it is possible to perform what's known as an ARP Spoofing attack. Computer A issues an ARP packet telling the subnet that it is actually the gateway address, even though it isn't. Clients that accept the ARP packet rewrite their IP:MAC-address lookup table with the bad address in it, and proceed to send all off-subnet traffic to Computer B. For this to work, Computer B then has to send it off to the real gateway. This doesn't work on all switches, and some network stacks reject this kind of thing.
    • Same Subnet, evil method If the router isn't terribly secure either, the ARP Spoofing attack will work for an entire subnet!
    • Different Subnet entirely If Computer B is on a different subnet entirely, the only way this works is if the router core supports a remote monitoring solution. Again, the names vary, and the network topology has to be just right. But it is possible.

    ARP Spoofing is the only way for a computer with no special network privileges to sniff another network node's traffic, and that depends on whether or not the network switch defends against that kind of action. Simply installing Wireshark is not enough; some other action needs to be taken. Otherwise, it'll only happen when the network is explicitly configured to let it happen.

    ErikA : Good explanation. It's late here and I didn't have the patience to type all that out. :)
    jweyrich : And of course, sniffers can capture traffic in non-switched networks (e.g. a hub).
    Pieter : What about WiFi?
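    The "evil method" above leaves a fingerprint on the wire: an ARP frame whose sender claims the gateway's IP with a MAC that is not the gateway's. The following is an added example, not code from the original thread or from the Wireshark project. It parses raw Ethernet/ARP frames (the same bytes Wireshark shows per packet) and flags any sender binding that contradicts a known-good IP-to-MAC table. The gateway address 10.0.0.1, its MAC aa:bb:cc:dd:ee:01 and the attacker MAC 02:00:00:00:00:aa are constructed for the demo, as are the sample frames.

```python
"""Detect gateway ARP spoofing in raw Ethernet frames (added example, not from the thread).

Assumes the legitimate IP->MAC binding of the gateway is known in advance
(constructed here as 10.0.0.1 -> aa:bb:cc:dd:ee:01). Both ARP requests and
replies carry a sender binding, so both are checked; attackers frequently
poison caches with requests, not just replies.
"""
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s):
    return bytes(int(p, 16) for p in s.split(":"))


def ip_bytes(s):
    return bytes(int(p) for p in s.split("."))


def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip, target_mac, target_ip) for an
    Ethernet/IPv4 ARP frame, or None if the frame is not one."""
    if len(frame) < 14 + 28:          # Ethernet header + fixed-size ARP body
        return None
    _dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None                   # only Ethernet (1) / IPv4 (0x0800) ARP
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return op, mac_str(sha), ".".join(map(str, spa)), mac_str(tha), ".".join(map(str, tpa))


def build_arp(op, sha, spa, tha, tpa, eth_dst="ff:ff:ff:ff:ff:ff"):
    """Construct an Ethernet/ARP frame; used here only to fabricate test input."""
    eth = mac_bytes(eth_dst) + mac_bytes(sha) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa))
    return eth + arp


def find_spoofed(frames, known):
    """known: dict of ip -> legitimate MAC.  Returns (ip, claimed_mac) pairs for
    every ARP sender binding that contradicts the table.  Non-ARP frames and
    hosts not in the table are ignored."""
    alerts = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        _op, sha, spa, _tha, _tpa = parsed
        legit = known.get(spa)
        if legit is not None and sha != legit:
            alerts.append((spa, sha))
    return alerts


# Constructed sample: the real gateway, an innocent host, and "Computer A"
# gratuitously claiming the gateway's IP with its own MAC.
KNOWN = {"10.0.0.1": "aa:bb:cc:dd:ee:01"}
SAMPLE_FRAMES = [
    build_arp(ARP_REPLY, "aa:bb:cc:dd:ee:01", "10.0.0.1",
              "aa:bb:cc:dd:ee:20", "10.0.0.20", eth_dst="aa:bb:cc:dd:ee:20"),
    build_arp(ARP_REQUEST, "aa:bb:cc:dd:ee:20", "10.0.0.20",
              "00:00:00:00:00:00", "10.0.0.1"),
    build_arp(ARP_REPLY, "02:00:00:00:00:aa", "10.0.0.1",
              "ff:ff:ff:ff:ff:ff", "10.0.0.1"),      # the spoof
    b"\xff" * 14 + b"\x00" * 30,                     # not ARP; must be skipped
]


def demo():
    return find_spoofed(SAMPLE_FRAMES, KNOWN)


if __name__ == "__main__":
    for ip, mac in demo():
        print(f"ALERT: {ip} claimed by {mac}, expected {KNOWN[ip]}")
```

    Run against a real capture, the known-good table would come from the DHCP server or switch configuration rather than being hard-coded, and the alert is exactly what Dynamic ARP Inspection on a managed switch enforces in hardware: a binding that does not match the trusted table is dropped instead of learned.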
  • As Farseeker alluded to, you used to be able to. Ten years ago, many networks used hubs, which were like switches but dumber, in that they reflected every packet onto every port instead of figuring out where each packet needed to go and sending it only there. Before that, some networks used coaxial ethernet with a common cable (and no hub or switch) that every station broadcast on and listened to.

    In both of the above situations, a machine with Ethereal (the old name for Wireshark) could indeed snoop on the whole network.

    Although this situation applies to very few networks these days, I mention it for context and to understand why the idea of using Wireshark to snoop on others is still in many people's heads.

    From Pete
