This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Can wireshark be used to capture data being sent to a spoofed computer?


I have to think about cause and consequence so defense is really the best offense.

I am wondering... (theoretically) by spoofing computer X and by capturing its packets and the data being sent (in and out of computer X)... can I (for example) capture a Word document (.doc) that computer Y has sent to computer X?

Best regards.

asked 02 May '14, 07:19

philosopher


One Answer:


You need to be able to capture the packets in the first place, so your point of capture needs to be somewhere where the packets pass by. If you can achieve that, and the documents are not transferred over an encrypted link, then you can extract them from the capture.

The problem with spoofing is that usually the answer packets do not make it back to you but get sent to the real computer instead, so it won't help you.

answered 02 May '14, 07:21

Jasper ♦♦

(in theory)

What if I use VMware (computer Z) connected to the network?

Computer Y sends a .pdf document... and I want to intercept this document.

I spoof (change its MAC address to the same as computer X's), use VMware (Windows XP OS, 'computer Z') to spoof this address, and I use Wireshark to receive the packets (and the document)?

(02 May '14, 07:28) philosopher

Well, in a local segment using ARP spoofing you can MITM the transfer and capture the documents, but that doesn't work anymore as soon as you try to do it outside your own layer 2 segment.

(02 May '14, 07:30) Jasper ♦♦

(theoretically) I was thinking of something like "Cain and Abel"... or some similar software.

I assign a very close IP and then, using this software (ARP poisoning a MAC address), I start the poisoning...

computer X IP: 192.168.80.1 - "victim" (the one getting intercepted)

computer Y IP: 192.168.80.2 - "sender" (the one who sends the document without any clue)

computer Z IP: 192.168.80.3 - VMware (the attacker)

(02 May '14, 07:39) philosopher

Please stop answering, instead use comments - I converted your last two answers for you ;-)

Sure, C&A can do this, as long as all nodes are in the same ethernet segment, as I already said.

(02 May '14, 07:49) Jasper ♦♦

I didn't notice your answer :)

Thank you very much for your help :D

If you ever need anything.. feel free to message me ;)

(02 May '14, 07:57) philosopher

If you're happy with the answers you get here, you should accept them as answered (checkmark button on the left next to an answer) ;-)

(02 May '14, 07:59) Jasper ♦♦
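As an added illustration of the detection side of Jasper's point about ARP spoofing on a local segment (example code written for this archive page, not from the Wireshark project or either poster): a small Python script that parses raw Ethernet/ARP frames and reports whenever one IP address is claimed by two different MAC addresses, which is the condition Wireshark flags as a duplicate IP address in its ARP expert info. The frames, the MAC addresses and the reuse of the thread's 192.168.80.x addresses are constructed sample input, not captured traffic.

```python
"""Report conflicting ARP claims (one IP advertised by two MACs) in raw frames.

Added example for the thread above; not from the Wireshark project or the
posters. All frames are constructed below, nothing is sent or captured."""
import struct

ETH = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")    # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6


def _mac(s): return bytes.fromhex(s.replace(":", ""))
def _ip(s): return bytes(int(o) for o in s.split("."))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Build an Ethernet+ARP frame; used only to construct the sample input."""
    dst = BROADCAST if op == ARP_REQUEST else _mac(target_mac)
    eth = ETH.pack(dst, _mac(sender_mac), ETHERTYPE_ARP)
    arp = ARP.pack(1, 0x0800, 6, 4, op, _mac(sender_mac), _ip(sender_ip),
                   _mac(target_mac), _ip(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return (op, sender_mac, sender_ip) for an IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < ETH.size + ARP.size:
        return None
    _dst, _src, etype = ETH.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        return None
    _h, ptype, hlen, plen, op, sha, spa, _tha, _tpa = ARP.unpack_from(frame, ETH.size)
    if ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    return op, mac_str(sha), ip_str(spa)


def detect_conflicts(frames):
    """Walk frames in order; alert when an IP is claimed by a MAC other than the first one seen.

    Both requests and replies carry a sender binding, so both are checked.
    The first binding wins; every later differing claim is reported."""
    seen = {}      # ip -> mac of the first claim
    alerts = []
    for n, frame in enumerate(frames, 1):
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        op, mac, ip = parsed
        if ip == "0.0.0.0":            # ARP probe, carries no binding
            continue
        prev = seen.setdefault(ip, mac)
        if prev != mac:
            kind = "reply" if op == ARP_REPLY else "request"
            alerts.append(f"frame {n}: {ip} claimed by {mac} in ARP {kind}, "
                          f"previously {prev}")
    return alerts


def sample_frames():
    """Constructed traffic using the thread's addresses; the MACs are made up."""
    X, Y, Z = "192.168.80.1", "192.168.80.2", "192.168.80.3"
    mx, my, mz = "aa:aa:aa:00:00:01", "aa:aa:aa:00:00:02", "aa:aa:aa:00:00:03"
    return [
        build_arp(ARP_REQUEST, my, Y, "00:00:00:00:00:00", X),  # Y asks who has X
        build_arp(ARP_REPLY, mx, X, my, Y),                      # X answers normally
        build_arp(ARP_REPLY, mz, X, my, Y),                      # a third host claims X's IP
        build_arp(ARP_REPLY, mz, Y, mx, X),                      # and Y's IP as well
        build_arp(ARP_REQUEST, mz, Z, "00:00:00:00:00:00", X),  # its own IP, no conflict
    ]


if __name__ == "__main__":
    for line in detect_conflicts(sample_frames()):
        print(line)
```

On real traffic the same logic runs over frames read from a pcap file or a raw socket; the two alerts from the sample correspond to the duplicate-address warnings Wireshark shows in the ARP dissector, and a switch feature such as dynamic ARP inspection stops the conflicting claims before they reach hosts at all.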