How does Wireshark capture packets in a LAN without arpspoof?

I created a lab environment which has Windows 7 and Kali Linux in VMware.



In Kali Linux, I opened Wireshark and started to listen to traffic on eth0. After that, in my Windows 7 machine, I opened an HTTP site and entered some login information to that site.



Wireshark was able to capture that login information.



How does Wireshark capture those packets? Windows 7 sent its packets to the router but Wireshark was able to capture them.



I didn't use arpspoof for a MITM attack, so I didn't trick Windows 7 into thinking the Kali machine was the gateway, nor the gateway into thinking the Kali machine was Windows 7. So my guess was that Wireshark shouldn't capture those packets, but it did capture them anyway.



Can anybody tell me why?










      wireshark arp-spoofing packet






      edited Nov 18 '18 at 17:33









      schroeder

      asked Nov 18 '18 at 17:22









G.Baysec

2 Answers

This is actually not a security question at all. The question you want to be asking is how one node on a network can see the packets that are not destined for it. For this answer, you need to understand how Ethernet networking works.

Ethernet networks are broadcast networks, meaning that every node on the same segment can see every other node's traffic. No tricks required.

A switch (and a wifi access point acts like a switch) breaks up these broadcast zones (mostly) so that only the nodes that need to talk to each other see the traffic. That's why you need to arp-spoof: you need to trick the victim node into sending you the traffic first, and then you pass it on to the intended destination.

But without a switch, everyone can see everyone's traffic. So, your Kali's Wireshark could simply and easily see the traffic being sent by the other node. No tricks required.

answered Nov 18 '18 at 17:40

schroeder






• So, because my VMware environment hasn't got a switch (just a router), my Wireshark can sniff all packets inside that environment. Then, if I had an environment that has a switch and my victim and attacker machines were in the same VLAN, I would need to use arp-spoof to fool Windows 7 into thinking I am the router. So with arpspoof, did I change the MAC address of the router in Windows 7's route table and give my MAC address instead? Did I understand it correctly? Or should I change the MAC address information in the switch also?

            – G.Baysec
            Nov 18 '18 at 17:56













          • You have some language errors there, but it looks like you are correct. Please do some reading on Ethernet, networking, and broadcast zones.

            – schroeder
            Nov 18 '18 at 17:58











• Hm, your VMware virtual switch should also not flood its ports with packets. How many VMs did you have in your lab, and on which of them was Wireshark running?

            – eckes
            Nov 18 '18 at 20:56











• Routers also break up broadcast zones. But the point is there isn't a virtual switch or router in between Kali's virtual network card and Windows. So they get to see each other's traffic. I guess VMware did it that way for maximum reliability and performance, because they could have added a virtual switch.

            – immibis
            Nov 19 '18 at 0:03











• @eckes I have 2 machines for this lab. One is Windows 7 and the other is Kali Linux.

            – G.Baysec
            Nov 19 '18 at 8:17
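The hub-versus-switch distinction the accepted answer draws, as an added illustration that is not part of the question or any answer: a tiny model of an Ethernet hub and a MAC-learning switch, run over a constructed frame sequence (MAC addresses, port numbers and labels are made up) to show which frames a passive sniffer on a third port actually receives.

```python
"""Why a sniffer sees everything on a hub but almost nothing on a switch.

Added example, not code from the question or answers. The ports, MAC
addresses and frame sequence below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str    # source MAC address
    dst: str    # destination MAC address
    label: str  # human-readable description of the payload


@dataclass
class Hub:
    """A hub repeats every frame out of every port except the ingress port."""
    ports: int

    def forward(self, ingress: int, frame: Frame) -> set[int]:
        return {p for p in range(self.ports) if p != ingress}


@dataclass
class LearningSwitch:
    """A switch learns source MAC -> port and forwards unicast only there.

    Broadcasts and unknown destinations are still flooded, which is why a
    sniffer on another port keeps seeing ARP requests on a switched segment.
    """
    ports: int
    mac_table: dict[str, int] = field(default_factory=dict)

    def forward(self, ingress: int, frame: Frame) -> set[int]:
        self.mac_table[frame.src] = ingress  # learn where the sender lives
        everyone_else = {p for p in range(self.ports) if p != ingress}
        if frame.dst == BROADCAST or frame.dst not in self.mac_table:
            return everyone_else             # flood
        return {self.mac_table[frame.dst]}   # deliver only to the known port


def seen_by_sniffer(device, sniffer_port: int, traffic) -> list[str]:
    """Labels of the frames a passive sniffer on sniffer_port receives.

    traffic is a sequence of (ingress_port, Frame) pairs in wire order.
    """
    return [f.label for ingress, f in traffic
            if sniffer_port in device.forward(ingress, f)]


# Constructed lab: Windows on port 0, gateway on port 1, Kali sniffer on port 2.
WIN = "00:0c:29:aa:aa:aa"
GW = "00:0c:29:bb:bb:bb"

LAB_TRAFFIC = [
    (0, Frame(WIN, BROADCAST, "ARP who-has gateway")),      # Windows resolves the router
    (1, Frame(GW, WIN, "ARP reply gateway-is-at")),          # router answers
    (0, Frame(WIN, GW, "HTTP POST /login (credentials)")),  # the login from the question
    (1, Frame(GW, WIN, "HTTP 200 OK")),
]


def hub_view() -> list[str]:
    """What Kali's Wireshark sees when the segment behaves like a hub."""
    return seen_by_sniffer(Hub(ports=3), 2, LAB_TRAFFIC)


def switch_view() -> list[str]:
    """What Kali's Wireshark sees once a switch has learned both MACs."""
    return seen_by_sniffer(LearningSwitch(ports=3), 2, LAB_TRAFFIC)


if __name__ == "__main__":
    print("hub   :", hub_view())      # all four frames, credentials included
    print("switch:", switch_view())   # only the broadcast ARP request
```

On the switched segment the unicast HTTP frames never reach port 2, which is exactly the gap an ARP-spoofing attacker has to close and a defender can watch for (a gateway IP suddenly answering from a new MAC).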



















The reason why Wireshark can capture all packets is because of the NAT environment. In NAT, VMs in VMware will use the physical adapter, that is, the NIC of my computer. So VMware provides the Ethernet card to the VMs. Both Windows 7 and Kali will use the same Ethernet card because VMware points my Ethernet card to these VMs for internet access. So when I sniff eth0 from Wireshark, because Windows 7 uses the same Ethernet card, all packets will be captured by Wireshark. This lab should be done in a bridged-adapter network environment. In that environment, VMware should isolate the NICs for the VMs, so that there is a need for arpspoofing in order to capture traffic from Kali.

answered Nov 21 '18 at 19:16

G.Baysec





