```
# sudo tcpdump -vXXn -e -i eth1 dst 192.168.1.116
```
This means that you want to analyze packets to your IP address 192.168.1.116.
I have picked up a part of the output:

```
14:57:51.521068 00:1f:3a:bc:7b:58 > ****, ethertype IPv4 (0x0800), length 86: (tos 0x8, ttl 44, id 35883, offset 0, flags [none], proto UDP (17), length 72)
    74.125.200.189.443 > 192.168.1.116.41334: UDP, length 44
	0x0000:  **** 001f 3abc 7b58 0800 4508  .H..6=..:.{V..E.
	0x0010:  0048 8c2b 0000 2c11 2d1b 4a7d c8bd c0a8  .H.+..,.-.J}....
	0x0020:  0174 01bb a176 0034 54a9 0087 e6d9 30be  .t...v.4T.....0.
	0x0030:  ba35 de94 672a 603e 3fc8 5fa1 d8eb 3721  .5..g*`>?._...7!
	0x0040:  de39 f952 1bbf 722a 3afb 1812 2e04 6c9c  .9.R..r*:.....l.
	0x0050:  8a72 7d5e af95                           .r}^..
```
Here also, you can see that the frame from 74.125.200.189 carries the source MAC address 00:1f:3a:bc:7b:58, which is the MAC of a system in the local network (192.168.1.133, as per the arp-scan output below). A packet from an address outside the LAN should arrive with the source MAC of the default gateway (192.168.1.1), not that of another LAN host.
```
# sudo arp-scan --interface=eth1 --localnet
Interface: eth1, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.8.1 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.1.133	00:1f:3a:bc:7b:58	Pr_bc Ind.Co., Ltd.
192.168.1.138	***	(Unknown)
192.168.1.1	***	(Unknown)
```
Hence, the system is undergoing an ARP spoofing attack.
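The check done by hand above, automated as an added example (not code from the original post): it parses `tcpdump -e -n` header lines and the arp-scan host table, then flags any frame whose source IP lies outside the LAN but whose source MAC is not the gateway's, naming the LAN host that owns that MAC. The destination MAC, the gateway MAC and the MAC of 192.168.1.138 are invented here because the page masks them, and 192.168.1.1 is assumed to be the default gateway.

```python
import ipaddress
import re

# Header line printed by `tcpdump -e -n`: MACs first, then the IPv4 host.port pair after the "(...)" IP details.
FRAME_RE = re.compile(
    r"^\S+ (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}),.*\) "
    r"(?P<sip>\d+(?:\.\d+){3})\.\d+ > (?P<dip>\d+(?:\.\d+){3})\.\d+:"
)

def parse_arp_scan(text):
    """Map IP -> MAC from the tab-separated host rows of `arp-scan --localnet`."""
    table = {}
    for row in text.splitlines():
        fields = row.split()
        if len(fields) >= 2 and fields[1].count(":") == 5:
            table[fields[0]] = fields[1].lower()
    return table

def find_spoofed_frames(lines, arp_table, lan, gateway_ip):
    """Flag frames from outside `lan` whose source MAC is not the gateway's."""
    gateway_mac = arp_table[gateway_ip]
    mac_owner = {mac: ip for ip, mac in arp_table.items()}
    alerts = []
    for line in lines:
        m = FRAME_RE.match(line)
        if not m:
            continue
        src_ip = ipaddress.ip_address(m["sip"])
        src_mac = m["smac"].lower()
        if src_ip in lan or src_mac == gateway_mac:
            continue  # local sender, or external traffic relayed by the real gateway
        alerts.append((str(src_ip), src_mac, mac_owner.get(src_mac, "unknown")))
    return alerts

# Constructed sample: the frame from the capture above (destination MAC invented) plus one frame relayed by the gateway.
CAPTURE = [
    "14:57:51.521068 00:1f:3a:bc:7b:58 > 00:11:22:33:44:55, ethertype IPv4 (0x0800), "
    "length 86: (tos 0x8, ttl 44, id 35883, offset 0, flags [none], proto UDP (17), "
    "length 72) 74.125.200.189.443 > 192.168.1.116.41334: UDP, length 44",
    "14:57:52.100000 aa:bb:cc:dd:ee:01 > 00:11:22:33:44:55, ethertype IPv4 (0x0800), "
    "length 60: (tos 0x0, ttl 57, id 4242, offset 0, flags [DF], proto UDP (17), "
    "length 40) 198.51.100.7.53 > 192.168.1.116.51000: UDP, length 12",
]
# Constructed arp-scan rows; the gateway (192.168.1.1) and 192.168.1.138 MACs are invented.
ARP_SCAN = ("192.168.1.133\t00:1f:3a:bc:7b:58\tPr_bc Ind.Co., Ltd.\n"
            "192.168.1.138\taa:bb:cc:dd:ee:02\t(Unknown)\n"
            "192.168.1.1\taa:bb:cc:dd:ee:01\t(Unknown)\n")

def demo():
    lan = ipaddress.ip_network("192.168.1.0/24")
    return find_spoofed_frames(CAPTURE, parse_arp_scan(ARP_SCAN), lan, "192.168.1.1")
```

`demo()` returns one alert for the page's frame: 74.125.200.189 arrived from 00:1f:3a:bc:7b:58, the MAC arp-scan attributes to 192.168.1.133.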