CENiffer

Wireless networks have a unique weakness that can enable anyone with the right equipment the capability to capture and read data as it is sent over the airwaves. This could include emails, chats, Web page requests and more. In other words, if it can be sent over a network, it can be sniffed.

Even in the PC environment, sniffers often require Linux or a "patched" version of Windows. If you are familiar with these tools, you will already know that sniffers, although simple in concept, are often complex in interpretation. You need to understand how TCP/IP layers work, what hex and ASCII are, and have a firm grip on understanding how to read network messages. The amount of information is sometimes overwhelming, and it can take even the most dedicated expert a relatively long time to analyze. For these reason, we would not expect a sniffer to show up on a platform with such a limited amount of memory and resources. However, CENiffer is just that! It is a sniffer capable of running on a Pocket PC-based computer, such as an iPAQ.

CENiffer is a fully functional sniffer with many of the features that you would only expect to find in a full PC version. The following is a list of some of these features:

• Functions on both wireless and wired Ethernet cards

• Allows user -defined packet filters and rules based on ports, IPs, and more

• Lists captured information in MAC, IP, and TCP layers

• Runs in promiscuous mode (with proper network cards)

• Outputs log files in Ethereal and tcpdump format for future analysis

• Allows layered view down to hex/ASCII

• Supports the Open Filter Definition Language (OFDL) for filtering

After trying CENiffer, you will see it is packed full of features and options that make it one of the best sniffers available for Pocket PC-based computers. The next few pages will walk you through the program and illustrate just how powerful it is.

Installing CENiffer

Installing CENiffer is also fairly simple. However, there is one twist: You must install the downloaded file on the Pocket PC-based computer. In other words, you will need to download the program to your PC, transfer the *.cab file to your Pocket PC computer, and execute it from there. You can also simply download the file from your mobile computer using the built-in browser. You must also install the appropriate version for your Pocket PC-based processor type (StrongARM, MIPS, or SH3).

Using CENiffer

Upon opening the program, you are presented with a blank screen and the typical tool bar. The first thing to do is set up how and where you want to record the session. As you can see from Figure 10.3, you can save data in an expansion card in various formats.

After you have this set up, it's time to create some filters. A filter will enable you to remove the excess data and target only what is of interest. For example, you can filter all ICMP traffic, or all traffic to a certain host. To set a filter up, click on Options Filters. This will present you with a blank list that you have to fill. To add a filter, click on the Add button, followed by Edit. Give the filter a name and configure it to filter based on a set of rules. In Figure 10.4, we set up CENiffer to filter all traffic on port 80, which is the default Web server (http) port. In addition to simple sniffing, CENiffer supports OFDL, which allows for some very in-depth control over what and how CENiffer filters packets. After you have some entries (see Figure 10.5), close the filter screen. The following lists the types of filters available:

• Pass or don't pass filter

• Source or destination Hardware (MAC) address

• Source or destination IP address

• Source or destination TCP port

• Source or destination UDP port

Next, determine whether you want to sniff only data passing to and from the iPAQ you are operating, or whether you want to capture all data passing through the airwaves. To do the latter, you will need to enable promiscuous mode by clicking on Options Promiscuous. At this point, click the arrow on the tool bar to start capturing.

As the program captures data, it will list the MAC addresses, IP addresses, or protocol and port numbers of the packets being captured. You can change this view by using the double arrow button on the toolbar. As illustrated in Figure 10.6, it should not take long to start capturing valuable information. In this example, we are capturing all data between a WLAN client and a random Web site. As you can see, the traffic is mostly TCP, with a few UDP packets sent between the client and the Internet gateway.

After you have captured enough data, you are ready to analyze it. To do this, click the Play arrow off, and select a packet to view. After you have done this, you will be presented with the packet's transmission and header information. This information tells you the purpose of the packet's transmission (see Figure 10.7). If you scroll further down, you can view the actual data sent in the packet as it appears in hex and ASCII. This is the information that will be dumped into the saved file for future analysis. To do this, you can load the file in Ethereal (or in a text editor, if you are really an expert) on your PC.

As you can see, this program is a fully functional sniffer, right on your Pocket PC computer. In fact, this program is so feature-rich that it can complement a laptop-based sniffer (Sniffer or EtherPeek) quite well. If you have a need to monitor network traffic with minimal equipment, get your hands on CENiffer.