Who steals my interwebs?

You want to see if someone is hijacking your wireless connection? Here is how to do it.

First of all you have to figure out your IP address. There are several ways to do it: you can find it under Apple Menu -> System Preferences -> Network -> Advanced -> TCP/IP, or you can type in Terminal.app:

ifconfig -a

Now look for the en1 section (Mac OS X's wireless connection is on the interface called en1), or simply type

ifconfig -a|grep inet -B1|grep en1 -a1

you should get something like

--
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 192.168.1.64 netmask 0xffffff00 broadcast 192.168.1.255

We will now do some sniffing, excluding our own address from the data, so in Terminal.app type

sudo tcpflow -s -c -i en1 host not 192.168.1.64

It will ask you for your password, etc. What the options mean:

-s
Strip non-printables. Convert all non-printable characters to the «.» character before printing packets to the console or storing them to a file.
-c
Console print. Print the contents of packets to stdout as they are received, without storing any captured data to files (implies -s).
-i
Interface name. Capture packets from the network interface named iface. If no interface is specified with -i, a reasonable default will be used by libpcap automatically.

So we are basically asking it to show us on screen everything that passes through our wireless interface (en1). The next part (host not xxxx) restricts the capture by excluding our own address, so what remains tells us whether someone else is using our wireless connection.

If you see anything beyond this point then you are not alone on your network (you can exclude more addresses you know, like printers and other computers, with «not host 10.10.10.10 and not host 10.10.10.1». You get the picture, I hope).
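As an added example (not from the original post), here is a small shell helper that pulls the en1 address out of `ifconfig -a` output and assembles the exclusion filter with one `not host` per known address, which is the form libpcap expects; the ifconfig output embedded in it is constructed, and the function and file names are my own.

```shell
#!/bin/sh
# Added example: derive your own address from `ifconfig -a` output and build a
# BPF filter excluding it plus any other hosts you already know about, ready to
# hand to tcpflow or driftnet.

# Constructed sample of `ifconfig -a` output, standing in for the real thing.
SAMPLE_IFCONFIG='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    inet 127.0.0.1 netmask 0xff000000
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 10.0.0.5 netmask 0xffffff00 broadcast 10.0.0.255
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet6 fe80::1%en1 prefixlen 64 scopeid 0x5
    inet 192.168.1.64 netmask 0xffffff00 broadcast 192.168.1.255'

# own_ipv4 IFACE [IFCONFIG_TEXT]: print the IPv4 address of IFACE.
# Parses IFCONFIG_TEXT if given, otherwise the live output of `ifconfig -a`.
own_ipv4() {
    iface=$1
    if [ -n "$2" ]; then text=$2; else text=$(ifconfig -a); fi
    printf '%s\n' "$text" | awk -v want="$iface:" '
        /^[a-z0-9]+:/ { inblock = ($1 == want) }      # a new interface block starts
        inblock && $1 == "inet" { print $2; exit }    # first IPv4 line of that block
    '
}

# exclude_filter ADDR...: BPF expression that drops traffic to or from every
# address given. Each one gets its own `not host`: in pcap syntax
# `not host A and B` means "not A, and involving B", which is not the intent.
exclude_filter() {
    out=""
    for a in "$@"; do
        if [ -z "$out" ]; then out="not host $a"; else out="$out and not host $a"; fi
    done
    printf '%s' "$out"
}

# Usage: sh whosthere.sh en1 192.168.1.1   (prints the tcpflow command to run)
if [ "$#" -ge 1 ]; then
    iface=$1; shift
    me=$(own_ipv4 "$iface")
    printf 'sudo tcpflow -s -c -i %s %s\n' "$iface" "$(exclude_filter "$me" "$@")"
fi
```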

What you can do beyond this point is try driftnet. Driftnet is a modern EtherPEG clone. EtherPEG was a small hack that showed the images (JPEGs) your co-workers were viewing on your network. It was rewritten for OS X but is now broken on Leopard (10.5), so you need something fresher.

Driftnet is here to help. Please read the man page first. The fun part is just peeking, so simply invoke in Terminal.app:

sudo driftnet -i en1 host not 192.168.1.64

and you will be able to see what the hijacker sees online (!), with the images displayed through X11. If you want to be mean then you can try

sudo driftnet -i en1 -a -s -d . host not 192.168.1.64

which will store all the images and MPEG audio in the current folder (better create an empty one before you do this). The names of the stored files will be written to the terminal so you can see that something is actually happening.

By this point you are probably frustrated that you can't find these commands in Terminal.app. Use fink and install them from there (very easy).
