Tuesday, November 21, 2006

HOWTO Sniffing AIM traffic on an open wireless network

If you are interested in seeing what people on an open wireless network are doing on AOL Instant Messenger (*ahem* I mean... for some legitimate, legal and ethical purposes, of course... *ahem*), then this will walk you through it. I'm using Ubuntu 6.06 as my OS.
  1. First, you're going to need a network traffic analyzer. Wireshark (formerly known as Ethereal; Wikipedia explains the name change) is the standard for this: enter sudo apt-get install ethereal on the command line to get it (the package still carries the old name). Start it up as root (this should be an option under Applications -> Internet).
  2. Next, put your wireless card into monitor mode: sudo iwconfig eth1 mode Monitor (of course, replace eth1 with whichever wireless-enabled interface you wish to listen on). Monitor mode is what makes the card hand over 802.11 frames that are not addressed to it; it is a separate setting from the promiscuous-mode checkbox you will tick inside Ethereal in the next step.
  3. Click the "Show the capture options..." button in the top left corner of the ethereal GUI (it's the picture with a wrench on it). Select your wireless interface, check the promiscuous mode checkbox, and select any other options you want, but don't close the box yet.
  4. If you just ran the capture as is, you'd get all the traffic on the wireless network, which is far more than you want. A little research on Google shows that AIM runs primarily on port 5190, with additional ports such as 13, 23, and 113. Restrict the capture to packets on those ports by entering this in the capture filter text box: tcp port 5190 or tcp port 23 or tcp port 113 or tcp port 13 (for other filter syntax, see Section 4.8 of the Wireshark User's Guide). Click the Start button to begin the capture.
  5. You are now capturing every wireless packet that your interface receives. Ethereal will bring up a small dialog box showing more detail about what's going on. Click Stop to end the capture.
  6. That's a lot of data. Use the filtering and analysis tools that Ethereal provides to sort out what's actually going on. One of the easiest and most useful is to right-click a packet of interest and select "Follow TCP Stream": this shows you everything exchanged between the two endpoints, which is exactly what you need to reassemble an AIM conversation.
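To make clear what "Follow TCP Stream" actually does, and why an unencrypted protocol on an open network is readable by anyone who captures it, here is an added Python example that is not from the original post: it reassembles both directions of one TCP conversation from a handful of constructed segments (delivered out of order, with one retransmission) and then applies a simple printable-bytes heuristic to tell a plaintext stream from an opaque one. The segment layout, the Segment class, follow_stream, is_plaintext and the 192.0.2.x / 198.51.100.x addresses are all assumptions made for the example; no real capture is involved. The defensive takeaway is the second half: a stream that fails the plaintext check (TLS, a VPN tunnel) yields nothing to a passive observer, which is the mitigation for everything this post describes.

```python
"""
Minimal TCP stream reassembly, the operation behind Wireshark's
"Follow TCP Stream", on constructed segments (not captured traffic).
Added example; Segment/follow_stream/is_plaintext are names chosen here.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str        # "ip:port" of the sender
    dst: str        # "ip:port" of the receiver
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes  # TCP payload (headers already stripped)


def _reassemble(segs):
    """Place every byte at (seq - initial_seq) in a buffer.

    Sorting by sequence number fixes out-of-order delivery; writing by
    offset makes retransmitted or overlapping segments harmless. Bytes
    of a segment that was never seen are left as zero, so a gap shows
    up as a run of NULs rather than silently shifting later text.
    """
    segs = sorted(segs, key=lambda s: s.seq)
    if not segs:
        return b""
    base = segs[0].seq
    buf = bytearray()
    for s in segs:
        off = s.seq - base
        end = off + len(s.payload)
        if end > len(buf):
            buf.extend(b"\x00" * (end - len(buf)))
        buf[off:end] = s.payload
    return bytes(buf)


def follow_stream(segments, client, server):
    """Return (client_to_server, server_to_client) byte strings for one
    TCP conversation, ignoring segments that belong to other flows."""
    c2s = [s for s in segments if s.src == client and s.dst == server]
    s2c = [s for s in segments if s.src == server and s.dst == client]
    return _reassemble(c2s), _reassemble(s2c)


def is_plaintext(data, threshold=0.9):
    """Heuristic: a stream that is mostly printable ASCII or whitespace is
    readable as captured. TLS records or VPN payloads fail this check."""
    if not data:
        return False
    printable = sum(1 for b in data if 32 <= b < 127 or b in b"\r\n\t")
    return printable / len(data) >= threshold


# Constructed sample conversation (RFC 5737 documentation addresses).
CLIENT, SERVER = "192.0.2.10:51000", "198.51.100.5:5190"
SAMPLE_SEGMENTS = [
    Segment(CLIENT, SERVER, 1013, b"lunch?"),    # arrives before its predecessors
    Segment(SERVER, CLIENT, 5000, b"sure, noon"),
    Segment(CLIENT, SERVER, 1000, b"hello "),
    Segment(CLIENT, SERVER, 1006, b"world, "),
    Segment(CLIENT, SERVER, 1006, b"world, "),   # retransmission of the same bytes
    Segment("203.0.113.7:40000", SERVER, 900, b"unrelated flow"),
]

# Constructed stand-in for an encrypted stream: no printable bytes at all.
OPAQUE_SAMPLE = bytes(range(128, 200))


if __name__ == "__main__":
    c2s, s2c = follow_stream(SAMPLE_SEGMENTS, CLIENT, SERVER)
    print("client -> server:", c2s, "plaintext:", is_plaintext(c2s))
    print("server -> client:", s2c, "plaintext:", is_plaintext(s2c))
    print("opaque sample plaintext:", is_plaintext(OPAQUE_SAMPLE))
```

Run it as a script to see the two reassembled directions; the point of the duplicate and out-of-order segments is that the reassembled text still reads cleanly, just as it does in Ethereal's stream window, because reassembly is driven by sequence numbers rather than arrival order.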
