Unit 1: Packet Sniffing
1.1 Packet Sniffing: Sniffing on Windows and Inside VMs

>> WinPcap for Windows allows applications to capture
and transmit network packets bypassing the protocol stack,
and has additional useful features, including kernel-level packet filtering,
a network statistics engine, and support for remote packet capture.


But it doesn't support monitor mode, so you can't capture
in monitor mode with Wireshark on Windows.


Promiscuous mode can be set with WinPcap, but it's often crippled,
as many drivers don't supply packets at all or don't supply packets sent by the host.


So, if you use Wireshark on Windows, monitor mode and promiscuous mode for Wi-Fi are problematic.
You have three options.


One, there is the Riverbed AirPcap tool for $700.


Two, you can use Acrylic Wi-Fi solutions, which installs drivers that may or may not work,
and you might have to buy a special USB NIC.


Three, use Microsoft's Network Monitor tool, which is old and obsolete,
for promiscuous mode and monitor mode.


You can also use Microsoft's Network Monitor successor, Message Analyzer,
which can do just promiscuous mode.


You'll still need the NIC drivers to support these programs, and there are many that don't.


Which of the three options do I use?


None of the above. I do my monitor mode and promiscuous mode Wi-Fi sniffing
through Kali Linux run off a [inaudible] USB stick.


Monitor mode can't run inside any virtual machine on any guest operating system.


Virtual machines see the virtual NICs as Ethernet adapters and not Wi-Fi adapters.


Monitor mode sniffing through a guest OS would be possible
with an external adapter specifically designed for wireless pen testing.


A hypervisor like the many put out by VMware is another exception to the rule.


If you've got a VM running in bridged mode with its own virtual NIC
and MAC address, the hypervisor will inject itself through a device driver
and force a wired physical NIC to accept the frame
with the VM's MAC address so it can be sent to the VM.


So, even though the destination MAC address is that of the virtual NIC on the guest OS
and not the physical NIC, the physical NIC is able to take the frame in,
and the virtual bridge will send the traffic to the virtual machine
with the listed destination MAC address.


Hypervisors need to tweak that behavior for wireless traffic,
since many wireless adapters don't support promiscuous mode
and will automatically drop traffic
if the destination MAC address is not the MAC address of the physical wireless NIC.


All traffic has to use the MAC address of the host's wireless adapter.


The hypervisor needs to replace the source MAC address
of an outgoing frame with the host's MAC address to make sure the reply will be sent back
to the host MAC address and not the guest MAC address.


When the hypervisor sees an incoming packet with a destination IP address that belongs to one
of the VM's virtual NICs, it replaces the destination MAC address of the host NIC
with the VM's MAC address and sends it on.


Since a layer 2 ARP frame doesn't have a layer 3 IP header, the target IP address field is parsed
by the hypervisor to know which virtual NIC should get the ARP reply.


Hypervisors examine ARP and DHCP traffic so they can learn the IP addresses of virtual machines.
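To make the bridged-Wi-Fi behaviour above concrete, here is a small Python model of the MAC translation the lecture describes. It is an added example, not code from the lecture or from any hypervisor vendor: it learns which VM owns which IP from ARP only (the DHCP learning the lecture mentions is left out), rewrites the source MAC on egress and picks the VM on ingress by the IPv4 destination or the ARP target IP field. All MAC and IP addresses are constructed sample values, and the frames are built inline so it runs offline.

```python
import struct

ETH_TYPE_IPV4 = 0x0800
ETH_TYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def build_arp(dst_mac, src_mac, op, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Ethernet frame carrying an ARP packet (htype=Ethernet, ptype=IPv4)."""
    arp = (struct.pack("!HHBBH", 1, ETH_TYPE_IPV4, 6, 4, op)
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_TYPE_ARP) + arp


def build_ipv4(dst_mac, src_mac, src_ip, dst_ip, payload=b"") -> bytes:
    """Ethernet frame carrying a minimal IPv4 header (checksum left zero; not validated here)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                      ip_bytes(src_ip), ip_bytes(dst_ip))
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_TYPE_IPV4) + hdr + payload


class WifiBridgeSim:
    """Toy model (an assumption, not any vendor's implementation) of the MAC translation a
    hypervisor does for a bridged VM behind a Wi-Fi NIC that only accepts its own MAC."""

    def __init__(self, host_mac: str):
        self.host_mac = mac_bytes(host_mac)
        self.ip_to_vm_mac = {}  # IP (bytes) -> VM MAC (bytes), learned from ARP the VM sends

    def egress(self, frame: bytes) -> bytes:
        """Frame leaving a VM: remember which VM owns the sender IP, then put the host's MAC
        in the source field so the reply comes back addressed to the wireless NIC."""
        etype = struct.unpack("!H", frame[12:14])[0]
        payload = frame[14:]
        if etype == ETH_TYPE_ARP:
            sender_mac, sender_ip = payload[8:14], payload[14:18]
            self.ip_to_vm_mac[sender_ip] = sender_mac
        return frame[:6] + self.host_mac + frame[12:]

    def ingress(self, frame: bytes) -> bytes:
        """Frame the host's wireless NIC accepted (destination MAC is the host's). Choose the
        VM by IP: the IPv4 destination, or for ARP the target IP field, since ARP has no IP header."""
        etype = struct.unpack("!H", frame[12:14])[0]
        payload = frame[14:]
        if etype == ETH_TYPE_ARP:
            target_ip = payload[24:28]
        elif etype == ETH_TYPE_IPV4:
            target_ip = payload[16:20]
        else:
            return frame
        vm_mac = self.ip_to_vm_mac.get(target_ip)
        if vm_mac is None:
            return frame  # not a VM's address: the host's own stack keeps it
        return vm_mac + frame[6:]  # swap in the VM's MAC and send it on


# Constructed sample addresses for the walk-through.
HOST_MAC, HOST_IP = "00:11:22:33:44:55", "192.168.1.20"
VM_MAC, VM_IP = "00:0c:29:aa:bb:cc", "192.168.1.50"
GW_MAC, GW_IP = "00:aa:bb:cc:dd:ee", "192.168.1.1"
BCAST = "ff:ff:ff:ff:ff:ff"


def simulate() -> dict:
    bridge = WifiBridgeSim(HOST_MAC)
    # 1. The VM ARPs for the gateway; on the air the frame must carry the host's MAC.
    req = build_arp(BCAST, VM_MAC, ARP_REQUEST, VM_MAC, VM_IP, "00:00:00:00:00:00", GW_IP)
    on_air = bridge.egress(req)
    # 2. The gateway answers the host MAC; the bridge routes it by the ARP target IP.
    reply = build_arp(HOST_MAC, GW_MAC, ARP_REPLY, GW_MAC, GW_IP, HOST_MAC, VM_IP)
    to_vm = bridge.ingress(reply)
    # 3. An IPv4 packet for the VM's IP, again addressed to the host MAC on the air.
    pkt_to_vm = bridge.ingress(build_ipv4(HOST_MAC, GW_MAC, GW_IP, VM_IP, b"hello"))
    # 4. A packet for the host's own IP is left alone.
    stays = bridge.ingress(build_ipv4(HOST_MAC, GW_MAC, GW_IP, HOST_IP))
    return {
        "egress_src_mac": mac_str(on_air[6:12]),
        "arp_reply_dst_mac": mac_str(to_vm[:6]),
        "ip_dst_mac": mac_str(pkt_to_vm[:6]),
        "host_pkt_dst_mac": mac_str(stays[:6]),
        "learned": {".".join(map(str, ip)): mac_str(m) for ip, m in bridge.ip_to_vm_mac.items()},
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The practical consequence for a capture: a sniffer on the host's wireless adapter sees every VM frame with the host's source MAC, while a capture inside the guest sees the guest's own MAC, so the two traces will not agree on layer 2 addresses even though they carry the same packets.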

Reposted from: https://www.cnblogs.com/sec875/articles/10015864.html