• Status: Solved
  • Priority: Medium
  • Security: Public

Monitor / Sniff remote IP

Is it possible to sniff packets on a remote network / public IP address?

I believe it is possible to monitor traffic on a LAN, but are there any tools or methods out there to monitor traffic for a webserver on a remote network?


4 Solutions
Well, it's only possible to sniff traffic that is actually going to the NIC on the system that's doing the sniffing. Essentially, to sniff traffic from a particular system, you would need to:

A. Sniff the traffic with a machine that is on the same LAN (either through a hub, or a switch which supports port mirroring)

B. Sniff the traffic on the remote machine itself, and have it E-Mailed to you, posted to a webpage etc. (via a software package or the like)

C. Have the remote machine forward all packets to the monitoring machine (never tried this before. Theoretically it's possible, but I couldn't tell you how to do it)

You can only sniff the total traffic of that remote network. Usually you don't have the server alone using such an IP, often there is some sort of firewall or gadget which is directly connected to the internet, and the server is behind that on a switch or hub, often using another physical, local address. What you then see when using a sniffer is the total traffic from that firewall or gadget, and not just the server. You will be able to see if the "Services" of that server are running or not (again, if there aren't other servers on the same network serving the same service on the same port).
thewhirlwind (Author) Commented:
Thank you both for the replies:

Any suggestion of what application you would recommend for doing this? What I am afraid of is that, for example, with EE the login process seems not to be secure, so could someone intercept the data packets that contain people's (or my!) login details?

Does the interceptor need to sit on the LAN of EE, or can he be sitting and sniffing the WAN port of EE's webserver/gateway from a different physical and IP location?

I wish to understand the vulnerability of not using secure logins, whether it be websites, POP3, IMAP, etc.

The following site might give you some idea of tools with which you can scan your system for security holes:


Nmap is one such tool that you might be looking for.

It depends what you want to check the security for. If it is your LAN, I'd put it inside your LAN. If it is to check the security of your connection with the internet (like your example above), I'd put it in the WAN.

The login process with EE happens using a normal http connection, so that would indicate that someone who listens in would be able to successfully analyze that traffic. If the connection were using https, it would be more secure.
Anybody sitting at any point in the middle of the traffic with access to an interface at a network right between the traffic endpoints can sniff the whole communication.
This statement is true, where the communication is done via ethernet protocol (the LAN ... but at the ISP side may be a LAN too ... and the ISP may sniff you too ;-) ).

Ethernet spreads all packets to the adjacent NICs ... so if you don't have some means to prevent others from reading inside (like https, ssl, ssh, VPN, PPTP, ...) you can follow the entire communication line with a PC bound to any LAN in between...

regards Holger

http is a fully readable ASCII code as is FTP and TELNET ... so you can simply sniff passwords without having to hack them - beware to use your best passwords in insecure environments !
>>Is it possible to sniff packets on a remote network / public IP address?

>>I believe it is possible to monitor traffic on a LAN, but any tools or methods out there to monitor traffic for a webserver on a remote network?

Sort of - most people call this spyware.

If you want to sniff/packet capture a network, you need to have some kind of physical access to some or all of it.  Cisco makes a neat feature where you can do a "remote span" or rspan of a port and not be immediately in proximity to the port you're capturing, but at some point, you have to have physical access - unless you install some sort of spying software on the target.

While it is true that http is "in the clear" - a well designed site does not send usernames and passwords in the clear, but encrypts them with SSL.  For instance, try doing a packet capture on YOUR OWN MACHINE and then see if you can pick out your username and password logging into a public email system such as Yahoo or Hotmail - or your bank.

If you want to ensure that web traffic is fairly secure, then use SSL.  If you want to ensure your email is secure, encrypt it.  If you're concerned about secure traffic over the Internet, use VPN.  If you're concerned about security on your LAN, then design in encryption, authorization, and authentication mechanisms such as PKI.

Hope this helps.
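
The self-check suggested in the answer above (capture on your own machine and see what is readable), as an added example that is not part of the original thread: it classifies the first client payload of a connection as exposed credentials or TLS, without echoing the password. The sample payloads, host name, account and field names are constructed for illustration.

```python
import base64
import re
from urllib.parse import parse_qs

# Constructed sample payloads: the first bytes a client sends on a connection.
SAMPLES = {
    "http-form": b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
                 b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                 b"username=alice&password=s3cret",
    "http-basic": b"GET /mail HTTP/1.1\r\nHost: example.test\r\n"
                  b"Authorization: Basic " + base64.b64encode(b"alice:s3cret")
                  + b"\r\n\r\n",
    "pop3": b"USER alice\r\nPASS s3cret\r\n",
    "tls": bytes.fromhex("160301002a010000260303") + bytes(32),
}

# Assumed form field names that usually carry a secret.
SECRET_FIELDS = {"password", "passwd", "pass", "pwd"}

def classify(payload: bytes) -> str:
    """Return what an on-path observer could read from this client payload."""
    # TLS record header: content type 0x16 (handshake), major version 0x03.
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "encrypted (TLS handshake)"
    text = payload.decode("latin-1")
    m = re.search(r"^Authorization: Basic (\S+)", text, re.I | re.M)
    if m:
        # Basic auth is only base64, so the user name is directly recoverable.
        user = base64.b64decode(m.group(1)).decode("latin-1").partition(":")[0]
        return f"cleartext HTTP Basic credentials for user {user!r}"
    if re.match(r"[A-Z]+ \S+ HTTP/1\.[01]\r\n", text):
        body = text.partition("\r\n\r\n")[2]
        if SECRET_FIELDS & {k.lower() for k in parse_qs(body)}:
            return "cleartext HTTP form containing a password field"
        return "cleartext HTTP, no credential seen"
    if re.search(r"^PASS \S+", text, re.M):
        return "cleartext PASS command (POP3/FTP style)"
    return "unrecognised"

def audit(samples: dict) -> dict:
    """Classify every sample; verdicts never include the secret itself."""
    return {name: classify(data) for name, data in samples.items()}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLES).items():
        print(f"{name:10s} {verdict}")
```
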
thewhirlwind (Author) Commented:
Thank you all for your feedback, I believe I have a better understanding of essentially how unsecure data can be in a public or even private network.

My next question will be on WLAN security and its shortfalls.

thanx too.
