cain & able

hey guy's anyone familar with cain & able I was wondering why my ethernet interface address (10.1.2.160) isn't showing up in the dialog box?

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

JDMurray

Can you see the IP address when you do an ipconfig /all? If so, with what device is it associated? It may be that C&A can't configure (sniff) that type of device, so it doesn't list it.

aueddonline

It shows up in the ipconfig /all readout,

the 10.1.2.160 is tha ethernet adapter on the laptop i have C&A on, the 192.168.2.4 that shows in the dialogbox is the wireless adapter on the same laptop.

before I changed the ethenet address of my laptop to 10.1.2.160 the sniffer worked fine on that interface and the IP address was showing up in the dialog box (the first in the list).

JDMurray

Your laptop can communicate using the 10.1.2.160 adapter? If you change the network adapter back to the previous IP address and netmask, does C&A see it again? Was the previous IP address on the same subnet as your wireless adapter?

aueddonline

yes it does see it if I change it back

yes the two are on the same subnet

JDMurray

Try disabling the wireless adapter and see if C&A can suddenly see the 10.1.2.160 adapter. Is your laptop configured to act as a router between the two adapters?

aueddonline

ok i tried disabling the wireless adapter and what happen was that disapeard in the dialog box but the address of the the ethernet adapter was 255.255.255 etc, same as before.

the only difference with the two setups I have is that when using the 10.1.2.160 address the ethernet is connected to a cisco switch.

and when using the 192.168.2.2 the address is given out via DHCP by my home belkin router which has a hub in the back of it, which the ethenet is connected to

aueddonline

i forgot to mention your router point

as far as I know the laptop is not acting as a router between the two, how would i know?

I can normally access two networks at the same time is I have each NIC configured on different subnets,

JDMurray

Well, I'm a bit stumped. I use Cain on a computer with multiple Ethernet adapters on multiple subnets, including VMWare virtual adapters, and Cain can see and use all the adapters. When I en/disable adapters, or change their IP address, they change and dis/appear from Cain without needing to reboot. All Cain is doing is reading the list of enabled network adapters from Windows each time the Configuration Dialog box is displayed.

Why Cain would choose not to display an adapter when only its IP address is changed is a mystery to me. If it never displayed the adapter then I'd say that WinPcap doesn't support the adapter's driver, but you have the latest WinPcap (v.4.0.2) installed. The only thing I can think of is to install WinDump and run the WinDump -D command to see if the adapter is detected by WinPcap. I assume it will be.

aueddonline

i just checked the 'start sniffer on startup box' in the dialog box above and it's showing the IP address and mask now, I swear i had that box checked before with no change so don't know if that's what has done it

the ' windump -d' command is only showing listening on the wireless adapter so i might not be at the end of the tunnel yet.

thanks for your help JD, Appreciated

JDMurray

aueddonline wrote:

i just checked the 'start sniffer on startup box' in the dialog box above and it's showing the IP address and mask now, I swear i had that box checked before with no change so don't know if that's what has done it

That should have no effect. I select different network adapters all the time with the sniffer either on or off, and I've never seen a disappearing adapter before.

aueddonline wrote:

the ' windump -d' command is only showing listening on the wireless adapter so i might not be at the end of the tunnel yet.

That's a bad sign. Do you have the latest release of your adapter's driver installed?

aueddonline wrote:

thanks for your help JD, Appreciated

It's no problem at all; I love a good computer mystery!

aueddonline

hey I worked out what it was, i was just having trouble with the other client on the subnet as it couldn't ping the switch.

Both devices had the same IP

I know I'm bad, really bad

so what must have happened is the PC loaded up first before and started using the ip address first, stopping my laptop using it.

And the second time round the laptop got there first and C&A liked the interface, explains why changing the IP back to the 192 had it working again.

still having the 'windump -d' problem I have 4.0.2 installed because it came with wireshark i did download that before C&A, in programs I can only see the one version, I might re install C&A tomorrow and see what version it's using, check it's the new one.

On a brighter note i just did my first poison arp and sniffed the password the imaginary administrator was using to telnet to the switch

Happy days

JDMurray

Duplicate IPs was enough to prevent WinPcap from recognizing the adapter? That doesn't make sense to me at all. I just tried that on my own network and Cain still showed the adapter. Still, I'll be making a note of that in my long-term memory. Good detective work!