
Scenario

In this scenario we are assuming an SME has a Network Cabinet and, for some
reason (possibly because so few devices participate on their network), they
only have 1 Switch, but 2 Routers are mysteriously required to suit their needs. This
hypothetical SME is not an IT company and we can assume some guy set up their
network, which also features a few Computers and IP Phones. All network
equipment is in the same insecure cabinet and the SME's manager is reportedly
treating an employee with contempt (almost as if they know they've been talking
about them behind their back). On inspection of the cabinet and the network
documentation we have discovered a rogue hub has been discreetly added to the
network and the topology now resembles the following:

Equipment Breakdown (All included in the above topology)


2 x Router
1 x Switch
2 x IP Phone
1 x PC
Task - Capturing and playing back a phone conversation
The Lab has been set up to match the above topology. Essentially we are
investigating what process the manager used to find out he was being talked about.
On the only PC pictured in the above topology we are going to use Wireshark to
capture RTP (Real-time Transport Protocol) Streams, which will ultimately let us
play back conversations made between both IP telephones.

1. Open Wireshark and under the Capture menu select Capture Filters...

2. Ensure that we are capturing data using the actual physical network card and
not one associated with any virtual machines. Ensure Enable promiscuous
mode on all interfaces is checked and then click on Start.

We are now listening to all Network Communications on the network card; we'll
know this is the case as the window below fills with captured packets.

3. Wireshark would need to be running whilst a telephone conversation was
taking place on the network so that it could be captured. To simulate this
you'll have to make a conversation between both IP phones in the lab.

4. After completing your phone call go back to Wireshark and under the
Capture menu click on Stop which stops Wireshark from capturing any more
packets.

5. You then need to find a packet, from the many you have captured, which has
been sent from one IP phone to the other. Last week the assigned IP
addresses to the phones were 192.168.1.2 and 192.168.1.3; however, these
may have changed. You can check an IP phone's address by using the
phone's menu.

6. Once you have found a suitable UDP packet sent between both IP phones,
right click on it and select Decode As...

7. Currently our UDP packet has not been decoded into any other format, but if
we click on the drop-down list in the Current column we can choose to
decode the packet as an RTP Packet. After selecting RTP from the drop-down
list click OK.

8. Now Wireshark views our packet as an RTP packet (evidence of this is in the
example below, as the bottom packet has changed to an RTP Packet). With
that the case, go into the Telephony menu and under RTP select Stream
Analysis.

9. The Stream Analysis dialogue box opens; from here select Play Streams.

10. Finally pressing the Play button here will play back your likely inappropriate,
captured conversation.

DONE!
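
Added example (not part of the original lab sheet): the fixed RTP header that steps 6 to 8 ask Wireshark to decode from a raw UDP payload, parsed by hand so you can see which fields confirm a packet really is RTP. The names parse_rtp, CODECS and SAMPLE are made up for this illustration, and SAMPLE is a constructed packet, not one captured in the lab.

```python
import struct

# Static payload types (RFC 3551) commonly seen from IP phones.
CODECS = {0: "PCMU", 3: "GSM", 8: "PCMA", 9: "G722", 18: "G729"}


def parse_rtp(udp_payload: bytes):
    """Return the RTP header fields as a dict, or None if the bytes cannot be RTP."""
    if len(udp_payload) < 12:          # fixed header is 12 bytes
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", udp_payload[:12])
    if b0 >> 6 != 2:                   # RTP version must be 2
        return None
    offset = 12 + 4 * (b0 & 0x0F)      # skip CSRC identifiers
    if b0 & 0x10:                      # X bit: header extension follows
        if len(udp_payload) < offset + 4:
            return None
        _profile, ext_words = struct.unpack("!HH", udp_payload[offset:offset + 4])
        offset += 4 + 4 * ext_words
    end = len(udp_payload)
    if b0 & 0x20:                      # P bit: last byte is the padding length
        pad = udp_payload[-1]
        if pad == 0 or pad > end - offset:
            return None
        end -= pad
    if offset > end:                   # header claims more bytes than we have
        return None
    pt = b1 & 0x7F
    return {
        "payload_type": pt,
        "codec": CODECS.get(pt, "dynamic/unknown"),
        "marker": bool(b1 & 0x80),
        "sequence": seq,
        "timestamp": ts,
        "ssrc": ssrc,
        "payload_len": end - offset,
    }


# Constructed sample: version 2, PT 0 (PCMU), 160 bytes = 20 ms of 8 kHz audio.
SAMPLE = struct.pack("!BBHII", 0x80, 0x00, 1000, 160000, 0x1234ABCD) + b"\xff" * 160

if __name__ == "__main__":
    print(parse_rtp(SAMPLE))
```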

Questions to consider....
1. In this exercise we were capturing Packets as opposed to Frames using
Wireshark. How do we know that's the case?
2. Eavesdropping on the network here contravenes which law(s), if any?
3. What basic levels of security could we introduce to prevent this from
happening?
