2. Packet Capturing
Computer software that can intercept and log traffic passing over a digital
network, or part of a network, is better known as a packet sniffer.
The sniffer captures these packets by setting the NIC in
promiscuous mode and then decodes them.
In a network, promiscuous mode allows a network device to intercept and
read every network packet that arrives, in its entirety.
It is the ultimate troubleshooting tool.
4. Packet Sniffer
A packet sniffer is a program running on a network-attached device that
passively receives all data link layer frames passing through the device's
network adapter. It is also known as a Network or Protocol Analyzer or an
Ethernet Sniffer.
The packet sniffer captures data that is addressed to other machines,
saving it for later analysis.
Packet sniffing is a passive technique: no one is attacking your computer
or rummaging through its files. Most of the time, a system administrator uses a
packet sniffer to troubleshoot network problems.
5. Sniffing Methods
Sniffing methods work in both switched and non-switched networks.
Network types:
Switched Networks
Non-Switched Networks
Sniffing Methods:
IP Based Sniffing
MAC Based Sniffing
ARP Based Sniffing
6. Sniffing Methods (Cont.)
IP Based Sniffing
It works by putting the network card into promiscuous mode and sniffing all packets
matching the IP address filter. Normally, the IP address filter isn’t set so it can capture all
the packets. This method only works in non-switched networks.
MAC Based Sniffing
This method works by putting the network card into promiscuous mode and sniffing all
packets matching the MAC address filter.
ARP Based Sniffing
This method works a little differently. It doesn't put the network card into promiscuous
mode. This isn't necessary, because the ARP packets will be sent to us. This happens because
the ARP protocol is stateless. Because of this, sniffing can be done on a switched network.
7. Why we use sniffers?
Detection of clear-text usernames and passwords on the
network.
Network intrusion detection in order to discover hackers.
Used to debug communication between a client and a
server.
Used to make the network more secure: in order to get
through to your network, traffic must pass through the packet
sniffer.
Used to troubleshoot network issues.
8. Capabilities of Sniffers
A sniffer program allows a user to watch all network
traffic over any network interface connected to the host
machine.
A sniffer program can watch TCP, IP, UDP, ICMP, ARP and
RARP.
A sniffer also lets you watch port-specific traffic for
monitoring HTTP, FTP, Telnet, etc.
9. Implementation
Create a raw socket.
Put it in a “recvfrom” loop and receive data on it.
A raw socket when put in “recvfrom” loop receives all incoming packets. This is
because it is not bound to a particular address or port.
#include <sys/socket.h>
#include <netinet/in.h>
unsigned char buffer[65536];                 /* room for one maximum-size IP datagram */
struct sockaddr saddr; socklen_t saddr_size = sizeof(saddr);
/* raw AF_INET socket: delivers incoming packets of the chosen protocol, IP header
   included; opening it requires root (CAP_NET_RAW) */
int sock_raw = socket(AF_INET, SOCK_RAW, IPPROTO_TCP);
while (1) {
    /* each call returns one complete packet into buffer; data_size is its length */
    int data_size = recvfrom(sock_raw, buffer, sizeof(buffer), 0, &saddr, &saddr_size);
}
That's all. The buffer will hold the data sniffed or picked up. The sniffing part
is actually complete at this point. The next task is to read the
captured packet, analyze it and present it to the user in a readable
format.
10. Detection Of Sniffers
The DNS Test
In this method, the detection tool itself is in promiscuous mode. We
create numerous fake TCP connections on our network segment,
expecting a poorly written sniffer to pick up on those connections and
resolve the IP addresses of the nonexistent hosts.
The ARP Test
• When a sniffer is suspected on a switched network, a utility called
"arpwatch" is available. This utility lets one monitor the ARP
cache of a machine and look for duplicate entries for a machine.
• If duplicates are found, alarms may be triggered, which can lead to the detection of
sniffers.
11. Detection Of Sniffers (Cont.)
The Ping Test
• Uses the fact that if a ping request is sent to a host's IP address but
with a MAC address that does not belong to it, it should not be seen by anyone on the
network, since the MAC address will not find a match.
• Each Ethernet adapter will reject the request.
• If there is a sniffer on the machine with that IP address, there will be a
response, because that machine doesn't reject packets with a MAC
address belonging to other destinations.
• An old method, no longer considered reliable.
12. Conclusion
Packet sniffers are a serious matter for network security.
A packet sniffer is not just a hacker’s tool. It can be used for network
troubleshooting and other useful purposes.
However, in the wrong hands, a packet sniffer can capture sensitive
personal information that can lead to invasion of privacy.