PACKET SNIFFING
Shyama Bhuvanendran Sheela
Contents
• What is packet sniffing?
• Packet Sniffers
• Network Interface Controller (NIC)
• Monitoring Traffic
• Sniffing Techniques
• Address Resolution Protocol (ARP)
• ARP Spoofing
• Sniffer Detection
What is packet sniffing?
• A method of monitoring each packet as it flows through the network.
• A technique in which a user sniffs data belonging to other users of the
network.
[Figure: a LAN with Machine A, Machine B, Machine C and Machine D, and a Sniffer attached to the same segment]
Packet Sniffer
• Programs that capture and decode the frames and packets travelling across a network link.
• Also referred to as a protocol analyzer, packet analyzer, network monitor or
network analyzer.
• Captures all of the packets of data that pass through a given network
interface.
 Types:
1. Commercial packet sniffers: used by network administrators to help
maintain networks.
2. Underground packet sniffers: used by those folks who sniff sensitive
information for personal gain.
Packet Sniffer
 Some Uses:
1. Gather and report network statistics.
2. Solve communication problems. E.g. find out why computer A cannot
communicate with computer B.
3. Analyze network performance. E.g. identify bottlenecks in the network.
4. Retrieve usernames and passwords of people logging onto the network, when
the login protocol sends them in the clear (e.g. Telnet, FTP, HTTP without TLS).
5. Detect network intruders.
Packet Sniffer
 Widely used packet sniffers:
1. dSniff
2. Wireshark
3. LanDetective
4. Microsoft Network Monitor
5. Capsa
6. tcpdump
7. SkyGrabber
8. Xplico
Network Interface Controller (NIC)
• The hardware interface between a computer and a network.
• The computer uses the NIC to connect to the local network (a hub, switch or
access point), which in turn reaches the internet through a router.
 NIC promiscuous mode:
• By default a NIC passes to the operating system only the frames addressed to
its own MAC address, to the broadcast address, or to a multicast group it has
joined; frames meant for other hosts are discarded by the adapter itself.
• So, by default, you cannot see traffic belonging to other computers even when
it arrives on your cable.
• With promiscuous mode turned on, the adapter accepts every frame that reaches
it, whatever the destination address, and hands it to the capture tool.
• Promiscuous mode only helps with frames that physically arrive at your port;
whether they do depends on whether the segment is hub-based or switch-based.
Monitoring Traffic
 Hub-based Networks :
• When a packet arrives, the hub simply retransmits it to its other ports.
• Sufficient to turn on promiscuous mode to get access to all the network
traffic.
 Switch-based Networks :
• Majority of local networks are switch-based.
• Switch - maintains a table of MAC addresses and ports.
• When a frame arrives, the switch looks up the destination MAC address in the
table and forwards the frame only out of the matching port; a destination it
has not learned yet is flooded out of every port.
• Unicast traffic between two other hosts therefore never reaches your port, so
promiscuous mode alone shows you only broadcasts, flooded frames and your own
traffic.
Monitoring Traffic
 Sniffing techniques that work on a switched network:
• ARP spoofing
• MAC flooding
• MAC duplicating
• ICMP redirection
• DHCP spoofing
• Port stealing
[Figure: a Switch with an Attacker positioned between two Victims]
Sniffing Techniques
 MAC Flooding:
• Switches maintain a ‘MAC table’ (also called the CAM table).
• The MAC table maps the MAC addresses of the host computers on the network to
the switch ports they are connected to, and it has a fixed size.
• AIM: fill this MAC table so the switch can no longer use it.
• The attacker sends a huge number of Ethernet frames, each with a different,
made-up source MAC address.
• The switch learns each one, flooding the memory used to store the MAC table.
• MAC addresses of legitimate users are pushed out or can no longer be added.
• Frames for those hosts are now ‘unknown’ destinations, so the switch floods
them out of every port: it enters a fail-open mode and behaves like a hub, and
a promiscuous NIC on any port sees the traffic.
• Caveat: this is noisy (thousands of frames per second and a table full of
random addresses) and is defeated by port security, which limits the number of
MAC addresses learned per port.
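The hub-versus-switch behaviour, NIC promiscuous mode and MAC flooding described on the last few slides, as an added simulation (not code from the original deck): a sniffer on port 3 sees an A-to-B unicast frame on a hub, not on a switch, again on a switch whose MAC table has been flooded, and not when port security caps the addresses a port may learn. The topology, MAC addresses, table size and eviction policy are constructed for the example; real switches differ in how they react to a full table.

```python
"""Added model of what a sniffer's NIC sees on a hub, on a switch, and on a
switch whose MAC table has been flooded. Pure simulation, no network I/O;
the MAC addresses, port numbers and table size are constructed values."""
from collections import OrderedDict

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed topology: port -> MAC of the host plugged into it.
PORTS = {1: "aa:aa:aa:aa:aa:01", 2: "aa:aa:aa:aa:aa:02", 3: "cc:cc:cc:cc:cc:03"}
A, B, SNIFFER = PORTS[1], PORTS[2], PORTS[3]


def nic_delivers(frame_dst, own_mac, promiscuous):
    """Does the adapter hand a frame that reached its port up to the OS?
    A normal NIC keeps only frames for its own MAC or the broadcast address;
    in promiscuous mode it keeps everything."""
    return promiscuous or frame_dst in (own_mac, BROADCAST)


class Hub:
    """A hub repeats every frame to every port except the one it arrived on."""

    def forward(self, in_port, src, dst, ports):
        return {p for p in ports if p != in_port}


class Switch:
    """A switch learns source MACs per port and forwards unicast frames only
    to the learned port; unknown destinations are flooded like a hub.
    `capacity` is the finite MAC (CAM) table; `max_macs_per_port` models a
    port-security limit (None = no limit)."""

    def __init__(self, capacity, max_macs_per_port=None):
        self.capacity = capacity
        self.max_macs_per_port = max_macs_per_port
        self.table = OrderedDict()  # mac -> port, oldest entry first

    def learn(self, mac, port):
        """Record mac on port. Returns False if port security refuses it."""
        if mac in self.table:
            self.table.move_to_end(mac)
            return True
        if self.max_macs_per_port is not None:
            on_port = sum(1 for p in self.table.values() if p == port)
            if on_port >= self.max_macs_per_port:
                return False
        if len(self.table) >= self.capacity:
            self.table.popitem(last=False)  # table full: evict the oldest entry
        self.table[mac] = port
        return True

    def forward(self, in_port, src, dst, ports):
        if not self.learn(src, in_port):
            return set()  # port-security violation: frame discarded
        if dst != BROADCAST and dst in self.table:
            return {self.table[dst]} - {in_port}
        return {p for p in ports if p != in_port}  # unknown destination: flood


def sniffer_sees(device, promiscuous, flood_frames=0):
    """True if the host on port 3 receives a unicast frame from A to B after
    the attacker on port 3 has sent `flood_frames` frames with bogus sources."""
    ports = list(PORTS)
    # Normal traffic first, so a switch learns where A, B and the sniffer are.
    device.forward(1, A, B, ports)
    device.forward(2, B, A, ports)
    device.forward(3, SNIFFER, BROADCAST, ports)
    # MAC flooding: every frame carries a fresh, made-up source address.
    for i in range(flood_frames):
        fake_src = "02:00:00:%02x:%02x:%02x" % ((i >> 16) & 0xFF, (i >> 8) & 0xFF, i & 0xFF)
        device.forward(3, fake_src, BROADCAST, ports)
    out_ports = device.forward(1, A, B, ports)
    return 3 in out_ports and nic_delivers(B, SNIFFER, promiscuous)


if __name__ == "__main__":
    print("hub, promiscuous NIC:      ", sniffer_sees(Hub(), True))
    print("hub, normal NIC:           ", sniffer_sees(Hub(), False))
    print("switch, promiscuous NIC:   ", sniffer_sees(Switch(capacity=8), True))
    print("switch after MAC flood:    ", sniffer_sees(Switch(capacity=8), True, 20))
    print("switch with port security: ", sniffer_sees(Switch(8, max_macs_per_port=1), True, 20))
```

The eviction-on-full policy is one way a switch can fail open; other switches simply stop learning when the table is full, which has the same effect for hosts whose entries later time out. Either way the sniffer only benefits while the flood keeps the table saturated.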
Address Resolution Protocol (ARP)
• Maps a logical address (IP address) to a physical address (MAC address)
within a LAN.
• Physical (MAC) addresses are meaningful only inside the local broadcast
domain.
• Logical (IP) addresses are what hosts outside the LAN use to reach it.
• “ARP is a stateless protocol that does not require authentication, so a
simple ARP reply packet sent to each host will force an update in their ARP
cache.”
[Figure: a broadcast domain containing Host A, Host B, Host C and Host D; Host A initiates an ARP request that reaches every host, and an ARP reply comes back to Host A]
Address Resolution Protocol (ARP)
• Each host maintains a cache of IP/MAC address pairs.
• E.g. Host A wants the MAC address corresponding to an IP address on the LAN.
• Host A sends a broadcast ARP request.
• Every computer in the broadcast domain compares the requested IP address with
its own IP address.
• Host B, which owns the requested IP address, sends a unicast reply with its
MAC address.
• Host A records the pair in its ARP cache.
• The cache is updated without any authentication, and most stacks also accept
replies they never asked for - WEAKNESS
ARP Spoofing
• Nothing prevents other computers from replying to an ARP request, or from
sending replies that nobody requested.
• Attacker sends “fake” ARP messages.
• Thus mapping the attacker’s MAC address to another host’s (the victim’s) IP
address.
• All packets sent to the victim’s IP address will now be delivered to the
attacker, who reads them and normally forwards them on to the real victim so
that neither side notices the detour.
 Steps:
1. Attacker Z, Victim A and Victim B are attached to the same switch. A and B
request each other’s MAC address with ordinary broadcast ARP requests; Z sees
the broadcasts and now has the IP address and MAC address of both victims.
2. Z sends A an ARP reply carrying Z’s MAC address and B’s IP address.
3. Z sends B an ARP reply carrying Z’s MAC address and A’s IP address.
4. A and B update their ARP caches:
A’s ARP Cache
IP Addresses      MAC Addresses
B’s IP Address    Z’s MAC Address
Z’s IP Address    Z’s MAC Address
B’s ARP Cache
IP Addresses      MAC Addresses
A’s IP Address    Z’s MAC Address
Z’s IP Address    Z’s MAC Address
5. Z has access to all packets exchanged between A and B.
[Figure: Attacker Z, Victim A and Victim B connected to a Switch, with the spoofed replies drawn from Z to each victim]
ARP Spoofing
 ARP Cache Re-poisoning:
• ARP cache entries expire after a timeout (seconds to minutes depending on the
OS) and are refreshed by new ARP traffic, including the real host’s own
replies.
• The attacker therefore re-sends the spoofed replies regularly, typically
every few seconds, to keep the poisoned entries in place.
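The ARP exchange and the spoofing steps above, as an added worked example that is not part of the original deck: it encodes and decodes the 28-byte ARP payload that follows the Ethernet header, then simulates three hosts whose caches follow the RFC 826 merge rule (overwrite an existing entry with whatever the sender claims; add a new one when the packet targets this host). Z never has to answer a request: two unsolicited replies are enough to rewrite A’s and B’s caches exactly as the tables on the previous slide show. The hosts, addresses and the absence of any timeout are constructed assumptions; nothing touches a real interface.

```python
"""Added example: the 28-byte ARP payload on the wire, and hosts whose caches
merge whatever a packet claims, as RFC 826 describes. The three hosts and
their addresses are constructed; nothing here touches a real interface."""
import socket
import struct

HTYPE_ETHERNET, PTYPE_IPV4 = 1, 0x0800
ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ZERO_MAC = "00:00:00:00:00:00"


def mac_to_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def bytes_to_mac(b):
    return ":".join("%02x" % x for x in b)


def build_arp(oper, sender_mac, sender_ip, target_mac, target_ip):
    """Encode an Ethernet/IPv4 ARP payload (the part after the Ethernet header)."""
    return struct.pack(ARP_FMT, HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, oper,
                       mac_to_bytes(sender_mac), socket.inet_aton(sender_ip),
                       mac_to_bytes(target_mac), socket.inet_aton(target_ip))


def parse_arp(payload):
    """Decode an ARP payload into a dict; rejects anything but Ethernet/IPv4."""
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"oper": oper, "sha": bytes_to_mac(sha), "spa": socket.inet_ntoa(spa),
            "tha": bytes_to_mac(tha), "tpa": socket.inet_ntoa(tpa)}


class Host:
    """A host with an ARP cache that follows the RFC 826 merge rule."""

    def __init__(self, mac, ip):
        self.mac, self.ip = mac, ip
        self.cache = {}  # ip -> mac

    def receive(self, payload):
        """Process one ARP packet; returns a reply payload or None."""
        pkt = parse_arp(payload)
        for_me = pkt["tpa"] == self.ip
        # Merge: an existing entry is overwritten with whatever the sender
        # claims, and a new one is added when the packet targets this host.
        # Nothing checks that the sender really owns pkt["spa"].
        if for_me or pkt["spa"] in self.cache:
            self.cache[pkt["spa"]] = pkt["sha"]
        if for_me and pkt["oper"] == ARP_REQUEST:
            return build_arp(ARP_REPLY, self.mac, self.ip, pkt["sha"], pkt["spa"])
        return None


def spoof_demo():
    """Legitimate resolution between A and B, then Z poisons both caches.
    Returns (A's cache before, A's cache after, B's cache after)."""
    a = Host("aa:aa:aa:aa:aa:aa", "192.0.2.10")  # constructed addresses
    b = Host("bb:bb:bb:bb:bb:bb", "192.0.2.20")
    z = Host("cc:cc:cc:cc:cc:cc", "192.0.2.30")
    # Step 1: A broadcasts "who has B?"; the broadcast reaches B and Z.
    request = build_arp(ARP_REQUEST, a.mac, a.ip, ZERO_MAC, b.ip)
    for host in (b, z):
        reply = host.receive(request)
        if reply is not None:
            a.receive(reply)  # only B answers, by unicast
    before = dict(a.cache)
    # Steps 2 and 3: unsolicited replies from Z, one to each victim.
    a.receive(build_arp(ARP_REPLY, z.mac, b.ip, a.mac, a.ip))  # "B is at Z"
    b.receive(build_arp(ARP_REPLY, z.mac, a.ip, b.mac, b.ip))  # "A is at Z"
    return before, dict(a.cache), dict(b.cache)


if __name__ == "__main__":
    before, a_after, b_after = spoof_demo()
    print("A before:", before)
    print("A after: ", a_after)
    print("B after: ", b_after)
```

The simulation has no cache timeout, so a single spoofed reply sticks; on a real host the entry expires and the legitimate owner’s replies compete with the attacker’s, which is why the re-poisoning slide above applies.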
Sniffer Detection
• Difficult in non-switched (hub) environments: a promiscuous NIC is purely
‘passive’ and transmits nothing of its own.
• Easier in switched environments: the sniffer has to be ‘active’ (ARP
spoofing, MAC flooding) and that traffic can be observed.
• Detecting machines running in promiscuous mode:
• Send a packet that a normal NIC would discard, e.g. an ICMP echo request in
an Ethernet frame whose destination MAC address is bogus but whose IP address
is the suspect’s. A normal NIC drops the frame in hardware; a host in
promiscuous mode passes it up the stack and answers the ping, revealing the
sniffer. (Not airtight: adapters filter differently and a host firewall can
suppress the reply.)
• Monitor ARP traffic and caches: an IP address whose MAC address changes, or
one MAC address claiming several IP addresses, is the signature of ARP
spoofing.
• Tools such as AntiSniff, Neped, ARPwatch and Snort can detect sniffers
non-intrusively.
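The ARP-monitoring check above, as an added example that is not part of the original deck: an ARPwatch-style detector that replays ARP replies from text in the form tcpdump prints them and raises an alert when an IP address moves to a different MAC address and when one MAC address claims more than one IP address. The log lines are constructed for the example and reproduce the poisoning sequence from the ARP spoofing slides, including one re-poisoning reply that must not produce a second alert.

```python
"""Added ARPwatch-style detector: replays ARP replies from tcpdump-style text
and flags an IP whose MAC changed and a MAC that claims several IPs.
The log lines below are constructed for the example."""
import re
from collections import defaultdict

# Matches tcpdump's rendering of an ARP reply, e.g.
# "12:00:01.000100 ARP, Reply 192.0.2.20 is-at bb:bb:bb:bb:bb:bb, length 28"
REPLY_RE = re.compile(r"ARP, Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9A-Fa-f:]{17})")

# Constructed capture: B answers A, then Z claims B's and A's addresses,
# then Z re-poisons B's entry 30 seconds later.
SAMPLE_LOG = """\
12:00:01.000000 ARP, Request who-has 192.0.2.20 tell 192.0.2.10, length 28
12:00:01.000100 ARP, Reply 192.0.2.20 is-at bb:bb:bb:bb:bb:bb, length 28
12:00:05.000000 ARP, Reply 192.0.2.20 is-at cc:cc:cc:cc:cc:cc, length 28
12:00:05.000200 ARP, Reply 192.0.2.10 is-at cc:cc:cc:cc:cc:cc, length 28
12:00:35.000000 ARP, Reply 192.0.2.20 is-at cc:cc:cc:cc:cc:cc, length 28
""".splitlines()


def detect_arp_anomalies(lines):
    """Return a list of alert strings, one per new anomaly, in log order."""
    ip_to_mac = {}                 # last MAC seen for each IP
    mac_to_ips = defaultdict(set)  # every IP each MAC has claimed
    alerts = []
    for line in lines:
        m = REPLY_RE.search(line)
        if m is None:
            continue  # requests and non-ARP lines carry no binding
        ip, mac = m.group(1), m.group(2).lower()
        old = ip_to_mac.get(ip)
        if old is not None and old != mac:
            alerts.append("changed: %s moved from %s to %s" % (ip, old, mac))
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                alerts.append("duplicate: %s claims %s" % (mac, sorted(mac_to_ips[mac])))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_anomalies(SAMPLE_LOG):
        print(alert)
```

Both signals have benign causes (a replaced NIC or a DHCP lease moving between machines for the first, a router or a host with several addresses for the second), so in practice the detector is seeded with a whitelist of known bindings and the alerts are reviewed rather than acted on automatically.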
References
• ‘Packet sniffing: a brief introduction’, http://ieeexplore.ieee.org.ezproxy.gsu.edu/document/1166620/?reload=true
• ‘Detection of ARP Spoofing: A command line execution method’, http://ieeexplore.ieee.org.ezproxy.gsu.edu/document/6828085/
• https://landetective.com/products/internet-monitor/manual/traffic-analysis.html (date visited: Nov 28, 2017)
• ‘A Security Framework against ARP Spoofing’, http://ieeexplore.ieee.org.ezproxy.gsu.edu/stamp/stamp.jsp?arnumber=7359227
• https://www.ukessays.com/essays/information-technology/the-history-of-packet-sniffing-information-technology-essay.php (date visited: Dec 10, 2017)
• http://www.omnisecu.com/ccna-security/dhcp-starvation-attacks-and-dhcp-spoofing-attacks.php (date visited: Dec 10, 2017)
THANK YOU