
An Overview of Network Sniffers

A sniffer is a program or device that monitors data traveling over a network. Sniffers can be used for legitimate activities, such as network management and troubleshooting, or for illegitimate activities, such as stealing information found on a network. A variety of sniffers are available, including commercial and open-source variations.

Some of the simplest types use a command-line interface to dump captured data onto the screen, while more sophisticated types use a graphical user interface (GUI), can graph traffic statistics, track multiple sessions, and offer different configuration options. Network utilization and monitoring programs often use sniffers to gather data for metrics and analysis. Generally, a sniffer only copies traffic as it passes: it does not block or alter the data it captures, which is also why sniffing is hard to notice from the network side.

The objective of sniffing is to steal the following:

How Does a Sniffer Work?

The most common way of networking computers is through Ethernet. A computer connected to an Ethernet LAN has two addresses. One is the Media Access Control (MAC) address, a 48-bit value that identifies each node on the local area network (LAN). It is burned into the network card, although the operating system can override it in software, so it should not be treated as a reliable identity. The Ethernet protocol uses the MAC address when building the frames that carry data to and from a system. The other is the Internet Protocol (IP) address, a numerical address used to transfer data through routers and across multiple networks or wide area networks (WANs).

The data link layer addresses an Ethernet frame with the MAC address of the destination machine rather than its IP address, so before a host can send an IP packet to another machine on the same subnet it has to find out which MAC address belongs in the frame. Address Resolution Protocol (ARP) provides that mapping from IP addresses to MAC addresses. The host first looks for the destination's MAC address in a table, usually called the ARP cache. If no entry is found for the IP address, the host broadcasts an ARP request to all machines on the local subnet. The machine that owns that IP address responds to the source machine with its MAC address, which is then added to the source machine's ARP cache. The source machine uses this MAC address in all its subsequent communications with the destination machine until the cache entry expires. ARP carries no authentication: a host accepts whatever mapping it receives, and that is the property attackers rely on when they want to redirect traffic on a switched LAN.
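The ARP exchange described above, as an added example that is not part of the original article: two hosts on a shared medium, a cache lookup, a broadcast request on a miss, and a unicast reply that fills the cache. The frame layout follows RFC 826, but the host, LAN and resolve() names, the MAC and IP values, and the SharedLan model itself are assumptions made for this illustration. The receive() path also shows the caveat from the text: a reply is cached whether or not a request was ever sent.

```python
import struct
from typing import Dict, List, Optional

ETH_P_ARP = 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp(op: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str,
              eth_dst: Optional[str] = None) -> bytes:
    """Ethernet frame carrying an RFC 826 ARP packet. eth_dst defaults to target_mac."""
    eth = struct.pack("!6s6sH", mac_bytes(eth_dst or target_mac), mac_bytes(sender_mac), ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s",
                      1, 0x0800, 6, 4,        # Ethernet hardware, IPv4 protocol, address lengths
                      op,
                      mac_bytes(sender_mac), ip_bytes(sender_ip),
                      mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame: bytes) -> Optional[dict]:
    """Decode the ARP fields of a frame, or return None if it is not Ethernet/IPv4 ARP."""
    if len(frame) < 42:
        return None
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_dst": mac_str(eth_dst), "op": op, "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}


class Host:
    """Assumed minimal host: one MAC, one IP, an ARP cache keyed by IP."""

    def __init__(self, mac: str, ip: str) -> None:
        self.mac, self.ip = mac, ip
        self.arp_cache: Dict[str, str] = {}     # IP -> MAC

    def receive(self, frame: bytes) -> Optional[bytes]:
        """Handle one inbound frame; return a frame to transmit, if any."""
        arp = parse_arp(frame)
        if arp is None or arp["eth_dst"] not in (self.mac, BROADCAST):
            return None                          # not for us: a non-promiscuous card drops it
        if arp["op"] == ARP_REQUEST and arp["tpa"] == self.ip:
            self.arp_cache[arp["spa"]] = arp["sha"]          # learn the asker while answering
            return build_arp(ARP_REPLY, self.mac, self.ip, arp["sha"], arp["spa"])
        if arp["op"] == ARP_REPLY:
            # Cached with no check that a request was ever sent: ARP has no
            # authentication, so an unsolicited reply from anyone rewrites the entry.
            self.arp_cache[arp["spa"]] = arp["sha"]
        return None


class SharedLan:
    """Hub-style medium (assumed model): every transmitted frame reaches every other host."""

    def __init__(self, hosts: List[Host]) -> None:
        self.hosts = hosts

    def transmit(self, frame: bytes, sender: Host) -> None:
        for host in self.hosts:
            if host is not sender:
                reply = host.receive(frame)
                if reply is not None:
                    self.transmit(reply, host)


def resolve(lan: SharedLan, src: Host, dst_ip: str) -> Optional[str]:
    """The lookup a host performs before sending an IP packet: cache first, ARP request on a miss."""
    if dst_ip not in src.arp_cache:
        request = build_arp(ARP_REQUEST, src.mac, src.ip, ZERO_MAC, dst_ip, eth_dst=BROADCAST)
        lan.transmit(request, src)
    return src.arp_cache.get(dst_ip)
```

Calling resolve() twice for the same address sends only one request; the second call is served from the cache, which is exactly the table a sniffer or an attacker looks at (arp -a on most systems).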

There are two basic types of Ethernet environments, shared (hub-based) and switched, and sniffers work slightly differently in each. Both are described below.

Though a switch is more secure than a hub, sniffing the network is possible using the following methods:

Types of Sniffing

Passive Sniffing

In passive sniffing, the sniffer gathers packets at the data link layer and can potentially capture every packet on the LAN segment of the machine running it. This is because a hub-based network is a shared broadcast medium: any frame sent across the LAN is physically delivered to every machine connected to it. A network card normally discards frames addressed to other MAC addresses, so the sniffer puts the card into promiscuous mode, which passes every frame up to the software. If an attacker runs a sniffer on one system on the LAN, he or she can gather data sent to and from any other system on the LAN. The majority of sniffer tools are ideally suited to sniffing data in a hub environment. These tools are called passive sniffers because they wait for data to be sent and capture it without transmitting anything themselves, which makes them very difficult to detect from the network.
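What a passive sniffer actually does with the frames it receives, as an added example that is not from the original article: decode Ethernet, IPv4 and TCP headers and pull cleartext credentials out of the payload. The sample capture is constructed in the block (an FTP login, an HTTP request with Basic authentication, a TLS fragment and an ARP frame) and is not real traffic; the function names, addresses and the port-to-protocol rules are assumptions for this illustration. The live_capture() function shows the promiscuous-mode raw socket a real run would use on Linux; it needs CAP_NET_RAW and is not exercised by the offline sample.

```python
import base64
import struct
from typing import List, Optional, Tuple

ETH_P_IP = 0x0800
IPPROTO_TCP = 6


def _mac(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def _ip(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def build_tcp_frame(src_mac: str, dst_mac: str, src_ip: str, dst_ip: str,
                    sport: int, dport: int, payload: bytes) -> bytes:
    """Minimal Ethernet/IPv4/TCP frame for offline tests (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     _ip(src_ip), _ip(dst_ip))
    eth = struct.pack("!6s6sH", _mac(dst_mac), _mac(src_mac), ETH_P_IP)
    return eth + ip + tcp


def parse_tcp(frame: bytes) -> Optional[Tuple[str, str, int, int, bytes]]:
    """Decode Ethernet -> IPv4 -> TCP; returns (src_ip, dst_ip, sport, dport, payload) or None."""
    if len(frame) < 54 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ip = frame[14:]
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if version != 4 or ip[9] != IPPROTO_TCP or total_len < ihl + 20 or len(ip) < total_len:
        return None
    tcp = ip[ihl:total_len]                     # drop any Ethernet padding after the datagram
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    return src_ip, dst_ip, sport, dport, tcp[data_off:]


def extract_credentials(frame: bytes) -> List[Tuple[str, str, str, str]]:
    """Return (src_ip, dst_ip, kind, secret) for cleartext credentials visible in one frame."""
    decoded = parse_tcp(frame)
    if decoded is None:
        return []
    src_ip, dst_ip, _, dport, payload = decoded
    found = []
    for line in payload.split(b"\r\n"):
        if dport == 21 and line[:5] in (b"USER ", b"PASS "):        # FTP control channel
            found.append((src_ip, dst_ip, "ftp-" + line[:4].decode().lower(),
                          line[5:].decode(errors="replace")))
        elif dport in (80, 8080) and line.lower().startswith(b"authorization: basic "):
            try:                                                   # Basic auth is only base64-encoded
                secret = base64.b64decode(line.split(b" ")[2], validate=True).decode(errors="replace")
                found.append((src_ip, dst_ip, "http-basic", secret))
            except ValueError:
                pass
    return found


def sniff(frames) -> List[Tuple[str, str, str, str]]:
    """Run the extraction over an iterable of raw frames, exactly as a live capture loop would."""
    hits = []
    for frame in frames:
        hits.extend(extract_credentials(frame))
    return hits


# Constructed sample capture (not real traffic): an FTP login, an HTTP request with Basic auth,
# a TLS record fragment, and an ARP frame that the decoder must skip.
CLIENT, SERVER = "02:00:00:00:00:0a", "02:00:00:00:00:0b"
SAMPLE_FRAMES = [
    build_tcp_frame(CLIENT, SERVER, "10.0.0.5", "10.0.0.10", 40001, 21, b"USER alice\r\n"),
    build_tcp_frame(CLIENT, SERVER, "10.0.0.5", "10.0.0.10", 40001, 21, b"PASS hunter2\r\n"),
    build_tcp_frame(CLIENT, SERVER, "10.0.0.5", "10.0.0.10", 40002, 80,
                    b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\nAuthorization: Basic "
                    + base64.b64encode(b"alice:hunter2") + b"\r\n\r\n"),
    build_tcp_frame(CLIENT, SERVER, "10.0.0.5", "10.0.0.10", 40003, 443, b"\x16\x03\x01\x00\x05hello"),
    bytes.fromhex("ffffffffffff" + "020000000001" + "0806") + b"\x00" * 28,
]


def live_capture(interface: str, count: int):
    """Linux only, needs CAP_NET_RAW: same extraction on real frames from a promiscuous-mode socket."""
    import socket
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(0x0003))   # ETH_P_ALL
    sock.bind((interface, 0))
    mreq = struct.pack("iHH8s", socket.if_nametoindex(interface), socket.PACKET_MR_PROMISC, 0, b"")
    sock.setsockopt(socket.SOL_PACKET, socket.PACKET_ADD_MEMBERSHIP, mreq)
    return sniff(sock.recv(65535) for _ in range(count))


if __name__ == "__main__":
    for hit in sniff(SAMPLE_FRAMES):
        print(hit)
```

The TLS frame yields nothing because the payload after the handshake is encrypted, which is the whole defence against this class of attack; the FTP and HTTP Basic frames give up the password because those protocols send it in the clear. Note that the decoder trusts header length fields only after bounds-checking them, since a sniffer is itself a parser of untrusted input.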

In passive sniffing, the intruder gets access to the network by any of the following methods:

Trojan software can be used as a carrier to install a sniffer on the target machine. For instance, the Back Orifice server has a plug-in known as Butt Trumpet that e-mails the attacker once the server has been installed. Once the attacker knows that the victim's system has been compromised, he or she can install a packet sniffer on it and use it to sniff the network.

Active Sniffing

A countermeasure against passive sniffing is to replace the network hub with a switch. Unlike a hub, a switch does not repeat every frame to every port: apart from genuine broadcast and multicast frames, it forwards a frame only to the port on which it last saw the destination MAC address as a source. The switch builds this MAC-address-to-port table (often called the CAM table) by learning the source address of every frame that arrives on each port, which lets it pass data only to its intended target.

The switch thereby limits the data that a passive sniffer can gather. A passive sniffer on a switched LAN sees only the traffic going to and from the machine on which it is installed, plus broadcast and multicast frames and whatever the switch floods while it has not yet learned a destination.

Switched networks were developed to meet the need for more bandwidth, not the need for secure networks. Since the evolution was not driven by security requirements, there are ways to circumvent this design and sniff traffic.

So how does an attacker sniff on a switched LAN? Sniffers for a switched LAN actively inject traffic into the LAN to make the switch, or the other hosts, deliver traffic to the attacker that would otherwise never reach its port. This is what is known as active sniffing, and because it transmits, it leaves traces on the network that a defender can detect. Some of the methods used in this attack include the following:
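One of the standard active techniques, shown here as an added example that is not part of the original article, is MAC flooding: the attacker injects frames with thousands of bogus source addresses so that the switch's CAM table fills up, after which frames to destinations the switch can no longer learn are flooded to every port, hub-style. The Switch class is a deliberately simplified model (bounded table, oldest-first aging with an assumed 300-second timeout, no learning while the table is full); real switches differ in their eviction policy, but flooding of unknown destinations is what they have in common. Port numbers, MAC values, table size and the scenario timeline are all assumptions for this illustration.

```python
import random
from collections import OrderedDict
from typing import Dict, List, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"
CAM_AGE_SECS = 300.0     # assumed MAC aging time for this model


class Switch:
    """Learning switch with a bounded CAM table (simplified model, not any real product)."""

    def __init__(self, ports: int, cam_capacity: int) -> None:
        self.ports = ports
        self.cam_capacity = cam_capacity
        self.cam: "OrderedDict[str, Tuple[int, float]]" = OrderedDict()   # MAC -> (port, last_seen)
        self.learn_failures = 0

    def _expire(self, now: float) -> None:
        # Entries are kept oldest-first, so aging is a pop from the front.
        while self.cam:
            _, (_, seen) = next(iter(self.cam.items()))
            if now - seen <= CAM_AGE_SECS:
                break
            self.cam.popitem(last=False)

    def forward(self, in_port: int, src: str, dst: str, now: float) -> List[int]:
        """Switch one frame; returns the ports it is sent out of."""
        self._expire(now)
        if src in self.cam or len(self.cam) < self.cam_capacity:
            self.cam[src] = (in_port, now)       # learn or refresh the source address
            self.cam.move_to_end(src)
        else:
            self.learn_failures += 1             # table full: this source stays unknown
        if dst != BROADCAST and dst in self.cam:
            return [self.cam[dst][0]]            # known destination: unicast to one port
        return [p for p in range(self.ports) if p != in_port]   # unknown: flood like a hub


def mac_flood_scenario(cam_capacity: int = 1024, flood_frames: int = 1200) -> Dict[str, object]:
    """Two victims talk through a 3-port switch; an attacker on port 2 floods bogus source MACs."""
    sw = Switch(ports=3, cam_capacity=cam_capacity)
    victim_a, victim_b = "02:00:00:00:00:0a", "02:00:00:00:00:0b"
    port_a, port_b, port_attacker = 0, 1, 2

    sw.forward(port_a, victim_a, victim_b, now=0.0)             # first frame: B unknown, flooded
    sw.forward(port_b, victim_b, victim_a, now=1.0)             # B answers, switch learns B
    before = sw.forward(port_a, victim_a, victim_b, now=2.0)    # steady state: unicast only

    rng = random.Random(7)   # fixed seed so the scenario is reproducible
    bogus = ["02:%02x:%02x:%02x:%02x:%02x" % tuple(rng.randrange(256) for _ in range(5))
             for _ in range(flood_frames)]
    # The attacker floods at t=10 and again after the aging time, so its entries stay fresh
    # while the idle victims' entries expire and cannot be re-learned into the full table.
    for t in (10.0, 310.0):
        for mac in bogus:
            sw.forward(port_attacker, mac, "02:ff:ff:ff:ff:ff", now=t)

    after = sw.forward(port_a, victim_a, victim_b, now=320.0)
    return {"before": before, "after": after, "cam_entries": len(sw.cam),
            "learn_failures": sw.learn_failures,
            "attacker_sees_victim_traffic": port_attacker in after}


if __name__ == "__main__":
    print(mac_flood_scenario())
```

Before the flood the victims' frame goes out of port 1 only; afterwards it is flooded to ports 1 and 2, and the attacker's passive sniffer on port 2 receives it. The same burst of thousands of new source addresses on one port is also the signal a defender looks for, which is what port-security limits on learned MACs per port are designed to stop.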

Protocols Vulnerable to Sniffing

The following are some protocols that are vulnerable to sniffing.

Published on Mon 03 February 2014 by Randy Nugent in Security with tag(s): network sniffer