Packet sniffing is the act of capturing packets of data flowing across a computer network. The software or device used to do this is called a packet sniffer.
Packet sniffing is to computer networks what wiretapping is to a telephone network.
Packet sniffing has legitimate uses to monitor network performance or troubleshoot problems with network communications.
However, it is also widely used by hackers and crackers to gather information illegally about networks they intend to break into.
Using a packet sniffer it is possible to capture data such as passwords (whenever a protocol sends them unencrypted), IP addresses, the protocols in use on the network, and other information that helps the attacker infiltrate it.
Network data travels across local networks and the Internet, and into and out of PCs, in the form of individual, variable-size packets.
Since the typical PC user never "sees" any of this raw data, spyware can covertly send sensitive information out of the user's computer without their knowledge; a sniffer is also the tool that makes such hidden traffic visible.
A "packet sniffer" is a utility that captures and records packets passively, without modifying the network's traffic in any way.
By comparison, a firewall sees all of a computer's packet traffic as well, but it has the ability to block and drop any packets that its rules dictate. Packet sniffers merely watch, display, and log this traffic.
One disturbingly powerful aspect of packet sniffers is their ability to place the host machine's network adapter into "promiscuous mode."
A network adapter running in promiscuous mode passes up every frame that reaches it, not only the frames addressed to its own MAC address (plus broadcasts and the multicast groups it has joined), which is all it would otherwise keep. On a shared medium such as a hub or a wireless channel, that means all of the traffic on the local segment.
This capability is what allows packet sniffers to be used as potent spying tools.
Today's networks are built almost entirely on switches, which forward each unicast frame only to the port where its destination MAC address was learned, so a promiscuous interface on a switched network sees little beyond its own traffic, broadcasts, and the frames the switch floods. The technique is far less successful than it was on hubs, unless the attacker also resorts to ARP spoofing or MAC flooding to redirect or flood the traffic, or gains access to a switch's mirror (SPAN) port.
Sniffing is still useful to an attacker, though, because it is increasingly easy to install remote sniffing programs on servers and routers through which a lot of traffic flows.
Today's networks may already contain built-in sniffing modules. Many managed hubs and switches support the RMON standard, which lets an intruder capture remotely over SNMP; SNMP versions 1 and 2c authenticate only with a community string that itself crosses the network in the clear.
Many corporations deploy Network Associates' "Distributed Sniffer Servers", which are often set up with easy-to-guess passwords. Windows NT machines often have a "Network Monitoring Agent" installed, which again allows remote sniffing.
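Administrators can check their own hosts directly for the promiscuous flag described above. The following Python is an example added to this article (not code from the article or from any tool it names): it reads the two local signals a Linux host exposes, the IFF_PROMISC bit in /sys/class/net/<iface>/flags and the kernel's "device X entered promiscuous mode" log line. The sysfs path is an assumption about a Linux host, and the interface names and dmesg lines are constructed for the example.

```python
"""Local checks for a network interface in promiscuous mode (Linux).

Added example; not from the original article and not AntiSniff's code.
The sysfs path is assumed (Linux); interface names and log lines are constructed.
"""
import re
from pathlib import Path

IFF_PROMISC = 0x100  # flag bit from <net/if.h>, set while the NIC is promiscuous

# Logged by the Linux kernel (net/core/dev.c) whenever the flag is toggled.
_PROMISC_LOG = re.compile(
    r"device (?P<iface>\S+) (?P<state>entered|left) promiscuous mode")


def promisc_from_flags(flags):
    """Interpret the hex string in /sys/class/net/<iface>/flags, e.g. '0x1103'."""
    return bool(int(flags.strip(), 16) & IFF_PROMISC)


def promisc_interfaces_from_sysfs(sysfs_root="/sys/class/net"):
    """Names of interfaces whose flags currently include IFF_PROMISC.

    Returns an empty list where the sysfs tree does not exist (non-Linux hosts).
    """
    root = Path(sysfs_root)
    if not root.is_dir():
        return []
    found = []
    for iface in sorted(root.iterdir()):
        flags_file = iface / "flags"
        if flags_file.is_file() and promisc_from_flags(flags_file.read_text()):
            found.append(iface.name)
    return found


def promisc_interfaces_from_log(lines):
    """Replay kernel log lines in order; return interfaces still promiscuous at the end."""
    state = {}
    for line in lines:
        m = _PROMISC_LOG.search(line)
        if m:
            state[m.group("iface")] = m.group("state") == "entered"
    return sorted(iface for iface, on in state.items() if on)


# Constructed dmesg excerpt: eth0 is still promiscuous, wlan0 went back to normal.
SAMPLE_DMESG = """\
[   12.345678] e1000e 0000:00:19.0 eth0: NIC Link is Up 1000 Mbps Full Duplex
[ 8412.112233] device eth0 entered promiscuous mode
[ 8413.000001] device wlan0 entered promiscuous mode
[ 8420.556677] device wlan0 left promiscuous mode
""".splitlines()

if __name__ == "__main__":
    print("from log:  ", promisc_interfaces_from_log(SAMPLE_DMESG))
    print("from sysfs:", promisc_interfaces_from_sysfs())
```

Bridge member ports (Docker, libvirt and other VM hosts) are put into promiscuous mode by the kernel itself, so compare any hit against the host's known bridges before treating it as a sniffer. Remote detectors such as AntiSniff can only infer this flag from side effects; reading it on the host is the authoritative check.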
How do Packet Sniffers Work?
- Packet sniffers work by intercepting and logging network traffic that they can 'see' via the wired or wireless network interface that the packet sniffing software has access to on its host computer.
- On a wired network, what can be captured depends on the structure of the network.
- A packet sniffer might be able to see traffic on an entire network or only a certain segment of it, depending on how the network switches are configured, placed, etc.
- On wireless networks, packet sniffers can usually only capture one channel at a time unless the host computer has multiple wireless interfaces that allow for multichannel capture.
- Once the raw packet data is captured, the packet sniffing software must analyze it and present it in human-readable form so that the person using the packet sniffing software can make sense of it.
- The person analyzing the data can view details of the 'conversation' happening between two or more nodes on the network.
- Network technicians can use this information to determine where a fault lies, such as determining which device failed to respond to a network request.
- Hackers can use sniffers to eavesdrop on unencrypted data in the packets to see what information is being exchanged between two parties.
- They can also capture information such as passwords and authentication tokens (if they are sent in the clear).
- Hackers can also capture packets for later playback in replay, man-in-the-middle, and packet injection attacks that some systems may be vulnerable to.
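To make the decoding step concrete, the following Python is an example added to this article (not code from the article or from Wireshark). It dissects a single Ethernet/IPv4/TCP frame the way a sniffer's protocol decoder does and then pulls an FTP login out of the cleartext payload. The frame is built in the code from constructed MAC and IP addresses and a made-up login, so it runs offline with nothing captured from a real network; checksums are left zero because a dissector does not need them.

```python
"""Dissect one Ethernet/IPv4/TCP frame and extract cleartext FTP credentials.

Added example; not code from the original article or from Wireshark.
The frame is constructed in build_frame() from made-up addresses and a
made-up login, so nothing here touches a real network interface.
"""
import struct
from dataclasses import dataclass

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


@dataclass
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    payload: bytes


def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def _ip(raw):
    return ".".join(str(b) for b in raw)


def decode_frame(frame):
    """Walk the headers the way a sniffer's dissector does: Ethernet -> IPv4 -> TCP."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"not IPv4: ethertype 0x{ethertype:04x}")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                  # IP header length, options included
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != PROTO_TCP:
        raise ValueError(f"not TCP: protocol {ip[9]}")
    tcp = ip[ihl:total_len]                   # honour Total Length: drop Ethernet padding
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4             # TCP header length from the Data Offset nibble
    return Packet(_mac(src), _mac(dst), _ip(ip[12:16]), _ip(ip[16:20]),
                  sport, dport, tcp[data_off:])


def extract_ftp_credentials(payload):
    """FTP sends USER and PASS in the clear; anyone on the path can read them."""
    creds = {}
    for line in payload.decode("ascii", errors="replace").split("\r\n"):
        cmd, _, arg = line.partition(" ")
        if cmd.upper() in ("USER", "PASS"):
            creds[cmd.upper()] = arg
    return creds


def build_frame(payload, src_ip=(192, 168, 1, 10), dst_ip=(192, 168, 1, 20),
                sport=51515, dport=21):
    """Construct a minimal frame; checksums stay zero because a dissector ignores them."""
    # sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    # version/IHL, TOS, total length, ID, flags/frag (DF), TTL, proto, csum, src, dst
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp_hdr) + len(payload),
                         0, 0x4000, 64, PROTO_TCP, 0, bytes(src_ip), bytes(dst_ip))
    eth_hdr = (bytes.fromhex("001122334455")        # destination MAC (constructed)
               + bytes.fromhex("66778899aabb")      # source MAC (constructed)
               + struct.pack("!H", ETHERTYPE_IPV4))
    return eth_hdr + ip_hdr + tcp_hdr + payload


# Constructed sample: an FTP login exactly as it would appear on the wire.
SAMPLE_FRAME = build_frame(b"USER alice\r\nPASS hunter2\r\n")

if __name__ == "__main__":
    pkt = decode_frame(SAMPLE_FRAME)
    print(f"{pkt.src_mac} -> {pkt.dst_mac}  "
          f"{pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}")
    print(extract_ftp_credentials(pkt.payload))
```

Real captures arrive from libpcap or a pcap file with a per-packet record header in front of each frame, but the dissection is the same. The USER/PASS pattern applies equally to Telnet, POP3 and HTTP Basic authentication, which is why those protocols should be replaced by their TLS-wrapped equivalents rather than merely watched.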
What Software Tools are Commonly Used in Packet Sniffing?
- Just like everybody else, both network engineers and hackers love free stuff, which is why open source and freeware sniffer applications are often the tools of choice for packet sniffing tasks. The most popular open source offering is Wireshark (previously known as Ethereal), a graphical capture and protocol-analysis tool built on the libpcap capture library (Npcap on Windows). Its command-line companion tshark and the classic Unix tool tcpdump use the same library, and all three read the pcap capture files that tcpdump writes, so a capture taken on a server with tcpdump can be analyzed later in Wireshark.
How can I protect my Network and its Data from Hackers Using Sniffers?
- If you're a network technician or administrator and you want to see if anyone on your network is using a sniffer tool, check out a tool called AntiSniff. AntiSniff tries to detect whether a network interface on your network has been put into 'promiscuous mode' (don't laugh, that's the actual name for it), which is the mode required to capture traffic that is not addressed to the host itself. Because it runs on another machine, it has to infer that state from side effects, for example a host that answers a frame sent to a bogus destination MAC address, so a positive result is strong evidence rather than proof; reading the interface flags on the suspect host is the authoritative check.
- Another way to protect your network traffic from being sniffed is to use encryption, such as Transport Layer Security (TLS), the successor of Secure Sockets Layer (SSL); every SSL version is now deprecated and should be disabled. SSH and IPsec/VPN tunnels do the same job for protocols that do not speak TLS themselves.
- Encryption doesn't prevent packet sniffers from seeing source and destination addresses and ports, packet sizes and timing, or the server name sent in the TLS handshake, but it does encrypt the packet's payload so that all the sniffer sees there is encrypted gibberish.
- Any attempt to modify or inject data into the packets fails, but not because of the encryption by itself: the output of a stream cipher can be flipped bit by bit to change the plaintext it hides. What stops tampering is that TLS authenticates every record with a MAC or an AEAD cipher, so a modified or injected record fails its integrity check and is rejected at the other end.
- Sniffers are great tools for diagnosing down-in-the-weeds network problems. Unfortunately, they are just as useful for hacking. It's important for security professionals to familiarize themselves with these tools so they can see how a hacker might use them against their network.
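The integrity point deserves a demonstration, because it is easy to assume that encryption by itself stops tampering. The Python below is an example added to this article, not TLS and not code from the article: a toy stream cipher (HMAC-SHA256 in counter mode) is first used alone, and an on-path attacker who can guess one field flips ciphertext bits to rewrite it without knowing the key; the same cipher wrapped in encrypt-then-MAC, which is how TLS record protection (with a MAC, or with an AEAD cipher such as AES-GCM) authenticates every record, rejects the modified record. The key, nonce and message are constructed for the example.

```python
"""Encryption alone is malleable; encrypt-then-MAC (as TLS does) is not.

Added example, not from the original article and not TLS itself: a toy
stream cipher (HMAC-SHA256 in counter mode) shown with and without an
integrity tag. Key, nonce and message below are constructed for the demo.
"""
import hashlib
import hmac

TAG_LEN = 32  # bytes of HMAC-SHA256 output appended to each sealed record


def _derive(key):
    """Split one key into independent encryption and MAC keys."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(key, nonce, length):
    """Counter mode: HMAC(key, nonce || counter) blocks, truncated to length."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_only(key, nonce, data):
    """Confidentiality only: XOR with the keystream. Decryption is the same operation."""
    return bytes(p ^ k for p, k in zip(data, _keystream(key, nonce, len(data))))


def flip_in_transit(ciphertext, offset, old, new):
    """On-path attacker: XOR (old ^ new) into the ciphertext bytes of a field whose
    plaintext value they can guess. Needs no key."""
    ct = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        ct[offset + i] ^= o ^ n
    return bytes(ct)


def seal(key, nonce, plaintext):
    """Encrypt-then-MAC: ciphertext || HMAC(mac_key, nonce || ciphertext)."""
    enc_key, mac_key = _derive(key)
    ct = encrypt_only(enc_key, nonce, plaintext)
    return ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def open_sealed(key, nonce, record):
    """Verify the tag in constant time before decrypting; reject on any mismatch."""
    enc_key, mac_key = _derive(key)
    ct, tag = record[:-TAG_LEN], record[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: record rejected")
    return encrypt_only(enc_key, nonce, ct)


KEY = b"constructed-demo-key-not-for-real-use"
NONCE = b"\x00\x00\x00\x00\x00\x00\x00\x01"
MESSAGE = b"TRANSFER amount=0000100 to=alice"
FIELD_OFFSET = MESSAGE.index(b"0000100")


def tamper_without_integrity():
    """Encryption only: the attacker's rewrite decrypts to a different amount."""
    ct = encrypt_only(KEY, NONCE, MESSAGE)
    tampered = flip_in_transit(ct, FIELD_OFFSET, b"0000100", b"9999100")
    return encrypt_only(KEY, NONCE, tampered)


def tamper_with_integrity():
    """Encrypt-then-MAC: the same rewrite fails verification and is rejected."""
    tampered = flip_in_transit(seal(KEY, NONCE, MESSAGE), FIELD_OFFSET,
                               b"0000100", b"9999100")
    try:
        open_sealed(KEY, NONCE, tampered)
        return "accepted"
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    print(tamper_without_integrity())  # the amount was silently changed
    print(tamper_with_integrity())     # the modified record is rejected
```

Never reuse a nonce with the same key in a stream construction like this; TLS derives the per-record nonce from the record sequence number, which is also what lets the receiver reject the replayed records mentioned earlier.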