A packet sniffer is a program or device that monitors and captures the data transferred between two computers over a network. The name comes from how data travels over the network, whether by TCP or UDP: as structured blocks of bytes called ‘packets’.
Packet sniffers are usually attached to a network interface at a very low level (layer 4 of the OSI model). The host running the sniffer can be a workstation or a gateway that routes network data between workstations. The sniffer receives a copy of every packet transmitted through the attached network interface, regardless of socket type (TCP/UDP), port number or protocol.
Differences with Network Monitoring Tools
A network monitoring tool is usually employed to measure traffic volumes and to break traffic down by the resources accessed (e.g. remote hosts, local services) and the frequency of access. A packet sniffer, on the other hand, is used to access the actual content exchanged between those resources.
A network monitoring tool usually sits as a direct intermediary in the traffic path. In this mode it behaves as a proxy that receives incoming data on specific ports and forwards it to the intended destinations. The other option is to attach to specific edge servers (e.g. a mail server or a proxy server) and gain access to the content flowing through them.
In contrast, packet sniffers are less invasive and more transparent: capturing is performed at the hardware level rather than at the transport or application level.
That said, most advanced network security tools incorporate aspects of packet sniffing to identify malicious code or content on the local network.
Uses of Packet Sniffers
The general tendency is to associate packet sniffers with hacking because of their ‘stealth mode’ capabilities and a history of their use for unethical purposes. Some of the constructive ways packet sniffing can be used include:
- Monitoring traffic for specific protocols, ports and end-systems to measure transfer times and perform protocol-specific analysis. Such packet sniffers are usually debugging, testing and profiling tools for specific application scenarios.
- Monitoring TCP/UDP packet content for signatures that indicate the exchange of malicious code (e.g. trojans, back doors and other malware). Such packet sniffers are usually security and protection tools.
For both scenarios above, a packet sniffer operates in one of two modes:
- Unfiltered: every packet that crosses the network interface is captured. This mode is used more often where the analysis is restricted to individual packets (e.g. detection of malicious intent, volume-based attacks, etc.).
- Filtered: only packets that contain specific data elements are captured. This mode is used more often where a chain of packets is sequenced and merged to derive the application- or protocol-level communication between two systems. A good example is the reconstruction of an email message body from multiple TCP/UDP packets.
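The two modes and the email reconstruction example can be shown in a few dozen lines of stdlib Python. The block below is an added example, not code from the original article or from any of the tools it names: it decodes Ethernet/IPv4/TCP/UDP headers from raw frames, runs either unfiltered (every IP packet) or filtered (a caller-supplied match function, here "TCP to port 25"), and reassembles one direction of the TCP stream by sequence number. The frames are constructed inline for the example (IP and TCP checksums are left at zero); the MAC and IP addresses, ports and message text are made up.

```python
import struct
from dataclasses import dataclass
from typing import Callable, List, Optional

ETH_P_IP, ETH_P_ARP = 0x0800, 0x0806
IPPROTO_TCP, IPPROTO_UDP = 6, 17


@dataclass
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: int
    src_port: int
    dst_port: int
    seq: int          # TCP sequence number; 0 for UDP
    payload: bytes


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_frame(frame: bytes) -> Optional[Packet]:
    """Decode Ethernet -> IPv4 -> TCP/UDP; return None for anything else (e.g. ARP)."""
    if len(frame) < 14:
        return None
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_IP:
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4                      # IPv4 header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    l4 = ip[ihl:total_len]
    if proto == IPPROTO_TCP and len(l4) >= 20:
        sport, dport, seq, _ack, off = struct.unpack("!HHIIB", l4[:13])
        payload = l4[(off >> 4) * 4:]             # data offset is the high nibble, in 32-bit words
    elif proto == IPPROTO_UDP and len(l4) >= 8:
        sport, dport, ulen, _ck = struct.unpack("!HHHH", l4[:8])
        seq, payload = 0, l4[8:ulen]
    else:
        return None
    return Packet(_mac(src), _mac(dst), _ip(ip[12:16]), _ip(ip[16:20]),
                  proto, sport, dport, seq, payload)


def capture(frames: List[bytes], match: Optional[Callable[[Packet], bool]] = None) -> List[Packet]:
    """Unfiltered mode when match is None; filtered mode otherwise."""
    pkts = [p for p in map(parse_frame, frames) if p is not None]
    return pkts if match is None else [p for p in pkts if match(p)]


def reassemble_stream(pkts: List[Packet], src_ip: str, dst_ip: str, dst_port: int) -> bytes:
    """Merge one direction of a TCP session by sequence number, dropping retransmissions."""
    segs = [p for p in pkts if p.proto == IPPROTO_TCP and p.src_ip == src_ip
            and p.dst_ip == dst_ip and p.dst_port == dst_port]
    out, seen = b"", set()
    for p in sorted(segs, key=lambda s: s.seq):
        if p.seq not in seen and p.payload:
            seen.add(p.seq)
            out += p.payload
    return out


# --- constructed sample traffic (checksums left zero; test data, not a real capture) ---
def build_frame(src_mac, dst_mac, src_ip, dst_ip, proto, sport, dport, payload, seq=0) -> bytes:
    if proto == IPPROTO_TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split(".")))) + l4
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    return eth + struct.pack("!H", ETH_P_IP) + ip


A_MAC, B_MAC = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"   # made-up addresses
A_IP, B_IP = "10.0.0.5", "10.0.0.25"
MSG = [b"From: alice@example.test\r\n", b"Subject: lunch\r\n\r\n", b"Noon today?\r\n.\r\n"]
_segs, _off = [], 0
for _part in MSG:                                 # SMTP body from A to B, split into three segments
    _segs.append(build_frame(A_MAC, B_MAC, A_IP, B_IP, IPPROTO_TCP, 40000, 25, _part, seq=1000 + _off))
    _off += len(_part)
_dns = build_frame(A_MAC, B_MAC, A_IP, B_IP, IPPROTO_UDP, 5353, 53, b"\x12\x34\x01\x00")
_arp = bytes.fromhex(B_MAC.replace(":", "")) * 2 + struct.pack("!H", ETH_P_ARP) + b"\x00" * 28
# delivered out of order, with one unrelated UDP packet, one ARP frame and one retransmission
SAMPLE_FRAMES = [_segs[1], _dns, _segs[0], _arp, _segs[2], _segs[1]]

if __name__ == "__main__":
    print(len(capture(SAMPLE_FRAMES)), "IP packets seen unfiltered")
    smtp = capture(SAMPLE_FRAMES, lambda p: p.proto == IPPROTO_TCP and p.dst_port == 25)
    print(len(smtp), "SMTP segments after filtering")
    print(reassemble_stream(smtp, A_IP, B_IP, 25).decode())
```

Unfiltered capture sees five IP packets (the ARP frame is not IP and is dropped by the decoder); the port-25 filter keeps four segments including the retransmission, and the reassembly step sorts them by sequence number and discards the duplicate to recover the original message. A real sniffer would read frames from a capture file or a raw socket instead of the constructed list.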
Wireshark (formerly Ethereal) is the most popular open-source, multi-platform network protocol analyzer. It allows examination of live network data, interactive browsing of captured data and reconstruction of the data stream of a TCP session. It also supports hundreds of protocols and media types.
Ettercap is a suite for man-in-the-middle attacks on a LAN. It features sniffing of live connections, on-the-fly content filtering, and active and passive dissection of protocols (even encrypted ones).
Network Topology and Sniffing
Traditionally, a hub-based network is more amenable to network sniffing than a switched network. For traffic originating from a given machine, the hub broadcasts a copy of each packet to all machines connected to it. This allows, for example, a sniffer on machine C to capture all traffic flowing between machines A and B.
A switch, on the other hand, receives packets directly from the originating computer and forwards them only to the port of the machine they are addressed to. Packet sniffing can still occur, but it is limited to the machines where the traffic originates.
Techniques still exist to compromise a switched network so that packet sniffing becomes possible from arbitrary machines on the network:
- ARP Spoofing
This is a technique that sends fake Address Resolution Protocol (ARP) messages on the local network. This causes the attacker machine’s MAC address (let’s call this machine B) to be associated with the target machine’s IP address (let’s call this machine A). All traffic addressed to machine A is therefore delivered to machine B. If machine A is the gateway for the local network, effectively all traffic for the network is delivered to the attacker machine. The attacker must in turn forward all received packets to the gateway; this keeps the normal flow of traffic unaffected so that the attacker remains undetected.
- MAC Flooding
The switch maintains a MAC table that maps MAC addresses of network cards to the physical switch ports where they are connected. In this type of attack, a very large number of Ethernet frames are fed to the switch, each with a different source MAC address. This causes the MAC table to run out of space. The switch then runs in “fail open” mode and starts behaving like a hub. Thereafter, a packet sniffer can capture packets exchanged between other machines on the network.
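Both techniques leave a footprint a defender can watch for: ARP spoofing shows up as an IP address suddenly answered by a different MAC (or by a MAC other than the one pinned for the gateway), and MAC flooding shows up as an implausible number of distinct source MACs arriving on a single switch port in a short time. The block below is an added example, not code from the original article; it assumes a feed of observations in the form (timestamp, switch port, source MAC, ARP sender IP or None), which a real deployment would obtain from a sniffer on a mirror port or from switch logs. The events, addresses and thresholds are constructed for the example.

```python
from collections import defaultdict, deque
from typing import Dict, List, Optional, Tuple

# Constructed observation record: (timestamp_s, switch_port, src_mac, arp_sender_ip or None)
Event = Tuple[float, int, str, Optional[str]]


class ArpWatch:
    """Track IP -> MAC claims seen in ARP replies; flag changes and violations of pinned entries."""

    def __init__(self, trusted: Dict[str, str]):
        self.trusted = trusted                    # IPs whose MAC is pinned (e.g. the gateway)
        self.ip_to_mac: Dict[str, str] = {}

    def observe(self, ts: float, ip: str, mac: str) -> Optional[str]:
        prev = self.ip_to_mac.get(ip)
        self.ip_to_mac[ip] = mac
        pinned = self.trusted.get(ip)
        if pinned is not None:                    # pinned IP: any other MAC is an alert
            if mac != pinned:
                return f"{ts:.2f} ARP: {ip} claimed by {mac}, pinned MAC is {pinned}"
            return None
        if prev is not None and prev != mac:      # unpinned IP: report a change of MAC
            return f"{ts:.2f} ARP: {ip} moved from {prev} to {mac}"
        return None


class MacFloodDetector:
    """Count distinct source MACs per switch port in a sliding window; alert once per burst."""

    def __init__(self, window_s: float = 10.0, max_macs: int = 64):
        self.window, self.limit = window_s, max_macs
        self.seen: Dict[int, deque] = defaultdict(deque)   # port -> (ts, mac) within the window
        self.alerted: set = set()

    def observe(self, ts: float, port: int, mac: str) -> Optional[str]:
        q = self.seen[port]
        while q and ts - q[0][0] > self.window:   # expire observations outside the window
            q.popleft()
        q.append((ts, mac))
        distinct = len({m for _, m in q})
        if distinct > self.limit:
            if port in self.alerted:
                return None                       # already reported this burst
            self.alerted.add(port)
            return f"{ts:.2f} possible MAC flooding on port {port}: {distinct} source MACs in {self.window:.0f}s"
        self.alerted.discard(port)
        return None


def run_detectors(events: List[Event], trusted: Dict[str, str]) -> List[str]:
    """Feed every observation to both detectors and collect their alerts in time order."""
    arp, flood = ArpWatch(trusted), MacFloodDetector()
    alerts: List[str] = []
    for ts, port, mac, sender_ip in sorted(events, key=lambda e: e[0]):
        if sender_ip is not None:
            a = arp.observe(ts, sender_ip, mac)
            if a:
                alerts.append(a)
        f = flood.observe(ts, port, mac)
        if f:
            alerts.append(f)
    return alerts


GATEWAY_IP, GATEWAY_MAC = "10.0.0.1", "00:11:22:33:44:01"   # made-up values
TRUSTED = {GATEWAY_IP: GATEWAY_MAC}
SAMPLE_EVENTS: List[Event] = [
    (0.0, 1, GATEWAY_MAC, GATEWAY_IP),            # gateway announces itself: fine
    (1.0, 5, "00:11:22:33:44:05", "10.0.0.5"),    # workstation: first sighting
    (5.0, 7, "de:ad:be:ef:00:42", GATEWAY_IP),    # a host on port 7 claims the gateway IP
    (6.0, 1, GATEWAY_MAC, GATEWAY_IP),            # real gateway replies again: fine
    (7.0, 5, "00:11:22:33:44:06", "10.0.0.5"),    # unpinned host changes MAC: reported as a move
] + [
    (20.0 + i * 0.01, 9, f"02:00:00:00:{i // 256:02x}:{i % 256:02x}", None)
    for i in range(100)                           # 100 distinct source MACs on port 9 in one second
]

if __name__ == "__main__":
    for line in run_detectors(SAMPLE_EVENTS, TRUSTED):
        print(line)
```

Run against the constructed events, the watcher raises two ARP alerts (the gateway IP claimed by an unexpected MAC, and an ordinary host changing MAC) and a single flooding alert when the 65th distinct source MAC appears on port 9. Pinning the gateway's MAC is what separates a genuine attack from normal churn: an unpinned workstation changing MAC after a NIC swap is worth a look but not an incident, while any MAC other than the pinned one answering for the gateway is.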
Protection against Packet Sniffing
- Avoid Public Networks
A public network, like the ones available at airports and coffee shops, is the one least likely to take sufficient measures to safeguard against packet sniffing. One should avoid sending sensitive content like bank passwords, PINs and even regular credentials for email and social sites over these networks.
- Content Encryption
Wherever possible, encrypt data sent over public networks. The most common form of encryption is HTTP over SSL (HTTPS). However, not all sites allow you to connect over HTTPS. In such cases, consider opening a VPN connection to a private network (e.g. an office network) and browsing the Web or sending email through it.
Packet sniffing is an extremely powerful tool for monitoring the health of your organization’s network and one of the tools for diagnosing issues in it. That said, the technology can prove extremely disruptive and malicious in the wrong hands. Packet sniffing has a long history of being associated with hacking. Continuous improvements in networking technology have reduced many of the risks associated with sniffers on private networks. Users should take sufficient precautions to protect their data against such attacks while on public networks.