Copy Link
Add to Bookmark
Report
Intro to Packet Sniffers: What They Are and Why to use Them
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-
-= Intro to Packet Sniffers: What They Are and Why to use Them =-
-= By Grifter =-
-= grifter@hektik.org =-
-= http://www.2600slc.org =-
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
� What is Packet Sniffing?
The best way I can think of to describe packet sniffing is that it is basically a computer
wire tap. When someone is sniffing a network, they are reading the packets that are
traveling across a network. Everything you do online sends packets of information over
phone lines or cables and through or past other machines on it's way to its destination.
The computers between you and the destination can read the information that you send as
it passes by; packet sniffers make this possible.
Each packet contains a block of data ranging in size from 512 bytes to 4k, and a header
block that will contain the information about the packet like its destination and origin
addresses. The data part of the packet contains the information being sent on the network,
like e-mail, web pages, logins and passwords, e-commerce information including credit card
numbers, and all kinds of other goodies.
Under normal circumstances network cards will check the packet to see if it's for them and
if it's not they'll ignore it and let it pass on to the next machine. In the case of
internet routing, the machines will check the packet's final destination and choose where
to pass the packet onto next. However, ethernet cards typically have a "promiscuous-mode"
option, which will turn off the filter and cause them to look at all packets as they go by.
Setting your NIC to promiscuous mode is what packet sniffing programs take advantage of to
do their dirty work.
Firewalls can't prevent packet sniffing, and Virtual Private Networks and Encryption can't
do anything either, except maybe make the attackers job a little more difficult. Keep in
mind that many passwords are sent over the net unencrypted, and in some cases even when
they are this won't foil a packet sniffer intent on breaking into a system. An intruder
looking for a login sequence and sniffing an encrypted password will have no need to
decrypt the password for their own use and can just relay the encrypted version for
unauthorized access.
� What should you use?
There are a ridiculous amount of packet sniffers out there and it will basically be up to
you to decide which one you want to use, and what works best for you. Personally I like
"Etherpeek" by WildPackets. It's offered in versions for Windows and Macs, and has good
features like web monitoring and analysis. Only problem is it's going to cost you, but
you can always try out the trial version. If you're looking for something free or
something you might already have try these:
tcpdump
tcpdump is a free network packet analysis tool. The advantage that tcpdump has is that
it is entirely command line based, so it runs nicely in a remote telnet session. When
compiled, the binary is self-contained so it can be easily sent to a remote machine and
executed. You won't need to install special device drivers or other software. The fact
that it's free doesn't hurt either, this way, let's say you capture a packet trace and
the send it over to a friend running on a different platform, once your friend compiles
it for his machine he can read your trace.
netmon
Microsoft includes a packet-tracing tool with the Windows NT Server CD-ROM and with the
System Management Software (SMS) CD-ROM called Network Monitor (a k a netmon). It's made
up of two parts: an agent, and the actual tool. They both have to be installed in order
to work. The thing about netmon though is that it can't be used with a telnet window.
Installing the Network Monitor agent and tools on a Windows NT 4.0 Workstation. There
are two distinct versions of netmon, neither of which are freely available like tcpdump.
The version included with the Windows NT 4.0 Server CD-ROM allows only for viewing packets
sent to and from the local machine. The version included with the SMS CD-ROM enables the
network interface to be put into promiscuous mode where all packets on the shared media
can be seen. Both versions can also be run locally on Windows NT Workstations and on
Windows 9x clients as long as the Network Monitor agent has been installed.
� How to Sniff
Most packet sniffers will set your NIC card to promiscuous mode when you select it and
start a session. If there is network traffic then you should start to see results right
away. The actual task of sniffing is relatively easy and shouldn't take long to figure
out so I won't go into detail on it. However translating the data into something that you
can understand is the tricky part. I recommend that you have a solid knowledge of
networking and TCP/IP, and also aren't very scared of Hex.
The software to capture the packets will normally write them to a text file on the
device, this way you can come and read the file later to see what you've got. The
software can be set to only log certain contents, like packets containing the word
"password" or any packets that look like email. This will keep the size of your log file
down and helps lessen the chance that someone will notice the sniffer. But it does mean
that you're relying on the program to find the good stuff, so you run the risk of missing
something you may have liked.
That should cover the basics, now you know what packet sniffing is, what programs to use,
and that it doesn't take a genius to get started. There are other types of sniffing that
can be used, like specifically looking for logins and credit card numbers, but that goes
beyond the scope of my ethics so you'll have to look somewhere else if that's what you're
interested in. I hope this taught you something, if anything it was fun to write.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-
� 2600SLC.ORG 2001
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
