What Is a Sniffer Attack?
How Does a Sniffer Work?
sniffer attack example
A sniffer is an application that can capture network
packets. Sniffers are also known as network protocol analyzers. While
protocol analyzers are really network troubleshooting tools, they are
also used by hackers to attack networks. If the network packets are not
encrypted, the data within the network packet can be read using a
sniffer.
How Does a Sniffer Work?
Before we can explore how a sniffer operates, it may be
helpful to examine what enables the tool to work. During normal tasks
such as Web surfing and messaging, computers are constantly
communicating with other machines. (For an introduction to the way that
the Internet and networking work, please see the SecurityFocus article A Beginner’s Guide to the Internet.)
Obviously, a user should be able to see all the traffic traveling to or
from their machine.
Most PCs, however, are on a Local Area Network
(LAN), meaning they share a connection with several other computers. If
the network is not switched (a switch is a device that filters and
forwards packets between segments of the LAN), the traffic destined for
any machine on a segment is broadcast to every machine on that segment.
This means that a computer actually sees the data traveling to and from
each of its neighbors, but ignores it, unless otherwise instructed.
Further, if any Ethernet NIC is in promiscuous mode, the sniffer program will pick up all packets passing on the segment, not just those addressed to its own host.
A sniffer placed on any backbone device, inter-network link or network aggregation point will therefore be able to monitor a large amount of traffic. Most packet sniffers are passive: they listen to all data link layer frames passing by the device's network interface. There are dozens of freely available packet sniffer programs on the Internet. The more sophisticated ones allow more active intrusion.
The key to detecting packet sniffing is to detect network interfaces that are running in promiscuous mode. Sniffing can be detected in two ways:
- Host-based: Software commands exist that can be run on individual host machines to tell if the NIC is running in promiscuous mode.
- Network-based: Solutions tend to check for the presence of running processes and log files, which sniffer programs use heavily. However, sophisticated intruders almost always hide their tracks by disguising the process and cleaning up the log files.