Technical and Product News and Insights from Rackspace
This post explores packet sniffers, which are both a useful tool and a potential threat. It covers what packet sniffers are, the software used as packet sniffers, how sniffers work, the types of sniffing, the protocols vulnerable to sniffing, Wireshark® filters, the threat of Address Resolution Protocol (ARP) poisoning, SPAN ports, and how to defend against packet sniffing.
A sniffer is software that captures network traffic and analyzes it; the activity goes by several names, including network analysis, traffic analysis, protocol analysis, and packet analysis. A packet sniffer is essentially a tool that aids in monitoring network traffic and troubleshooting a network. It works by capturing and analyzing the packets of data that flow through the network. In some cases, a packet sniffer is a dedicated hardware device.
Sniffers capture, decode, and analyze network traffic and answer questions such as the following:
A network analyzer is a combination of hardware and software tools that can detect, decode, and manipulate traffic on the network. Network administrators use network analyzers to troubleshoot networking issues, but many hackers use them to gather vital information.
The following list contains some common analyzers:
Data travels through a network in the form of packets. Packet-switched networks break down the data to transmit into several packets. They then reassemble these packets after all the data packets reach their intended destination.
When you install a packet sniffer in the network, the sniffer intercepts the network traffic and captures the raw data packets. Subsequently, the packet sniffing software analyzes the captured data packet and presents the results to the network administrators in a user-friendly format so that they can interpret the data.
Image source: https://www.eccouncil.org/
There are two types of sniffing: passive and active.
Passive sniffing takes place on a network hub, which repeats traffic to all of its ports. The sniffer only monitors packets sent by others and does not insert any additional packets into the network traffic.
Attackers use active sniffing to steal data from others. In a network that uses hubs to connect systems, all hosts can see all the traffic, so an attacker can easily capture data packets.
Formerly known as Ethereal, Wireshark is an open-source program with many free features that provides the following functionality:
pcapng capture file. Text2pcap can read hex dumps with multiple packets in them and build a capture file of multiple packets.
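To make the hex-dump-to-capture step concrete, here is an added example that is not code from the original post or from the Wireshark project: a minimal text2pcap-style converter in Python. It reads a hex dump in the offset-then-bytes layout, starts a new packet whenever the offset restarts at 000000 (the rule text2pcap documents), and writes a classic libpcap file that Wireshark can open. The two ARP frames in the hex dump are constructed for this example.

```python
"""Added example (not from the original post or Wireshark): text2pcap-style
hex dump to pcap conversion. The sample hex dump is constructed."""
import re
import struct
from typing import List

# Constructed sample: two Ethernet frames (an ARP request and the matching
# ARP reply) as an offset/hex-byte dump. Offsets are hexadecimal.
SAMPLE_HEXDUMP = """\
000000 ff ff ff ff ff ff 02 00 00 00 00 01 08 06 00 01
000010 08 00 06 04 00 01 02 00 00 00 00 01 0a 00 00 01
000020 00 00 00 00 00 00 0a 00 00 02
000000 02 00 00 00 00 01 02 00 00 00 00 02 08 06 00 01
000010 08 00 06 04 00 02 02 00 00 00 00 02 0a 00 00 02
000020 02 00 00 00 00 01 0a 00 00 01
"""

LINKTYPE_ETHERNET = 1
HEX_LINE = re.compile(r"^\s*([0-9a-fA-F]+)\s+((?:[0-9a-fA-F]{2}\s*)+)$")


def parse_hexdump(text: str) -> List[bytes]:
    """Split a hex dump into packets: a new packet begins each time the
    offset drops back to zero. Non-hex lines are ignored."""
    packets, current = [], bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            continue
        offset = int(m.group(1), 16)
        if offset == 0 and current:
            packets.append(bytes(current))
            current = bytearray()
        # Offsets inside one packet must be contiguous, else the dump is damaged.
        if offset != len(current):
            raise ValueError(f"offset {offset:#x} does not match {len(current)} bytes read")
        current.extend(bytes.fromhex(m.group(2)))
    if current:
        packets.append(bytes(current))
    return packets


def build_pcap(packets: List[bytes], linktype: int = LINKTYPE_ETHERNET, start_ts: int = 0) -> bytes:
    """Serialize packets into a classic pcap file (magic 0xa1b2c3d4, version 2.4)."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype))
    for i, pkt in enumerate(packets):
        # One second apart so the packets keep a visible order in Wireshark.
        out += struct.pack("<IIII", start_ts + i, 0, len(pkt), len(pkt))
        out += pkt
    return bytes(out)


def hexdump_to_pcap(text: str) -> bytes:
    return build_pcap(parse_hexdump(text))


if __name__ == "__main__":
    data = hexdump_to_pcap(SAMPLE_HEXDUMP)
    with open("constructed_arp.pcap", "wb") as f:
        f.write(data)
    print(f"wrote {len(parse_hexdump(SAMPLE_HEXDUMP))} packets, {len(data)} bytes")
```

The contiguity check matters in practice: a hex dump pasted from a ticket or log often loses a line, and silently writing the remaining bytes as one packet produces a capture that decodes as garbage.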
The following protocols are vulnerable to sniffing:
The following roles use network analyzers:
You can use filters to analyze captured data.
Image source: https://www.wireshark.org
Sometimes, you can observe and record traffic traveling on a network, which might contain valuable information such as the following:
– Usernames and passwords
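The reason cleartext protocols appear on the vulnerable list is that a sniffer only has to decode a few headers to reach the payload. The following added example, which is not code from the original post or from Wireshark, shows that decoding in Python: it parses Ethernet/IPv4/TCP frames, applies predicates modelled on Wireshark display filters such as `tcp.port == 21`, and reports cleartext-protocol traffic and FTP login commands without echoing the password. The frames it inspects are constructed inline, so it runs without a live capture.

```python
"""Added example (not from the original post or Wireshark): a sniffer-style
decoder with display-filter-like predicates that audits constructed frames
for cleartext protocols and exposed FTP credentials."""
import struct
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Cleartext protocols named in the post, keyed by well-known TCP port.
CLEARTEXT_PORTS: Dict[int, str] = {21: "ftp", 23: "telnet", 80: "http", 110: "pop3", 143: "imap"}


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    payload: bytes


def decode_frame(frame: bytes) -> Optional[Packet]:
    """Decode Ethernet II -> IPv4 -> TCP; anything else yields None."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or len(ip) < ihl or ip[9] != 6:  # IPv4 carrying TCP (protocol 6)
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    src_ip = ".".join(map(str, ip[12:16]))
    dst_ip = ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return Packet(src_ip, dst_ip, src_port, dst_port, tcp[data_off:])


def tcp_port(port: int) -> Callable[[Packet], bool]:
    """Equivalent of the Wireshark display filter `tcp.port == <port>`."""
    return lambda p: port in (p.src_port, p.dst_port)


def ftp_credential(p: Packet) -> bool:
    """Match FTP USER/PASS commands sent to the server."""
    return p.dst_port == 21 and p.payload[:4] in (b"USER", b"PASS")


def audit_capture(frames: List[bytes]) -> List[str]:
    """Report cleartext traffic; passwords are redacted, never printed."""
    findings = []
    for frame in frames:
        p = decode_frame(frame)
        if p is None:
            continue
        for port, name in CLEARTEXT_PORTS.items():
            if tcp_port(port)(p):
                findings.append(f"{name}: {p.src_ip}:{p.src_port} -> {p.dst_ip}:{p.dst_port} cleartext")
        if ftp_credential(p):
            cmd = p.payload.split(b" ", 1)[0].decode()
            detail = p.payload[5:].strip().decode(errors="replace") if cmd == "USER" else "<redacted>"
            findings.append(f"ftp credential exposed: {cmd} {detail}")
    return findings


def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Assemble a constructed Ethernet/IPv4/TCP frame. Checksums stay zero
    because this decoder does not verify them."""
    ip_parts = lambda s: bytes(int(x) for x in s.split("."))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     ip_parts(src_ip), ip_parts(dst_ip)) + tcp
    eth = bytes.fromhex("020000000002") + bytes.fromhex("020000000001") + b"\x08\x00"
    return eth + ip


# Constructed traffic: an FTP login, a TLS hello, and a telnet negotiation.
FRAMES = [
    build_frame("10.0.0.1", "10.0.0.2", 40000, 21, b"USER alice\r\n"),
    build_frame("10.0.0.1", "10.0.0.2", 40000, 21, b"PASS hunter2\r\n"),
    build_frame("10.0.0.1", "10.0.0.2", 40001, 443, b"\x16\x03\x01"),
    build_frame("10.0.0.1", "10.0.0.3", 40002, 23, b"\xff\xfb\x18"),
]

if __name__ == "__main__":
    for line in audit_capture(FRAMES):
        print(line)
```

The TLS frame on port 443 produces no finding, which is the point of the defenses later in this post: once the payload is encrypted, the same decoder reaches the TCP layer and stops.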
Wireshark is a very popular network analyzer that network administrators use to capture packets traversing a network. Administrators mostly use it to identify network problems, but hackers also use it to decode secure information.
The following image shows a Wireshark screen:
Image source: https://www.wireshark.org
nmap -sT <target host>
ftp <target host>
The man-in-the-middle is a common attack tactic.
In a switched environment, a host receives only the following:
The host cannot see traffic between other hosts. The man-in-the-middle attack enables you to insert yourself as an (undetected) intermediary between communicating hosts.
Address Resolution Protocol (ARP) poisoning occurs when an attacker sends falsified ARP messages over a local area network (LAN) to link the attacker's media access control (MAC) address with the IP address of a legitimate computer or server on the network. After the attacker's MAC address is linked to an authentic IP address, the attacker receives any messages directed to the legitimate MAC address. As a result, the attacker can intercept, modify, or block communications intended for the legitimate host.
Attackers look for the following opportunities to use ARP poisoning:
– Sensitive, unencrypted communications
Dynamic ARP inspection in Cisco® systems helps to prevent man-in-the-middle attacks by not relaying invalid or gratuitous ARP replies to other ports in the same VLAN. Dynamic ARP inspection intercepts all ARP requests and replies on untrusted ports and verifies each intercepted packet against the valid IP-to-MAC bindings learned through DHCP snooping. The switch drops denied ARP packets and can log them for auditing, which is how ARP poisoning attacks are stopped. Incoming ARP packets on trusted ports are not inspected. Dynamic ARP inspection can also rate-limit ARP requests from client ports to limit port scanning.
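The following added example, which is not code from the original post or from Cisco, models in Python the inspection logic described for ARP poisoning and dynamic ARP inspection above: ARP packets arriving on untrusted ports are checked against a DHCP-snooping binding table, mismatches (including a host claiming the gateway's IP) are dropped and logged, trusted ports bypass inspection, and a per-port per-second request limit err-disables a port that floods ARP. The binding table, port names, and packets are constructed; the 15 packets-per-second limit is the value Cisco documents as the default for untrusted interfaces.

```python
"""Added example (not from the original post or Cisco): a software model of
dynamic ARP inspection over constructed bindings and ARP packets."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass
class ArpPacket:
    port: str
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str = "00:00:00:00:00:00"
    target_ip: str = "0.0.0.0"
    second: int = 0  # arrival time in whole seconds, used for rate limiting


@dataclass
class DaiSwitch:
    bindings: Dict[str, str]                 # IP -> MAC, as learned by DHCP snooping
    trusted_ports: Set[str]
    rate_limit_pps: int = 15                 # assumed default for untrusted ports
    log: List[str] = field(default_factory=list)
    _counts: Dict[Tuple[str, int], int] = field(default_factory=lambda: defaultdict(int))
    _errdisabled: Set[str] = field(default_factory=set)

    def inspect(self, pkt: ArpPacket) -> bool:
        """Return True if the ARP packet is forwarded, False if dropped."""
        if pkt.port in self._errdisabled:
            return False
        if pkt.port in self.trusted_ports:
            return True                      # trusted ports are not inspected
        self._counts[(pkt.port, pkt.second)] += 1
        if self._counts[(pkt.port, pkt.second)] > self.rate_limit_pps:
            self._errdisabled.add(pkt.port)
            self.log.append(f"{pkt.port}: ARP rate limit exceeded, port err-disabled")
            return False
        expected = self.bindings.get(pkt.sender_ip)
        if expected is None or expected.lower() != pkt.sender_mac.lower():
            kind = "reply" if pkt.opcode == ARP_REPLY else "request"
            self.log.append(
                f"{pkt.port}: DROP invalid ARP {kind} {pkt.sender_ip} is-at "
                f"{pkt.sender_mac} (binding {expected})")
            return False
        return True


def demo() -> Tuple[int, int, List[str]]:
    """Run a constructed scenario; returns (forwarded, dropped, log lines)."""
    sw = DaiSwitch(
        bindings={"10.0.0.1": "02:00:00:00:00:01", "10.0.0.2": "02:00:00:00:00:02",
                  "10.0.0.3": "02:00:00:00:00:03", "10.0.0.254": "02:00:00:00:00:fe"},
        trusted_ports={"Gi1/0/24"},          # uplink toward the DHCP server and gateway
    )
    packets = [
        # Legitimate request from host 1 for the gateway.
        ArpPacket("Gi1/0/1", ARP_REQUEST, "02:00:00:00:00:01", "10.0.0.1", target_ip="10.0.0.254"),
        # Host 2 answers with the gateway's IP: a poisoning attempt, fails the binding check.
        ArpPacket("Gi1/0/2", ARP_REPLY, "02:00:00:00:00:02", "10.0.0.254", "02:00:00:00:00:01", "10.0.0.1"),
        # The real gateway's reply arrives on the trusted uplink and is not inspected.
        ArpPacket("Gi1/0/24", ARP_REPLY, "02:00:00:00:00:fe", "10.0.0.254", "02:00:00:00:00:01", "10.0.0.1"),
    ]
    # A burst of 20 otherwise-valid requests within one second exceeds the limit.
    packets += [ArpPacket("Gi1/0/3", ARP_REQUEST, "02:00:00:00:00:03", "10.0.0.3", second=5)
                for _ in range(20)]
    forwarded = sum(sw.inspect(p) for p in packets)
    return forwarded, len(packets) - forwarded, sw.log


if __name__ == "__main__":
    fwd, dropped, log = demo()
    print(f"forwarded={fwd} dropped={dropped}")
    for line in log:
        print(line)
```

Two details carry over to real deployments: the trusted-port bypass means a misconfigured trust setting on an access port disables the protection for whatever is plugged into it, and the binding table is only as good as DHCP snooping, so statically addressed hosts need explicit ARP ACL entries or they will be dropped as invalid.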
Use the following techniques and best practices to protect yourself from sniffing attacks:
– Use Secure Shell (ssh) instead of Telnet.
– Use Secure Copy (scp) instead of a file transfer protocol (ftp).
These days, many attacks happen through packet sniffing. Packet sniffers are placed in cyber cafes and on open Wi-Fi in restaurants, hotels, and public places. You can protect your data with a little caution. Never use open Wi-Fi, and stop using cleartext protocols such as ftp, http, IMAP, Telnet, and SNMP v1 and v2. Install SSL certificates on your websites, use Secure File Transfer Protocol (sftp) instead of ftp, and use SSH instead of telnet. Use SNMP v3 and opt for the strongest encryption.