What is Traffic / Packet Sniffing?
Network traffic or Packet Sniffing is the interception and logging of network traffic as it passes over a computer network. If we look at the TCP/IP stack in the network, it is all made up of packets that are sent millions of times per second between different computers, routers, switches, etc. In packet sniffing we actually intercept the packets that travel around the network. A traffic / packet sniffer is a piece of software or hardware that sniffs network traffic by intercepting and logging network packets as they pass through the network.
How do we go about Sniffing Network Traffic?
To sniff packets well, one must know some networking basics. Let’s have a look at some principles that are quite pertinent to network or packet sniffing –
- ARP – Address Resolution Protocol. It resolves an IP address to the corresponding MAC address on the local network. We use ARP poisoning, also called ARP spoofing, to mimic the MAC addresses of other devices so that their traffic can be intercepted in between.
- Hubs, Switches, Routers – On a hub everyone can see everyone else’s traffic. A switch forwards packets so that only the source and destination get to communicate with each other. A router is a layer 3 device in the OSI model that routes packets between different networks.
- Promiscuous mode – It is a setting that needs to be enabled on the network card. If we put the card in this mode, it will see all the traffic it is capable of seeing on the network.
- Man in the middle attack –
Figure 1. Man in the middle
When one victim is trying to send data to another victim, we put ourselves in the middle as shown in the figure.
What are we trying to achieve?
The following points explain what we are trying to achieve with network and packet sniffing –
- Enumeration – Sniffing is part of enumeration, as it helps to identify devices on the network and reveals the information flowing across it.
- Identify Vulnerabilities – Through packet sniffing one can spot vulnerabilities in the network.
- User Credentials – One can obtain usernames and passwords through sniffing.
What tools do we use?
The tools include –
What are the countermeasures?
In order to protect our traffic we can take the following countermeasures –
- Encryption – Encrypted network traffic is very difficult for a sniffer to read.
- Lock Ports Down – The network administrator must lock down the network ports so that only people who actually work for the organisation can use them.
- Static MAC Address for Gateways – Pinning the gateway’s MAC address makes the attack very difficult to carry out.
- Tunnelling (VPN)
- SSH not Telnet – Because SSH is encrypted
- HTTPS not HTTP
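The two ARP-related countermeasures above (pinning the gateway’s MAC address and watching for poisoning) can be turned into a simple check. This is an added example, not code from the tutorial: it runs over constructed ARP replies, compares the gateway’s claimed MAC against a static binding, and flags any IP that is claimed by more than one MAC. The IP and MAC values are made up for the example.

```python
# Added example (not part of the original tutorial): detect ARP spoofing against
# the gateway by checking captured ARP replies against a pinned gateway MAC and
# by flagging any IP that is claimed by more than one MAC. The ARP records below
# are constructed sample data, not a real capture.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str    # IP address the sender claims to own
    sender_mac: str   # MAC address given for that IP
    ts: float         # capture timestamp (seconds)


# Static gateway binding, mirroring the "static MAC address for gateways"
# countermeasure (constructed values).
GATEWAY_IP = "192.168.1.1"
GATEWAY_MAC = "aa:bb:cc:dd:ee:01"

# Constructed ARP replies: a legitimate gateway reply, two normal hosts, then a
# third party claiming the gateway's IP with its own MAC (the poisoning attempt).
SAMPLE_REPLIES = [
    ArpReply("192.168.1.1", "aa:bb:cc:dd:ee:01", 100.0),
    ArpReply("192.168.1.20", "aa:bb:cc:dd:ee:20", 100.5),
    ArpReply("192.168.1.30", "aa:bb:cc:dd:ee:30", 101.0),
    ArpReply("192.168.1.1", "aa:bb:cc:dd:ee:99", 101.5),
    ArpReply("192.168.1.1", "aa:bb:cc:dd:ee:99", 102.0),
]


def detect_arp_spoofing(replies, gateway_ip=GATEWAY_IP, gateway_mac=GATEWAY_MAC):
    """Return alert strings for replies that contradict the pinned gateway
    binding or that make one IP resolve to more than one MAC."""
    alerts = []
    seen = defaultdict(set)  # ip -> set of MACs that have claimed it so far
    for r in replies:
        mac = r.sender_mac.lower()
        # Check 1: pinned gateway binding (static ARP entry semantics).
        if r.sender_ip == gateway_ip and mac != gateway_mac.lower():
            alerts.append(f"{r.ts}: gateway {gateway_ip} claimed by {mac}, expected {gateway_mac}")
        # Check 2: the same IP has now been claimed by more than one MAC.
        seen[r.sender_ip].add(mac)
        if len(seen[r.sender_ip]) > 1:
            alerts.append(f"{r.ts}: {r.sender_ip} now maps to {sorted(seen[r.sender_ip])}")
    return alerts


if __name__ == "__main__":
    for line in detect_arp_spoofing(SAMPLE_REPLIES):
        print(line)
```

On a real host the same logic would be fed from a capture of ARP replies; here the first three constructed replies produce no alerts and the two forged gateway replies each trigger both checks.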
Ethical Hacking Tutorial – Sniffing Traffic Theory Video: