Packet Sniffing Basics
Imagine this: you're sitting in your local coffee shop sucking down your morning caffeine fix before heading into the office. You catch up on your work e-mail, you check Facebook and you upload that financial report to your company's FTP server. Overall, it's been a constructive morning. By the time you get to work, there's a whirlwind of chaos throughout the office. That incredibly sensitive financial report you uploaded was somehow leaked to the public, and your boss is outraged by the crass and unprofessional e-mail you just sent him. Was there some hacker lurking in the shadows that broke into your company's network and decided to lay the blame on you? More than likely not. This mischievous ne'er-do-well probably was sitting in the coffee shop you stopped at and seized the opportunity.
Without some form of countermeasures, your data isn't safe on public networks. This example is a worst-case scenario on the far end of the spectrum, but it isn't so far-fetched. There are people out there who are capable of stealing your data. The best defense is to know what you can lose, how it can get lost and how to defend against it.
What Is Packet Sniffing?
Packet sniffing, or packet analysis, is the process of capturing any data passed over the local network and looking for any information that may be useful. Most of the time, we system administrators use packet sniffing to troubleshoot network problems (like finding out why traffic is so slow in one part of the network) or to detect intrusions or compromised workstations (like a workstation that is connected to a remote machine on port 6667 continuously when you don't use IRC clients), and that is what this type of analysis originally was designed for. But, that didn't stop people from finding more creative ways to use these tools. The focus quickly moved away from its original intent—so much so that packet sniffers are considered security tools instead of network tools now.

Figure 1. A Capture of a Packet of Someone Trying to Log In to a Web Site
Finding out what someone on your network is doing on the Internet is not some arcane and mystifying talent anymore. Tools like Wireshark, Ettercap or NetworkMiner give anybody the ability to sniff network traffic with a little practice or training. These tools have become increasingly easy to use and continue to make things easier to comprehend, which makes them more usable by a broader user base.

Figure 2. Tools like NetworkMiner can reconstruct images that have been broadcast on the network.
How Does It Work?
Now, you know that these tools are out there, but how exactly do they work? First, packet sniffing is a passive technique. No one actually is attacking your computer and delving through all those files that you don't want anyone to access. It's a lot like eavesdropping. My computer is just listening in on the conversation that your computer is having with the gateway.
Typically, when people think of network traffic, they think that it goes directly from their computers to the router or switch and up to the gateway and then out to the Internet, where it routes similarly until it gets to the specified destination. This is mostly true except for one fundamental detail. Your computer isn't directly sending the data anywhere. It broadcasts the data in packets that have the destination in the header. Every node on your network (or switch) receives the packet, determines whether it is the intended recipient and then either accepts the packet or ignores it.
For example, let's say you're loading the Web page http://example.com on your computer "PC". Your computer sends the request by basically shouting "Hey! Somebody get me http://example.com!", which most nodes simply will ignore. Your switch will pass it on to where it eventually will be received by example.com, which will pass back its index page to the router, which then shouts "Hey! I have http://example.com for PC!", which again will be ignored by everyone except you. If others were on your switch with a packet sniffer, they'd receive all that traffic and be able to look at it.
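The "accept or ignore" decision the previous two paragraphs describe is made by the network interface on every frame it hears, and a sniffer simply turns that filter off (promiscuous mode). The model below is an added example, not code from the original article: it parses Ethernet II frame headers, applies the receive filter a NIC uses in normal mode (own MAC, broadcast, joined multicast groups), and shows how many of the same frames a station on a shared medium receives once the filter is disabled. All MAC addresses and frames are constructed sample data.

```python
# Added example (not code from the original article): a model of the receive
# filter a network interface applies to each Ethernet frame it hears.  On a
# shared medium (a hub port, an open Wi-Fi channel) every station hears every
# frame; a NIC in normal mode keeps only frames addressed to its own MAC, to the
# broadcast address, or to a multicast group the host joined, and drops the
# rest before the operating system ever sees them.  A sniffer switches the
# interface into promiscuous mode, which disables that drop.  All addresses and
# frames below are constructed sample data.
import struct

ETHERNET_HEADER = struct.Struct("!6s6sH")      # dst MAC, src MAC, EtherType
BROADCAST = bytes.fromhex("ffffffffffff")
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    return ETHERNET_HEADER.pack(dst, src, ethertype) + payload


def parse_ethernet(frame: bytes):
    """Split an Ethernet II frame into (dst, src, ethertype, payload)."""
    if len(frame) < ETHERNET_HEADER.size:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = ETHERNET_HEADER.unpack_from(frame)
    return dst, src, ethertype, frame[ETHERNET_HEADER.size:]


def interface_accepts(frame: bytes, my_mac: bytes, groups=frozenset(),
                      promiscuous: bool = False) -> bool:
    """Decide whether a NIC would pass this frame up to the host.

    groups: multicast MACs the host has joined (e.g. for IPv6 neighbour
    discovery); promiscuous=True models a sniffer's interface.
    """
    if promiscuous:
        return True
    dst = parse_ethernet(frame)[0]
    if dst == my_mac or dst == BROADCAST:
        return True
    is_multicast = bool(dst[0] & 0x01)   # group bit of the first octet
    return is_multicast and dst in groups


def delivered(frames, my_mac: bytes, promiscuous: bool = False):
    """Return (src, dst, ethertype) for every frame the host would receive."""
    out = []
    for frame in frames:
        if interface_accepts(frame, my_mac, promiscuous=promiscuous):
            dst, src, ethertype, _ = parse_ethernet(frame)
            out.append((mac_str(src), mac_str(dst), ethertype))
    return out


# Constructed sample segment: the reader's PC, the gateway and a third station.
PC = bytes.fromhex("02000000aa01")
GATEWAY = bytes.fromhex("02000000aa02")
NEIGHBOR = bytes.fromhex("02000000aa03")

SAMPLE_FRAMES = [
    build_frame(BROADCAST, PC, ETHERTYPE_ARP, b"who-has 192.0.2.1?"),
    build_frame(GATEWAY, PC, ETHERTYPE_IPV4, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    build_frame(NEIGHBOR, GATEWAY, ETHERTYPE_IPV4, b"(traffic for someone else)"),
    build_frame(PC, GATEWAY, ETHERTYPE_IPV4, b"HTTP/1.1 200 OK\r\n\r\n<html>..."),
]

if __name__ == "__main__":
    for label, promisc in (("normal mode", False), ("promiscuous mode", True)):
        seen = delivered(SAMPLE_FRAMES, NEIGHBOR, promiscuous=promisc)
        print(f"{label}: the neighbour's host receives {len(seen)} of {len(SAMPLE_FRAMES)} frames")
        for src, dst, etype in seen:
            print(f"   {src} -> {dst}  type=0x{etype:04x}")
```

Run stand-alone, the third station receives two of the four frames in normal mode (the broadcast ARP request and the one frame addressed to it) and all four in promiscuous mode; that difference is the whole mechanism behind a passive sniffer on a shared medium.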
Picture it like having a conversation in a bar. You can have a conversation with someone about anything, but other people are around who potentially can eavesdrop on that conversation, and although you thought the conversation was private, eavesdroppers can make use of that information in any way they see fit.
What Kind of Information Can Be Gathered?
Most of the Internet runs in plain text, which means that most of the information you look at is viewable by someone with a packet sniffer. This information ranges from the benign to the sensitive. You should take note that all of this data is vulnerable only through an unencrypted connection, so if the site you are using has some form of encryption like SSL, your data is less vulnerable.
The most devastating data, and the stuff most people are concerned with, is user credentials. Your user name and password for any given site are passed in the clear for anyone to gather. This can be especially crippling if you use the same password for all your accounts on-line. It doesn't matter how secure your bank Web site is if you use the same password for that account and for your Twitter account. Further, if you type your credit-card information into an unsecured Web page, it is just as vulnerable, although there aren't many (if any) sites that continue this practice for that exact reason.
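The check below is an added example, not code from the original article: it is the kind of monitoring rule a network defender runs over captured flows to find out where credentials are crossing the wire in the clear. It parses an HTTP/1.x request and reports the carrier (a Basic auth header or a password form field) and the request target, without recording the credential itself; the same request inside a TLS connection is opaque bytes, so the check reports nothing, which is the difference between the unencrypted and SSL cases described above. All payloads, hosts and the dummy credential are constructed samples.

```python
# Added example (not code from the original article): a monitoring check of the
# kind a network defender runs over captured flows to find credentials sent in
# cleartext.  It parses an HTTP/1.x request and reports *where* a credential
# travelled (a Basic auth header, a password form field) without recording the
# value.  The same bytes inside a TLS connection are opaque, so the check finds
# nothing there.  All payloads are constructed samples, not a real capture.
import re
from urllib.parse import parse_qs

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/1\.[01]$")
CREDENTIAL_FIELDS = {"password", "passwd", "pass", "pwd", "secret"}


def parse_http_request(payload: bytes):
    """Return (method, target, headers, body); raises ValueError if not HTTP/1.x."""
    head, _sep, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError("not an HTTP/1.x request line")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return m["method"], m["target"], headers, body


def find_cleartext_credentials(payload: bytes):
    """List (kind, request target) for every credential carrier in the payload.

    Non-HTTP data (TLS records, binary protocols) yields an empty list.
    """
    try:
        method, target, headers, body = parse_http_request(payload)
    except ValueError:
        return []
    findings = []
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        findings.append(("basic-auth header", target))
    ctype = headers.get("content-type", "")
    if method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        for field in parse_qs(body.decode("latin-1"), keep_blank_values=True):
            if field.lower() in CREDENTIAL_FIELDS:
                findings.append((f"form field '{field}'", target))
    return findings


def scan_flows(flows):
    """flows: iterable of (dst_port, payload). Returns {dst_port: findings}."""
    report = {}
    for dst_port, payload in flows:
        hits = find_cleartext_credentials(payload)
        if hits:
            report.setdefault(dst_port, []).extend(hits)
    return report


# Constructed samples.  The Basic header is base64("alice:hunter2"), a dummy.
LOGIN_POST = (b"POST /login HTTP/1.1\r\nHost: www.example.com\r\n"
              b"Content-Type: application/x-www-form-urlencoded\r\n"
              b"Content-Length: 31\r\n\r\nusername=alice&password=hunter2")
BASIC_GET = (b"GET /private HTTP/1.1\r\nHost: www.example.com\r\n"
             b"Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n\r\n")
PLAIN_GET = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
# A TLS record header (handshake, version 3.3) followed by opaque bytes: the
# login above, once inside TLS, looks like this to a passive observer.
TLS_RECORD = bytes.fromhex("16030300050102030405")

SAMPLE_FLOWS = [(80, LOGIN_POST), (80, BASIC_GET), (80, PLAIN_GET), (443, TLS_RECORD)]

if __name__ == "__main__":
    for port, hits in scan_flows(SAMPLE_FLOWS).items():
        for kind, target in hits:
            print(f"port {port}: credential in {kind} for {target}")
```

Reporting only the carrier and the target is deliberate: the goal of such a check is to find the applications and users that still authenticate over plain HTTP so they can be moved to TLS, not to build a second copy of the passwords.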
Comments
I think that this can be
I think that this can be really useful for many people and they will certainly know how to take advantage of this.
RCA Ieftin
hubs != switches and switches > hubs
Hubs will broadcast all the packets to all the computers. Switches are a bit smarter and will try to send each packet to the respective computer. However, someone from inside the network can try to ARP poison the switch and hope that the switch will fail-open; that turns the switch into a hub.
Correct me if I'm wrong.
Thanks.
very good for thanks
Ah, crap. My bad. Thanks for the clarification. +1
It is possible to use ARP
It is possible to use ARP redirection to sniff traffic on Layer 2 and 3 switches.
It is possible to use ARP
It is possible to use ARP redirection as a man-in-the-middle attack. That's a more effective way to sniff, as you aren't simply grabbing the traffic from the air, but the host is purposefully sending you their traffic. That will allow the sniffer to receive all encrypted data as well as plain text.
As others have mentioned, the
As others have mentioned, the author doesn't have enough fundamental knowledge of how switches and routers work. Being a somewhat security-related article, the information should be as accurate as possible. It is advised to make the correction ASAP for the sake of other readers, as such misleading information could even hurt the reputation of linuxjournal.com.
Hello, Things don't work
Hello,
Things don't work exactly as described here. For example, in a switched network you will receive only the broadcast and multicast traffic, not all packets. ARP is a broadcast, but after the ARP table is formed on the PC, the computer communicates with the gateway through its MAC address and the switch does not broadcast the packets.
You can capture all packets in wireless networks, where the information is sent through the air to the AP, or in a network with a hub. All PCs connected to the hub can "see" each other's packets.
Someone should correct the information!
PS: Sorry for my bad English.
De nada
;)
Ah, crap. My bad. Thanks for
Ah, crap. My bad. Thanks for the clarification.
https
I would also suggest the use of HTTPS Everywhere. It's a Firefox add-on from the EFF folks, which basically enforces HTTPS on sites that support it. It's no use for most sites, as they don't support HTTPS, but as the use of HTTPS is increasing these days, this add-on makes it more convenient to switch to the HTTPS versions of websites.
https://www.eff.org/https-everywhere
Nice! Any chance there's a
Nice! Any chance there's a Google Chrome extension in the works?
Re:
Read the FAQ for all the clarifications:
https://www.eff.org/https-everywhere/faq
I'm not keen on the sentence
I'm not keen on the sentence that reads "For instance, Google allows you to turn SSL on all the time within Gmail, thus encrypting all your e-mail traffic."
This sentence is written in such a way that makes it sound like email is encrypted when sent through GMail. This is, of course, incorrect. Only the HTTPS session between your browser and the GMail web server is encrypted. GMail will still send your email across the Interwebs unencrypted.
It's amazing to me how often I run across this misconception. I've even had irate clients send me a screen cap of their GMail inbox with the HTTPS in the address bar circled to "prove" that their email is being sent encrypted. Very disturbing how uninformed people are about the lack of privacy in email.
Not sure I agree with you
Not sure I agree with you that SSH traffic is encrypted in only one direction!!
He didn't say that. He said
He didn't say that. He said that once your traffic reaches the end of the SSH tunnel, it will continue unencrypted from there.
A second look confirms your
A second look confirms your statement. However the use of a statement like "..onward transmission of your COULD be in unencrypted form..." would in my opinion be better.
Agreed. The reader would have
Agreed. The reader would have to have a pretty decent understanding of what an SSH tunnel is to read that part as it was intended.
Comment!
Absolutely, the problem isn't in HTTPS; it's all in WiFi. It's better to check that again and then come up with something creative to fix the problem!
Max @Ökostromanbieter
really?
Did you just mess up how a switch works? Confused about the difference between an old-time hub and a modern switch?
The problem really is WiFi and not using HTTPS on all Inet endpoints!
Switches connect networks.
Switches connect networks. They can "switch" traffic from one network to another. Hubs can only operate on the network they are on.
Uh...no
While there is such a thing as a layer-3 switch (a switch with routing capability), in general switches do *not* connect networks. *Routers* connect networks. The difference between a switch and a hub is that a hub rebroadcasts traffic it receives on one port to every port, every time. A switch will broadcast the traffic when it doesn't have the destination MAC address in its lookup table, but will transmit traffic only through the port that the recipient is connected to (or to the router, if the destination is on a different network) when the recipient's MAC address does exist in the lookup table.
This makes a switched network considerably more secure than a network connected through a hub, because Joe User can't just sniff everybody else's network traffic on a switched network. This is why, IMHO, this article is just a little bit alarmist. However, the danger is very real if you are connecting to an open WiFi network at the local coffee shop.
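The learning-table behaviour described in the comment above, as an added example that is not part of the comment thread or the article: a minimal model of a layer-2 switch next to a hub, fed the same constructed frames, so the reader can see where a station plugged into an unrelated port would receive a copy. The switch floods only while the destination MAC is unknown (or is broadcast/multicast) and otherwise sends the frame out a single port; the hub repeats everything. Port numbers, MAC addresses and traffic are constructed, and ageing, VLANs and table limits are left out of the model.

```python
# Added example (not code from the article or the comment above): a model of
# the MAC learning table a layer-2 switch keeps, next to a hub for contrast.
# A frame is flooded to every other port only while the destination is unknown
# (or is a broadcast/multicast address); once the switch has learned where an
# address lives, the frame goes out one port.  Ageing, VLANs and table limits
# are left out; all traffic below is constructed.
import struct

ETHERNET_HEADER = struct.Struct("!6s6sH")      # dst MAC, src MAC, EtherType
BROADCAST = bytes.fromhex("ffffffffffff")


def build_frame(dst, src, payload, ethertype=0x0800):
    return ETHERNET_HEADER.pack(dst, src, ethertype) + payload


class Hub:
    """Repeats every frame out of every port except the one it came in on."""

    def __init__(self, ports):
        self.ports = list(ports)

    def forward(self, ingress, frame):
        return [p for p in self.ports if p != ingress]


class Switch(Hub):
    """Learns source MAC -> port and forwards known unicast to a single port."""

    def __init__(self, ports):
        super().__init__(ports)
        self.table = {}            # MAC address -> port it was last seen on

    def forward(self, ingress, frame):
        dst, src, _ethertype = ETHERNET_HEADER.unpack_from(frame)
        self.table[src] = ingress  # learn (or refresh) the sender's location
        unknown = dst not in self.table
        group = dst == BROADCAST or bool(dst[0] & 0x01)
        if group or unknown:
            return super().forward(ingress, frame)   # flood like a hub
        egress = self.table[dst]
        return [] if egress == ingress else [egress]


def run(device, traffic):
    """Feed (ingress_port, frame) pairs through a device; return egress lists."""
    return [device.forward(port, frame) for port, frame in traffic]


def frames_seen_on(device, traffic, port):
    """Count the frames a station on `port` would receive."""
    return sum(1 for egress in run(device, traffic) if port in egress)


# Constructed segment: PC on port 1, gateway on port 2, a listener on port 3.
PC = bytes.fromhex("02000000aa01")
GATEWAY = bytes.fromhex("02000000aa02")
TRAFFIC = [
    (1, build_frame(BROADCAST, PC, b"ARP who-has 192.0.2.1", 0x0806)),
    (2, build_frame(PC, GATEWAY, b"ARP 192.0.2.1 is-at gateway", 0x0806)),
    (1, build_frame(GATEWAY, PC, b"GET / HTTP/1.1 ...")),
    (2, build_frame(PC, GATEWAY, b"HTTP/1.1 200 OK ...")),
]

if __name__ == "__main__":
    for name, dev in (("hub", Hub([1, 2, 3, 4])), ("switch", Switch([1, 2, 3, 4]))):
        print(f"{name}: port 3 sees {frames_seen_on(dev, TRAFFIC, 3)} of {len(TRAFFIC)} frames")
```

With the constructed traffic, the listener on port 3 receives all four frames through the hub but only the initial broadcast ARP request through the switch; the gateway's reply is already unicast to port 1 because the switch learned the PC's address from that first frame.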
yes! which makes wired
Yes! Which makes wired connections inherently secure, and sniffing is not the breeze the article suggests. Because we all use switches; I haven't seen a hub for more than 10 years now :)
So the weak point nowadays is WiFi; no matter what you do, your packet might be compromised!
Considering this, I often choose performance over security and configure my home WiFi as open with MAC filtering on.
It makes routers faster and still I have 'some' control over who is on the hotspot. In case you are that techy to sniff the packets around and find the list of probable MAC addresses, you are WELCOME aboard :P
Ah, crap. My bad. Thanks for
Ah, crap. My bad. Thanks for the clarification.