Packet Sniffing Basics

There is a technique in the security world called session hijacking where an attacker uses a packet sniffer to gain access to a victim's session on a particular Web site by stealing the victim's session cookie for that site. For instance, say I was sniffing traffic on the network, and you logged in to Facebook and left the Remember Me On This Computer check box checked. That signals Facebook to send you a session cookie that your browser stores. I potentially could collect that cookie through packet sniffing, add it to my browser and then have access to your Facebook account. This is such a trivial task that it can be scripted easily (someone has even made a Firefox extension that will do it automatically), and there still aren't many Web sites that encrypt their traffic to the end user, making it a significant problem when using the public Internet.

Figure 3. A Firefox Extension Designed to Gather Unencrypted Session Cookies from the Network

Packet sniffers exist that are specifically designed for monitoring what you are up to on the Internet. They will rebuild the exact Web page you are looking at, photos you're browsing, videos you're watching, and even files you're downloading. These applications are tailored to look through a string of packet captures to find various packet streams and reassemble them on the fly. My roommate in college whipped up something that would display the contents of my browser in real time on his computer (a scary revelation indeed).

E-mail is another one of those things that people tend to get up in arms about, because there's an assumption of privacy in e-mail that is derived from the regular mail system. Your e-mail is sent out and viewable, just like anything else that emanates from your computer on the network. E-mail sniffing is what made the FBI's Carnivore program so infamous.


Carnivore was a system implemented by the Federal Bureau of Investigation that was designed to monitor e-mail and electronic communications. It used a customizable packet sniffer that could monitor all of a target user's Internet traffic.

Since every packet bears a destination address in its header, it's possible that someone could sniff the network just to gather a browsing history of everyone on that segment. This may not be very insidious, but it's gathered data, and there's always someone willing to pay for all sorts of data.


I'm sure you're currently seconds from taking a pair of scissors to your network cable and swearing off the Internet for life, but fear not! There are less-drastic measures you can take to prevent such sensitive data loss. None of these precautions is the magic cure for eavesdroppers, but using even one of them will make you a less-desirable target. There's an old joke that says that when you're being chased by a bear, you don't need to outrun the bear, just the guy in front of you. You don't have to have the most secure computer on the block, just more secure than somebody else's. As with most network security, if people really want your data, they can get at it. However, most of the time, attackers aren't targeting a specific person, they're looking for targets of opportunity, so the more secure you are, the less likely you are to be such a target.

The first defense against eavesdropping is the Secure Sockets Layer (SSL) used by most Web pages that handle sensitive information. This forces all the content shared back and forth between you and the site to be encrypted. Some sites use SSL for their login pages only. Most sites don't even use SSL at all. It's easy to tell—the URL in the address bar will start with https instead of http. Some sites offer you some choice in the matter. For instance, Google allows you to turn SSL on all the time within Gmail, thus encrypting all your e-mail traffic.
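Whether the cookie theft described at the start of the article works against a site depends on attributes the site sets on its cookies, not just on whether the login page used SSL. The following is an added example (not from the article): a small audit of Set-Cookie headers that flags cookies the browser will also send over plain http, or that persist like a Remember Me cookie. The headers are constructed samples, not from any real site.

```python
# Added example, not part of the article: audit Set-Cookie headers and flag
# session cookies that a sniffer on the wire could pick up, i.e. cookies the
# browser will also send over plain http. Sample headers are constructed.
from typing import Dict, List, Tuple

SAMPLE_HEADERS: List[Tuple[str, str]] = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "sessid=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "remember_me=tok456; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/"),
    ("Set-Cookie", "csrf=xyz789; Path=/; Secure; SameSite=Strict"),
]


def parse_set_cookie(value: str) -> Tuple[str, Dict[str, str]]:
    """Split one Set-Cookie value into the cookie name and a lower-cased
    attribute map (flags such as Secure appear as keys with empty values)."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_cookies(headers: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Return {cookie name: [findings]} for every cookie that is exposed to
    eavesdropping or script theft, or that outlives the browser session."""
    findings: Dict[str, List[str]] = {}
    for field, value in headers:
        if field.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        problems = []
        if "secure" not in attrs:
            # Without Secure the browser sends the cookie on http requests too.
            problems.append("missing Secure: also sent over plain http")
        if "httponly" not in attrs:
            problems.append("missing HttpOnly: readable by page scripts")
        if "expires" in attrs or "max-age" in attrs:
            # A Remember Me style cookie stays valid after the browser closes.
            problems.append("persistent: remains valid after the browser closes")
        if problems:
            findings[name] = problems
    return findings
```

Run `audit_cookies(SAMPLE_HEADERS)` to see that only the csrf cookie is safe on the wire; the sessid cookie is protected from scripts but still travels over http.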

Modern network switches are designed to pass data intelligently to avoid packet collisions and excessive network traffic. If a packet is broadcast that is not intended for one of the nodes attached to it, the router will not rebroadcast to the local nodes. Likewise, if a packet is broadcast locally that is intended for another local node, the switch will not rebroadcast to the outside network. This forces strict segmentation on a network. For us, this means that someone using a packet sniffer on a switched network will not see any traffic from hosts not attached to the same switch. This doesn't mean much on small-scale networks, like you have at your house, but on a larger scale, it means that somebody can't sit in the breakroom sniffing traffic three floors up from the accounting department.
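An added example (not from the article) that simulates a hub and a learning switch to show how many frames a sniffer on an otherwise idle port receives; the MAC addresses and traffic are constructed. It also shows the caveat that a switch still floods a frame whose destination MAC it has not yet learned, so the isolation is not absolute.

```python
# Added example, not from the article: a minimal simulation of a hub and a
# learning switch, showing which ports (and so which sniffers) see each frame.
from typing import Dict, List, Set, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"
Frame = Tuple[int, str, str]  # (ingress port, source MAC, destination MAC)


class Hub:
    """A hub repeats every frame to every port except the one it came in on."""

    def __init__(self, ports: int) -> None:
        self.ports = ports

    def forward(self, in_port: int, src: str, dst: str) -> Set[int]:
        return {p for p in range(self.ports) if p != in_port}


class LearningSwitch:
    """A switch notes which port each source MAC was seen on and sends a
    unicast frame only to the learned port. Broadcasts and frames for a
    destination it has not learned yet are flooded exactly like a hub."""

    def __init__(self, ports: int) -> None:
        self.ports = ports
        self.table: Dict[str, int] = {}

    def forward(self, in_port: int, src: str, dst: str) -> Set[int]:
        self.table[src] = in_port  # learn (or refresh) the sender's port
        if dst != BROADCAST and dst in self.table:
            out = self.table[dst]
            return set() if out == in_port else {out}
        return {p for p in range(self.ports) if p != in_port}


def frames_seen_per_port(device, frames: List[Frame]) -> Dict[int, int]:
    """Replay frames and count how many copies each port receives; a sniffer
    plugged into port p sees exactly that many."""
    seen = {p: 0 for p in range(device.ports)}
    for in_port, src, dst in frames:
        for p in device.forward(in_port, src, dst):
            seen[p] += 1
    return seen


# Constructed traffic: host A on port 0 exchanges frames with gateway G on
# port 3; port 2 is where an eavesdropper has plugged in.
A, G = "aa:aa:aa:00:00:01", "aa:aa:aa:00:00:fe"
TRAFFIC: List[Frame] = [(0, A, G), (3, G, A), (0, A, G), (3, G, A)]
```

Comparing `frames_seen_per_port(Hub(4), TRAFFIC)` with the same call on `LearningSwitch(4)` shows port 2 receiving all four frames on the hub but only the first, flooded one on the switch.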

Wireless network encryption has come a long way in its short lifespan—going from no encryption to Wired Equivalent Privacy (WEP) encryption to Wi-Fi Protected Access (WPA) encryption. Wireless networks don't provide the same segmentation that the previously mentioned switches provide, meaning that any packet transmitted on a wireless access point gets rebroadcast to everyone else on the access point. Even though your traffic is encrypted under WEP, this encryption protects only the data from users not connected to that wireless network. The encryption scheme and key are identical for all users, so all your "encrypted" data is decryptable by anyone on the network, making your data essentially unencrypted. WPA solves this issue by isolating all users on the network and giving them a different encryption scheme even when the key is the same.

If you have SSH access to a computer outside your current network (which I'm sure most of us do), you can tunnel all your traffic through an SSH connection. You essentially are using the encryption of the SSH connection to protect all your data from eavesdroppers. There are two apparent downsides to this technique. First, your connection speed will drop, because now instead of going from you to the destination and back, your traffic will go from you to the SSH server to the destination and back. Second, your data is transmitted unencrypted from the remote end, so if that machine is vulnerable to packet sniffing, your data is no safer than it was at your local machine.

Virtual private networks are intended to allow users access to a network that otherwise would be inaccessible. However, they also can be used to protect your traffic, because VPN connections are encrypted. You can set up a private VPN for yourself just for this purpose, but it will have the same disadvantages as SSH tunneling. If you work for a company that has a VPN, you may be allowed to use it for this purpose, but your traffic will fall under the same policy and rules that you have in your office, so be careful what you use it for.




Lizzie wrote:

I think that this can be really useful for many people and they will certainly know how to take advantage of this.

mfarfanq wrote (subject "hubs != switches and switches > hubs"):

Hubs will broadcast all the packets to all the computers. Switches are a bit smarter and will try to send each packet to the respective computer. However, someone from inside the network can try to ARP poison the switch and hope that the switch will fail open; that turns the switch into a hub.

Correct me if I'm wrong.


Kozmetik wrote (subject "very good for thanks"):

Ah, crap. My bad. Thanks for the clarification. +1

Anonymous wrote:

It is possible to use ARP redirection to sniff traffic on Layer 2 and 3 switches.

Anonymous wrote:

It is possible to use ARP redirection as a man-in-the-middle attack. That's a more effective way to sniff, as you aren't simply grabbing the traffic from the air, but the host is purposefully sending you their traffic. That will allow the sniffer to receive all encrypted data as well as plain text.

Anonymous wrote:

As others have mentioned, the author doesn't have enough fundamental knowledge of how a switch and a router work. Being a somewhat security-related article, the information should be as accurate as possible. It is advised to make the correction ASAP for the sake of other readers, as such misleading information would even hurt the reputation of

danpan wrote:

Things don't work exactly as described here. For example, in a switched network you will receive only the broadcast and multicast traffic, not all packets. ARP is a broadcast, but after the ARP table is formed on the PC, the computer communicates with the gateway by MAC address, and the switch does not broadcast the packets.

You can capture all packets in wireless networks, where the information is sent through the air to the AP, or in a network with a hub. All PCs connected to the hub can "see" each other's packets.

Someone should correct the information!
PS: Sorry for my bad English.

mwallette wrote:

De nada

jdw wrote:

Ah, crap. My bad. Thanks for the clarification.


x33a wrote:

I would also suggest the use of HTTPS Everywhere. It's a Firefox add-on from the EFF folks, which basically enforces https on sites which support it. It's no use for most sites, as they don't support https, but as the use of https is increasing these days, this add-on makes it more convenient to switch to the https versions of websites.

jdw wrote:

Nice! Any chance there's a Google Chrome extension in the works?


x33a wrote:

Read the FAQ for all the clarifications:

jdw wrote:

I'm not keen on the sentence that reads "For instance, Google allows you to turn SSL on all the time within Gmail, thus encrypting all your e-mail traffic."

This sentence is written in such a way that makes it sound like email is encrypted when sent through GMail. This is, of course, incorrect. Only the HTTPS session between your browser and the GMail web server is encrypted. GMail will still send your email across the Interwebs unencrypted.

It's amazing to me how often I run across this misconception. I've even had irate clients send me a screen cap of their GMail inbox with the HTTPS in the address bar circled to "prove" that their email is being sent encrypted. Very disturbing how uninformed people are about the lack of privacy in email.

Anonymous wrote:

Not sure I agree with you that SSH traffic is encrypted in only one direction!!

jdw wrote:

He didn't say that. He said that once your traffic reaches the end of the SSH tunnel, it will continue unencrypted from there.

Anonymous wrote:

A second look confirms your statement. However, the use of a statement like "..onward transmission of your COULD be in unencrypted form..." would in my opinion be better.

jdw wrote:

Agreed. The reader would have to have a pretty decent understanding of what an SSH tunnel is to read that part as it was intended.


maxfields217 wrote:

Absolutely, the problem isn't in HTTPS, it's all in WiFi. It's better to check that again and then come up with something creative to fix the problem!


Anonymous wrote:

Did you just mess up how a switch works? Confused about the difference between an old-time hub and a modern switch?

The problem really is WiFi and not using HTTPS on all Internet endpoints!

jdw wrote:

Switches connect networks. They can "switch" traffic from one network to another. Hubs can only operate on the network they are on.

mwallette wrote:

While there is such a thing as a layer-3 switch (a switch with routing capability), in general switches do *not* connect networks. *Routers* connect networks. The difference between a switch and a hub is that a hub rebroadcasts traffic it receives on one port to every port, every time. A switch will broadcast the traffic when it doesn't have the destination MAC address in its lookup table, but will transmit traffic only through the port that the recipient is connected to (or to the router, if the destination is on a different network) when the recipient's MAC address does exist in the lookup table.

This makes a switched network considerably more secure than a network connected through a hub, because Joe User can't just sniff everybody else's network traffic on a switched network. This is why, IMHO, this article is just a little bit alarmist. However, the danger is very real if you are connecting to an open WiFi network at the local coffee shop.

Anonymous wrote:

Yes! Which makes a wired connection inherently secure, and sniffing is not as much of a breeze as the article suggests, because we all use switches; I haven't seen a hub for more than 10 years now :)
So the weak point nowadays is WiFi; no matter what you do, your packets might be compromised!

Considering this, I often choose performance over security and configure my home WiFi as open with MAC filtering on.
It makes routers faster, and still I have 'some' control over who is on the hotspot. In case you are techy enough to sniff the packets around and find the list of probable MAC addresses, you are WELCOME aboard :P
