Packet Sniffing Basics

Imagine this: you're sitting in your local coffee shop sucking down your morning caffeine fix before heading into the office. You catch up on your work e-mail, you check Facebook and you upload that financial report to your company's FTP server. Overall, it's been a productive morning. By the time you get to work, there's a whirlwind of chaos throughout the office. That incredibly sensitive financial report you uploaded was somehow leaked to the public, and your boss is outraged by the crass and unprofessional e-mail you just sent him. Was there some hacker lurking in the shadows who broke into your company's network and decided to lay the blame on you? More than likely not. This mischievous ne'er-do-well was probably sitting in the coffee shop you stopped at and seized the opportunity.

Without some form of countermeasure, your data isn't safe on public networks. This example is a worst-case scenario on the far end of the spectrum, but it isn't so far-fetched. There are people out there who are capable of stealing your data. The best defense is to know what you can lose, how it can get lost and how to defend against it.

What Is Packet Sniffing?

Packet sniffing, or packet analysis, is the process of capturing any data passed over the local network and looking for any information that may be useful. Most of the time, we system administrators use packet sniffing to troubleshoot network problems (like finding out why traffic is so slow in one part of the network) or to detect intrusions or compromised workstations (like a workstation that is continuously connected to a remote machine on port 6667 when you don't use IRC clients), which is what this type of analysis was originally designed for. But that didn't stop people from finding more creative ways to use these tools. The focus quickly moved away from its original intent, so much so that packet sniffers are now considered security tools instead of network tools.

Figure 1. A Capture of a Packet of Someone Trying to Log In to a Web Site

Finding out what someone on your network is doing on the Internet is not some arcane and mystifying talent anymore. Tools like Wireshark, Ettercap or NetworkMiner give anybody the ability to sniff network traffic with a little practice or training. These tools have become increasingly easy to use and continue to make things easier to comprehend, which makes them more usable by a broader user base.

Figure 2. Tools like NetworkMiner can reconstruct images that have been broadcast on the network.

How Does It Work?

Now you know that these tools are out there, but how exactly do they work? First, packet sniffing is a passive technique. No one is actually attacking your computer and delving through all those files that you don't want anyone to access. It's a lot like eavesdropping. My computer is just listening in on the conversation that your computer is having with the gateway.

Typically, when people think of network traffic, they think that it goes directly from their computers to the router or switch and up to the gateway and then out to the Internet, where it routes similarly until it gets to the specified destination. This is mostly true except for one fundamental detail. Your computer isn't directly sending the data anywhere. It broadcasts the data in packets that have the destination in the header. Every node on your network (or switch) receives the packet, determines whether it is the intended recipient and then either accepts the packet or ignores it.

For example, let's say you're loading the Web page http://example.com on your computer "PC". Your computer sends the request by basically shouting "Hey! Somebody get me http://example.com!", which most nodes simply will ignore. Your switch passes it on, and it eventually will be received by example.com, which will pass back its index page to the router, which then shouts "Hey! I have http://example.com for PC!", which again will be ignored by everyone except you. If others were on your switch with a packet sniffer, they'd receive all that traffic and be able to look at it.

Picture it like having a conversation in a bar. You can have a conversation with someone about anything, but other people are around who potentially can eavesdrop on that conversation, and although you thought the conversation was private, eavesdroppers can make use of that information in any way they see fit.

What Kind of Information Can Be Gathered?

Most of the Internet runs in plain text, which means that most of the information you look at is viewable by someone with a packet sniffer. This information ranges from the benign to the sensitive. Note that all of this data is vulnerable only over an unencrypted connection, so if the site you are using has some form of encryption like SSL, your data is less vulnerable.

The most devastating data, and the stuff most people are concerned with, is user credentials. Your user name and password for any given site are passed in the clear for anyone to gather. This can be especially crippling if you use the same password for all your accounts on-line. It doesn't matter how secure your bank Web site is if you use the same password for that account and for your Twitter account. Further, if you type your credit-card information into an insecure Web page, it is just as vulnerable, although there aren't many (if any) sites that continue this practice for that exact reason.
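As an added example (not code from the original article), the following Python script parses constructed Ethernet/IPv4/TCP frames, applies the same destination-address check every normal node applies (and skips it in promiscuous mode, which is what a sniffer does), and flags HTTP requests that carry a password or Basic-auth header in the clear. The MAC addresses, IP addresses and login request are all constructed sample data; a defender can run the same check over frames exported from a capture to find logins on their network that should have been protected by SSL.

```python
import struct

# Constructed sample addresses (not from any real network).
OWN_MAC = bytes.fromhex("001122334455")    # the NIC doing the listening
OTHER_MAC = bytes.fromhex("66778899aabb")  # some other node on the same segment
BROADCAST = b"\xff" * 6

def build_frame(dst_mac, src_mac, payload):
    """Constructed Ethernet II + IPv4 + TCP frame; checksums left zero, parse only."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20])) + tcp
    return dst_mac + src_mac + struct.pack("!H", 0x0800) + ip

def nic_accepts(frame, promiscuous=False):
    """The filter every node applies: keep frames for me or for everyone.
    A sniffer turns the filter off (promiscuous mode) and keeps every frame."""
    dst = frame[:6]
    return promiscuous or dst == OWN_MAC or dst == BROADCAST

def tcp_payload(frame):
    """Walk 14-byte Ethernet, IPv4 (variable IHL) and TCP (variable data offset)."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:   # not IPv4
        return b""
    ip = frame[14:]
    if ip[9] != 6:                                       # protocol 6 is TCP
        return b""
    tcp = ip[(ip[0] & 0x0F) * 4:]
    return tcp[(tcp[12] >> 4) * 4:]

def find_cleartext_credentials(frame):
    """Return the line carrying a password or Basic-auth header, or None.
    Anything this returns travelled unencrypted and should have been over SSL."""
    for line in tcp_payload(frame).split(b"\r\n"):
        lower = line.lower()
        if lower.startswith(b"authorization: basic") or b"password=" in lower:
            return line.decode("ascii", "replace")
    return None

def scan(frames, promiscuous=False):
    """Apply the NIC filter, then the credential check, to a list of frames."""
    kept = [f for f in frames if nic_accepts(f, promiscuous)]
    return [hit for hit in map(find_cleartext_credentials, kept) if hit]

# Constructed traffic: a harmless page for me, and someone else's login to a
# plain-HTTP site. A normal NIC drops the second frame; a sniffer sees both.
LOGIN = (b"POST /login HTTP/1.1\r\nHost: example.com\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
         b"user=pc&password=s3cret")
FRAMES = [build_frame(OWN_MAC, OTHER_MAC, b"HTTP/1.1 200 OK\r\n\r\n<html>"),
          build_frame(OTHER_MAC, bytes.fromhex("0c0c0c0c0c0c"), LOGIN)]
```

`scan(FRAMES)` returns nothing, while `scan(FRAMES, promiscuous=True)` returns the cleartext form line, which is exactly the difference between a normal node and a sniffer on the same segment.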


Comments


I think that this can be

Lizzie

I think that this can be really useful for many people and they will certainly know how to take advantage of this.
RCA Ieftin

hubs != switches and switches > hubs

mfarfanq

Hubs will broadcast all the packets to all the computers. Switches are a bit smarter and will try to send each packet to the respective computer. However, someone from inside the network can try to ARP poison the switch and hope that the switch will fail open; that turns the switch into a hub.

Correct me if I'm wrong.

Thanks.

very good for thanks

Kozmetik

Ah, crap. My bad. Thanks for the clarification. +1

It is possible to use ARP

Anonymous

It is possible to use ARP redirection to sniff traffic on Layer 2 and 3 switches.

It is possible to use ARP

Anonymous

It is possible to use ARP redirection as a man-in-the-middle attack. That's a more effective way to sniff, as you aren't simply grabbing the traffic from the air, but the host is purposefully sending you their traffic. That will allow the sniffer to receive all encrypted data as well as plain text.

As others have mentioned, the

Anonymous

As others have mentioned, the author doesn't have enough fundamental knowledge of how switches and routers work. Being a somewhat security-related article, the information should be as accurate as possible. It is advised to make the correction ASAP for the sake of other readers, as such misleading information would even hurt the reputation of linuxjournal.com.

Hello, Things don't work

danpan

Hello,
Things don't work exactly as described here. For example, in a switched network you will receive only the broadcast and multicast traffic, not all packets. The ARP is a broadcast, but after the ARP table is formed on the PC, the computer communicates with the gateway through the MAC address and the switch does not broadcast the packets.

You can capture all packets in wireless networks, where the information is sent through the air to the AP, or in a network with a hub. All PCs connected to the hub can "see" each other's packets.

Someone should correct the information!
PS: Sorry for my bad English.

De nada

mwallette

;)

Ah, crap. My bad. Thanks for

jdw

Ah, crap. My bad. Thanks for the clarification.

https

x33a

I would also suggest the use of HTTPS Everywhere. It's a Firefox add-on from the EFF folks, which basically enforces HTTPS on sites which support it. Though it's no use for most sites, as they don't support HTTPS, the use of HTTPS is increasing these days, and this add-on makes it more convenient to switch to the HTTPS versions of websites.

https://www.eff.org/https-everywhere

Nice! Any chance there's a

jdw

Nice! Any chance there's a Google Chrome extension in the works?

Re:

x33a

Read the FAQ for all the clarifications:

https://www.eff.org/https-everywhere/faq

I'm not keen on the sentence

jdw

I'm not keen on the sentence that reads "For instance, Google allows you to turn SSL on all the time within Gmail, thus encrypting all your e-mail traffic."

This sentence is written in such a way that makes it sound like email is encrypted when sent through GMail. This is, of course, incorrect. Only the HTTPS session between your browser and the GMail web server is encrypted. GMail will still send your email across the Interwebs unencrypted.

It's amazing to me how often I run across this misconception. I've even had irate clients send me a screen cap of their GMail inbox with the HTTPS in the address bar circled to "prove" that their email is being sent encrypted. Very disturbing how uninformed people are about the lack of privacy in email.

Not sure I agree with you

Anonymous

Not sure I agree with you that SSH traffic is encrypted in only one direction!!

He didn't say that. He said

jdw

He didn't say that. He said that once your traffic reaches the end of the SSH tunnel, it will continue unencrypted from there.

A second look confirms your

Anonymous

A second look confirms your statement. However, the use of a statement like "..onward transmission of your COULD be in unencrypted form..." would in my opinion be better.

Agreed. The reader would have

jdw

Agreed. The reader would have to have a pretty decent understanding of what an SSH tunnel is to read that part as it was intended.

Comment!

maxfields217

Absolutely, the problem isn't in HTTPS, it's all in WiFi. It's better to check that again and then come up with something creative to fix the problem!

Max @Ökostromanbieter

really?

Anonymous

Did you just mess up how a switch works? Confused about the difference between an old-time hub and a modern switch?

The problem really is WiFi and not using HTTPS on all Inet endpoints!

Switches connect networks.

jdw

Switches connect networks. They can "switch" traffic from one network to another. Hubs can only operate on the network they are on.

Uh...no

mwallette

While there is such a thing as a layer-3 switch (a switch with routing capability), in general switches do *not* connect networks. *Routers* connect networks. The difference between a switch and a hub is that a hub rebroadcasts traffic it receives on one port to every port, every time. A switch will broadcast the traffic when it doesn't have the destination MAC address in its lookup table, but will transmit traffic only through the port that the recipient is connected to (or to the router, if the destination is on a different network) when the recipient's MAC address does exist in the lookup table.

This makes a switched network considerably more secure than a network connected through a hub, because Joe User can't just sniff everybody else's network traffic on a switched network. This is why, IMHO, this article is just a little bit alarmist. However, the danger is very real if you are connecting to an open WiFi network at the local coffee shop.

yes! which makes wired

Anonymous

Yes! Which makes wired connections inherently secure, and sniffing is not as much of a breeze as the article suggests. Because we all use switches; I haven't seen a hub for more than 10 years now :)
So the weak point nowadays is WiFi; no matter what you do, your packet might be compromised!

Considering this, I often choose performance over security and configure home WiFi as open with MAC filtering on.
It makes routers faster and still I have 'some' control over who is on the hotspot. In case you are that techy to sniff the packets around and found the list of probable MAC addresses, you are WELCOME aboard :P

Ah, crap. My bad. Thanks for

jdw

Ah, crap. My bad. Thanks for the clarification.
