Packet Sniffing

Definition: Packet sniffing is the act of capturing packets of data flowing across a computer network. The software or device used to do this is called a packet sniffer. Packet sniffing is to computer networks what wire tapping is to a telephone network.
Packet sniffing has legitimate uses to monitor network performance or troubleshoot problems with network communications. However, it is also widely used by hackers and crackers to gather information illegally about networks they intend to break into. Using a packet sniffer it is possible to capture data like passwords, IP addresses, protocols being used on the network and other information that will help the attacker infiltrate the network.

All network data travels across the Internet, and then into and out of PC's, in the form of individual, variable size data packets. Since the typical PC user never "sees" any of this raw data, many spyware systems covertly send sensitive information out of the user's computer without their knowledge.

A "Packet Sniffer" is a utility that sniffs without modifying the network's packets in any way. By comparison, a firewall sees all of a computer's packet traffic as well, but it has the ability to block and drop any packets that its programming dictates. Packet sniffers merely watch, display, and log this traffic.

One disturbingly powerful aspect of packet sniffers is their ability to place the hosting machine's network adapter into "promiscuous mode." Network adapters running in promiscuous mode receive not only the data directed to the machine hosting the sniffing software, but also all of the traffic on the physically connected local network. Unfortunately, this capability allows packet sniffers to be used as potent spying tools, this is obviously not an activity that is on the good side.
Today's networks are increasingly employing "switch" technology, preventing this technique from being as successful as in the past. It is still useful, though, as it is becoming increasingly easy to install remote sniffing programs on servers and routers, through which a lot of traffic flows.

Today's networks may already contain built-in sniffing modules. Most hubs support the RMON standard, which allow the intruder to sniff remotely using SNMP, which has weak authentication. Many corporations employ Network Associates "Distributed Sniffer Servers", which are set up with easy to guess passwords. Windows NT machines often have a "Network Monitoring Agent" installed, which again allows for remote sniffing.

Packets sniffing is difficult to detect, but it can be done. But the difficulty of the solution means that in practice, it is rarely done.

The popularity of packet sniffing stems from the fact that it sees everything. Typical items sniffed include:

SMTP, POP, IMAP traffic
Allows intruder to read the actual e-mail.
POP, IMAP, HTTP Basic, Telnet authentication
Reads passwords off the wire in clear-text.
SMB, NFS, FTP traffic
Reads files of the wire.
SQL databse
Reads financial transactions and credit card numbers.

Not only can sniffing read information that helps break into a system, it is an intrusion by itself because it reads the very files the intruder is interested in.

This technique can be combined with active transimission for even more effective attacks.

IP spoofing
When the sniffing program is on a segment between two communicating end points, the intruder can ??impersonate one end in order to hijack the connection. This is often combined with a denial of ??service (DoS) attack against the forged address so they don't interfere anymore.
raw transmit
Allows abonormal traffic to be generated, such as TCP SYN floods, overlapped fragments, illegal ??fragments, and TCP fingerprinting. The best attack is severe fragmentation, which fragments the TCP ??header in order to prevent firewalls from filtering by port number.

Packet sniffing tools are usually written by hackers. There are many extensions for pulling desired data off the network. The most popular are password sniffing programs.

Related Packet Sniffing Software: