
Sniffer

A sniffer is a piece of software that grabs all of the traffic flowing into and out of a computer attached to a network. Sniffers are available for several platforms in both commercial and open-source variations. Some of the simplest packages are actually quite easy to implement in C or Perl: they use a command-line interface and dump captured data to the screen. More complex projects use a GUI, graph traffic statistics, track multiple sessions and offer several configuration options. Sniffers are also the engines for other programs. Intrusion Detection Software (IDS) uses sniffers to match packets against a rule-set designed to flag anything malicious or strange. Network utilization and monitoring programs often use sniffers to gather the data necessary for metrics and analysis. Law enforcement agencies that need to monitor email during investigations likely employ a sniffer designed to capture very specific traffic.

Sniffers are also used by attackers to grab and monitor information passing between computers. A sniffer can show all the data being transmitted over a network segment, including passwords and other sensitive information, whenever that data is sent unencrypted.

We can now begin to understand the magic behind a sniffer. The sniffer program tells a computer, specifically its Network Interface Card (NIC), to stop ignoring all the traffic headed to other computers and pay attention to them. It does this by placing the NIC in a state known as promiscuous mode. Once a NIC is promiscuous, a status that requires administrative or root privileges, a machine can see all the data transmitted on its segment. The program then begins a constant read of all information entering the PC via the network card.

Found in: Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning by Gordon Fyodor Lyon

There are some things that can be done to help prevent this from happening. Firewalls and content filtering limit which traffic reaches a segment where a sniffer may be listening, and encryption of data in transit means that whatever a sniffer does capture cannot be read.
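Because promiscuous mode needs root and is visible to the operating system, an administrator can check for it on the host itself. The following is an added example, not code from the original page: on Linux, `ip -o link` lists each interface's flags (PROMISC appears when the NIC is promiscuous), and the kernel logs a message when an interface enters or leaves promiscuous mode. The sample command output and log lines below are constructed for the example; the log wording follows the two forms the Linux kernel has used ("device eth0 entered promiscuous mode" in older kernels, "eth0: entered promiscuous mode" in newer ones), which the regex accepts as an assumption about the format.

```python
import re

# Constructed sample of `ip -o link` output (not from the page): eth0 carries PROMISC.
IP_LINK_SAMPLE = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT
"""

# Constructed sample of kernel log lines (dmesg / journalctl -k), both wording styles.
KMSG_SAMPLE = """\
[  120.431] device eth0 entered promiscuous mode
[  121.002] eth1: entered promiscuous mode
[  300.777] eth1: left promiscuous mode
"""

# "<index>: <name>[@parent]: <FLAG,FLAG,...>" as printed by `ip -o link`.
LINK_LINE = re.compile(r"^\d+:\s+([^:@\s]+)(?:@\S+)?:\s+<([^>]*)>")
# Assumed kernel wording: optional "device " prefix, interface name, optional ':'.
PROMISC_EVENT = re.compile(r"(?:device )?(\S+?):? (entered|left) promiscuous mode")


def promisc_interfaces(ip_link_output: str) -> list[str]:
    """Interfaces whose flag list in `ip -o link` output contains PROMISC."""
    found = []
    for line in ip_link_output.splitlines():
        m = LINK_LINE.match(line)
        if m and "PROMISC" in m.group(2).split(","):
            found.append(m.group(1))
    return found


def promisc_events(kmsg: str) -> list[tuple[str, str]]:
    """(interface, 'entered'|'left') for every promiscuous-mode message in the log."""
    events = []
    for line in kmsg.splitlines():
        m = PROMISC_EVENT.search(line)
        if m:
            events.append((m.group(1), m.group(2)))
    return events


def still_promiscuous(kmsg: str) -> set[str]:
    """Replay the log: interfaces that entered promiscuous mode and never left it."""
    active: set[str] = set()
    for iface, what in promisc_events(kmsg):
        if what == "entered":
            active.add(iface)
        else:
            active.discard(iface)
    return active


if __name__ == "__main__":
    print("PROMISC flag set on:", promisc_interfaces(IP_LINK_SAMPLE))
    print("log events:", promisc_events(KMSG_SAMPLE))
    print("still promiscuous per log:", still_promiscuous(KMSG_SAMPLE))
```

Both sources agree in the sample (eth0 is promiscuous; eth1 was, briefly, and is no longer). A legitimate IDS or monitoring tool on the host produces exactly the same signals, so the check is a prompt to confirm that whatever is capturing is expected, not proof of an intrusion on its own.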

What does a typical sniffer look like?

This particular snippet is an abbreviated exchange between a machine and the SecurityFocus Web server.

21:06:30.786814 0:1:3:e5:46:6b 0:4:5a:d1:46:ad 0800 650: 192.168.1.3.32946 >
66.38.151.10.80: P [tcp sum ok] 1:585(584) ack 336 win 64080 <nop,nop,timestamp 608776
899338> (DF) (ttl 64, id 7468, len 636)
0x0000 4500 027c 1d2c 4000 4006 8074 c0a8 0103 E..|.,@.@..t....
0x0010 4226 970a 80b2 0050 54ac b070 78ef d6c3 B&.....PT..px...
0x0020 8018 fa50 c663 0000 0101 080a 0009 4a08 ...P.c........J.
0x0030 000d b90a 4745 5420 2f63 6f72 706f 7261 ....GET./corpora
0x0040 7465 2f69 6d61 6765 732f 6275 696c 642f te/images/build/
0x0050 626c 6c74 5f72 645f 312e 6769 6620 4854 bllt_rd_1.gif.HT
0x0060 5450 2f31 2e31 0d0a 486f 7374 3a20 7777 TP/1.1..Host:.ww
0x0070 772e 7365 6375 7269 7479 666f 6375 732e w.securityfocus.
0x0080 636f 6d0d 0a55 7365 722d 4167 656e 743a com..User-Agent:
0x0090 204d 6f7a 696c 6c61 2f35 2e30 2028 5831 .Mozilla/5.0.(X1
0x00a0 313b 2055 3b20 4c69 6e75 7820 6936 3836 1;.U;.Linux.i686

21:06:30.886814 0:4:5a:d1:46:ad 0:1:3:e5:46:6b 0800 402: 66.38.151.10.80 >
192.168.1.3.32949: P [tcp sum ok] 2363393025:2363393361(336) ack 1437810754 win 8616
<nop,nop, timestamp 899338 608766> (ttl 61, id 10825, len 388)
0x0000 4500 0184 2a49 0000 3d06 b74f 4226 970a E...*I..=..OB&..
0x0010 c0a8 0103 0050 80b5 8cde 8401 55b3 4042 .....P......U.@B
0x0020 8018 21a8 0543 0000 0101 080a 000d b90a ..!..C..........
0x0030 0009 49fe 4854 5450 2f31 2e31 2032 3030 ..I.HTTP/1.1.200
0x0040 204f 4b0d 0a41 6765 3a20 320d 0a41 6363 .OK..Age:.2..Acc
0x0050 6570 742d 5261 6e67 6573 3a20 6279 7465 ept-Ranges:.byte
0x0060 730d 0a44 6174 653a 2054 7565 2c20 3132 s..Date:.Tue,.12
0x0070 2046 6562 2032 3030 3220 3033 3a30 343a .Feb.2002.03:04:
0x0080 3538 2047 4d54 0d0a 436f 6e74 656e 742d 58.GMT..Content-
0x0090 4c65 6e67 7468 3a20 3433 0d0a 436f 6e74 Length:.43..Cont
0x00a0 656e 742d 5479 7065 3a20 696d 6167 652f ent-Type:.image/
0x00b0 6769 660d 0a53 6572 7665 723a 2041 7061 gif..Server:.Apa
0x00c0 6368 652f 312e 332e 3232 2028 556e 6978 che/1.3.22.(Unix
0x00d0 2920 6d6f 645f 7065 726c 2f31 2e32 360d ).mod_perl/1.26.

Found in: Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning by Gordon Fyodor Lyon

A capture like this lets anyone on your LAN segment see what you are doing; here both the HTTP request and the server's response are readable in cleartext in the right-hand column.
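To show what the hex dump above actually contains, here is an added example, not code from the original page or from the Nmap book it cites. It rebuilds the raw bytes from the hex columns of the two packets shown on this page, decodes the IPv4 and TCP headers (the dump starts at the IP header, as tcpdump prints it without link-layer output), and pulls the cleartext HTTP start line and headers out of the payload. Only the bytes tcpdump printed are available, so each packet is truncated relative to its IP total length, and the parser treats a header cut off mid-line as absent. The response block is limited to its first five lines; the function names are the example's own.

```python
import struct
from ipaddress import IPv4Address

# Hex-dump lines of the two packets shown on this page (tcpdump -x style, IP header first).
REQUEST = """\
0x0000 4500 027c 1d2c 4000 4006 8074 c0a8 0103 E..|.,@.@..t....
0x0010 4226 970a 80b2 0050 54ac b070 78ef d6c3 B&.....PT..px...
0x0020 8018 fa50 c663 0000 0101 080a 0009 4a08 ...P.c........J.
0x0030 000d b90a 4745 5420 2f63 6f72 706f 7261 ....GET./corpora
0x0040 7465 2f69 6d61 6765 732f 6275 696c 642f te/images/build/
0x0050 626c 6c74 5f72 645f 312e 6769 6620 4854 bllt_rd_1.gif.HT
0x0060 5450 2f31 2e31 0d0a 486f 7374 3a20 7777 TP/1.1..Host:.ww
0x0070 772e 7365 6375 7269 7479 666f 6375 732e w.securityfocus.
0x0080 636f 6d0d 0a55 7365 722d 4167 656e 743a com..User-Agent:
0x0090 204d 6f7a 696c 6c61 2f35 2e30 2028 5831 .Mozilla/5.0.(X1
0x00a0 313b 2055 3b20 4c69 6e75 7820 6936 3836 1;.U;.Linux.i686
"""
RESPONSE = """\
0x0000 4500 0184 2a49 0000 3d06 b74f 4226 970a E...*I..=..OB&..
0x0010 c0a8 0103 0050 80b5 8cde 8401 55b3 4042 .....P......U.@B
0x0020 8018 21a8 0543 0000 0101 080a 000d b90a ..!..C..........
0x0030 0009 49fe 4854 5450 2f31 2e31 2032 3030 ..I.HTTP/1.1.200
0x0040 204f 4b0d 0a41 6765 3a20 320d 0a41 6363 .OK..Age:.2..Acc
"""

HEX_DIGITS = set("0123456789abcdef")
# tcpdump flag letters; PSH+ACK renders as "P." (ACK is shown as a dot).
TCP_FLAG_NAMES = ((0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"), (0x10, "."), (0x20, "U"))


def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild raw bytes from '0xNNNN gggg gggg ... ASCII' lines; the ASCII column is ignored."""
    raw = bytearray()
    for line in dump.splitlines():
        fields = line.split()
        if not fields or not fields[0].startswith("0x"):
            continue
        for group in fields[1:9]:  # at most eight 4-digit groups per line
            if len(group) != 4 or not set(group.lower()) <= HEX_DIGITS:
                break  # a short final line: this is already the ASCII column
            raw += bytes.fromhex(group)
    return bytes(raw)


def decode_packet(dump: str) -> dict:
    """Parse the IPv4 and TCP headers; return them with the captured TCP payload."""
    raw = hexdump_to_bytes(dump)
    ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, _csum = struct.unpack("!BBHHHBBH", raw[:12])
    ihl = (ver_ihl & 0x0F) * 4
    ip = {"src": str(IPv4Address(raw[12:16])), "dst": str(IPv4Address(raw[16:20])),
          "ttl": ttl, "id": ident, "len": total_len, "df": bool(flags_frag & 0x4000), "proto": proto}
    if proto != 6:
        raise ValueError(f"not TCP (IP protocol {proto})")
    seg = raw[ihl:]
    sport, dport, seq, ack, off_flags, win, _csum, _urg = struct.unpack("!HHIIHHHH", seg[:20])
    data_off = (off_flags >> 12) * 4  # header length incl. options (32 here: nop,nop,timestamp)
    tcp = {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "win": win,
           "flags": "".join(name for bit, name in TCP_FLAG_NAMES if off_flags & bit)}
    return {"ip": ip, "tcp": tcp, "payload": seg[data_off:], "captured": len(raw)}


def summarize(pkt: dict) -> str:
    """One-liner in the style of the summary lines shown on this page."""
    ip, tcp = pkt["ip"], pkt["tcp"]
    return (f"{ip['src']}.{tcp['sport']} > {ip['dst']}.{tcp['dport']}: {tcp['flags']} "
            f"win {tcp['win']} (ttl {ip['ttl']}, id {ip['id']}, len {ip['len']})")


def http_headers(payload: bytes) -> dict:
    """Cleartext HTTP start line and headers from the captured payload.
    A header line cut off before its ':' by the truncated capture is dropped."""
    lines = payload.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line or ":" not in line:
            break
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return {"start": lines[0], "headers": headers}


if __name__ == "__main__":
    for dump in (REQUEST, RESPONSE):
        pkt = decode_packet(dump)
        print(summarize(pkt), f"[captured {pkt['captured']} of {pkt['ip']['len']} bytes]")
        print("   ", http_headers(pkt["payload"]))
```

Running it reproduces the values in the page's own summary lines (ttl 64/61, id 7468/10825, len 636/388, window 64080/8616, the sequence and acknowledgement numbers of the response) and prints the request line, Host and User-Agent headers, and the 200 OK status in the clear. Had the exchange been carried over TLS, the same parser would decode the IP and TCP headers just as well but the payload would be opaque, which is the concrete meaning of the encryption advice above.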

Wiki Link


http://searchnetworking.techtarget.com/sDefinition/0,,sid7_gci213016,00.html
