Seminar on Sniffer

INTRODUCTION

A Sniffer is a program or a device that eavesdrops on the network traffic by grabbing information traveling over a network. Sniffers basically are "Data Interception" technology. They work because the Ethernet was built around a principle of sharing. Most networks use broadcast technology wherein messages for one computer can be read by another computer on that network. In practice, all the other computers except the one for which the message is meant will ignore that message. However, computers can be made to accept messages even if they are not meant for them. This is done by means of a Sniffer!

HOW DOES A SNIFFER WORK?

A computer connected to the LAN has 2 addresses. One is the MAC (Media Access Control) address that uniquely identifies each node in a network and is stored on the network card itself. It is the MAC address that gets used by the Ethernet protocol while building "frames" to transfer data to and from a machine.

SWITCHED ETHERNET:

An Ethernet environment in which the hosts are connected to a switch instead of a hub is called a Switched Ethernet. The switch maintains tables keeping track of each computer’s MAC address and the physical port on the switch to which that MAC address is connected, and delivers packets destined for a particular machine correspondingly. The switch is an intelligent device which sends packets to the destined computer only and does not broadcast them to all the machines on the network, as in the previous case.

IP-based sniffing

This is the original way of packet sniffing. It works by putting the network card into promiscuous mode and sniffing all packets matching the IP address filter. Normally, the IP address filter isn’t set so it can capture all the packets. This method only works in non-switched networks.

What Does Sniffed Data Look Like?

It is easy to grasp the concepts discussed above by watching a sniffer in action. The information in the following example was derived using tcpdump, a program that has been around for quite some time and is available for many platforms. This particular snippet is an abbreviated exchange between a machine and the Security Focus Web server.




Sniffer


WHAT IS A SNIFFER?

A SNIFFER IS A PROGRAM OR A DEVICE THAT EAVESDROPS ON THE NETWORK TRAFFIC BY GRABBING INFORMATION TRAVELLING OVER THE NETWORK.

Why has the Internet been vulnerable to sniffers?

Competition among software companies
Added cost of Ethernet switches, hubs, interface cards
Incompatibilities of older and newer software
“Money Factor”.

COMPONENTS OF PACKET SNIFFER

Special Hardware
Capture Driver
Buffer
Real-time analysis
Decoder
Packet editing/transmission

CONCLUSION

Sniffers are an invisible major threat that has to be taken into account.
Even though there is no perfect solution, anyone connected to the Internet has to take the appropriate measures against it.
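
Added example (not part of the original seminar material): a small offline model of the behaviour described under "SWITCHED ETHERNET" and "IP-based sniffing", showing why a promiscuous network card sees other hosts' frames on a hub but not on a switch that has learned the destination's port. The MAC addresses, port numbers and function names are constructed for illustration.

```python
import struct

BROADCAST = b"\xff" * 6

def parse_eth(frame):
    """Split an Ethernet II header into (dst_mac, src_mac, ethertype)."""
    return struct.unpack("!6s6sH", frame[:14])

def nic_accepts(nic_mac, frame, promiscuous=False):
    """Simplified NIC filter: keep frames for our MAC or broadcast.
    Promiscuous mode disables the filter, so every frame is accepted."""
    dst, _, _ = parse_eth(frame)
    return promiscuous or dst == nic_mac or dst == BROADCAST

def hub_ports(in_port, n_ports):
    """A hub repeats each frame on every port except the one it came in on."""
    return [p for p in range(n_ports) if p != in_port]

class Switch:
    def __init__(self, n_ports):
        self.n_ports = n_ports
        self.table = {}                      # learned MAC address -> port

    def forward(self, in_port, frame):
        dst, src, _ = parse_eth(frame)
        self.table[src] = in_port            # learn where the sender is attached
        if dst != BROADCAST and dst in self.table:
            return [self.table[dst]]         # known unicast: one port only
        return hub_ports(in_port, self.n_ports)  # unknown or broadcast: flood

# Constructed sample hosts (locally administered MAC addresses).
A = bytes.fromhex("020000000001")            # attached to port 0
B = bytes.fromhex("020000000002")            # attached to port 1
C = bytes.fromhex("020000000003")            # attached to port 2, the listener

def frame(dst, src, payload=b"hello"):
    return dst + src + struct.pack("!H", 0x0800) + payload

def demo():
    a_to_b = frame(B, A)
    sw = Switch(3)
    sw.forward(1, frame(A, B))               # B sends first; switch learns B on port 1
    return {
        "hub_delivers_to": hub_ports(0, 3),           # C's port receives the frame
        "c_normal": nic_accepts(C, a_to_b),           # C's card drops it
        "c_promisc": nic_accepts(C, a_to_b, True),    # C's card keeps it
        "switch_delivers_to": sw.forward(0, a_to_b),  # frame never reaches C's port
    }

if __name__ == "__main__":
    print(demo())
```

On the hub, host C's port receives the frame and only the card's address filter decides whether it is kept; on the switch, the frame is never sent to C's port, so the card's mode makes no difference.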