What is a Network Sniffer Used For?
Sniffer is another word for network analyzer. A network analyzer decodes
the data packets of common protocols and displays the network traffic in a readable format.
When used by malicious individuals, sniffers can represent a significant threat to the
security of a network. Network intruders use sniffing to capture confidential information,
and the terms sniffing and eavesdropping are often associated with this practice.
Using a sniffer in an illegitimate way is considered a passive attack, because it does
not directly interface or connect to any other systems on the network. A sniffer can
also be installed as part of the compromise of a computer on a network using an active
attack. The passive nature of sniffers is what makes detecting them difficult.
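Because a host-based sniffer usually has to put the network adapter into promiscuous mode, a local audit of interface flags is the standard first check for the problem described above; the following is an added example written for this page (not code from the book excerpt) and assumes a Linux host exposing /sys/class/net.

```python
"""Added example: report Linux interfaces running in promiscuous mode, the
footprint a sniffer running on this host normally leaves in the kernel's
per-interface flags word (/sys/class/net/<iface>/flags)."""
import os

IFF_PROMISC = 0x100          # bit from <linux/if.h>: adapter accepts all frames
SYSFS_NET = "/sys/class/net"  # assumed sysfs location on a Linux host


def parse_flags(text):
    """Parse the hex flags string sysfs exposes, e.g. '0x1003\\n' -> 4099."""
    return int(text.strip(), 16)


def is_promiscuous(flags):
    """True when IFF_PROMISC is set in an interface flags word."""
    return bool(flags & IFF_PROMISC)


def promiscuous_interfaces(sysfs_root=SYSFS_NET):
    """Return the sorted names of interfaces in promiscuous mode.

    Returns an empty list when sysfs is absent (non-Linux host or container
    without /sys), so the audit degrades quietly instead of crashing.
    """
    found = []
    if not os.path.isdir(sysfs_root):
        return found
    for iface in sorted(os.listdir(sysfs_root)):
        path = os.path.join(sysfs_root, iface, "flags")
        try:
            with open(path) as fh:
                flags = parse_flags(fh.read())
        except (OSError, ValueError):
            continue  # virtual entries without a readable flags file
        if is_promiscuous(flags):
            found.append(iface)
    return found


if __name__ == "__main__":
    # Constructed sample values: 0x1003 = UP|BROADCAST|MULTICAST (normal),
    # 0x1103 adds IFF_PROMISC, which is what a running sniffer sets.
    for sample in ("0x1003", "0x1103"):
        print(sample, "promiscuous" if is_promiscuous(parse_flags(sample)) else "normal")
    print("interfaces in promiscuous mode on this host:", promiscuous_interfaces())
```

This only catches sniffers on the host being audited; a passive tap or a mirrored switch port, as the text notes, leaves no such trace on the monitored systems.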
Intruders use sniffers on networks for:
o Capturing cleartext usernames and passwords
o Discovering the usage patterns of users on a network
o Compromising proprietary information
o Capturing and replaying Voice over IP (VoIP) telephone conversations
o Mapping the layout of a network
o Passive OS fingerprinting
The above are all illegal uses of a sniffer unless you are a penetration tester whose job
is to find and report these types of weaknesses.
For sniffing to occur, an intruder must first gain access to the communication cable of
the systems of interest, which means being on the same shared network segment or
tapping into the cable somewhere along the communications path. If the intruder is
not physically present at the target system or communications access point, there are
still ways to sniff network traffic, including:
o Breaking into a target computer and installing remotely controlled sniffing software.
o Breaking into a communications access point (e.g. Internet Service Provider) and installing sniffing software.
o Locating a system at the Internet Service Provider that has sniffing software installed.
o Using social engineering to gain physical access to an Internet Service Provider in order to install a packet sniffer.
o Having an inside accomplice at the target computer organization or the Internet Service Provider install the sniffer.
o Redirecting or copying communications to take a path that includes the intruder's computer.
Sniffing programs are included with most rootkits that are typically installed on
compromised systems. Rootkits are used to cover the tracks of an intruder by replacing
commands and utilities and clearing log entries. Intruders also install other programs such
as sniffers, key loggers, and backdoor access software.
Intruders often use sniffing programs that are configured to detect specific things
(e.g. passwords), and then electronically send them to the intruder (or store them for
later retrieval by the intruder).
Intruders may also use sniffer programs to control back doors. One method is to
install a sniffer on a target system that listens for specific information and then sends the
backdoor control information to a neighboring system. This type of backdoor control is
hard to detect because of the passive nature of sniffers.
Wireshark and Ethereal Network Protocol Analyzer Toolkit provides complete information and
step-by-step instructions for using the open source Ethereal network analyzer software.
Readers learn to install Ethereal in multiple environments, including Windows,
Unix and Mac OS X, as well as how to build Ethereal from source, and are guided through
Ethereal's graphical user interface.