Roughly one year ago, a tool called Firesheep introduced a lot of us to just how easily another person on the same network as you can snoop on your browsing session and even masquerade as you on sites that require a login, like, perhaps most notably, Facebook. Here's a closer look at how network snooping works and how to protect yourself from it.


It's a long post, so I've separated it into two sections. Jump to the one you're most interested in:

How to Get Started As a Network Snoop

Long before Firesheep came along and scared us all by making it trivial to hijack another user's Facebook session, another, more robust cross-platform tool called Wireshark was already allowing anyone with a little bit of know-how to sniff out usernames, passwords, and authentication cookies on any computer connected to the same network as you.


A Brief Overview of How Your Computer Talks to the Other Computers (and the Internet)

In order to understand what Wireshark does, you first need to understand a little bit about how computers talk to one another over networks and how they use this information to, say, log you into a web site. (I'm not a networking expert by any stretch, so don't worry—I don't have a choice but to make this beginner friendly.)


When your computer talks to another over a network, they each send packets of data back and forth between one another. These packets do things like negotiate the connection, pass around cookies or passwords to authenticate, and ultimately do the things you want them to do—transfer files, the HTML that makes up a web page, and so on.

What Wireshark Does

What Wireshark does is sniff out the packets being passed around your network—whether they're heading to or from your computer or to or from other computers on the same network as you—and let you poke around at the data passed back and forth in these packets.


When you log into a web site, for example, your browser sends what's called a POST request to a server somewhere out there on the internet. Wireshark can capture that POST request, and if you know where to look, you can find your username and password in plain text—assuming you're logging into a site that isn't using a secured HTTPS connection, which will encrypt that information so you wouldn't be able to make sense of it. (See our previous guide to why you should care about HTTPS on Facebook and other sites for more details.)


To combat this, a lot of sites, like Facebook and Gmail, have turned on HTTPS by default for all communication between your browser and their servers. But there are still a whole lot of web sites out there that don't encrypt logins, and many that use HTTPS for logins but not for cookies.

Cookies are relatively small strings of text set on your browser by web sites. Cookies can be used to track your behavior, they can be used to keep your settings persistent on a web site, and, most importantly for this post, they can identify to servers that you've already logged in—meaning that if you hijack the right cookie, you can masquerade as someone else without ever needing their username or password. (This is what Firesheep did.)


Similar to how it can capture usernames and passwords sent over HTTP connections, Wireshark can also capture cookies for you (or some other nefarious sniffer) to gobble up toward whatever end you prefer, including to gain access to your online accounts. Also similar to the username/password situation, if a site uses HTTPS for all its connections, you won't be able to successfully sniff out and use its cookie.
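A way to check a site for the "HTTPS for logins but not for cookies" gap described above, as an added example that is not from the original post: it reads a response's headers and lists the cookies set without the `Secure` attribute, which a browser will also attach to plain HTTP requests where anyone on the network can read them. The header values and cookie names are constructed sample data, and `audit_headers` is a hypothetical helper name.

```python
from http.cookies import SimpleCookie

# Constructed sample: headers from a hypothetical site that logs you in over
# HTTPS but issues its session cookie without the Secure attribute.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session_id=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "prefs=dark; Path=/; Secure"),
    ("Set-Cookie", "auth_token=xyz789; Path=/; Secure; HttpOnly"),
]


def audit_headers(headers):
    """Inspect (name, value) response headers.

    Returns a dict with:
      cookies   - per-cookie flags {name: {"secure": bool, "httponly": bool}}
      sniffable - names of cookies lacking Secure (sent over plain HTTP too)
      hsts      - True if the site asks browsers to use HTTPS only
    """
    report = {"cookies": {}, "sniffable": [], "hsts": False}
    for name, value in headers:
        lname = name.lower()
        if lname == "strict-transport-security":
            report["hsts"] = True
        elif lname == "set-cookie":
            jar = SimpleCookie()
            jar.load(value)  # parses one Set-Cookie value and its attributes
            for cookie_name, morsel in jar.items():
                flags = {
                    "secure": bool(morsel["secure"]),
                    "httponly": bool(morsel["httponly"]),
                }
                report["cookies"][cookie_name] = flags
                if not flags["secure"]:
                    report["sniffable"].append(cookie_name)
    return report


if __name__ == "__main__":
    result = audit_headers(SAMPLE_HEADERS)
    print("Cookies readable on the wire over HTTP:", result["sniffable"])
    print("HSTS enabled:", result["hsts"])
```

To run it against a real site, pass in the header pairs your HTTP client returns for the page that sets the login cookie.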

So now that you know the basics, let's jump right into it:

How to Sniff Usernames and Passwords with Wireshark



In the video at the top of the post, you can see me demonstrate how to sniff out a username and password when I attempt to log into Lifehacker (which, unfortunately, doesn't use HTTPS). Here, I've rounded up a few other more detailed videos that demonstrate how to use Wireshark to sniff out usernames and passwords (you'll probably want to go fullscreen on the video).


Note: If you're capturing over Wi-Fi, you'll need to run Wireshark in promiscuous mode so that it'll sniff out all the various packets on your network (including those coming from other people's computers). This process varies depending on your device, so you may have to do a little hunting.

How to Sniff Cookies with Wireshark



This video demonstrates how to sniff out cookies, and while the site it demonstrates the process for (Facebook) now uses HTTPS by default, the same basic method would work for sites that aren't using HTTPS.


How to Protect Yourself from Network Sniffing

The kind of network sniffing demonstrated here is something anyone can do without much experience. As Mike from the password video points out: "Technology is like a gun. You can use it for good, to hunt for your family, or you can use it for bad, to rob a store." This dissection of Wireshark is aimed at education, but the fact is, anyone interested in using Wireshark for skeezy purposes need only spend a few minutes on YouTube to dig up the same information.


So now that you have a better idea of how easy it can be for anyone on the same network as you to poke around and potentially sniff out your passwords, cookies, and so on, what can you do about it? Here's a quick rundown of some of your best bets, from least practical or effective to most effective.


You've still got other security concerns to consider if you want to stay safe on public Wi-Fi networks, but the above options can make all the difference for securing your browsing. The best-case scenario is actually out of your control: Web sites and services all implement HTTPS by default for any and all potentially sensitive data. Photo remixed from Anton Prado/Shutterstock.


Lifehacker's Evil Week is all about topics such as password cracking, social hacking and other questionable tricks to make sure you're in the know. Knowledge is power, and whether you use that power for good or evil is in your hands.

You can contact Adam Pash, the author of this post, on Twitter, Google+, and Facebook.