One of the first dangers on a network is that some people can read content that is not intended for them. On a network operating in broadcast mode (WiFi, or Ethernet through a hub), anyone can read everyone's packets. On Ethernet, a network card in promiscuous mode does not filter out frames whose destination MAC address does not match the machine's own address, so it receives everything on the wire.

The Risks

Here's a very short list of information that circulates on the network:

SMTP, POP, IMAP email content

POP, IMAP, HTTP Basic, Telnet passwords

HTTP: content of pages with restricted access

SMB, NFS, FTP: file contents

SQL: table contents

An attacker can obtain the information they need without ever having to break into the system. We must not forget that many people use the same password everywhere, so one captured password often opens far more than the service it was captured from.

How a Sniffer Works

On a hub or on WiFi, there is nothing special to do: every station already sees all the traffic. Sniffing can also be done on a router or gateway, since all traffic passes through it.

In the case of a switch, it is a little different. You should know that a switch sends frames whose destination MAC address is not listed in its MAC address table out of all its ports, as if they were broadcasts (this is often configurable). One can impersonate another machine while the switch is updating its MAC address entries and play the role of a bridge, so as not to cut the original machine off the network.

An easier technique to set up is to overwhelm the switch with bogus entries: since the switch's table has a limited size, it eventually behaves like a hub. This technique causes a sharp rise in traffic load, which is itself noticeable.

One can also forge ARP packets that redefine the default gateway for the machines on the switch (see dsniff: http://naughty.monkey.org/~dugsong//dsniff/ ).

Finally, other basic techniques exist if one has physical access to the switch (port monitoring).

As you know, sniffing can also be used to detect suspicious network traffic.

How to Detect Sniffing

Since sniffing is passive, it is quite difficult to detect. You can, however, tell whether a network card is in promiscuous mode, because such a card accepts frames addressed to MAC addresses that do not exist on the network. If you forge an ARP request whose destination MAC address is a fake, non-broadcast address, a card in promiscuous mode will not filter it out, and the kernel will answer it anyway. This technique does not work if the machine in promiscuous mode has no IP address, or if the machine is not reachable by ARP requests.
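The check described above, as an added example that is not part of the original post: it builds an ARP request whose Ethernet destination is a fake unicast address, then models the two stages a probe must pass on the target (the NIC's receive filter, then the kernel's ARP stack). All addresses are constructed for the demonstration, the NIC filter is simplified to "own address or broadcast" (real cards also pass subscribed multicast), and the "kernel answers anyway" behaviour follows the post's description; real ARP stacks vary in whether they check the frame's destination MAC.

```python
import struct

# Constructed values for the demonstration (not from the original post).
FAKE_DST_MAC = "ff:ff:ff:ff:ff:fe"  # looks like unicast, owned by no real NIC
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
PROBER_MAC = "00:11:22:33:44:55"
PROBER_IP = "192.0.2.10"            # RFC 5737 documentation range

ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1


def mac_to_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def bytes_to_mac(b):
    return ":".join("%02x" % x for x in b)


def ip_to_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def bytes_to_ip(b):
    return ".".join(str(x) for x in b)


def build_arp_request(dst_mac, src_mac, src_ip, target_ip):
    """Ethernet II frame carrying an ARP 'who-has target_ip' request (42 bytes)."""
    eth = mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP)
    # hardware type=Ethernet, protocol=IPv4, hlen=6, plen=4, opcode=request
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)
    arp += mac_to_bytes(src_mac) + ip_to_bytes(src_ip)     # sender hw/proto address
    arp += b"\x00" * 6 + ip_to_bytes(target_ip)           # target hw (unknown)/proto address
    return eth + arp


def parse_frame(frame):
    """Decode the fields we need; returns None if this is not an ARP frame."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_ARP or len(frame) < 42:
        return None
    _, _, _, _, op = struct.unpack("!HHBBH", frame[14:22])
    return {
        "dst_mac": bytes_to_mac(frame[0:6]),
        "src_mac": bytes_to_mac(frame[6:12]),
        "op": op,
        "sender_ip": bytes_to_ip(frame[28:32]),
        "target_ip": bytes_to_ip(frame[38:42]),
    }


def nic_accepts(frame, own_mac, promiscuous):
    """Hardware receive filter: a normal NIC only passes frames addressed to its
    own MAC or to broadcast; a promiscuous NIC passes every frame to the kernel."""
    if promiscuous:
        return True
    dst = frame[0:6]
    return dst in (mac_to_bytes(own_mac), mac_to_bytes(BROADCAST_MAC))


def host_replies(frame, own_mac, own_ip, promiscuous):
    """Would the host answer the probe? The frame must first get past the NIC
    filter, then the ARP stack replies only if the target IP is one of ours
    (a host with no IP address never answers, which is the post's caveat)."""
    if not nic_accepts(frame, own_mac, promiscuous):
        return False
    arp = parse_frame(frame)
    if arp is None or arp["op"] != ARP_REQUEST:
        return False
    return own_ip is not None and arp["target_ip"] == own_ip


if __name__ == "__main__":
    probe = build_arp_request(FAKE_DST_MAC, PROBER_MAC, PROBER_IP, "192.0.2.20")
    for promisc in (False, True):
        print("promiscuous=%s -> replies=%s" % (
            promisc, host_replies(probe, "aa:bb:cc:dd:ee:01", "192.0.2.20", promisc)))
```

A reply to a probe that no normal card should have accepted is the signal; in practice the probe is sent with a raw-socket tool and the answer is watched for with a capture filter on the prober's side.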

In the case of ARP spoofing, a tool such as arpwatch, which logs the IP-to-MAC pairings it sees, will immediately show all suspicious ARP changes.
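An arpwatch-style check, as an added example that is not arpwatch's own code: it reads constructed ARP reply lines written in tcpdump's output style, keeps the IP-to-MAC pairing last seen for each address, and raises the three alerts arpwatch users will recognise (new station, changed ethernet address, and flip flop, where an address reverts to one seen before). It also lists any MAC that claims more than one IP, which is what a spoofed gateway looks like. The log lines and addresses are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Constructed ARP replies in tcpdump style, in arrival order. The .20 host
# starts answering for the gateway's IP, then the two addresses alternate.
ARP_LOG = """\
12:00:01.000 ARP, Reply 10.0.0.1 is-at 00:50:56:00:00:01, length 28
12:00:02.000 ARP, Reply 10.0.0.20 is-at 00:50:56:00:00:20, length 28
12:00:03.000 ARP, Request who-has 10.0.0.1 tell 10.0.0.20, length 28
12:00:04.000 ARP, Reply 10.0.0.1 is-at 00:50:56:00:00:20, length 28
12:00:05.000 ARP, Reply 10.0.0.1 is-at 00:50:56:00:00:01, length 28
12:00:06.000 ARP, Reply 10.0.0.1 is-at 00:50:56:00:00:20, length 28
"""

REPLY_RE = re.compile(r"Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-f]{2}(?::[0-9a-f]{2}){5})")


def parse_replies(text):
    """Yield (ip, mac) for each ARP reply line; requests are ignored."""
    for line in text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            yield m.group(1), m.group(2).lower()


def watch_arp(replies):
    """Return alerts as tuples: (kind, ip, new_mac, old_mac or None)."""
    current = {}                 # ip -> MAC we currently believe
    history = defaultdict(set)   # ip -> every MAC ever seen for it
    alerts = []
    for ip, mac in replies:
        if ip not in current:
            alerts.append(("new station", ip, mac, None))
        elif current[ip] != mac:
            # a return to a previously seen MAC is a flip flop, the classic
            # signature of two machines fighting over one IP address
            kind = "flip flop" if mac in history[ip] else "changed ethernet address"
            alerts.append((kind, ip, mac, current[ip]))
        current[ip] = mac
        history[ip].add(mac)
    return alerts


def macs_claiming_multiple_ips(replies):
    """MAC addresses seen answering for more than one IP (a spoofed gateway
    shows up as the attacker's MAC claiming both its own IP and the gateway's)."""
    claimed = defaultdict(set)
    for ip, mac in replies:
        claimed[mac].add(ip)
    return {mac: ips for mac, ips in claimed.items() if len(ips) > 1}


if __name__ == "__main__":
    replies = list(parse_replies(ARP_LOG))
    for alert in watch_arp(replies):
        print(alert)
    print(macs_claiming_multiple_ips(replies))
```

A legitimate hardware replacement also produces one "changed ethernet address" alert; what distinguishes spoofing is the flip flop pattern, because the real machine keeps answering as well.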

The best solution is still to encrypt your communications (HTTPS, SSH, VPN...), so that what is sniffed is useless.


Thanks, and I hope this will be helpful to you. You might also enjoy Networking Sniffing and How to Defend Against It [Part 2].