A packet sniffer is a wiretap that eavesdrops on network traffic.
Now, as you have read in the TCP tutorial, packets travel through the internet individually. They contain lots of info. Once a packet hits the wires it is mere pulses. Most packet sniffers work at the Ethernet level of the network.
Ethernet defines the way the data gets transmitted and sniffers catch this.
Ethernet actually uses sublayers to transmit data.
The physical takes care of the wires.
The logical retransmits data if necessary.
The MAC is responsible for the formatting of the data once it hits the wires.
Now you have probably heard the term MAC before but what exactly is it?
MAC stands for Media Access Control. Your Ethernet adapter has an Ethernet (MAC) address.
In Windows you can check this by typing 'winipcfg' from a run box and choosing the appropriate network adapter (ipconfig /all for NT). This address is a 48-bit number, displayed in hex. The number is divided into two sections and should provide a unique address for every network adapter.
The first half identifies the manufacturer of the NIC and the second provides a serial number.
Now once an ethernet packet enters the wires it contains the following data:
The source and destination MAC should be clear.
The HEX code contains hexadecimal values so that the receiving computer knows what to do with it.
/* note: Ethernet works with different protocols like NetBEUI and IPX/SPX */
The IP packet is the encapsulated "".
CRC, Webopedia says this:
Abbreviation of cyclic redundancy check, a common technique for detecting data transmission errors.
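The frame layout described above, as an added example that is not part of the original tutorial: Python code that splits a raw Ethernet II frame into its fields and checks the CRC. The MAC addresses and payload are constructed sample values, and the example assumes the captured frame still carries its 4-byte CRC (many adapters strip it before a sniffer sees the frame).

```python
import struct
import zlib

# EtherType values (the "HEX code" field) for a few common protocols.
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x8137: "IPX"}


def fmt_mac(raw):
    """Render raw bytes as colon-separated hex, the usual MAC notation."""
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst, src, ethertype, payload):
    """Construct a sample frame, including the trailing 4-byte CRC."""
    body = dst + src + struct.pack("!H", ethertype) + payload
    # Ethernet uses CRC-32; the checksum goes on the wire low byte first.
    return body + struct.pack("<I", zlib.crc32(body))


def parse_frame(frame):
    """Split a raw Ethernet II frame into the fields described above."""
    if len(frame) < 18:  # 14-byte header + 4-byte CRC
        raise ValueError("frame too short")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    payload, fcs = frame[14:-4], frame[-4:]
    return {
        "dst": fmt_mac(dst),
        "src": fmt_mac(src),
        "src_vendor": fmt_mac(src[:3]),  # first half: manufacturer
        "src_serial": fmt_mac(src[3:]),  # second half: serial number
        "protocol": ETHERTYPES.get(ethertype, hex(ethertype)),
        "payload": payload,
        "crc_ok": struct.pack("<I", zlib.crc32(frame[:-4])) == fcs,
    }


# Constructed sample: made-up MAC addresses and a placeholder payload.
SAMPLE = build_frame(bytes.fromhex("ffffffffffff"),
                     bytes.fromhex("02aabbccddee"),
                     0x0806, b"\x00" * 46)

if __name__ == "__main__":
    for key, value in parse_frame(SAMPLE).items():
        print(key, value)
```

Flipping any bit of the sample frame makes crc_ok come back False, which is how the receiving side notices a transmission error.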
TCP/IP decides, after negotiation, how to transmit data and then turns packets over to ethernet. Ethernet puts the right wrappings around it and sends it to the next destination. Once a packet hits the next destination, ethernet deciphers it and hands over control to the appropriate protocol. It might be forwarded, the protocol decides.
The Address Resolution Protocol, which is defined in: (RFCs are available from rfc-editor.org) might be worth checking out.
Typing arp -a from a command prompt gives you some information too.
So once a packet hits the ethernet wires it looks like this:
Packets vary in size. Sniffing on complete packets would not be a logical thing to do.
There are various reasons you might want to sniff the network:
- Intrusion detection
- Network fault analysis
- Spying on conversation
- Stealing passwords
Now normally when your box receives a packet that should be forwarded, forwarding it is the only thing done. A sniffer will capture data for analysis and send it through to the destination anyway. That makes it hard to detect sniffer attacks. A well-placed sniffer can collect tons of valuable information. You could for example use a sniffer to find out what data you transmit to MS when you use update.
Now any good sniffer will decode the packets it filters for you and give you somewhat readable text. It will help you a great deal if you know your way around the various number systems as well as ASCII.
To use a sniffer to attack somebody you will have to break in on the conversation somewhere.
That means either the victim's or the victim's ISP's computer.
Setting up an ICMP redirect could also do the trick.
Different protocols send passwords in clear text over the wires. These include:
Now to get you started you could get Windump, which is the Windows port of the popular Unix-based Tcpdump.
Windump is available from http://windump.polito.it
It comes as a source code distribution as well as a binary.
Read the online manual for the parameters.
For a quick start:
windump -D (gives you available adapters)
windump -i 1 (starts windump with the first listed adapter)
Now after you capture packets you will have to use some sort of protocol analyzer to decode them.
Some sniffers include these where others do not.
Here come some sources where you can obtain packet-sniffers (msdos/windows):
There are lots more but this will get you going.
That concludes it.
Note that this was written to give a primer on the workings of packet sniffing.
I do not encourage illegal activity nor take responsibility for actions taken after reading this text.