In short, packet sniffing is the method used to see all kinds of information as it passes over the network it is linked to, but how does a packet sniffer work?
A packet sniffer is a piece of software or hardware capable of monitoring all network traffic. It is able to capture all incoming and outgoing traffic, for example clear-text passwords, user names and other private or sensitive details. Packet sniffing is a form of wire-tap applied to computer networks instead of phone networks. It came into vogue with Ethernet, which is known as a "shared medium" network. This means that traffic on a segment passes by all hosts attached to that segment. Ethernet hardware contained a filter that prevented the host machine from actually seeing any traffic other than that belonging to the host. Sniffing programs turn off the filter, and thus see everyone's traffic.

In the scheme of things, a computer usually only examines a packet of data that corresponds to the computer’s address, but with a packet sniffer you are able to set the network interface to ‘promiscuous mode’. In this case it examines ALL available information passing through it. As the data passes through the system it is copied and stored in memory or on a hard drive. The copies can then be studied and the information analyzed. The captured information is decoded from raw digital form into a human-readable format that permits users of the protocol analyzer to easily review the exchanged information.

As soon as you connect to the internet, you ‘sign on’ to a network that is under the watch of your ISP. This network can communicate with other networks and in short forms the basis of the internet. If a packet sniffer is located at a server owned by your ISP, it has the potential to gain access to:
* The web sites visited.
* What is searched for on the site.
* Your e-mail recipients.
* The contents of your mail.
* Any files you download.
* A list of your audio, video and telephony options.
* A list of visitors to your website.
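To make the NIC filter and the decoding step described above concrete, here is an added Python example (not code from the article) that models an interface in normal mode beside one in promiscuous mode over constructed frames on a shared segment; the MAC and IP addresses and the sample traffic are invented for the demo.

```python
import struct

# Constructed sample addresses (not from the article): A and B are two hosts
# on the segment, C is the host whose interface we model.
MAC_A = bytes.fromhex("020000000001")
MAC_B = bytes.fromhex("020000000002")
MAC_C = bytes.fromhex("020000000003")
BROADCAST = b"\xff" * 6

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def nic_accepts(frame, own_mac, promiscuous=False):
    # Model of the hardware filter: in normal mode a NIC only passes frames sent to its
    # own MAC, to broadcast, or to a multicast group (low bit of the first byte set).
    if promiscuous:  # promiscuous mode switches the filter off
        return True
    dst = frame[:6]
    return dst == own_mac or dst == BROADCAST or bool(dst[0] & 1)

def decode_frame(frame):
    # Turn a raw Ethernet II / IPv4 / TCP frame into human-readable fields.
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst_mac": mac_str(dst), "src_mac": mac_str(src), "ethertype": hex(ethertype)}
    if ethertype == 0x0800:  # IPv4
        ver_ihl, _, _, _, _, ttl, proto, _, sip, dip = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
        ihl = (ver_ihl & 0x0F) * 4
        info.update(src_ip=".".join(map(str, sip)), dst_ip=".".join(map(str, dip)), ttl=ttl, proto=proto)
        if proto == 6:  # TCP: ports are the first four bytes; 20-byte header assumed for payload
            sport, dport = struct.unpack("!HH", frame[14 + ihl:18 + ihl])
            info.update(src_port=sport, dst_port=dport, payload=frame[34 + ihl:])
    return info

def build_frame(dst, src, sip, dip, sport, dport, payload):
    # Constructed frame for the demo: checksums are left at zero, which this
    # decoder does not validate.
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, bytes(sip), bytes(dip)) + tcp
    return struct.pack("!6s6sH", dst, src, 0x0800) + ip

def sniff(frames, own_mac, promiscuous=False):
    # Everything the host's interface lets through, decoded to readable fields.
    return [decode_frame(f) for f in frames if nic_accepts(f, own_mac, promiscuous)]

# Constructed traffic on a hub-style segment: A talks to C, then A talks to B.
SAMPLE_FRAMES = [
    build_frame(MAC_C, MAC_A, (10, 0, 0, 1), (10, 0, 0, 3), 40000, 22, b"SSH-2.0-client\r\n"),
    build_frame(MAC_B, MAC_A, (10, 0, 0, 1), (10, 0, 0, 2), 40001, 80, b"GET /login?user=alice HTTP/1.1\r\n"),
]
```

In normal mode `sniff(SAMPLE_FRAMES, MAC_C)` yields only the frame addressed to C; with `promiscuous=True` the A-to-B frame, clear-text HTTP payload included, is decoded as well.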
Switched vs. Non-Switched
In a non-switched network environment packet sniffing is an easy thing to do. This is because network traffic is sent to a hub, which broadcasts it to everyone. Switched networks are completely different in the way they operate. Switches work by sending traffic to the destination host only. This happens because switches have CAM tables. These tables store information like MAC addresses, switch ports, and VLAN information. Before sending traffic from one host to another on the same local area network, the host’s ARP cache is first checked. The ARP cache is a table that stores both Layer 2 (MAC) addresses and Layer 3 (IP) addresses of hosts on the local network. If the destination host isn’t in the ARP cache, the source host sends a broadcast ARP request looking for the host. When the host replies, the traffic can be sent to it. The traffic goes from the source host to the switch, and then directly to the destination host. This description shows that traffic isn’t broadcast out to every host, but only to the destination host, so it’s harder to sniff traffic.
Passive vs. Active Sniffing
Sniffers are powerful pieces of software. They have the capability to place the hosting system’s network card into promiscuous mode. A network card in promiscuous mode can receive all the data it can see, not just packets addressed to it.
If you are on a hub, a lot of traffic can potentially be affected. Hubs see all the traffic in that particular collision domain. Sniffing performed on a hub is known as passive sniffing.
Passive sniffing is performed when the user is on a hub. Because the user is on a hub, all traffic is sent to all ports. All the attacker must do is start the sniffer and wait for someone on the same collision domain to start sending or receiving data. A collision domain is a logical area of the network in which one or more data packets can...