A Research Study on Packet Sniffing Tool TCPDUMP

Size: px

Start display at page:

Download "A Research Study on Packet Sniffing Tool TCPDUMP"

Gervais Grant
8 years ago
Views:

1 A Research Study on Packet Sniffing Tool TCPDUMP ANSHUL GUPTA SURESH GYAN VIHAR UNIVERSITY, INDIA ABSTRACT Packet sniffer is a technique of monitoring every packet that crosses the network. By using this developers can easily obtain the information of the packet, such as structures, types, sizes and data. Consequently, developers will find and correct errors rapidly and conveniently. Packet sniffer is a program running in a network attached device that passively receives all data link layer frames passing through the device's network adapter. It is also known as network analyzer, protocol analyzer or packet analyzer, or for particular types of networks, an Ethernet sniffer or wireless sniffer. The packet sniffer captures the data that is addressed to other machines, saving it for later analysis. Most of the time, we system administrators use packet sniffing to troubleshoot network problems like finding out why traffic is so slow in one part of the network. Capturing, or sniffing, network traffic is invaluable for network administrators troubleshooting network problems, security engineers investigating network security issues, developers debugging communication protocol implementations, or anyone trying to learn how their networks work. Because attackers use sniffers for network reconnaissance and to intercept transmitted credentials and data, learning about the capabilities and limitations of packet sniffers is an important facet of understanding the security risks. INTRODUCTION A packet sniffer is a tool that plugs into a computer network and monitors all network traffic. It monitors traffic destined to itself as well as to all other hosts on the network. Packet sniffers can be run on both non-switched and switched networks. Each machine on a local network has its own hardware address which differs from other machines. When a packet is sent, it will be transmitted to all available machines on local network. Owing to the shared principle of Ethernet, all computers on a local network share the same wire, so in normal situation, all machines on network can see the traffic passing through but will be unresponsive to those packets do not belong to themselves by just ignoring. However, if the network interface of a machine is in promiscuous mode, the NIC of this machine can take over all packets and a frame it receives on network, namely this machine (involving its software) is a sniffer. When a packet is received by a NIC, it first compares the MAC address of the packet to its own. If the MAC address matches, it accepts the packet otherwise filters it. This is due to the network card discarding all the packets that do not contain its own MAC address, an operation mode called no promiscuous, which basically means that each network card is minding its own business and reading only the frames directed to it. In order to capture the packets, NIC has to be set in the promiscuous mode. Packet sniffers which do Volume 01 No.49, Issue: 06 Page 172

Packet sniffer is a program running in a network attached device that passively receives all data link layer frames passing through the device's network adapter.

2 sniffing by setting the NIC card of its own system to promiscuous mode, and hence receives all packets even they are not intended for it. So, packet sniffer captures the packets by setting the NIC card into promiscuous mode the packet arriving at the NIC are copied to the device driver memory, which is then passed to the kernel buffer from where it is used by the user application. Here is a good set of definitions I found on the two types of Ethernet environments. How does a packet sniffer work A packet sniffer works by looking at every packet sent in the network, including packets not intended for itself. This is accomplished in a variety of ways. These sniffing methods will be described below. Sniffers also work differently depending on the type of network they are in. Shared Ethernet: In a shared Ethernet environment, all hosts are connected to the same bus and compete with one another for bandwidth. In such an environment packets meant for one machine are received by all the other machines. Thus, any machine in such an environment placed in promiscuous mode will be able to capture packets meant for other

from where it is used by the user application. Here is a good set of definitions I found on the two types of Ethernet environments.

3 machines and can therefore listen to all the traffic on the network. Switched Ethernet: An Ethernet environment in which the hosts are connected to a switch instead of a hub is called a Switched Ethernet. The switch maintains a table keeping track of each computer's MAC address and delivers packets destined for a particular machine to the port on which that machine is connected. The switch is an intelligent device that sends packets to the destined computer only and does not broadcast to all the machines on the network, as in the previous case. This switched Ethernet environment was intended for better network performance, but as an added benefit, a machine in promiscuous mode will not work here. As a result of this, most network administrators assume that sniffers don't work in a Switched Environment. Current Tools There are currently many software packages that can take packet traces, but they tend to be aimed at individual network segments, and tend to leave the analysis to the operator of the packet sniffer. One of the most basic tools for analyzing packets is tcpdump. Tcpdump runs from the command line and uses the libpcap module, which is an API for packet capture and analysis. The program attempts to present packets in a more readable format, by decoding formats such as TCP (Transmission Control Protocol) and IP (Internet Protocol) headers to present them in a more user

The switch maintains a table keeping track of each computer's MAC address and delivers packets destined for a particular machine to the port on which that machine is connected.

4 friendly way. This type of software is known as a protocol analyzer, since it combines the ability to retrieve packets from networks, but also to decompose the relevant protocols to make analysis more relevant. SNIFFING METHODS There are three types of sniffing methods. Some methods work in non-switched networks while others work in switched networks. The sniffing methods are: IP-based sniffing, MAC-based sniffing, and ARP-based sniffing IP-based sniffing This is the original way of packet sniffing. It works by putting the network card into promiscuous mode and sniffing all packets matching the IP address filter. Normally, the IP address filter isn t set so it can capture all the packets. This method only works in non-switched networks MAC-based sniffing This method works by putting the network card into promiscuous mode and sniffing all packets matching the MAC address filter ARP-based sniffing This method works a little different. It doesn t put the network card into promiscuous mode. This isn t necessary because ARP packets will be sent to us. This happens because the ARP protocol is stateless. Because of this, sniffing can be done on a switched network. To perform this kind of sniffing, you first have to poison the ARP cache1 of the two hosts that you want to sniff, identifying yourself as the other host in the connection. Once the ARP caches are poisoned, the two hosts start their connection, but instead of sending the traffic directly to the other host it gets sent to us. We then log the traffic and forward it to the real intended host on the other side of the connection. This is called a man-in-the-middle attack. See Diagram 1 for a general idea of the way it works.[2,3,5] What type of an attack is it A sniffer being used on a network to snoop passwords and anything else is considered to be a passive attack. A passive attack is one that doesn't directly intruder onto a foreign network or computer. Using a sniffer as an example one is set up in hopes of catching desired information including logins and passwords on the other hand, an active attack directly interfaces with a remote machine. Remote buffer overflows, network floods and other similar attack fall under the category of an active attack. By nature, passive attacks are not meant to be discovered by the persons being attacked. At no point should they have indication of your activity. This makes sniffers just as serious as any active attack REFERENCES 1. Research paper proceeding of the 2 nd National Conference; INDIACom-2008 by Rupal Sinha, D.K. Mishra 2. Implementation of IEEE Packet Analyzer

SNIFFING METHODS There are three types of sniffing methods. Some methods work in non-switched networks while others work in switched networks.

5 3. A Distributed Network Performance and Traffic Analyzer by Andrew Thomas 4. Packet Sniffer Detection with AntiSniff by Ryan Spangler, University of Wisconsin - Whitewater 5. Packet Sniffing Basics Linux Journal by Adrian Hannah 6. Linux Journal on Tcpdump 7. RFC Improving Passive Packet Capture Beyond Device Polling by Luca Deri NETikos S.p.A. Volume 01 No.49, Issue: 06 Page 174

Packet Sniffing Basics Linux Journal by Adrian Hannah 6. Linux Journal on Tcpdump 7. RFC 1761 8.

Packet Sniffer Detection with AntiSniff

Packet Sniffer Detection with AntiSniff Ryan Spangler University of Wisconsin - Whitewater Department of Computer and Network Administration May 2003 Abstract Packet sniffing is a technique of monitoring every packet that crosses the network.