The Mighty Sniffer
by Colm Murphy - Technical Director of Espion - Tuesday, 9 January 2007.
One of the most important tools in a security professional's arsenal is the mighty 'sniffer'. Its power is never underestimated, never undervalued. A sniffer is many things to many people. In the right hands it is invaluable, allowing for the analysis of complex traffic passing over the network, in the wrong hands it can be a destructive force, allowing for the capture of confidential or sensitive data as it flows on the wire.

A sniffer, sometimes called protocol or network analysers, is essentially hardware or software that can intercept or log traffic as it passes over the network. It will then decode that data traffic and present it in a easily understandable format, always in accordance with the particular protocol's specifications. A sniffer is the ultimate network 'wire-tap' offering an insight into the black-art of computer conversations

The most common type of network is the Ethernet network. Ethernet was built on the principal that all computers on the same network will share the same 'wire'. As a result, it is potentially possible that any one computer on the network could see all of the traffic on that network, regardless of whether that traffic was destined for it or not. To overcome this possibility, all Ethernet hardware (your network card) is programmed with a 'filter' that instructs it to ignore packets that do not its own MAC address. This has the effect of a single computer only receiving data that has been addressed directly to it, or to the whole network, like broadcast packets.

With sniffing, we essentially turn off or disable the filter, forcing the card into what has been aptly named 'promiscuous mode'. When a network card is operating in promiscuous mode, as long as the traffic is on the same wire, it will see it. And there in lies its power. The sniffing software then translates the captured packets into something more easily understood and displays it in the usual array of fancy ways, depending on the particular software in use.

Sniffers have a wide range of uses. Fault analysis and performance analysis are the two most obvious ways that the purchase of a commercial grade sniffer can be justified. Network intrusion detection is another benefit, in that devices running in promiscuous mode can monitor the network for unusual patterns of traffic, and create alerts or take action as appropriate. More sinister uses are the automatic sifting of clear text passwords from the network, or clear text protocols such as SMTP (email) or HTTP (web). In fact, encrypted passwords can be captured, and cracked offline at a later stage.

SMTP email is notoriously insecure, but despite repeated warnings many people persist in using email as a means to distribute confidential documents or information. A short sharp wake up call may be to demonstrate, through the use of a sniffer, exactly just how easy it is for an unauthorised individual to capture SMTP email from a network.

Many of the more technically adept among you, will surely argue that with the advent of switched networks, sniffing, or at least unauthorised sniffing, have become a thing of the past. Not so. While a switch can provide a good defence against the causual sniffer, it is important to remember that a switch creates a 'broadcast domain' providing an attacker the ability to spoof ARP packets and thus gain access to all of the traffic on the wire.


101,000 US taxpayers affected by automated attack on IRS app

The IRS has revealed more details about an attack it suffered last month, mounted by unknown individuals with the aim to file fraudulent tax returns and funnel the returned money to their own bank accounts.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Wed, Feb 10th