A SEMINAR ON PACKET SNIFFING

BY

ONWUMERE UCHE JUSTICE
FCAI/CST/ND/2020/2021/0547

SUBMITTED TO:
THE DEPARTMENT OF COMPUTER SCIENCE, FEDERAL COLLEGE OF AGRICULTURE ISHIAGU, EBONYI STATE.

IN PARTIAL FULFILMENT OF THE REQUIREMENT FOR THE AWARD OF NATIONAL DIPLOMA IN COMPUTER SCIENCE, FEDERAL COLLEGE OF AGRICULTURE ISHIAGU, EBONYI STATE.

OCTOBER, 2022

INTRODUCTION

Packet sniffing is a technique for monitoring network traffic. In LANs, packet sniffing and remote network monitoring (RMON) are well-known techniques used by network administrators to monitor LAN behaviour and diagnose trouble. It is effective on both switched and non-switched networks. In a non-switched network environment packet sniffing is easy, because network traffic is sent to a hub, which broadcasts it to every port. Switched networks operate completely differently: a switch forwards traffic only to the port of the destination host. It can do this because it maintains a CAM (Content Addressable Memory) table, a memory structure that the switch logic uses to map the Media Access Control (MAC) addresses of stations to the switch ports they are connected to. Before a host sends traffic to another host on the same local area network, it first checks its ARP cache, a table that stores the layer 2 (MAC) and layer 3 (IP) addresses of hosts on the local network. If the destination host is not in the ARP cache, the source host sends a broadcast ARP request looking for it; once that host replies, the traffic can be sent. The traffic goes from the source host to the switch and then directly to the destination host. Because the traffic is not broadcast to every host but delivered only to the destination, it is harder to sniff.

In its simplest form a packet sniffer captures all of the packets that pass through a given network interface. Typically, it would capture only the packets intended for the machine in question. However, if the interface is placed into promiscuous mode, the sniffer can also capture every packet traversing the network regardless of its destination. Promiscuous mode is a configuration of the network card that makes it pass all traffic it receives to the central processing unit rather than only the packets addressed to it. By placing a packet sniffer on a network in promiscuous mode, a malicious intruder can capture and analyze all of the network traffic. Within a given network, username and password information is generally transmitted in clear text, which means it can be read simply by analyzing the packets being transmitted. A packet sniffer, sometimes referred to as a network monitor or network analyzer, can be used legitimately by a network or system administrator to monitor and troubleshoot network traffic. Pcap is a network capture file format often used by packet sniffers such as Ethereal. Many open-source packet sniffing tools are available, such as tcpdump, Wireshark, Ettercap and Snort.
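As an added illustration (not part of the seminar paper), the following Python reader for the pcap format mentioned above decodes each captured frame's MAC, IPv4 and TCP fields and applies the delivery rule that separates a NIC in normal mode from one in promiscuous mode; the capture bytes, the NIC's MAC and all addresses are constructed here.

```python
import struct
PCAP_MAGIC = 0xA1B2C3D4        # classic pcap magic; its byte order reveals the writer's endianness
LINKTYPE_ETHERNET = 1
NIC_MAC = "00:11:22:33:44:55"  # constructed: the MAC of the interface the sniffer listens on

def mac_str(b): return ":".join(f"{x:02x}" for x in b)

def parse_pcap(data):
    """Yield the raw frame bytes of each record in a classic (non-pcapng) pcap file."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic not in (PCAP_MAGIC, 0xD4C3B2A1):
        raise ValueError("not a classic pcap file")
    endian = "<" if magic == PCAP_MAGIC else ">"
    if struct.unpack_from(endian + "I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("this example decodes Ethernet captures only")
    off = 24                                   # 24-byte global header
    while off + 16 <= len(data):               # 16-byte record header: ts_sec, ts_usec, incl_len, orig_len
        incl_len = struct.unpack_from(endian + "IIII", data, off)[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len
def decode_frame(frame):
    """Pull out what a sniffer reports for a frame: MACs, IPv4 addresses, protocol, TCP ports."""
    dst, src, ethertype = struct.unpack_from("!6s6sH", frame, 0)
    info = {"dst_mac": mac_str(dst), "src_mac": mac_str(src), "ethertype": ethertype}
    if ethertype == 0x0800 and len(frame) >= 34:                 # IPv4
        ihl = (frame[14] & 0x0F) * 4
        info["proto"] = frame[23]
        info["src_ip"] = ".".join(map(str, frame[26:30]))
        info["dst_ip"] = ".".join(map(str, frame[30:34]))
        if info["proto"] == 6 and len(frame) >= 14 + ihl + 4:    # TCP
            info["src_port"], info["dst_port"] = struct.unpack_from("!HH", frame, 14 + ihl)
    return info

def nic_delivers(info, nic_mac, promiscuous):
    """Normal mode: only frames for our MAC, broadcast or multicast reach the CPU. Promiscuous: all."""
    if promiscuous:
        return True
    group_bit = int(info["dst_mac"][:2], 16) & 1      # low bit of the first octet marks broadcast/multicast
    return info["dst_mac"] == nic_mac or bool(group_bit)
def visible_frames(pcap_bytes, nic_mac, promiscuous):
    decoded = (decode_frame(f) for f in parse_pcap(pcap_bytes))
    return [d for d in decoded if nic_delivers(d, nic_mac, promiscuous)]

def build_frame(dst_mac, src_mac, src_ip, dst_ip, sport, dport):
    """Constructed Ethernet/IPv4/TCP SYN frame (checksums left zero; enough for parsing)."""
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return eth + ip + tcp

def build_pcap(frames):
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return header + b"".join(struct.pack("<IIII", 1665000000 + i, 0, len(f), len(f)) + f
                             for i, f in enumerate(frames))
SAMPLE_PCAP = build_pcap([   # constructed: one frame for our NIC, one between two other hosts
    build_frame(NIC_MAC, "aa:bb:cc:dd:ee:01", "10.0.0.5", "10.0.0.9", 40001, 443),
    build_frame("66:77:88:99:aa:bb", "aa:bb:cc:dd:ee:02", "10.0.0.6", "10.0.0.7", 40002, 23),
])
```

Only the promiscuous pass returns the second frame, the telnet session between two other hosts, which is exactly the clear-text traffic the paper warns about.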

TYPES OF PACKET SNIFFERS

There are two major types of packet sniffers:

Hardware Packet Sniffers

As the name suggests, a hardware packet sniffer is a hardware component plugged into a network for packet sniffing or network analysis. Hardware packet sniffers are commonly used when network administrators have to analyze or monitor a particular segment of a large network. With a physical connection, these packet sniffers allow administrators to ensure that all packets are captured without any loss due to routing, filtering or any other network issue. A hardware packet sniffer may be able to store the captured packets, or it can be programmed to forward all captured packets to a centralized location for further analysis.

Software Packet Sniffers

Software packet sniffers are the more common type and are used by many organizations. Every computer or node connects to the network through a Network Interface Card (NIC), which is normally configured to ignore packets not addressed to it. A software packet sniffer changes this behaviour so that every bit of network traffic can be received for analysis; this NIC configuration is known as promiscuous mode. The amount of information collected depends on whether the packet sniffer is set to filtered or unfiltered mode.

Depending on the size and complexity of a network, multiple packet sniffers might be required to monitor and analyze it effectively, because a network adapter can only collect traffic from one side of a switch or router. Similarly, in wireless networks most network adapters can connect to only a single channel at a time, so capturing packets from other channels requires installing multiple packet sniffers.

PACKET SNIFFING AND USE OF PACKET SNIFFING PROGRAMS

Packet sniffing is the act of capturing packets of data flowing across a computer network. Packet sniffing is to computer networks what wiretapping is to a telephone network. It is done with packet sniffers, devices that can be plugged into a network and used to eavesdrop on its traffic. Using the information captured by the packet sniffer, an administrator can identify erroneous packets and use the data to pinpoint bottlenecks and help maintain efficient network data transmission. However, sniffing is also widely used by hackers and crackers to gather information illegally about networks they intend to break into. With a packet sniffer it is possible to capture data such as passwords, IP addresses and the protocols in use on the network, along with other information that helps an attacker infiltrate it. Packet sniffing is primarily used in intrusion detection, network management, wiretapping and hacking. Password-sniffing programs are the most popular kind of packet sniffing program.

Today's networks may already contain built-in sniffing modules. Most hubs support the RMON standard, which allows an intruder to sniff remotely using SNMP, whose authentication is weak. Many corporations employ Network Associates "Distributed Sniffer Servers", which are set up with easy-to-guess passwords. Windows NT machines often have a "Network Monitoring Agent" installed, which again allows remote sniffing. Packet sniffing is difficult to detect, but it can be done; the difficulty of the solution, however, means that in practice it is rarely done. The popularity of packet sniffing stems from the fact that it sees everything. Uses of packet sniffing programs include:

- Logging network traffic.
- Solving communication problems, such as finding out why computer A cannot communicate with computer B (the communication may fail for various reasons, such as a problem in either system or in the transmission medium).
- Analyzing network performance. This way the bottlenecks present in the network can be discovered, or the part of the network where data is lost (due to congestion) can be found.
- Retrieving usernames and passwords of people logging onto the network.
- Detecting network intruders.

SNIFFING AROUND THE HUB AND SNIFFING IN A SWITCHED NETWORK

Sniffing around the Hub

Sniffing on a network built with hubs is a dream for any packet analyst. Traffic sent through a hub is repeated to every port on that hub. Therefore, to analyze a computer on a hub, just plug a packet sniffer into an empty port on the hub and it will see all communication to and from every computer connected to that hub. As illustrated in figure 1 [7], the visibility window is limitless when the sniffer is connected to a hub network.

Sniffing in a Switched Network

A switched environment is the most common type of network. Switches provide an efficient means of transporting data via broadcast, unicast and multicast traffic. As a bonus, switches allow full-duplex communication, meaning that machines can send and receive data simultaneously through the switch. Unfortunately for packet analysts, switches add a whole new level of complexity to the job. In a switched network environment, packets are only sent to the port they are destined for, according to their destination MAC addresses. The advantage of a switched environment is that devices receive only the packets meant for them, so a promiscuous device cannot sniff any additional packets. When a sniffer is plugged into a port on a switch, it sees only broadcast traffic and the traffic transmitted and received by its own machine. There are three primary ways to capture traffic from a target device on a switched network: port mirroring, hubbing out and ARP cache poisoning.

PACKET SNIFFING METHODS

There are three sniffing methods. Some work in non-switched networks while others work in switched networks. The methods are:

IP-based sniffing

This is the original way of packet sniffing. It works by putting the network card into promiscuous mode and sniffing all packets matching an IP address filter. Normally the IP address filter is not set, so it captures all packets. This method only works in non-switched networks.

MAC-based sniffing

This method works by putting the network card into promiscuous mode and sniffing all packets matching a MAC address filter.

ARP-based sniffing

This method works a little differently: it does not put the network card into promiscuous mode. It relies instead on the ARP protocol being stateless, which is why this kind of sniffing can be done on a switched network. To perform it, the attacker first poisons the ARP caches of the two hosts whose traffic is to be sniffed, so that each of them identifies the attacker's host as the other end of the connection. Once the ARP caches are poisoned, the two hosts start their connection, but instead of being sent directly to the other host the traffic is sent to the attacker's host. The attacker then logs the traffic and forwards it to the real intended host on the other side of the connection. This is called a man-in-the-middle attack. A man-in-the-middle attack is, in the scope of a LAN, a technique by which an attacker is able to redirect all traffic between two hosts of that same LAN for packet sniffing or data manipulation, without the end hosts being aware of it.
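The ARP cache poisoning described above leaves two traces that a passive monitor on the segment can see: a reply that answers no request, and an IP address that is suddenly claimed by a second MAC. The following Python ARP watcher is an added example, not part of the seminar paper; the Ethernet/ARP frames, MAC and IP addresses it is fed are constructed test input.

```python
import struct
from collections import namedtuple
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
Arp = namedtuple("Arp", "op sender_mac sender_ip target_mac target_ip")

def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def mac_bytes(s): return bytes.fromhex(s.replace(":", ""))
def ip_str(b): return ".".join(str(x) for x in b)
def ip_bytes(s): return bytes(map(int, s.split(".")))
def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if the frame is not ARP."""
    ethertype, = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_ARP or len(frame) < 42:
        return None
    op, smac, sip, tmac, tip = struct.unpack_from("!HHBBH6s4s6s4s", frame, 14)[4:]
    return Arp(op, mac_str(smac), ip_str(sip), mac_str(tmac), ip_str(tip))

class ArpWatcher:
    """Learns IP->MAC bindings and flags unsolicited replies and bindings that change."""
    def __init__(self):
        self.bindings = {}    # ip -> mac from the first reply seen (arpwatch-style trust-on-first-use)
        self.pending = set()  # (requester_ip, requested_ip) pairs still awaiting a reply
        self.alerts = []
    def observe(self, frame):
        arp = parse_arp(frame)
        if arp is None:
            return
        if arp.op == ARP_REQUEST:
            self.pending.add((arp.sender_ip, arp.target_ip))
        elif arp.op == ARP_REPLY:
            key = (arp.target_ip, arp.sender_ip)
            if key in self.pending:
                self.pending.discard(key)
            else:                # nobody asked: the hallmark of a gratuitous poisoning reply
                self.alerts.append(f"unsolicited reply: {arp.sender_ip} is-at {arp.sender_mac}")
            known = self.bindings.setdefault(arp.sender_ip, arp.sender_mac)
            if known != arp.sender_mac:
                self.alerts.append(f"binding conflict: {arp.sender_ip} was {known}, now {arp.sender_mac}")

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Constructed ARP frame for the test traffic; requests go to broadcast, replies to the target."""
    dst = "ff:ff:ff:ff:ff:ff" if op == ARP_REQUEST else target_mac
    eth = mac_bytes(dst) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    body = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, mac_bytes(sender_mac),
                       ip_bytes(sender_ip), mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + body
HOST_A, HOST_A_IP, GATEWAY, GATEWAY_IP = "aa:bb:cc:dd:ee:01", "10.0.0.5", "aa:bb:cc:dd:ee:fe", "10.0.0.1"
INTRUDER = "bb:bb:bb:bb:bb:99"                          # all addresses constructed
SAMPLE_FRAMES = [                                       # request, genuine reply, then a spoofed reply
    build_arp(ARP_REQUEST, HOST_A, HOST_A_IP, "00:00:00:00:00:00", GATEWAY_IP),
    build_arp(ARP_REPLY, GATEWAY, GATEWAY_IP, HOST_A, HOST_A_IP),
    build_arp(ARP_REPLY, INTRUDER, GATEWAY_IP, HOST_A, HOST_A_IP),
]
def run_watcher(frames):
    watcher = ArpWatcher()
    for frame in frames:
        watcher.observe(frame)
    return watcher
```

A production deployment would seed the bindings from DHCP leases or a static inventory rather than trusting the first reply seen, since an attacker who answers before the real host would otherwise be learned as legitimate.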

BENEFITS OF PACKET SNIFFING

1. Detecting the Root Cause of a Network Issue
2. Troubleshooting Network Issues
3. Traffic Analysis
4. Bandwidth Management
5. Network Security and Compliance

1. Detecting the Root Cause of a Network Issue

Today, most enterprise networks serve several user groups and applications over a complex mix of legacy and next-generation networking equipment. Ensuring that all applications and servers perform without performance bottlenecks is a huge undertaking. When an application or service experiences an issue, it can be difficult to identify which network or application component is responsible for the slowdown. This is why network administrators monitor their network continuously for routine maintenance and optimization. With packet sniffers, they can collect information from all points of the network to quickly identify the components responsible for latency, jitter or packet loss.

2. Troubleshooting Network Issues

Whenever IT teams receive tickets related to network connectivity, they can perform PCAP analysis to measure response times or latency in the network, which reveals how long a packet takes to travel from sender to receiver. With this analysis, teams can identify congested links, detect the applications generating an unusual amount of traffic, and take remedial action to resolve the issue. Using modern Wi-Fi packet sniffers, teams can get performance metrics for different access points and wireless controllers. Many advanced network monitoring tools offer additional features for fault, performance and availability monitoring. It is also possible to correlate network data across the stack and perform hop-by-hop network path analysis to troubleshoot problems and minimize downtime.

3. Traffic Analysis

IT teams can also collect packet data for predictive analysis. They can visualize this data to detect the peaks and troughs in network demand over longer periods. Using advanced IP sniffers and packet analyzers, they can categorize the data by destination server IP address, the ports involved in communication, the volume of traffic and more. With this analysis it is possible to distinguish critical traffic (required for VoIP, ERP suites, CRMs, etc.) from non-business traffic (social media, unauthorized messengers, etc.). IT administrators can also filter and flag suspicious content.

4. Bandwidth Management

Slow or intermittent networks can significantly impact business productivity and lead to huge losses. Businesses rely on advanced network monitoring tools to avoid such issues, and most of these tools in turn rely on packet sniffing to analyze the traffic in a network. Packet sniffers help prevent misuse of the network by both internal and external users. As discussed above, with traffic analysis IT teams can easily identify traffic flows and WAN bandwidth utilization, any irregular increase in network usage, and more. Equipped with this data, they can prioritize bandwidth allocation for mission-critical applications and even restrict certain applications.

5. Network Security and Compliance

It is not rare for threat actors to infiltrate an enterprise network and compromise sensitive data. Their activities can remain hidden for a long period, and they often use advanced malware to make malicious use of enterprise resources. Regular traffic analysis allows the detection of any suspicious increase in outbound traffic. Packet sniffers help detect surges in traffic and attempts at network intrusion, and enable deeper evaluation and mitigation of security threats. They help in checking the status of WAN and endpoint security systems. Packet sniffers also support regulatory compliance documentation by logging all perimeter and endpoint traffic. Moreover, with packet sniffers, security teams can verify the effectiveness of a security setup consisting of several firewalls, web filters, WAF and IPS/IDS systems, and more.

Prevalence and Risk Factors

Using a sniffer, it is possible to capture almost any information: for example, which websites a user visits, what is viewed on each site, the contents and destination of any email, and details of any downloaded files. Protocol analyzers are often used by companies to keep track of network use by employees, and they are also part of many reputable antivirus software packages. Outward-facing sniffers scan incoming network traffic for specific elements of malicious code, helping to prevent computer virus infections and limit the spread of malware.

It is worth noting, however, that these analyzers can also be used for malicious purposes. If a user is convinced to download malware-laden email attachments or infected files from a website, an unauthorized packet sniffer can end up installed on a corporate network. Once in place, the packet sniffer can record any data transmitted and send it to a command and control (C&C) server for further analysis. It is then possible for hackers to attempt packet injection or man-in-the-middle attacks, along with compromising any data that was not encrypted before being sent.

CONCLUSION

When computers communicate over networks, they normally listen only to the traffic intended for them. However, network cards have the ability to enter promiscuous mode, which allows them to listen to all network traffic regardless of whether it is directed to them. Packet sniffers can capture things like clear-text passwords and usernames or other sensitive information, which makes them a serious matter for network security. Since sniffing is possible on both non-switched and switched networks, it is good practice to encrypt data communications. Users can also employ a number of techniques to detect sniffers on the network and protect their data from them.

REFERENCES

Ryan Spangler, "Packet Sniffing on Layer 2 Switched Local Area Networks", Packetwatch Research, December 2003.

Thomas M. Chen, Lucia Hu, "Internet Performance Monitoring", Proceedings of the IEEE, vol. 90, no. 9, pp. 1592-1603, September 2002.

Aaron Lanoy and Gordon W. Romney, "A Virtual Honey Net as a Teaching Resource", 7th International Conference on Information Technology Based Higher Education and Training (ITHET '06), IEEE, July 2006.

Greg Barnett, Daniel Lopez, Shana Sult, Michael Vanderford, "Packet Sniffing: Network Wiretapping", group project, INFO 3229-001, 2002.

A. Meehan, G. Manes, L. Davis, J. Hale, S. Shenoi, "Packet Sniffing for Automated Chat Room Monitoring and Evidence Preservation", Proceedings of the Second Annual IEEE Systems, Man and Cybernetics Information Assurance Workshop, New York, pp. 285-288, June 2001.

Sabeel Ansari, Rajeev S.G., Chandrashekar H.S., "Packet Sniffing: A Brief Introduction", vol. 21, pp. 17-19, IEEE, December 2002.

Chris Sanders, Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems, No Starch Press Inc., San Francisco, 2007.

Dick Hazeleger, "Packet Sniffing: A Crash Course", Netherlands, 2001.

Raed Alomoudi, Long Trinh, Darleen Spivey, "Protecting Vulnerabilities or Online Intrusion: The Efficacy of Packet Sniffing in the Workplace", Florida Atlantic University ISM 4320, 2004.

Ryan Spangler, "Packet Sniffer Detection with AntiSniff", University of Wisconsin, Department of Computer and Network Administration, May 2003.

Jorge Belenguer, Carlos T. Calafate, "A Low-Cost Embedded IDS to Monitor and Prevent Man-in-the-Middle Attacks on Wired LAN Environments", International Conference on Emerging Security Information, Systems and Technologies, IEEE, pp. 122-127, October 2007.

DiabloHorn, Kimatrix, "ARP Poisoning In Practice", 2008.

Cristina L. Abad, Rafael I. Bonilla, "An Analysis on the Schemes for Detecting and Preventing ARP Cache Poisoning Attacks", 27th International Conference on Distributed Computing Systems Workshops (ICDCSW '07), IEEE, June 2007.