# What is Packet Sniffing in Networking?

July 13, 2018

A packet in computer communications is a quantity of data of limited size. On the Internet all traffic travels in the form of packets: file downloads, Web page retrievals and email all take place as exchanges of packets. A packet is a formatted unit of data carried by a packet-mode computer network. Packets are the basis of all data sent on the Internet, yet they are often handled insecurely, and tampering with live packets as they travel along the network is getting easier. Packet sniffing is commonly described as monitoring packets as they cross a network. Packet sniffers are typically software based, but can also be hardware devices installed directly on the network. Sniffers go beyond ordinary network hosts on a local area network (LAN), which only handle data sent specifically to them.

### Basics Overview of Packet Sniffing

Packet sniffing is the act of capturing packets of data flowing across a computer network. The software or device used to do this is called a packet sniffer. Packet sniffing is to computer networks what wiretapping is to a telephone network. Packet sniffing has legitimate uses in monitoring network performance and troubleshooting problems with network communications. However, it is also widely used by hackers and crackers to gather information illegally about networks they intend to break into. Using a packet sniffer it is possible to capture data such as passwords, IP addresses, the protocols in use on the network and other information that helps the attacker infiltrate the network.

Packet sniffing, or packet analysis, is the process of capturing any data passed over the local network and looking for any information that may be useful. Packet sniffing is a method of tapping each packet as it flows across the network. It is a technique in which a user sniffs data belonging to other users of the network.

A sniffer (packet sniffer) is a tool that intercepts data flowing in a network. If computers are connected to a local area network that is not filtered or switched, the traffic is broadcast to all computers in the same segment. Normally this exposes nothing, because computers are told to ignore traffic addressed to other computers. With a sniffer, however, all of that traffic becomes visible: the sniffer software commands the Network Interface Card (NIC) to stop ignoring it. The NIC is put into promiscuous mode, and it reads the communications between computers within that segment.

Today’s networks may already contain built-in sniffing modules. Most hubs support the RMON standard, which allows an intruder to sniff remotely using SNMP, which has weak authentication. Many corporations employ Network Associates “Distributed Sniffer Servers”, which are set up with easy-to-guess passwords. Windows NT machines often have a “Network Monitoring Agent” installed, which again allows remote sniffing.

### Packet Sniffing Methods

There are three types of sniffing methods. Some methods work in non-switched networks while others work in switched networks. The sniffing methods are:

• IP-based sniffing: This is the original way of packet sniffing. It works by putting the network card into promiscuous mode and sniffing all packets matching the IP address filter. Normally the IP address filter is left unset, so it captures all packets. This method only works in non-switched networks.
• MAC-based sniffing: This method works by putting the network card into promiscuous mode and sniffing all packets matching the MAC address filter.
• ARP-based sniffing: This method works a little differently: it does not put the network card into promiscuous mode. It is possible because the ARP protocol is stateless, which is also why this kind of sniffing works on a switched network. To perform it, the attacker first poisons the ARP cache of the two hosts to be sniffed so that each identifies the attacker’s host as the other end of the connection. Once the ARP caches are poisoned, the two hosts start their connection, but instead of sending traffic directly to each other they send it to the attacker’s host, which logs the traffic and forwards it to the real intended host on the other side of the connection.
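The ARP-based method above works because nothing in ARP stops a second host from claiming an IP address that another MAC already answers for. That is also the signal a defender can watch for. The following is an added example, not code from the original article: it decodes raw Ethernet/ARP reply frames with the standard library and flags any IP address that is claimed by more than one MAC address. The MAC and IP values are constructed sample data, and `build_arp_reply` only exists to fabricate that sample input.

```python
import struct

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Build a constructed Ethernet+ARP reply frame (sample input, not captured traffic)."""
    smac = bytes.fromhex(sender_mac.replace(":", ""))
    tmac = bytes.fromhex(target_mac.replace(":", ""))
    sip = bytes(int(o) for o in sender_ip.split("."))
    tip = bytes(int(o) for o in target_ip.split("."))
    eth = ETH_HDR.pack(tmac, smac, ETHERTYPE_ARP)
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, ARP_REPLY, smac, sip, tmac, tip)
    return eth + arp


def parse_arp_reply(frame):
    """Return (sender_ip, sender_mac) for an Ethernet-over-IPv4 ARP reply, else None."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, _tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or op != ARP_REPLY:
        return None
    return ip_str(spa), mac_str(sha)


def detect_arp_conflicts(frames):
    """Return (ip, first_mac, conflicting_mac) for every reply that re-binds a known IP."""
    first_seen = {}   # ip -> MAC that first claimed it
    alerts = []
    for frame in frames:
        parsed = parse_arp_reply(frame)
        if parsed is None:
            continue          # not an ARP reply; a real tool would skip or count these
        ip, mac = parsed
        known = first_seen.setdefault(ip, mac)
        if known != mac:
            alerts.append((ip, known, mac))
    return alerts


# Constructed sample: two honest replies, then a second MAC claiming the gateway's IP.
HOST_MAC = "00:11:22:33:44:10"
SAMPLE_FRAMES = [
    build_arp_reply("aa:bb:cc:00:00:01", "192.168.1.1", HOST_MAC, "192.168.1.10"),   # gateway
    build_arp_reply("aa:bb:cc:00:00:14", "192.168.1.20", HOST_MAC, "192.168.1.10"),  # benign peer
    build_arp_reply("de:ad:be:ef:00:01", "192.168.1.1", HOST_MAC, "192.168.1.10"),   # conflict
]

if __name__ == "__main__":
    for ip, old, new in detect_arp_conflicts(SAMPLE_FRAMES):
        print(f"ALERT: {ip} was {old}, now also claimed by {new}")
```

A single conflict is not proof of an attack; a replaced NIC or a failover pair legitimately moves an IP to a new MAC, so production tooling usually pairs this check with a known-good table of gateway addresses and only pages on those.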

### How Does It Work?

For example, let’s say you’re loading the Web page http://example.com on your computer “PC”. Your computer sends the request by basically shouting “Hey! Somebody get me http://example.com!”, which most nodes will simply ignore. Your switch passes it on until it is eventually received by example.com, which passes its index page back to the router, which then shouts “Hey! I have http://example.com for PC!”, which again is ignored by everyone except you. If others were on your switch with a packet sniffer, they’d receive all that traffic and be able to look at it.

Picture it like having a conversation in a bar. You can have a conversation with someone about anything, but other people are around who potentially can eavesdrop on that conversation, and although you thought the conversation was private, eavesdroppers can make use of that information in any way they see fit.

A sniffer basically works by first capturing packets it receives from the network, including those packets intended for other hosts. This can easily be done in a LAN that connects hosts via a hub. That’s because a hub simply forwards all packets entering it to all connected hosts regardless of those packets’ destination addresses.

#### Figure: Packet addressed to PC3 is forwarded by the hub to other hosts in the network

All we will need then to grab packet information is a sniffer running on a connected host equipped with a NIC (network interface card) set to promiscuous mode.
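To make the hub-plus-promiscuous-mode picture from the last two sections concrete, here is an added example (not code from the original article) that models a hub repeating every frame to every port and a NIC deciding which frames to keep. In normal mode the NIC keeps only frames addressed to its own MAC or to broadcast; in promiscuous mode it keeps everything, and the decoder then pulls out the cleartext that a sniffer on the segment would see. The frames, addresses and HTTP payload are constructed sample data; `build_frame` exists only to fabricate them and skips checksums.

```python
import struct

ETH_HDR = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")    # 20-byte IPv4 header without options
TCP_PORTS = struct.Struct("!HH")
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
BROADCAST = b"\xff" * 6


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_frame(dst_mac, src_mac, src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame (sample input; checksums left as zero)."""
    # ports, seq, ack, data offset 5 words + PSH/ACK flags, window, checksum, urgent
    tcp = TCP_PORTS.pack(sport, dport) + b"\x00" * 8 + b"\x50\x18" + b"\x00" * 6 + payload
    total_len = IPV4_HDR.size + len(tcp)
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    ipv4 = IPV4_HDR.pack(0x45, 0, total_len, 0, 0x4000, 64, IPPROTO_TCP, 0, src, dst)
    return ETH_HDR.pack(mac(dst_mac), mac(src_mac), ETHERTYPE_IPV4) + ipv4 + tcp


def nic_accepts(frame, own_mac, promiscuous):
    """Model the NIC's hardware filter: normal mode keeps own and broadcast frames only."""
    dst, _src, _ethertype = ETH_HDR.unpack_from(frame, 0)
    return promiscuous or dst in (mac(own_mac), BROADCAST)


def decode(frame):
    """Extract the fields a sniffer logs from an Ethernet/IPv4/TCP frame, else None."""
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_IPV4:
        return None
    vihl, _, total_len, _, _, _, proto, _, sip, dip = IPV4_HDR.unpack_from(frame, ETH_HDR.size)
    if proto != IPPROTO_TCP:
        return None
    tcp_off = ETH_HDR.size + (vihl & 0x0F) * 4        # honour IPv4 options if present
    sport, dport = TCP_PORTS.unpack_from(frame, tcp_off)
    data_off = (frame[tcp_off + 12] >> 4) * 4         # TCP data offset, in bytes
    payload = frame[tcp_off + data_off: ETH_HDR.size + total_len]
    return {"src": ip_str(sip), "dst": ip_str(dip), "sport": sport, "dport": dport, "payload": payload}


def hub_capture(frames, own_mac, promiscuous):
    """A hub repeats every frame to every port; return what this host's sniffer decodes."""
    seen = (decode(f) for f in frames if nic_accepts(f, own_mac, promiscuous))
    return [pkt for pkt in seen if pkt is not None]


# Constructed sample segment: PC1 and PC3 each receive an HTTP response from a router.
PC1_MAC, PC3_MAC, ROUTER_MAC = "00:11:22:33:44:01", "00:11:22:33:44:03", "00:11:22:33:44:ff"
SAMPLE_FRAMES = [
    build_frame(PC1_MAC, ROUTER_MAC, "203.0.113.10", "192.168.1.11", 80, 50000, b"HTTP/1.1 200 OK\r\n"),
    build_frame(PC3_MAC, ROUTER_MAC, "203.0.113.10", "192.168.1.13", 80, 50001, b"HTTP/1.1 200 OK\r\n"),
]

if __name__ == "__main__":
    for mode in (False, True):
        pkts = hub_capture(SAMPLE_FRAMES, PC1_MAC, promiscuous=mode)
        print(f"promiscuous={mode}: PC1 sees {len(pkts)} frame(s)")
        for p in pkts:
            print(f"  {p['src']}:{p['sport']} -> {p['dst']}:{p['dport']} {p['payload']!r}")
```

The same decoder run against a switched segment would only ever see PC1's own frames, which is why the article's switch example depends on tricks such as ARP poisoning rather than promiscuous mode alone. The payload is visible here because the sample is plain HTTP; with TLS the sniffer still sees addresses and ports but the application data is ciphertext.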
