
Sniffing Networks: The Complete Documentation

  • This category contains 22 Papers
  • The last paper was added on 2007-03-26 (YYYY-MM-DD)

Can See you Behind Layer 2... Overcoming the difficulties of Packet Capturing on a Switched Network (I)

Published on 200-09-14, by Douglas Hewes, ©SANS Institute.

In the past most networks utilized concentrators or hubs to connect various clients, servers and other network hosts. These are known as Layer-1 devices, which operate solely on the Physical Layer of the OSI model. These devices worked well for small networks. Essentially a packet went from a networked computer to the hub and then out to all other networked devices. This created a single collision domain, where all devices were able to see all traffic, regardless of whether the traffic was intended for that particular host or not.


Detecting a packet sniffer on an IPV6-enabled Linux system

Published on 2004-10-30, by Rainer Wichmann, ©samhain design labs.

Almost everything that you ever wanted to know about packet sniffers can be found in the Sniffing FAQ [http://www.robertgraham.com/pubs/sniffing-faq.html]. Here I will just focus on the following point: sniffer detection on an IPV6-enabled Linux system.


Detection of Promiscuous Nodes Using ARP Packets

Published on August 31, 2001, by Daiji Sanai, www.securityfriday.com.

The documentation of Promiscuous Node Detection is now available...


DSniff FAQ (Frequently Asked Questions)

Published on 2001-12-07, by Dug Song, ©Dug Song.

dsniff is a collection of tools for network auditing and penetration testing. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.). arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker (e.g., due to layer-2 switching). sshmitm and webmitm implement active monkey-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI.


DSniff FAQ (Frequently Asked Questions)

Published on December 7, 2001, by dugsong, monkey.org.

dsniff is a collection of tools for network auditing and penetration testing. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.). arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker (e.g., due to layer-2 switching). sshmitm and webmitm implement active monkey-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI.


Dsniff'n the Mirror

Published on 2001-05-29, by Duane Dunston, ©Duane Dunston.

This is a practical step-by-step guide showing how to use Dsniff, MRTG, IP Flow Meter, Tcpdump, NTOP, Ngrep, and other tools. It also provides a discussion of how and why we should monitor network traffic.


Evading Passive Sniffer Detection With IDS Sensors

Published on 2001-03-30, by Bryan S. Brandt, ©SANS Institute.

As Intrusion Detection (ID) technology has progressed, so too has it been increasingly considered a viable aspect of the "defense in depth" ideology. While ID may not necessarily be viewed as a definitively mature technology, there are certainly a multitude of options from which to choose. Each of the available Intrusion Detection Systems (IDS) offers a unique combination of capability, configuration options, and, of course, price.


Finding dsniff on Your Network

Published on 2001-11-28, by Richard Duffy, ©SANS Institute.

This paper covers some ways to detect dsniff and two of its utilities, arpspoof and macof, on a network. Arpspoof and macof tools were used with dsniff to determine if dsniff could be detected. The following programs were used to detect various aspects of dsniff: Arpwatch, ZoneAlarm, Antisniff and tcpdump. Our existing Fluke network test equipment was connected to the network to evaluate what indicators each could provide about dsniff and its tools.


Gigabit NCAP: High-Performance Packet Sniffing on Commodity Hardware

Published on 2003, by Sergei Egorov and Gene Savchuk, ©Fidelis Security Systems, Inc.

We have developed a high-performance Network Content Analysis Platform (NCAP) suitable for a variety of applications requiring access to all layers of network traffic including the content of TCP/IP network data exchanges. NCAP is capable of operating on fully saturated Gigabit traffic using commodity hardware (multiprocessor Intel/Linux boxes with Gigabit NICs). NCAP architecture is scalable; it allows for effective utilization of multiple CPUs in SMP configuration by breaking up the network sniffing and analytical applications into several modules communicating via IPC. While very few technologies used in NCAP are particularly new by themselves, we believe that the architectural solution in general and in many details is original and produces excellent results in realistic high-speed network environments. The white paper describes the architecture in detail and provides benchmarking results and comparison with relevant components of popular open-source solutions.


Improving Passive Packet Capture:

Published on , by Luca Deri, Luca Deri.

Passive packet capture is necessary for many activities including network debugging and monitoring. With the advent of fast gigabit networks, packet capture is becoming a problem even on PCs due to the poor performance of popular OSs. The introduction of device polling has improved the capture process quite a bit but not really solved the problem. This paper proposes a new approach to passive packet capture that combined with device polling further improves it and allows, on fast machines, packets to be captured at (almost) wire speed.


Introduction to dsniff

Published on June 1, 2001, by Lora Danielle, SANS Institute.

Network sniffing is an important tool for monitoring network activity. Conversely, it is also a tool that can be used to exploit network resources. Dug Song's dsniff and the utilities provided within the dsniff suite overcome the obstacles that previously provided security in a switched environment. In the following discussion, I will review how shared and switched network environments work and explain the manner in which sniffing can be used in each environment. Next I will discuss the countermeasures that can be taken to prevent and detect sniffing in a switched environment. In addition, I will introduce dsniff and explain the suite of utilities included with dsniff. Finally, I will give an explanation of how to install and use the dsniff tools on a switched network.


Introduction to Sniffers and Sniffing (An)

Published on 2004, by Michael Jastremski, ©Michael Jastremski.

This document provides an introduction to some of the issues related to LAN ethernet sniffing.

Also provided is an overview of some commonly used sniffing tools and defenses.


Network Monitoring with Dsniff

Published on 2001-05-29, by Duane Dunston, GSEC.

This is a practical step-by-step guide showing how to use Dsniff, MRTG, IP Flow Meter, Tcpdump, NTOP, Ngrep, and other tools. It also provides a discussion of how and why we should monitor network traffic.

File infos:

  • L0T3K ID: docs-525
  • status: online

Packet Sniffing In a Switched Environment

Published on 2002-08-02, by Tom King, ©SANS Institute.

This paper focuses on the threat of packet sniffing in a switched environment, and briefly explores the effect in a non-switched environment. Detail is given on a number of techniques, such as "ARP (Address Resolution Protocol) spoofing", which can allow an attacker to eavesdrop on network traffic in a switched environment.

Third party tools exist that permit sniffing on a switched network. The result of running some of these tools on an isolated, switched network is presented, and clearly demonstrates that the threat they pose is real and significant.

The final section covers ways to mitigate the threat of network sniffing in both nonswitched and switched environments. The thesis of this paper is that encryption is the only true defence to the threat of sniffing.


Packet Sniffing on Layer 2 Switched Local Area Networks

Published on 2003-12-01, by Ryan Spangler, ©Packetwatch Research.

Packet sniffing is a technique of monitoring network traffic. It is effective on both switched and nonswitched networks. This paper discusses several methods that result in packet sniffing on Layer 2 switched networks. Each of the sniffing methods will be explained in detail. The purpose of the paper is to show how sniffing can be accomplished on switched networks, and to understand how it can be prevented.


Penetration Testing with dsniff

Published on February 18, 2001, by Christopher R. Russel, ©SANS Institute.

The ability to access the raw packets on a network interface (known as network sniffing), has long been an important tool for system and network administrators. For debugging purposes it is often helpful to look at the network traffic down to the wire level to see exactly what is being transmitted. Dsniff, as the name implies, is a network sniffer - but designed for testing of a different sort. Written by hacker Dug Song, dsniff is a package of utilities that includes code to parse many different application protocols and extract interesting information, such as usernames and passwords, web pages being visited, contents of email, and more. Additionally, it can be used to defeat the normal behaviour of switched networks and cause network traffic from other hosts on the same network segment to be visible, not just traffic involving the host dsniff is running on.


Promiscuous node detection using ARP packets

Published on July 12, 2001, by Daiji Sanai, www.blackhat.com.

Packet sniffing is a serious security issue for a local network. Malicious users on a local network can capture nearby users' data by using sniffers on a PC. Since just about anyone can easily install and operate a sniffer, it is especially dangerous. I will discuss a technique to detect promiscuous nodes running on local networks. It is a very practical method, because it does not greatly influence the load of the network and it can list doubtful nodes in a short amount of time. This technique is effective for use with the common operating systems Windows and Linux.


Sniffer Detection Tools and Countermeasures

Published on 2000-10-19, by Dexter Lindstrom, ©SANS Institute.

This paper focuses on tools designed specificall


Sniffing (network wiretap, sniffer) FAQ

Published on September 14, 2000, by Robert Graham, ©Robert Graham.

This document answers questions about eavesdropping on computer networks (a.k.a. "sniffing").


Sniffing A Cable Modem Network: Possible or Myth?

Published on March 5, 2002, by Bryan S. Brandt, SANS Institute.

There are a growing number of warnings from various sources regarding the security threats associated with cable modems. This paper focuses primarily on the threat of malicious users sniffing on a cable modem network. Most of these warnings about sniffing cable modem networks emphasize the fact that the physical media employed by the cable modem network is a shared medium. I contend that these warnings are unfounded.


Sniffing with Net::Pcap to stealthily managing iptables rules remotely, Part 1

Published on July 30, 2003, by Brian Hatch, ©Hacking Linux Exposed.

Net::Pcap allows you to process captured network packets and set up routines to process them in any mode imaginable.


Using a Compromised Router to Capture Network Traffic

Published on July 12, 2002, by David Taylor, ©David Taylor.

This document details the approach, methodology and results of recent experimentation into the use of a captured perimeter router as a tool for network traffic capture.

File infos:

  • L0T3K ID: docs-661
  • status: online

Created: 2009-07-04 20:18 | Modified: 2009-01-10 02:18 | Size: 56586 octets
