Like every other website on the planet, SmallNetBuilder uses cookies. Our cookies track login status, but we only allow admins to log in anyway, so those don't apply to you. Any other cookies you pick up during your visit come from advertisers, which we don't control.
If you continue to use the site, you agree to tolerate our use of cookies. Thank you!

Wi-Fi Router Charts

Click for Wi-Fi Router Charts

Mesh System Charts

Click for Wi-Fi Mesh System Charts

Sniffing Packets

A network of computers and peripherals communicate in a very logical and predictable manner defined by a standard called the OSI Model. By adhering to the rules of behavior set out in this model, manufacturers can build multiple products that can seamlessly connect to each other.

Messages and data travel in 'packets' that are similar in concept to envelopes in a postal system. Imagine that you have a large letter for your mum, but there are too many pages of text to fit in a single envelope. So you take out as many envelopes as required, number them in order as 1 of 6, 2 of 6 and so forth. You then affix to each an address for your mum, and a return address in the case of non-delivery.

The protocols of the OSI Model are analogous to the work practice of the postman in his/her post office. These are the questions that must be answered:

Question 1 - does the address for mum exist?
Question 2 - what route is required to send a letter there?
Question 3 - can it be delivered - is anyone at home?
Action - send the letters.

Now, because there are six letters, there is no guarantee that the same postal sorter will handle them all, or that they will all arrive together. If mum does not receive all six, she can complain and the postal system will request that you send them again. If she does get them all then she can arrange them in order and read them.

So how do we establish addresses on a network?

Each computer attached to a network typically has three pieces of information that identify it. There is a private unique address associated with the hardware, called a MAC address. There is an Internet Protocol (IP) address that identifies the computer on the network to which it is attached at a given time. And there is the computer name.

As a rule the MAC address remains unchanged, the IP address changes each time the computer is attached to a different address, and any administrative user can change the name of a computer at will.

So why all the addressing?

Think of things this way. Suppose you have a camper van that has a state registration number; this is like a MAC address. You like to drive from camper site to camper site and stay over for a while. Each site has a different street address, and within each site there are numbered bays where you park and plug in. This is like an IP Address. The name is what you choose to call the camper; last year you might have had 'Bingo Bob' painted on your van, but this year it's 'Elenora'.

For Big Brother to find you, he needs to keep track of your combined registration information and the site and bay in which you are parked. This list, in the techno world, is called the Address Resolution Protocol (ARP) list. Devices connected to a network maintain an up-to-date ARP listing so that the postman doesn't get lost.

Now we can also have two types of postman: one who likes to meet and chat with everyone and is not discreet, or another that is very efficient and very discreet.

In the former case, the postman knocks at every dwelling in the estate and shows the contents of the letters to anyone who answers the door. In network terms, we would say that our data was being routed on a non-switched network. In the latter case, our discreet postman delivers the letters to your mum only. This form of direct routing occurs on a switched network.

A network that is non-switched is open to very simple form of hacking. If I am sitting on such a network and I am running a program named TCPDUMP, I can operate in "promiscuous mode" to see network packets (our open letters) destined for all PCs on that network. If a user on a PC on the network is logging into a site that does not use SSL, then the username and password will be retrieved by a program such as TCPDUMP, or a more focused cousin named DSNIFF.

ARP Poisoning

Let's take an example to highlight the issue. The following is a command to TCPDUMP to listen for all traffic destined for Google and to write the information retrieved to a file called goog.txt.

This is like the example of our chatty postman who shows everybody our mail.

Sniffing Packets, Continued

Now open up google and run a query:

Sniffing Packets, Continued

If we look at the contents of our goog.txt file we find:

Sniffing Packets, Continued

If I'm on a switched network, it means that traffic is routed directly to the intended PC. Since my PC is not in the 'path' to listen to switched traffic, I need to do something to get the target computers to communicate with me. I need to confuse the postman into thinking that all the post traveling between houses A and B should actually go through me.

It is the nature of a network that connected machines need to request addressing information from other machines to enable communication. Once this is established, each machine retains an ARP cache that contains an address list of other connected machines that it needs to talk to regularly. This information is acquired on an as need basis; otherwise, every machine on the Internet would have the address of every other machine whether or not it needed to communicate with it.

Say that PC-A is talking to PC-B. Each of these computers has an IP (Internet protocol) address, and a MAC address.

Sniffing Packets, Continued

These machines have requested addressing information from each other and updated that data in their respective ARP cache.

To get into the path between these two machines I need to identify the actual information of each, which can be achieved by sending a PING to each machine. At this point, my machine information is as follows:

Sniffing Packets, Continued

Now, I generate an ARP reply to each target machine - irrespective of whether their machine actually made an ARP request - causing the cache on each machine to be updated with the information that I send to it.

Sniffing Packets, Continued

I have "poisoned" the ARP cache in both PC-A and PC-B so that PC-A thinks that I am PC-B, and PC-B thinks that I am PC-A. What we have just described is called ARP Poisoning, and it effectively allows me to be the Man in the Middle (MITM) intercepting all traffic between PC A and PC B.

What's required for the job? A few simple programs: PING, ARP, NMAP (if you are not sure of the machine that you need to target) and a packet injection program such as NEMESIS or ETTERCAP. An informative resource describing the process for techies can be found here.

Sniffing Packets, Continued

The above book also has a very concise description of the process, and the diagrams above were inspired from its content.

Both of these resources require a level of technical knowledge. If you use the techniques without knowing the potential pitfalls, or do so illegally, then you should expect someone to get upset with you when your network segment crashes, or you are reported for unethical activity. You've been warned!

Support Us!

If you like what we do and want to thank us, just buy something on Amazon. We'll get a small commission on anything you buy. Thanks!

Don't Miss These

  • 1
  • 2