Wednesday, April 15, 2009

Network Packet Sniffing

A "packet sniffer" is a utility that captures data packets without modifying or redirecting them. Packet sniffers merely watch, display, and log network traffic.

Network Adapter Card:
A network adapter works in one of two modes.
Non-promiscuous mode: the adapter passes up only the frames addressed to the host computer (its own MAC address, broadcast, and any multicast groups it has joined); frames for other hosts are dropped by the adapter before the operating system ever sees them.
Promiscuous mode: the adapter passes up every frame it sees on the physically connected local network, not just the ones addressed to the host. A sniffer normally enables this itself when it opens its capture socket; on Linux it can also be switched on by hand with `ip link set <interface> promisc on`.

Network Type:
Non-switched: Sniffing is easy on a non-switched network. A hub repeats every frame out of every port, so each host receives all the packets on the segment and, in non-promiscuous mode, simply discards the ones not addressed to it; in promiscuous mode it keeps them all.
Switched: On a switched network sniffing is a little trickier. A switch learns which MAC address sits behind which port and forwards each unicast frame only to that port, so a host in promiscuous mode still sees nothing but its own traffic and broadcasts. The sniffer has to defeat that, either by flooding the switch with frames carrying bogus source MAC addresses until it gives up and forwards like a hub (MAC address flooding, below), or by some other trick that makes the traffic flow through the sniffer system, typically ARP cache poisoning (below).

ARP Protocol:
Address Resolution Protocol (ARP) is a stateless protocol designed to map Internet Protocol (IP) addresses to their associated Media Access Control (MAC) addresses. It requires no authentication: a host broadcasts a request asking who holds a given IP address and believes whatever reply comes back, and most implementations also accept replies they never asked for and update their cache from them.

ARP Cache Poisoning:
Sending (often broadcasting) forged ARP replies on the local network that bind another host's IP address, typically the default gateway's, to the attacker's MAC address, in a sense "fooling" the nodes on the network into sending that host's traffic to the attacker, who sniffs it and forwards it on. This works because ARP lacks any authentication feature: a node blindly accepts any request or reply it receives and overwrites its cache accordingly.
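As an added example (not code from the original post), the following builds the forged ARP reply described above and runs a minimal detector over it: a table of the last MAC address seen for each sender IP, which flags a reply that changes an existing binding. The MAC and IP addresses are constructed for the example, and nothing is transmitted; the frame is only built in memory.

```c
#include <arpa/inet.h>   /* htons, ntohs */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_ALEN      6
#define ETHERTYPE_ARP 0x0806
#define ARP_REPLY     2

/* Ethernet II header followed by an IPv4-over-Ethernet ARP packet (RFC 826),
 * packed so the struct is exactly the 42 bytes that go on the wire. */
struct __attribute__((packed)) eth_arp_frame {
    uint8_t  dst[ETH_ALEN];
    uint8_t  src[ETH_ALEN];
    uint16_t ethertype;       /* 0x0806, network byte order */
    uint16_t htype;           /* 1 = Ethernet */
    uint16_t ptype;           /* 0x0800 = IPv4 */
    uint8_t  hlen;            /* 6 */
    uint8_t  plen;            /* 4 */
    uint16_t oper;            /* 1 = request, 2 = reply */
    uint8_t  sha[ETH_ALEN];   /* sender hardware address */
    uint8_t  spa[4];          /* sender protocol address */
    uint8_t  tha[ETH_ALEN];   /* target hardware address */
    uint8_t  tpa[4];          /* target protocol address */
};

/* Fill a reply that claims "ip_claimed is at sender_mac", addressed to the
 * victim. A victim that accepts unsolicited replies rewrites its cache entry. */
static size_t build_arp_reply(struct eth_arp_frame *f,
                              const uint8_t sender_mac[ETH_ALEN],
                              const uint8_t ip_claimed[4],
                              const uint8_t victim_mac[ETH_ALEN],
                              const uint8_t victim_ip[4])
{
    memset(f, 0, sizeof *f);
    memcpy(f->dst, victim_mac, ETH_ALEN);
    memcpy(f->src, sender_mac, ETH_ALEN);
    f->ethertype = htons(ETHERTYPE_ARP);
    f->htype = htons(1);
    f->ptype = htons(0x0800);
    f->hlen  = ETH_ALEN;
    f->plen  = 4;
    f->oper  = htons(ARP_REPLY);
    memcpy(f->sha, sender_mac, ETH_ALEN);
    memcpy(f->spa, ip_claimed, 4);
    memcpy(f->tha, victim_mac, ETH_ALEN);
    memcpy(f->tpa, victim_ip, 4);
    return sizeof *f;
}

/* Detector state: last MAC seen for each IP. A fixed array keeps the example
 * short; a real tool would use a hash map and age entries out. */
#define TABLE_MAX 64
static struct { uint8_t ip[4]; uint8_t mac[ETH_ALEN]; } table[TABLE_MAX];
static int table_len;

/* Returns 1 if this ARP reply changes the MAC previously seen for its sender IP
 * (a poisoning symptom), 0 if the binding is new or unchanged, -1 if the bytes
 * are not an ARP reply at all. */
static int check_arp_reply(const void *frame, size_t len)
{
    struct eth_arp_frame f;
    if (len < sizeof f) return -1;
    memcpy(&f, frame, sizeof f);   /* copy out: no aliasing or alignment games */
    if (ntohs(f.ethertype) != ETHERTYPE_ARP || ntohs(f.oper) != ARP_REPLY)
        return -1;
    for (int i = 0; i < table_len; i++) {
        if (memcmp(table[i].ip, f.spa, 4) != 0) continue;
        if (memcmp(table[i].mac, f.sha, ETH_ALEN) == 0) return 0;
        memcpy(table[i].mac, f.sha, ETH_ALEN);   /* record the new binding */
        return 1;
    }
    if (table_len < TABLE_MAX) {
        memcpy(table[table_len].ip, f.spa, 4);
        memcpy(table[table_len].mac, f.sha, ETH_ALEN);
        table_len++;
    }
    return 0;
}

int main(void)
{
    /* Constructed addresses for the demonstration. */
    const uint8_t gw_mac[ETH_ALEN]  = {0x00,0x11,0x22,0x33,0x44,0x01};
    const uint8_t atk_mac[ETH_ALEN] = {0x00,0x11,0x22,0x33,0x44,0x66};
    const uint8_t vic_mac[ETH_ALEN] = {0x00,0x11,0x22,0x33,0x44,0x20};
    const uint8_t gw_ip[4] = {192,168,1,1}, vic_ip[4] = {192,168,1,20};
    struct eth_arp_frame f;

    size_t n = build_arp_reply(&f, gw_mac, gw_ip, vic_mac, vic_ip);   /* genuine gateway */
    printf("genuine reply: %zu bytes, verdict %d\n", n, check_arp_reply(&f, n));
    build_arp_reply(&f, atk_mac, gw_ip, vic_mac, vic_ip);             /* forged: gateway IP, attacker MAC */
    printf("forged reply:  verdict %d (1 = binding changed)\n", check_arp_reply(&f, n));
    return 0;
}
```

The detector only notices a change of binding, so it cannot tell the poisoned reply from a legitimate hardware swap; it also misses the attacker if the forged reply is the first mapping it ever sees for that IP, which is why tools such as arpwatch are started before the attacker, not after.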

MAC Address Flooding:
An attack on the switch itself rather than on the hosts' ARP caches, used in switched environments. The attacker floods the switch with frames carrying thousands of fake source MAC addresses until its MAC address table (the CAM table) is full. Many switches then fail open: unable to learn where new hosts are, they send frames for unknown destinations out of every port, just as a hub would. This outcome is sometimes called "broadcast mode" (more precisely, fail-open or flooding) because all traffic passing through the switch is repeated to every connected node, which lets a sniffer on any port capture it. The switch recovers as the fake entries age out, so the attacker has to keep flooding for as long as the capture runs.
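To make the mechanism concrete, here is an added example (not from the original post, and not real switch firmware) that models a switch's CAM table and shows why filling it turns unicast forwarding into flooding. The table size, the fail-open behaviour when it is full, and the MAC addresses are assumptions chosen to keep the effect visible in a few lines.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAM_SIZE   8       /* assumed capacity; real switches hold thousands of entries */
#define PORT_FLOOD (-1)    /* "send out every port except the one it came in on" */

struct cam_entry { uint8_t mac[6]; int port; int used; };
struct sw { struct cam_entry cam[CAM_SIZE]; };

/* Index of `mac` in the table, or -1 if the switch has not learned it. */
static int cam_find(const struct sw *s, const uint8_t mac[6])
{
    for (int i = 0; i < CAM_SIZE; i++)
        if (s->cam[i].used && memcmp(s->cam[i].mac, mac, 6) == 0)
            return i;
    return -1;
}

/* Learn the source MAC of a frame that arrived on `port`. Returns 1 if the
 * binding is stored, 0 if the table is full and the switch cannot learn it
 * (the fail-open case MAC flooding relies on). */
static int cam_learn(struct sw *s, const uint8_t mac[6], int port)
{
    int i = cam_find(s, mac);
    if (i >= 0) { s->cam[i].port = port; return 1; }
    for (i = 0; i < CAM_SIZE; i++) {
        if (!s->cam[i].used) {
            memcpy(s->cam[i].mac, mac, 6);
            s->cam[i].port = port;
            s->cam[i].used = 1;
            return 1;
        }
    }
    return 0;
}

/* Where a frame to `dst` goes: the learned port, or flooded to all ports. */
static int cam_forward(const struct sw *s, const uint8_t dst[6])
{
    int i = cam_find(s, dst);
    return i >= 0 ? s->cam[i].port : PORT_FLOOD;
}

/* The attack: `n` frames with random source MACs arriving on `attacker_port`.
 * Returns how many fake addresses the table absorbed before it was full. */
static int mac_flood(struct sw *s, int attacker_port, int n, unsigned seed)
{
    int absorbed = 0;
    srand(seed);
    for (int k = 0; k < n; k++) {
        uint8_t fake[6];
        for (int b = 0; b < 6; b++) fake[b] = (uint8_t)(rand() >> 7);
        fake[0] &= 0xFE;   /* clear the group bit so it looks like a unicast source */
        absorbed += cam_learn(s, fake, attacker_port);
    }
    return absorbed;
}

/* How many fake MACs a fresh switch accepts from `n` flood frames. */
static int flood_capacity(int n)
{
    struct sw s;
    memset(&s, 0, sizeof s);
    return mac_flood(&s, 3, n, 7);
}

/* Scenario: host A on port 1 talks to host B on port 2; the attacker sniffs on
 * port 3. Returns the port a frame from A to B is sent to after B has answered
 * once: 2 on a healthy switch, PORT_FLOOD once the table has been filled. */
static int forward_a_to_b_after_flood(int flood_frames)
{
    struct sw s;
    const uint8_t a[6] = {0x00,0x11,0x22,0x33,0x44,0x01};   /* constructed addresses */
    const uint8_t b[6] = {0x00,0x11,0x22,0x33,0x44,0x02};
    memset(&s, 0, sizeof s);
    cam_learn(&s, a, 1);                    /* A's first frame: the switch learns A */
    mac_flood(&s, 3, flood_frames, 1);      /* attacker fills the remaining slots */
    cam_learn(&s, b, 2);                    /* B replies; learning fails if no slot is free */
    return cam_forward(&s, b);              /* A -> B: unicast to port 2, or flooded? */
}

int main(void)
{
    printf("no attack:   A->B goes to port %d\n", forward_a_to_b_after_flood(0));
    printf("after flood: A->B goes to port %d (%d means flooded to every port)\n",
           forward_a_to_b_after_flood(1000), PORT_FLOOD);
    printf("a table of %d entries absorbed %d of 1000 fake MACs\n",
           CAM_SIZE, flood_capacity(1000));
    return 0;
}
```

The model also shows the defence: port security, which caps how many source MACs a port may introduce and shuts the port when the cap is exceeded, would stop `mac_flood` after a handful of frames instead of letting it consume the whole table.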

Packet Filter:
The Linux kernel implements a special socket family, PF_PACKET (also written AF_PACKET), which lets a privileged process (root, or one holding CAP_NET_RAW) create a socket that receives frames directly from the network card driver. All other protocol handling (IP, TCP, UDP and so on) is skipped, so every frame the card passes up can be received whole, link-layer header included, whatever protocol it carries. This is the interface libpcap, and therefore tcpdump and Wireshark, use on Linux.
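Putting the adapter-mode and PF_PACKET sections together, here is an added example (not code from the original post) of a minimal Linux sniffer: it opens a PF_PACKET raw socket on one interface, requests promiscuous mode for it, reads whole frames from the driver, and decodes the Ethernet header and, for IPv4, the addresses and protocol number. It needs root or CAP_NET_RAW and Linux headers; the default interface name "eth0" is an assumption (pass another as the first argument), and the sample frame embedded for the decoder is constructed, not captured traffic.

```c
#include <arpa/inet.h>        /* htons */
#include <linux/if_ether.h>   /* ETH_P_ALL */
#include <linux/if_packet.h>  /* sockaddr_ll, packet_mreq, PACKET_MR_PROMISC */
#include <net/if.h>           /* if_nametoindex */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define ETHERTYPE_IPV4 0x0800

struct frame_info {
    uint8_t  dst_mac[6], src_mac[6];
    uint16_t ethertype;          /* host byte order */
    uint32_t src_ip, dst_ip;     /* host byte order; 0 unless IPv4 */
    uint8_t  proto;              /* IP protocol number; 0 unless IPv4 */
};

/* Decode the Ethernet II header and, for IPv4, the fixed part of the IP
 * header, working on raw bytes so no header struct or alignment is needed.
 * Returns 0 on success, -1 if the frame is too short or malformed. */
static int decode_frame(const uint8_t *buf, size_t len, struct frame_info *fi)
{
    if (len < 14) return -1;
    memset(fi, 0, sizeof *fi);
    memcpy(fi->dst_mac, buf, 6);
    memcpy(fi->src_mac, buf + 6, 6);
    fi->ethertype = (uint16_t)((buf[12] << 8) | buf[13]);
    if (fi->ethertype == ETHERTYPE_IPV4) {
        const uint8_t *ip = buf + 14;
        if (len < 14 + 20 || (ip[0] >> 4) != 4 || (ip[0] & 0x0f) < 5) return -1;
        fi->proto  = ip[9];
        fi->src_ip = ((uint32_t)ip[12] << 24) | (ip[13] << 16) | (ip[14] << 8) | ip[15];
        fi->dst_ip = ((uint32_t)ip[16] << 24) | (ip[17] << 16) | (ip[18] << 8) | ip[19];
    }
    return 0;
}

/* Open a PF_PACKET raw socket bound to `ifname` and put the interface into
 * promiscuous mode for as long as the socket lives (the kernel undoes it on
 * close). Returns the descriptor, or -1 with errno set. */
static int open_sniffer(const char *ifname)
{
    int fd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0) return -1;
    int ifindex = (int)if_nametoindex(ifname);
    if (ifindex == 0) { close(fd); return -1; }

    struct sockaddr_ll sll;
    memset(&sll, 0, sizeof sll);
    sll.sll_family   = AF_PACKET;
    sll.sll_protocol = htons(ETH_P_ALL);   /* every protocol, not just IP */
    sll.sll_ifindex  = ifindex;
    if (bind(fd, (struct sockaddr *)&sll, sizeof sll) < 0) { close(fd); return -1; }

    struct packet_mreq mr;
    memset(&mr, 0, sizeof mr);
    mr.mr_ifindex = ifindex;
    mr.mr_type    = PACKET_MR_PROMISC;     /* frames for other hosts too */
    if (setsockopt(fd, SOL_PACKET, PACKET_ADD_MEMBERSHIP, &mr, sizeof mr) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed sample (not captured): Ethernet II, IPv4, TCP,
 * 192.168.1.10 -> 10.0.0.1, checksum left zero. Exercises decode_frame offline. */
static const uint8_t sample_frame[] = {
    0x01,0x02,0x03,0x04,0x05,0x06, 0x0a,0x0b,0x0c,0x0d,0x0e,0x0f, 0x08,0x00,
    0x45,0x00,0x00,0x28,0x00,0x01,0x00,0x00,0x40,0x06,0x00,0x00,
    0xc0,0xa8,0x01,0x0a, 0x0a,0x00,0x00,0x01
};

static void print_frame(const struct frame_info *fi)
{
    printf("%02x:%02x:%02x:%02x:%02x:%02x -> %02x:%02x:%02x:%02x:%02x:%02x type 0x%04x",
           fi->src_mac[0], fi->src_mac[1], fi->src_mac[2], fi->src_mac[3], fi->src_mac[4], fi->src_mac[5],
           fi->dst_mac[0], fi->dst_mac[1], fi->dst_mac[2], fi->dst_mac[3], fi->dst_mac[4], fi->dst_mac[5],
           fi->ethertype);
    if (fi->ethertype == ETHERTYPE_IPV4)
        printf("  %u.%u.%u.%u -> %u.%u.%u.%u proto %u",
               fi->src_ip >> 24, (fi->src_ip >> 16) & 0xff, (fi->src_ip >> 8) & 0xff, fi->src_ip & 0xff,
               fi->dst_ip >> 24, (fi->dst_ip >> 16) & 0xff, (fi->dst_ip >> 8) & 0xff, fi->dst_ip & 0xff,
               fi->proto);
    putchar('\n');
}

int main(int argc, char **argv)
{
    const char *ifname = argc > 1 ? argv[1] : "eth0";   /* assumed default */
    struct frame_info fi;
    uint8_t buf[65536];

    if (decode_frame(sample_frame, sizeof sample_frame, &fi) == 0) print_frame(&fi);

    int fd = open_sniffer(ifname);
    if (fd < 0) { perror("open_sniffer"); return 1; }
    for (int n = 0; n < 10; n++) {                       /* ten live frames, then stop */
        ssize_t len = recv(fd, buf, sizeof buf, 0);
        if (len < 0) { perror("recv"); break; }
        if (decode_frame(buf, (size_t)len, &fi) == 0) print_frame(&fi);
    }
    close(fd);
    return 0;
}
```

Because the socket is bound with ETH_P_ALL, the ARP replies and flooding frames from the sections above arrive here too, which is how a detector for those attacks gets its input; the membership approach is preferable to setting IFF_PROMISC through ioctl because the kernel drops promiscuous mode automatically when the socket closes.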
