Packet Sniffing - 2

“protocol decoding and surveillance”

SuraSoft Featured 

Try eSearch
Suggested links

Part 2 -  When packet sniffing will work and won't work

Also see part 1

Basically to successfully sniff you have to be on a LAN that is connected with a hub and not a switch. Computers can be physically connected in many ways. If they are connected using a Hub then here is what happens. If there were 4 computers (A, B, C & D) and A wanted to send something to D then it goes through the hub. But the hub doesn't know where D is. So the hub "re-transmits" what A sent to all other computers. Computers B and C should ignore this data since the packet says it's for D. Computer D will obviously accept the data.

You can probably see the security issue here, since other computers nearly have direct access to data that's not meant for them. A packet sniffer can put your network card into promiscuous mode. In this mode the data not meant for that computer will silently pass through the system and thus allows for the packet sniffer to log data!

When computers are connected via a switch and not a hub then things are different. A switch actually knows which computers are connected to it. The switch also knows where the computers are. So when A sends something to D the data goes to the switch and it will send it directly to D without passing by B or C. So you cannot sniff data by installing a sniffer on computer B or C. Thus when functioning as intended a switch provides good sniffer protection!

Switches WON'T prevent sniffing - they make it harder)


There is a super important point to understand with sniffing and "switches". Whilst switches appear to protect against sniffers THERE ARE WAYS to "trick" the switch which can enable you to start sniffing. You can flood the switch with ARP requests which will cause the switch to start behaving like a hub, or you can trick the switch to redirect traffic to the sniffer system.

How do I prevent my data being sniffed?

Many services on the internet send data in the plain text. By default POP mail, SMTP (for sending mail) send data in clear text. The same applies for FTP, Telnet and News clients. ICQ, MSN and AOL Instant messengers send passwords again in clear text. In fact most services send passwords this way.

Ways to secure yourself

  1. When logging into to mail services check to see if your mail client supports encrypted login's. The server has to  support this setting too, so check with them.
  2. Even if you login securely (above) any e-mail you send is still in clear text, anyone on the path that the mail travels through can technically read it. Use Encryption to encrypt the message. PGP (www.pgpi.org) is the popular application for this
  3. When shopping on-line make sure the store has a "secure" connection for submitting credit card details. Generally SSL 128bit encryption is the standard.
  4. Telnet sends password and normal data in plain text. If your server supports SSH then use this instead of Telnet since the connection is encrypted.

If possible use a Switch rather than a HUB on a LAN. This provides extremely efficient protection in practice (more work required to successfully sniff). This method is a frontline defence but it shouldn't be a method fully relied upon.

It's near impossible to detect that a packet sniffer is sniffing a connection. This is a passive act, the data is "logged" but unaltered. There are some methods of determining a packet sniffer, however they cannot conclude 100% what they found. A major clue that that sniffing MAY be taking place is the fact that many DNS lookup's are taking place. (i.e., the sniffer is attempting to convert IP addresses to host names) however this is only an indication for there may be other reasons as to why this may occur.

Another, stronger method of detecting if a packet sniffer is operating is to send an ARP request to the device in question to determine if it's in promiscuous mode. A packet which is not destined for your computer will be stopped at the hardware level if promiscuous mode is not on. The "device" in most cases is the network card of the computer running the sniffer.

Go to part 1