A Technical Seminar Report

On
PACKET SNIFFING

Submitted in Partial fulfillment of the requirement for the award of the degree in

Bachelor of Technology in
Department of Electronics and Computer Engineering

SUBMITTED
By
CHINTHAKINDI SOMESH - 19671A1906

J.B. INSTITUTE OF ENGINEERING & TECHNOLOGY

(UGC Autonomous &Accredited by NBA & NAAC, Approved by AICTE &
Affiliated to JNTU, Hyderabad)
DEPARTMENT OF ELECTRONICS AND COMPUTER ENGINEERING
Yenkapally(V),Moinabad (M).

R.R.(Dist)- 500075

2019-2023
 J.B. INSTITUTE OF ENGINEERING &TECHNOLOGY
(UGC Autonomous & Accredited by NBA & NAAC, Approved by Affiliated to JNTU,
HYDERABAD)

DEPARTMENT OF ELECTRONICS AND COMPUTER ENGINEERING

CERTIFICATE

This is to certify that the Technical Seminar Report on “PACKET SNIFFING” is work done by
CHINTHAKINDI SOMESH, 19671A1906, in partial fulfillment of the requirementof the award
for the degree of Bachelor of Technology in “Electronics and Computers Engineering“, during the
academic year 2022-2023.

Head of the Department

Dr.Narsappa Reddy
Associate Professor
 ACKNOWLEDGEMENT

I profoundly thank all my faculty members for their dynamic invaluable technical guidance and
constant encouragement without which the technical report would not have been possible. I proudly
thank Dr.Narsappa Reddy, HOD of ECM Department, for this support and co-operation for the
completion of this report.

CHINTHAKINDI SOMESH
19671A1906

3
 ABSTRACT

A packet sniffer, the network analyzer, is a wire-tap device that plugs into computer networks and

eavesdrops on the network traffic. To capture the information going over the network is called

sniffing. It is a "sniffing" program that lets someone listen in on computer conversations. However,

computer conversations consist of apparently random binary data. Therefore, network wiretap

programs also come with a feature known as "protocol analysis", which allow them to "decode" the

computer traffic and make sense of it. These tools known as network sniffers are named after a

product called the Sniffer Network Analyzer. Introduced in 1988 by Network General Corp. (now

Network Associates Inc.), the Sniffer was one of the first devices that let managers sit at their desks

and take the pulse of the larger network. The original sniffers read the message headers of data

packets on the network, giving administrators details about the addresses of senders and receivers,

file sizes and other low-level information about those packets, in addition to verifying transmission.

Using graphs and text-based descriptions, sniffers helped network managers evaluate and diagnose

performance problems with servers, the network wire, hubs and applications.

Packet sniffing is a powerful technique used for capturing, analyzing, and monitoring network traffic.

It involves capturing data packets as they travel across a network, and then examining their contents

to gain insight into the nature of the traffic. Packet sniffing has numerous applications, including

network troubleshooting, security monitoring, and performance analysis. However, packet sniffing

can also be used for malicious purposes, such as stealing sensitive information or conducting denial-

of-service attacks.

4
 1. INTRODUCTION

Packet sniffing is a technique of monitoring every packet that crosses the network. A packet sniffer

is a piece of software or hardware that monitors all network traffic. This is unlike standard network

hosts that only receive traffic sent specifically to them. The security threat presented by sniffers is

their ability to capture all incoming and outgoing traffic, including clear-text passwords and user

names or other sensitive material. In theory, it’s impossible to detect these sniffing tools because they

are passive in nature, meaning that they only collect data. While they can be fully passive, some

aren’t therefore they can be detected. This paper discusses the different packet sniffing methods and

explains how Anti-Sniff tries to detect these sniffing programs In this report, we will explore the

technical aspects of packet sniffing, including its methodology, tools, and potential security risks. We

will also discuss how packet sniffing can be used for performance analysis, and examine the legal and

ethical considerations surrounding the use of packet sniffing

5
 2.WORKING OF PACKET SNIFFER

A packet sniffer works by looking at every packet sent in the network, including packets not intended

for itself. This is accomplished in a variety of ways. These sniffing methods will be described below.

Sniffers also work differently depending on the type of network they are in Shared Ethernet: In a

shared Ethernet environment, all hosts are connected to the same bus and compete with one another

for bandwidth. In such an environment packets meant for one machine are received by all the other

machines. Thus, any machine in such an environment placed in promiscuous mode will be able to

capture packets meant for other machines and can therefore listen to all the traffic on the network.

Switched Ethernet: An Ethernet environment in which the hosts are connected to a switch instead of a

hub is called a Switched Ethernet. The switch maintains a table keeping track of each computer's

MAC address and delivers packets destined for a particular machine to the port on which that

machine is connected. The switch is an intelligent device that sends packets to the destined computer

only and does not broadcast to all the machines on the network, as in the previous case. This switched

Ethernet environment was intended for better network performance, but as an added benefit, a

machine in promiscuous mode will not work here. As a result of this, most network administrators

assume that sniffers don't work in a Switched Environment.

6
 3.USES OF PACKET SNIFFERS

programs are found in two forms.

1) Commercial packet sniffers are used to help maintain networks.

2) Underground packet sniffers are used by attackers to gain unauthorized access to remote hosts.

Listed below are some common uses of sniffing programs:

• Searching for clear-text usernames and passwords from the network.

• Conversion of network traffic into human readable form

. • Network analysis to find bottlenecks.

• Network intrusion detection to monitor for attackers. Using a sniffer in an illegitimate way is

considered a passive attack. It does not directly interface or connect to any other systems on the

network. However, the computer that the sniffer is installed on could have been compromised using

an active attack. The passive nature of sniffers is what makes detecting them so difficult. The

following list describes a few reasons why intruders are using sniffers on the network:

Capturing clear-text usernames and passwords

Compromising proprietary information

Capturing and replaying Voice over IP telephone conversations

Mapping a network

Passive OS fingerprinting

Obviously, these are illegal uses of a sniffer, unless you are a penetration tester whose job it is to find

these types of weaknesses and report them to an organization. For sniffing to occur, an intruder must

first gain access to the communication cable of the systems that are of interest. This means being on

the same shared network segment, or tapping into the cable somewhere between the paths of

7
communications. If the intruder is not physically present at the target system or communications

access point, there are still ways to sniff network traffic. These include:

Breaking into a target computer and installing remotely controlled sniffing software.

Breaking into a communications access point, such as an Internet Service Provider (ISP) and

installing sniffing software.

Locating/finding a system at the ISP that already has sniffing software installed.

Using social engineering to gain physical access at an ISP to install a packet sniffer

Having an insider accomplice at the target computer organization or the ISP install the sniffer\

Redirecting communications to take a path that includes the intruder’s computer.

Since packet sniffing refers to the technique of monitoring each packet as it flows across the network,

it implies that a intruder can use this technique to automatic sift of clear-text passwords and

usernames from the network, in order to break into systems, or any other useful information such as

credit card numbers. From this moment, packet sniffing becomes a threat that has to be taken into

account.

8
 4.SNIFFING TOOLS

tcpdump: Tcpdump is a powerful tool that allows us to sniff network packets and make some

statistical analysis out of those dumps. One major drawback to tcpdump is the size of the flat file

containing the text output. But tcpdump allows us to precisely see all the traffic and enables us to

create statistical monitoring scripts.

sniffit: Robust packet sniffer with good filtering.

Ethereal: A free network protocol analyzer for UNIX and Windows. It allows you to examine data

from a live network or from a capture file on disk.

Hunt: The main goal of the HUNT project is to develop tools for exploiting wellknown weaknesses

in the TCP/IP protocol suite. [3]

Dsniff: Dsniff is a collection of tools for network auditing and penetration testing. dsniff, filesnarf,

mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data

(passwords, e-mail, files, etc.). arpspoof, dnsspoof, and macof facilitate the interception of network

traffic normally unavailable to an attacker (e.g, due to layer-2 switching). sshmitm and webmitm

implement active monkey-in-the-middle attacks against redirected SSH and HTTPS sessions by

exploiting weak bindings in ad-hoc PKI.

IP spoofing : When the sniffing program is on a segment between two communicating end points,

the intruder can impersonate one end in order to hijack the connection. This is often combined with a

denial of service (DoS) attack against the forged address so they don't interfere anymore

9
 5. SNIFFING METHODS

there are three types of sniffing methods. Some methods work in non-switched networks while others

work in switched networks. The sniffing methods are:

IP-based sniffing, MAC-based sniffing, and ARP-based sniffing.

5.1.1 IP-based sniffing This is the original way of packet sniffing. It works by putting the network

card into promiscuous mode and sniffing all packets matching the IP address filter. Normally, the IP

address filter isn’t set so it can capture all the packets. This method only works in nonswitched

networks.

5.1.2 MAC-based sniffing This method works by putting the network card into promiscuous mode

and sniffing all packets matching the MAC address filter.

5.1.3 ARP-based sniffing This method works a little different. It doesn’t put the network card into

promiscuous mode. This isn’t necessary because ARP packets will be sent to us. This happens

because the ARP protocol is stateless. Because of this, sniffing can be done on a switched network.

To perform this kind of sniffing, you first have to poison the ARP cache1 of the two hosts that you

want to sniff, identifying yourself as the other host in the connection. Once the ARP caches are

poisoned, the two hosts start their connection, but instead of sending the traffic directly to the other

host it gets sent to us. We then log the traffic and forward it to the real intended host on the other side

of the connection. This is called a man-in-the-middle attack. See Diagram 1 for a general idea of the

way it works.

10
Diagram 1: ARP sniffing method

11
5.2.METHODS TO DETECT PACKET SNIFFERS

ICMP echo response If we send an ICMP echo (or “ping”) request packet containing a correct IP

address and an incorrect MAC address to a normal networked machine, then we would expect to

receive no response. This is because the physical layer of the recipient checks for a packet with the

MAC address of either the local machine, or the broadcast Ethernet If the machine we are “pinging”

is running in promiscuous mode the packet should be replied to. This is because a promiscuous mode

device will accept all packets, and consequently the fake packet we have created will also be accepted.

When this packet is received, it is passed up through the layers, where the IP address would be

recognised as its own. Therefore, the intruder’s machine would respond to the “ping” request.

Fig: ICMP ECHO RESPONSE TES

12
Ping method, part2 :

The ping method can be enhanced in a number of ways. Any protocol that generates a response can

be used, such as a TCP connection request or a UDP protocol or any protocol that might generate an

error on the target machine might be used. For example, bad IP header values might be used to

generate an ICMP error. Moreover, sometimes a broadcast address needs to be used in order to

bypass software IP address filtering.

DNS Lookup Test : If we send a packet to a remote machine, it is possible that a sniffer is using

DNS in order to establish a machine name from the IP address of the packet. This would be desirable

in order to decide whether a machine was worth gaining access to. For example, an intruder is more

likely to attempt to gain access for “payroll.uwe.ac.uk” than to “joebloggs.uwe.ac.uk.” If this is the

case, then the IP address of any packet that is received by the intruder must be resolved via DNS to a

machine name. We can potentially use this to our advantage. If we send a packet to a fictitious host,

we can then see if there are any DNS requests for the fake IP address. If there are, we can see who

has sent the DNS request and find the IP and MAC address of the host, which has looked up the fake

address (i.e. the intruder.)

ARP METHOD: The ARP method is similar to the ping method, but an ARP packet is used instead.

The simplest ARP method transmits an ARP to a non-broadcast address. If a machine responds to

such an ARP of its IP address, then it must be in promiscuous mode.

The decoy method: The decoy method consists of setting up a connection between a client and a

virtual server. The client runs a script to logon to the server using a plain-text protocol, allowing any

eavesdropper to sift the usernames and the passwords from the wire. When the eavesdropper will

attempt to log on using this information, standard intrusion detection systems will alert the fact that a

sniffing intruder has found the traffic and attempted to use the information. The decoy method works
13
everywhere, unlike the ping and ARP methods, which only work on the local network.

Source-route method: This method functions by configuring the source-route information inside the

IP header. A ping packet is created, while a loose-source route is used to force it by another machine

on the same segment. This machine should have routing disabled, so that it will not forward it to the

target. If you get a response (from the networking code of the computer that runs the sniffer), then it

is likely the target sniffed the packet off the wire.

Time Domain Reflectometers (TDR): A Time Domain Reflectometer is basically radar for the wire.

It sends a pulse down the wire and graphs the reflections that come back. By looking at the graph of

the response an expert can figure out if any devices that should not be attached to the wire, are

attached. They also roughly tell where, in terms of distance along the wire, the tap is located

SNMP monitoring: Another way to figure out whether a hardware packet sniffer is attached to the

wires is by using smart hubs with SNMP management. Such hubs can provide automated monitoring

of Ethernet hubs. In other words a packet sniffer can be tracked down by configuring the system with

the information where all the cables terminate.

Antisniffer: In 1999, L0pht Heavy Industries released a product called Antisniff. AntiSniff is a

network security software program that attempts to scan one’s network and determine if a computer

is running in promiscuous mode, using some of the detection methods described above. AntiSniff,

which operates on both Windows NT and UNIX, is just a detection tool; it does not protect against

packet sniffers.

Fake user name & password login attempt test : We can create and known (fake) login sequence

to a host, containing a username and password with no credentials, but named something tempting

like “Admin” We can then check to see if a login attempt is made in future with that username and

password. If there is a login attempt using this username and password, then we know there is a
14
sniffer on the network “somewhere” (although the login attempt is highly unlikely to come from the

same machine that is sniffing.) This can be achieved with a combination of auditing and logging

techniques.

Unrecognized MAC address test : Many networks use standard machines in order to make

administration easier. This means that the Network Interface Cards (NIC’s) in the machines are likely

to be of the same manufacturer and type. As each manufacturer of NIC is allocated a specified range

of MAC addresses to use, each and every NIC is uniquely identifiable. So, the network cards in a set

of standard machines will be similar, and therefore the first two octets of the MAC address should

also be similar. Therefore, we can use pattern matching to scan the network for any unfamiliar MAC

addresses in order to ascertain if a machine has been brought in from outside.

15
ICMP Echo Latency Test: If we send a series of sensitive ICMP echo requests to every machine in

a given subnet, then we can find the average response time for each machine. This will be referred to

as the machines “ICMP echo response profile.” If we then flood the network with packets destined

for a fake IP address, we would expect that this would make little difference to the ICMP echo

response profile of each machine. This is because even though the network is running at a higher

usage level, normal networked machines will not be affected considerably as the network interface

and CPU load of the machine are not considerably affected by even a massive increase of network

traffic. This is in spite of the greater amount of collisions on the network. However, an interface

running in promiscuous mode will see a noticeable increase in the amount of packets that it will be

handling, as the fake packets are queued up on the network card awaiting processing. If, then we

perform the ICMP echo response profile again while the network is flooded, we would expect a

“normal” machine to show no significant increase in response time when comparing the two timings

taken. A machine running in promiscuous mode however may show a significant time delay in

responding to an ICMP echo request due to the quantity of packets queued on its Ethernet device. So,

if we gain a profile of each machine, and then compare it with a repeat of the profile taken when the

network is flooded, there should be no significant time difference for a legitimate machine. For a

sniffer however, we may see up to three to four times echo response time difference

16
 6. ANTI-SNIFF ASSUMPTIONS

We have made various assumptions when we developed our remote sniffer detector. These

assumptions limit the types of sniffers that we can detect. However, we feel that our assumptions

are valid and reasonable .One assumption we have made is that the sniffer is an actual sniffer

program running on a host .That is, we disallow the possibility that the sniffer is a dedicated device

that a hacker physically attaches to the network. This is a rather reasonable assumption since a lot

of break-ins are done remotely by hackers with no physical access to the network whatsoever.

Usually, a UNIX machine is broken in to , and the hacker logs on to the compromised machine and

installs a sniffer with root access.

Another assumption we have made is that the network segment that we are interested in, the

network segment which we wish to detect whether a sniffer is running or not, is an Ethernet

segment. Again, this is a reasonable assumption since a large percentage of the network segments

on the Internet are Ethernet .This leads us to mention that we also assume that TCP/IP is the

protocol that the network is using. Although some of our techniques can be modified to support

other networking protocols, the implementation is based on TCP/IP since it is, by far, the most

popular network protocol today.

17
 7.ANTI-SNIFF DETECTION METHODS

7.1 MAC DETECTION

The MAC detection technique for detecting sniffers running on a Ethernet segment requires that the

machine running the detector be on the same Ethernet segment as the host that is suspected of

running a sniffer. Thus, this technique allows remote detection of sniffers on the same Ethernet

segment, but not the remote detection of sniffers across different networks .The basic idea behind the

MAC detection technique is simple and has been discussed in the past

7.1.1 Ethernet Network Interface Cards:

A basic Ethernet network interface card has a unique medium access control (MAC) address assigned

to it by its manufacturer. Thus, all network interface cards (NIC) can be uniquely identified by its

MAC address. Since Ethernet is a shared medium network, all data packets are essentially

broadcasted. Since passing all packets broadcasted on the network to the operating system is

inefficient , Ethernet controller chips typically implement a filter which filters out any packet that

does not contain a target MAC address for the NIC .Since sniffers are interested in all traffic on the

Ethernet segment, NICs provide a promiscuous mode. In promiscuous mode, all Ethernet data

packets, regardless of the target MAC address, are passed to the operating system. Thus, when a

sniffer is running on a machine, the machine's NIC is set to promiscuous mode to capture all of the

Ethernet traffic . Figure2 shows the flow diagram of the Ethernet data packet path to the operating

system .

7.1.2 TCP/IP on Ethernet: The Ethernet protocol standard, IEEE 802.3, specifies the Ethernet

packet structure. Figure2 shows a IP packet encapsulated in a Ethernet packet. For TCP/IP, a normal

18
IP packet destined to a particular Ethernet host has the destination host's MAC address filled in the

Ethernet header and the IP address of the destination filled in the IP header. Thus, IP packets

transported by Ethernet have two addresses, both of which normally correspond to a machine's MAC

address and IP address

7.1.3 Implementation : The implementation of the MAC detection technique is quite simple. The

detection tool implements a ICMP Echo Request packet generator .The tool generates the full ICMP

packet as well as the outer Ethernet packet that encapsulates the ICMP packet. The Ethernet packet is

generate such that the target MAC address is different from the actual MAC address of the target

machine. So, for any suspected host on the Ethernet segment, the tool can generate the ICMP Echo

Request with incorrect MAC address and check if a ICMP Echo Reply is returned. If so, the

suspected host is in promiscuous mode. Thus, a sniffer could likely be running on that host. Figure 3

shows how the MAC detection technique works as implemented.

7.1.4 Results : The MAC detection technique works only against operating systems with a TCP/IP

protocol stack that does not have the check against correct MAC addresses. We were able to confirm

that Linux 2.0.35 was vulnerable to this kind of sniffer detection. We were able to detect when a

Linux machine went in to promiscuous mode with 100% accuracy. However, FreeBSD 2.2.7 was not
19
vulnerable to this kind of sniffer detection. The networking code in FreeBSD 2.2.7 correctly

implements the necessary check so that incorrectly addressed Ethernet packets never reach the ICMP

processing code.

Flow of Ethernet data packet with OS

20
 8.DNS DETECTOON

The DNS detection technique exploits a behavior common in all password sniffers to date. This

technique requires that the system administrator controls the Domain Name Server (DNS) [6]

8.1 Exploit Sniffer Behavior: The DNS detection technique works by exploiting a behavior common

to all password sniffers we have seen. The key observation is that all current password sniffers are not

truly passive. In fact, password sniffers do generate network traffic, although it is usually hard to

distinguish whether the generated network traffic was from the sniffer or not. It turns out that all

password sniffers we have come across do a reverse DNS lookup on the traffic that it sniffed. Since

this traffic is generated by the sniffer program, the trick is to detect this DNS lookup some how from

normal DNS lookup requests. It is not hard to come up with the following idea. We can generate fake

traffic to the Ethernet segment with a source address of some unused IP address that we provide the

DNS service for. Then, since the traffic we generate should normally be ignored by the hosts on the

segment, if a DNS lookup request is generated, we know that there is a sniffer on the Ethernet

segment.

8.2 Implementation: The implementation of the DNS detection technique is quite straight forward.

The tool that implement this technique runs on the machine that is registered to provide the reverse

DNS lookup for the trigger IP address, the invalid IP address that is used as the source address in the

fake traffic. The tool generates a fake FTP [PR85] connection with the source IP address set to the

trigger IP address. Then, the tool waits for a period of user definable time on the DNS service port.

Within this period of time, the tool counts the number of DNS requests for the trigger IP address.

When the time expires, the tool reports the number of DNS request counted. Note that the tool never

returns a DNS reply. This is to avoid having the DNS entry being cached in some intermediate DNS

21
server. The reason why DNS request needs to be counted is that the fake FTP traffic may actually be

destined for a real machine on the network that provides FTP service. If so, that machine may trigger

a DNS lookup. Thus, there are two cases we need to consider. If the fake FTP traffic ends up being

destined to a real machine on the network, then if we count two or more DNS lookups, a sniffer is

probably running on the network. Otherwise, if only one DNS lookup occurs, it is probably a

legitimate lookup being performed by the host. The other case is that the fake traffic ends up being

destined to no particular machine on the network. Then, if one or more DNS lookup occurs, there is

most likely a sniffer on the network.

8.3 Results : The DNS detection technique was able to detect sniffers running on a Ethernet segment

with 100% accuracy regardless of operating system type. The default behavior of esniff, linsniff,

sniffit and even tcpdump is to perform the reverse DNS lookup. Furthermore, it is possible to assign a

trigger IP address to each network segment to perform the DNS detection technique .This is useful

because even if the password sniffer does not perform a reverse DNS lookup, that is, the tool does not

detect a sniffer in the required timeout period, the hacker may sometime in the future perform a

reverse DNS lookup on the logged password entry. If so, then this technique can be extended to keep

track of which IP address is assigned to what network and report a DNS lookup whenever it sees it in

the future. request. Thus, the router will never generate the traffic on the network. However, this is

possible to do if the machine running the tool is on the same network, therefore it can generate the

fake traffic with invalid MAC addresses.

22
Diagram of DNS detection.

23
 9.CONCLUSION

When computers communicate over networks, they normally just listen to the traffic specifically for

them. However, network cards have the ability to enter promiscuous mode, which allows them to

listen to all network traffic regardless of if it’s directed to them. Packet sniffers can capture things

like clear-text passwords and usernames or other sensitive material. Because of this packet sniffers

are a serious matter for network security. Fortunately, not all sniffers are fully passive. Since they

aren’t tools like AntiSniff can detect them. Since sniffing is possible on non-switched and switched

networks, it’s a good practice to encrypt your data communications.

24
 REFERENCES

1.Vaidya, J. (2017). Packet sniffing techniques and tools. International Journal of Advanced Research

in Computer Science, 8(2), 182-185.

2.Stutzman, W. L. (2007). Wireshark & Ethereal network protocol analyzer toolkit. Elsevier.

3.Kottler, S. (2015). tcpdump tutorial and examples. Retrieved from

https://danielmiessler.com/study/tcpdump/

4.Microsoft. (n.d.). Microsoft Network Monitor. Retrieved from https://docs.microsoft.com/en-

us/windows-hardware/drivers/debugger/microsoft-network-monitor

5.Roesch, M. (1999). Snort: Lightweight intrusion detection for networks. Proceedings of the 13th

USENIX conference on System administration, 229-238.

6.Bishop, M. (2003). Computer security: art and science. Addison-Wesley.

7.Stallings, W. (2013). Cryptography and network security: principles and practice. Pearson

Education.

8.Zhang, Y., & Song, D. (2015). Network anomaly detection based on packet sniffing. Security and

Communication Networks, 8(1), 14-28.

9.Ristic, I. (2014). Bulletproof SSL and TLS: understanding and deploying SSL/TLS and PKI to

secure servers and web applications. Feisty Duck.

10.Shema, A., & Zohar, A. (2013). Defending against packet injection attacks in wireless networks.

IEEE Transactions on Mobile Computing, 12(7), 1415-1427.

25
26
27
28
29
30
31
32