Professional Documents
Culture Documents
Packet Sniffing 1906 Final
Packet Sniffing 1906 Final
On
PACKET SNIFFING
Submitted in Partial fulfillment of the requirement for the award of the degree in
Bachelor of Technology in
Department of Electronics and Computer Engineering
SUBMITTED
By
CHINTHAKINDI SOMESH - 19671A1906
R.R.(Dist)- 500075
2019-2023
J.B. INSTITUTE OF ENGINEERING &TECHNOLOGY
(UGC Autonomous & Accredited by NBA & NAAC, Approved by Affiliated to JNTU,
HYDERABAD)
CERTIFICATE
This is to certify that the Technical Seminar Report on “PACKET SNIFFING” is work done by
CHINTHAKINDI SOMESH, 19671A1906, in partial fulfillment of the requirementof the award
for the degree of Bachelor of Technology in “Electronics and Computers Engineering“, during the
academic year 2022-2023.
I profoundly thank all my faculty members for their dynamic invaluable technical guidance and
constant encouragement without which the technical report would not have been possible. I proudly
thank Dr.Narsappa Reddy, HOD of ECM Department, for this support and co-operation for the
completion of this report.
CHINTHAKINDI SOMESH
19671A1906
3
ABSTRACT
A packet sniffer, the network analyzer, is a wire-tap device that plugs into computer networks and
eavesdrops on the network traffic. To capture the information going over the network is called
sniffing. It is a "sniffing" program that lets someone listen in on computer conversations. However,
computer conversations consist of apparently random binary data. Therefore, network wiretap
programs also come with a feature known as "protocol analysis", which allow them to "decode" the
computer traffic and make sense of it. These tools known as network sniffers are named after a
product called the Sniffer Network Analyzer. Introduced in 1988 by Network General Corp. (now
Network Associates Inc.), the Sniffer was one of the first devices that let managers sit at their desks
and take the pulse of the larger network. The original sniffers read the message headers of data
packets on the network, giving administrators details about the addresses of senders and receivers,
file sizes and other low-level information about those packets, in addition to verifying transmission.
Using graphs and text-based descriptions, sniffers helped network managers evaluate and diagnose
performance problems with servers, the network wire, hubs and applications.
Packet sniffing is a powerful technique used for capturing, analyzing, and monitoring network traffic.
It involves capturing data packets as they travel across a network, and then examining their contents
to gain insight into the nature of the traffic. Packet sniffing has numerous applications, including
network troubleshooting, security monitoring, and performance analysis. However, packet sniffing
can also be used for malicious purposes, such as stealing sensitive information or conducting denial-
of-service attacks.
4
1. INTRODUCTION
Packet sniffing is a technique of monitoring every packet that crosses the network. A packet sniffer
is a piece of software or hardware that monitors all network traffic. This is unlike standard network
hosts that only receive traffic sent specifically to them. The security threat presented by sniffers is
their ability to capture all incoming and outgoing traffic, including clear-text passwords and user
names or other sensitive material. In theory, it’s impossible to detect these sniffing tools because they
are passive in nature, meaning that they only collect data. While they can be fully passive, some
aren’t therefore they can be detected. This paper discusses the different packet sniffing methods and
explains how Anti-Sniff tries to detect these sniffing programs In this report, we will explore the
technical aspects of packet sniffing, including its methodology, tools, and potential security risks. We
will also discuss how packet sniffing can be used for performance analysis, and examine the legal and
5
2.WORKING OF PACKET SNIFFER
A packet sniffer works by looking at every packet sent in the network, including packets not intended
for itself. This is accomplished in a variety of ways. These sniffing methods will be described below.
Sniffers also work differently depending on the type of network they are in Shared Ethernet: In a
shared Ethernet environment, all hosts are connected to the same bus and compete with one another
for bandwidth. In such an environment packets meant for one machine are received by all the other
machines. Thus, any machine in such an environment placed in promiscuous mode will be able to
capture packets meant for other machines and can therefore listen to all the traffic on the network.
Switched Ethernet: An Ethernet environment in which the hosts are connected to a switch instead of a
hub is called a Switched Ethernet. The switch maintains a table keeping track of each computer's
MAC address and delivers packets destined for a particular machine to the port on which that
machine is connected. The switch is an intelligent device that sends packets to the destined computer
only and does not broadcast to all the machines on the network, as in the previous case. This switched
Ethernet environment was intended for better network performance, but as an added benefit, a
machine in promiscuous mode will not work here. As a result of this, most network administrators
6
3.USES OF PACKET SNIFFERS
2) Underground packet sniffers are used by attackers to gain unauthorized access to remote hosts.
• Network intrusion detection to monitor for attackers. Using a sniffer in an illegitimate way is
considered a passive attack. It does not directly interface or connect to any other systems on the
network. However, the computer that the sniffer is installed on could have been compromised using
an active attack. The passive nature of sniffers is what makes detecting them so difficult. The
following list describes a few reasons why intruders are using sniffers on the network:
Mapping a network
Passive OS fingerprinting
Obviously, these are illegal uses of a sniffer, unless you are a penetration tester whose job it is to find
these types of weaknesses and report them to an organization. For sniffing to occur, an intruder must
first gain access to the communication cable of the systems that are of interest. This means being on
the same shared network segment, or tapping into the cable somewhere between the paths of
7
communications. If the intruder is not physically present at the target system or communications
access point, there are still ways to sniff network traffic. These include:
Breaking into a target computer and installing remotely controlled sniffing software.
Breaking into a communications access point, such as an Internet Service Provider (ISP) and
Locating/finding a system at the ISP that already has sniffing software installed.
Using social engineering to gain physical access at an ISP to install a packet sniffer
Having an insider accomplice at the target computer organization or the ISP install the sniffer\
Since packet sniffing refers to the technique of monitoring each packet as it flows across the network,
it implies that a intruder can use this technique to automatic sift of clear-text passwords and
usernames from the network, in order to break into systems, or any other useful information such as
credit card numbers. From this moment, packet sniffing becomes a threat that has to be taken into
account.
8
4.SNIFFING TOOLS
tcpdump: Tcpdump is a powerful tool that allows us to sniff network packets and make some
statistical analysis out of those dumps. One major drawback to tcpdump is the size of the flat file
containing the text output. But tcpdump allows us to precisely see all the traffic and enables us to
Ethereal: A free network protocol analyzer for UNIX and Windows. It allows you to examine data
Hunt: The main goal of the HUNT project is to develop tools for exploiting wellknown weaknesses
Dsniff: Dsniff is a collection of tools for network auditing and penetration testing. dsniff, filesnarf,
mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data
(passwords, e-mail, files, etc.). arpspoof, dnsspoof, and macof facilitate the interception of network
traffic normally unavailable to an attacker (e.g, due to layer-2 switching). sshmitm and webmitm
implement active monkey-in-the-middle attacks against redirected SSH and HTTPS sessions by
IP spoofing : When the sniffing program is on a segment between two communicating end points,
the intruder can impersonate one end in order to hijack the connection. This is often combined with a
denial of service (DoS) attack against the forged address so they don't interfere anymore
9
5. SNIFFING METHODS
there are three types of sniffing methods. Some methods work in non-switched networks while others
5.1.1 IP-based sniffing This is the original way of packet sniffing. It works by putting the network
card into promiscuous mode and sniffing all packets matching the IP address filter. Normally, the IP
address filter isn’t set so it can capture all the packets. This method only works in nonswitched
networks.
5.1.2 MAC-based sniffing This method works by putting the network card into promiscuous mode
5.1.3 ARP-based sniffing This method works a little different. It doesn’t put the network card into
promiscuous mode. This isn’t necessary because ARP packets will be sent to us. This happens
because the ARP protocol is stateless. Because of this, sniffing can be done on a switched network.
To perform this kind of sniffing, you first have to poison the ARP cache1 of the two hosts that you
want to sniff, identifying yourself as the other host in the connection. Once the ARP caches are
poisoned, the two hosts start their connection, but instead of sending the traffic directly to the other
host it gets sent to us. We then log the traffic and forward it to the real intended host on the other side
of the connection. This is called a man-in-the-middle attack. See Diagram 1 for a general idea of the
way it works.
10
Diagram 1: ARP sniffing method
11
5.2.METHODS TO DETECT PACKET SNIFFERS
ICMP echo response If we send an ICMP echo (or “ping”) request packet containing a correct IP
address and an incorrect MAC address to a normal networked machine, then we would expect to
receive no response. This is because the physical layer of the recipient checks for a packet with the
MAC address of either the local machine, or the broadcast Ethernet If the machine we are “pinging”
is running in promiscuous mode the packet should be replied to. This is because a promiscuous mode
device will accept all packets, and consequently the fake packet we have created will also be accepted.
When this packet is received, it is passed up through the layers, where the IP address would be
recognised as its own. Therefore, the intruder’s machine would respond to the “ping” request.
The ping method can be enhanced in a number of ways. Any protocol that generates a response can
be used, such as a TCP connection request or a UDP protocol or any protocol that might generate an
error on the target machine might be used. For example, bad IP header values might be used to
generate an ICMP error. Moreover, sometimes a broadcast address needs to be used in order to
DNS Lookup Test : If we send a packet to a remote machine, it is possible that a sniffer is using
DNS in order to establish a machine name from the IP address of the packet. This would be desirable
in order to decide whether a machine was worth gaining access to. For example, an intruder is more
likely to attempt to gain access for “payroll.uwe.ac.uk” than to “joebloggs.uwe.ac.uk.” If this is the
case, then the IP address of any packet that is received by the intruder must be resolved via DNS to a
machine name. We can potentially use this to our advantage. If we send a packet to a fictitious host,
we can then see if there are any DNS requests for the fake IP address. If there are, we can see who
has sent the DNS request and find the IP and MAC address of the host, which has looked up the fake
ARP METHOD: The ARP method is similar to the ping method, but an ARP packet is used instead.
The simplest ARP method transmits an ARP to a non-broadcast address. If a machine responds to
The decoy method: The decoy method consists of setting up a connection between a client and a
virtual server. The client runs a script to logon to the server using a plain-text protocol, allowing any
eavesdropper to sift the usernames and the passwords from the wire. When the eavesdropper will
attempt to log on using this information, standard intrusion detection systems will alert the fact that a
sniffing intruder has found the traffic and attempted to use the information. The decoy method works
13
everywhere, unlike the ping and ARP methods, which only work on the local network.
Source-route method: This method functions by configuring the source-route information inside the
IP header. A ping packet is created, while a loose-source route is used to force it by another machine
on the same segment. This machine should have routing disabled, so that it will not forward it to the
target. If you get a response (from the networking code of the computer that runs the sniffer), then it
Time Domain Reflectometers (TDR): A Time Domain Reflectometer is basically radar for the wire.
It sends a pulse down the wire and graphs the reflections that come back. By looking at the graph of
the response an expert can figure out if any devices that should not be attached to the wire, are
attached. They also roughly tell where, in terms of distance along the wire, the tap is located
SNMP monitoring: Another way to figure out whether a hardware packet sniffer is attached to the
wires is by using smart hubs with SNMP management. Such hubs can provide automated monitoring
of Ethernet hubs. In other words a packet sniffer can be tracked down by configuring the system with
Antisniffer: In 1999, L0pht Heavy Industries released a product called Antisniff. AntiSniff is a
network security software program that attempts to scan one’s network and determine if a computer
is running in promiscuous mode, using some of the detection methods described above. AntiSniff,
which operates on both Windows NT and UNIX, is just a detection tool; it does not protect against
packet sniffers.
Fake user name & password login attempt test : We can create and known (fake) login sequence
to a host, containing a username and password with no credentials, but named something tempting
like “Admin” We can then check to see if a login attempt is made in future with that username and
password. If there is a login attempt using this username and password, then we know there is a
14
sniffer on the network “somewhere” (although the login attempt is highly unlikely to come from the
same machine that is sniffing.) This can be achieved with a combination of auditing and logging
techniques.
Unrecognized MAC address test : Many networks use standard machines in order to make
administration easier. This means that the Network Interface Cards (NIC’s) in the machines are likely
to be of the same manufacturer and type. As each manufacturer of NIC is allocated a specified range
of MAC addresses to use, each and every NIC is uniquely identifiable. So, the network cards in a set
of standard machines will be similar, and therefore the first two octets of the MAC address should
also be similar. Therefore, we can use pattern matching to scan the network for any unfamiliar MAC
15
ICMP Echo Latency Test: If we send a series of sensitive ICMP echo requests to every machine in
a given subnet, then we can find the average response time for each machine. This will be referred to
as the machines “ICMP echo response profile.” If we then flood the network with packets destined
for a fake IP address, we would expect that this would make little difference to the ICMP echo
response profile of each machine. This is because even though the network is running at a higher
usage level, normal networked machines will not be affected considerably as the network interface
and CPU load of the machine are not considerably affected by even a massive increase of network
traffic. This is in spite of the greater amount of collisions on the network. However, an interface
running in promiscuous mode will see a noticeable increase in the amount of packets that it will be
handling, as the fake packets are queued up on the network card awaiting processing. If, then we
perform the ICMP echo response profile again while the network is flooded, we would expect a
“normal” machine to show no significant increase in response time when comparing the two timings
taken. A machine running in promiscuous mode however may show a significant time delay in
responding to an ICMP echo request due to the quantity of packets queued on its Ethernet device. So,
if we gain a profile of each machine, and then compare it with a repeat of the profile taken when the
network is flooded, there should be no significant time difference for a legitimate machine. For a
sniffer however, we may see up to three to four times echo response time difference
16
6. ANTI-SNIFF ASSUMPTIONS
We have made various assumptions when we developed our remote sniffer detector. These
assumptions limit the types of sniffers that we can detect. However, we feel that our assumptions
are valid and reasonable .One assumption we have made is that the sniffer is an actual sniffer
program running on a host .That is, we disallow the possibility that the sniffer is a dedicated device
that a hacker physically attaches to the network. This is a rather reasonable assumption since a lot
of break-ins are done remotely by hackers with no physical access to the network whatsoever.
Usually, a UNIX machine is broken in to , and the hacker logs on to the compromised machine and
Another assumption we have made is that the network segment that we are interested in, the
network segment which we wish to detect whether a sniffer is running or not, is an Ethernet
segment. Again, this is a reasonable assumption since a large percentage of the network segments
on the Internet are Ethernet .This leads us to mention that we also assume that TCP/IP is the
protocol that the network is using. Although some of our techniques can be modified to support
other networking protocols, the implementation is based on TCP/IP since it is, by far, the most
17
7.ANTI-SNIFF DETECTION METHODS
The MAC detection technique for detecting sniffers running on a Ethernet segment requires that the
machine running the detector be on the same Ethernet segment as the host that is suspected of
running a sniffer. Thus, this technique allows remote detection of sniffers on the same Ethernet
segment, but not the remote detection of sniffers across different networks .The basic idea behind the
MAC detection technique is simple and has been discussed in the past
A basic Ethernet network interface card has a unique medium access control (MAC) address assigned
to it by its manufacturer. Thus, all network interface cards (NIC) can be uniquely identified by its
MAC address. Since Ethernet is a shared medium network, all data packets are essentially
broadcasted. Since passing all packets broadcasted on the network to the operating system is
inefficient , Ethernet controller chips typically implement a filter which filters out any packet that
does not contain a target MAC address for the NIC .Since sniffers are interested in all traffic on the
Ethernet segment, NICs provide a promiscuous mode. In promiscuous mode, all Ethernet data
packets, regardless of the target MAC address, are passed to the operating system. Thus, when a
sniffer is running on a machine, the machine's NIC is set to promiscuous mode to capture all of the
Ethernet traffic . Figure2 shows the flow diagram of the Ethernet data packet path to the operating
system .
7.1.2 TCP/IP on Ethernet: The Ethernet protocol standard, IEEE 802.3, specifies the Ethernet
packet structure. Figure2 shows a IP packet encapsulated in a Ethernet packet. For TCP/IP, a normal
18
IP packet destined to a particular Ethernet host has the destination host's MAC address filled in the
Ethernet header and the IP address of the destination filled in the IP header. Thus, IP packets
transported by Ethernet have two addresses, both of which normally correspond to a machine's MAC
7.1.3 Implementation : The implementation of the MAC detection technique is quite simple. The
detection tool implements a ICMP Echo Request packet generator .The tool generates the full ICMP
packet as well as the outer Ethernet packet that encapsulates the ICMP packet. The Ethernet packet is
generate such that the target MAC address is different from the actual MAC address of the target
machine. So, for any suspected host on the Ethernet segment, the tool can generate the ICMP Echo
Request with incorrect MAC address and check if a ICMP Echo Reply is returned. If so, the
suspected host is in promiscuous mode. Thus, a sniffer could likely be running on that host. Figure 3
7.1.4 Results : The MAC detection technique works only against operating systems with a TCP/IP
protocol stack that does not have the check against correct MAC addresses. We were able to confirm
that Linux 2.0.35 was vulnerable to this kind of sniffer detection. We were able to detect when a
Linux machine went in to promiscuous mode with 100% accuracy. However, FreeBSD 2.2.7 was not
19
vulnerable to this kind of sniffer detection. The networking code in FreeBSD 2.2.7 correctly
implements the necessary check so that incorrectly addressed Ethernet packets never reach the ICMP
processing code.
20
8.DNS DETECTOON
The DNS detection technique exploits a behavior common in all password sniffers to date. This
technique requires that the system administrator controls the Domain Name Server (DNS) [6]
8.1 Exploit Sniffer Behavior: The DNS detection technique works by exploiting a behavior common
to all password sniffers we have seen. The key observation is that all current password sniffers are not
truly passive. In fact, password sniffers do generate network traffic, although it is usually hard to
distinguish whether the generated network traffic was from the sniffer or not. It turns out that all
password sniffers we have come across do a reverse DNS lookup on the traffic that it sniffed. Since
this traffic is generated by the sniffer program, the trick is to detect this DNS lookup some how from
normal DNS lookup requests. It is not hard to come up with the following idea. We can generate fake
traffic to the Ethernet segment with a source address of some unused IP address that we provide the
DNS service for. Then, since the traffic we generate should normally be ignored by the hosts on the
segment, if a DNS lookup request is generated, we know that there is a sniffer on the Ethernet
segment.
8.2 Implementation: The implementation of the DNS detection technique is quite straight forward.
The tool that implement this technique runs on the machine that is registered to provide the reverse
DNS lookup for the trigger IP address, the invalid IP address that is used as the source address in the
fake traffic. The tool generates a fake FTP [PR85] connection with the source IP address set to the
trigger IP address. Then, the tool waits for a period of user definable time on the DNS service port.
Within this period of time, the tool counts the number of DNS requests for the trigger IP address.
When the time expires, the tool reports the number of DNS request counted. Note that the tool never
returns a DNS reply. This is to avoid having the DNS entry being cached in some intermediate DNS
21
server. The reason why DNS request needs to be counted is that the fake FTP traffic may actually be
destined for a real machine on the network that provides FTP service. If so, that machine may trigger
a DNS lookup. Thus, there are two cases we need to consider. If the fake FTP traffic ends up being
destined to a real machine on the network, then if we count two or more DNS lookups, a sniffer is
probably running on the network. Otherwise, if only one DNS lookup occurs, it is probably a
legitimate lookup being performed by the host. The other case is that the fake traffic ends up being
destined to no particular machine on the network. Then, if one or more DNS lookup occurs, there is
8.3 Results : The DNS detection technique was able to detect sniffers running on a Ethernet segment
with 100% accuracy regardless of operating system type. The default behavior of esniff, linsniff,
sniffit and even tcpdump is to perform the reverse DNS lookup. Furthermore, it is possible to assign a
trigger IP address to each network segment to perform the DNS detection technique .This is useful
because even if the password sniffer does not perform a reverse DNS lookup, that is, the tool does not
detect a sniffer in the required timeout period, the hacker may sometime in the future perform a
reverse DNS lookup on the logged password entry. If so, then this technique can be extended to keep
track of which IP address is assigned to what network and report a DNS lookup whenever it sees it in
the future. request. Thus, the router will never generate the traffic on the network. However, this is
possible to do if the machine running the tool is on the same network, therefore it can generate the
22
Diagram of DNS detection.
23
9.CONCLUSION
When computers communicate over networks, they normally just listen to the traffic specifically for
them. However, network cards have the ability to enter promiscuous mode, which allows them to
listen to all network traffic regardless of if it’s directed to them. Packet sniffers can capture things
like clear-text passwords and usernames or other sensitive material. Because of this packet sniffers
are a serious matter for network security. Fortunately, not all sniffers are fully passive. Since they
aren’t tools like AntiSniff can detect them. Since sniffing is possible on non-switched and switched
24
REFERENCES
1.Vaidya, J. (2017). Packet sniffing techniques and tools. International Journal of Advanced Research
2.Stutzman, W. L. (2007). Wireshark & Ethereal network protocol analyzer toolkit. Elsevier.
https://danielmiessler.com/study/tcpdump/
us/windows-hardware/drivers/debugger/microsoft-network-monitor
5.Roesch, M. (1999). Snort: Lightweight intrusion detection for networks. Proceedings of the 13th
7.Stallings, W. (2013). Cryptography and network security: principles and practice. Pearson
Education.
8.Zhang, Y., & Song, D. (2015). Network anomaly detection based on packet sniffing. Security and
9.Ristic, I. (2014). Bulletproof SSL and TLS: understanding and deploying SSL/TLS and PKI to
10.Shema, A., & Zohar, A. (2013). Defending against packet injection attacks in wireless networks.
25
26
27
28
29
30
31
32