Network monitoring or packet sniffing tools are like many other infosec tools: they can be used for good or evil, and it all depends on the intent of the user. A packet sniffer can be used legitimately by a network or system administrator to monitor and troubleshoot network traffic.
In its simplest form a packet sniffer captures all of the packets of data that pass through a given network interface. Typically, the packet sniffer would only capture packets that were intended for the machine. However, if placed into promiscuous mode, the packet sniffer is also capable of capturing ALL packets traversing the network regardless of destination. (Ethernet cards have a filter that prevents the host machine from seeing traffic addressed to other stations. Sniffing programs turn off the filter, and thus see everyone's traffic.)
By placing a packet sniffer on a network in promiscuous mode, a malicious intruder can capture and analyze all of the network traffic. Within a given network, username and password information is generally transmitted in clear text which means that the information would be viewable by analyzing the packets being transmitted.
A packet sniffer can only capture packet information within a given subnet. Detecting rogue packet sniffers on your network is not an easy task. By its very nature the packet sniffer is passive: it simply captures the packets that are traveling to the network interface it is monitoring. There are, however, ways to identify network interfaces on your network that are running in promiscuous mode, and this can be used as a means of locating rogue packet sniffers.
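As an added example (not code from the original post), here is one host-local way to do that check on a Linux machine you administer: parse the per-interface `promiscuity` counter printed by `ip -d link show` and replay the kernel's "entered/left promiscuous mode" log messages. Those two signals are used because a sniffer that enables promiscuous mode through a packet socket is reflected in the counter and the log even when the plain interface flags shown by tools like `ifconfig` do not change; the `ip` output format is assumed to match iproute2, and the sample text below is constructed.

```python
"""Flag Linux interfaces whose promiscuous-mode counter is non-zero."""
import re
import subprocess

IFACE_RE = re.compile(r"^\d+: ([^:@]+)(?:@\S+)?: <")      # "2: eth0: <BROADCAST,...>"
PROMISC_RE = re.compile(r"\bpromiscuity (\d+)\b")          # printed by `ip -d link show`
KLOG_RE = re.compile(r"device (\S+) (entered|left) promiscuous mode")  # kernel message

def promiscuous_from_ip_link(text):
    """Return {interface: count} for every interface whose promiscuity count is > 0."""
    found, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)      # header line names the interface
            continue
        m = PROMISC_RE.search(line)   # detail lines follow, indented
        if m and current and int(m.group(1)) > 0:
            found[current] = int(m.group(1))
    return found

def promiscuous_from_klog(text):
    """Replay 'entered'/'left' messages; return interfaces still in promiscuous mode."""
    state = {}
    for m in KLOG_RE.finditer(text):
        delta = 1 if m.group(2) == "entered" else -1
        state[m.group(1)] = state.get(m.group(1), 0) + delta
    return sorted(name for name, n in state.items() if n > 0)

# Constructed sample output: loopback untouched, eth0 has a sniffer attached.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 promiscuity 0 minmtu 0 maxmtu 0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff promiscuity 1 minmtu 68 maxmtu 65535
"""
# Constructed kernel log: eth1 entered and then left, so only eth0 remains.
SAMPLE_KLOG = """\
[  120.001] device eth0 entered promiscuous mode
[  130.002] device eth1 entered promiscuous mode
[  131.003] device eth1 left promiscuous mode
"""

if __name__ == "__main__":
    try:
        out = subprocess.run(["ip", "-d", "link", "show"],
                             capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE_IP_LINK   # no iproute2 here: fall back to the constructed sample
    print("promiscuity counters:", promiscuous_from_ip_link(out))
    print("kernel log says promiscuous:", promiscuous_from_klog(SAMPLE_KLOG))
```

Run it periodically (or feed it `dmesg` output) and alert on any interface that appears where no capture is expected; a legitimate monitoring host will show up too, so keep an allow-list of known sensors.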
There are various categories of network monitoring tools:
1. Capture and analyze in detail all the packets on the wire or in the air (e.g., Wireshark, formerly called Ethereal, and Cain and Abel).
You can learn more about Wireshark from http://wheelersoftware.com/articles/wireshark-tutorial.html
You can learn more about Cain and Abel from http://www.thehackerslibrary.com/?p=414
2. Show general characteristics of the network traffic (e.g., EtherApe or ntop).
3. Only show counts of packets to/from the host itself (e.g., iptraf).
I recommend you become familiar with network monitors or packet sniffers such as Wireshark. Learn what types of information can be discerned from the captured data and how you can put it to use to keep your network running smoothly. But also be aware that users on your network may be running rogue packet sniffers, either experimenting out of curiosity or with malicious intent, and that you should do what you can to make sure this does not happen.