What’s a packet sniffer?

A packet sniffer intercepts network traffic by capturing packets of data. It can be used for troubleshooting or for malicious purposes. Encryption is the best defense against eavesdropping. ARP poisoning and MAC flooding can defeat the isolation that a switched Ethernet network provides, but both generate detectable traffic signatures.

A packet sniffer is a device or program that allows the user to intercept traffic traveling between computers on a network. The program will capture data routed to other machines, saving it for later analysis.

All information traveling across a network is sent in “packets”. For example, when an email is sent from one computer to another, it is first broken up into smaller segments. Each segment carries a header with the destination address, the source address and other information, such as how many segments there are and where this one belongs in the sequence. Once the segments arrive at their destination, the headers and trailers are stripped off and the original message is reassembled in order.

In the simplest network example, where computers share an Ethernet cable, all packets traveling between computers are “seen” by every computer on the network. A hub repeats every packet to every machine (node) on the network, and the network card in each computer normally discards frames that are not addressed to it. A packet sniffer switches that filter off so the card passes up every frame on the wire; this is referred to as “promiscuous mode”. The sniffer then captures and analyzes some or all of the traffic, depending on its configuration. As a result, if Ms. Wise on computer A sends an email to Mr. Geek on computer B, software installed on computer D can passively capture their packets without either Ms. Wise or Mr. Geek knowing. This type of sniffing is very difficult to detect because it generates no traffic of its own.
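
The following Python script is an added example, not code from the original article: it models the hub scenario above with a few constructed frames (every MAC and IP address in it is made up) and shows both halves of what a sniffer does. `nic_accepts` is the address filter a network card applies in normal mode and switches off in promiscuous mode; `parse_frame` decodes the Ethernet, IPv4 and TCP headers into the source and destination addresses, ports and payload that a sniffer displays. The frame builder leaves checksums at zero, which is enough to exercise the parser but would not produce wire-valid packets.

```python
import struct

# Constructed sample network: "computer A" mails "computer B", "computer D" sniffs.
# Every address below is made up for illustration, not captured traffic.
MAC_A, MAC_B, MAC_D = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0d"
IP_A, IP_B = "192.0.2.10", "192.0.2.11"
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_to_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def bytes_to_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def build_tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Assemble a minimal Ethernet II / IPv4 / TCP frame (checksums left zero)."""
    eth = mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + b"\x08\x00"  # EtherType 0x0800 = IPv4
    # TCP: ports, seq, ack, data offset 5 words, flags PSH|ACK, window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    # IPv4: version/IHL, TOS, total length, id, DF flag, TTL, protocol 6 = TCP, checksum, addresses
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + tcp


# What every network card on the shared segment physically receives.
WIRE = [
    build_tcp_frame(MAC_A, MAC_B, IP_A, IP_B, 40123, 25, b"MAIL FROM:<ms.wise@example.com>\r\n"),
    build_tcp_frame(MAC_B, MAC_A, IP_B, IP_A, 25, 40123, b"250 OK\r\n"),
    # A broadcast ARP request: EtherType 0x0806; the body is irrelevant here.
    mac_to_bytes(BROADCAST) + mac_to_bytes(MAC_A) + b"\x08\x06" + b"\x00" * 28,
]


def nic_accepts(frame, my_mac, promiscuous):
    """The address filter a NIC applies in normal mode: keep only frames sent
    to its own MAC or to broadcast. Promiscuous mode switches the filter off."""
    if promiscuous:
        return True
    return bytes_to_mac(frame[0:6]) in (my_mac, BROADCAST)


def parse_frame(frame):
    """Decode the header fields a sniffer displays: MACs, IPs, ports, payload."""
    info = {
        "dst_mac": bytes_to_mac(frame[0:6]),
        "src_mac": bytes_to_mac(frame[6:12]),
        "ethertype": struct.unpack("!H", frame[12:14])[0],
    }
    if info["ethertype"] != 0x0800:
        return info
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # IPv4 header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    info["src_ip"] = ".".join(str(o) for o in ip[12:16])
    info["dst_ip"] = ".".join(str(o) for o in ip[16:20])
    info["proto"] = ip[9]
    if info["proto"] == 6:                        # TCP
        tcp = ip[ihl:total_len]
        info["sport"], info["dport"] = struct.unpack("!HH", tcp[0:4])
        info["payload"] = tcp[(tcp[12] >> 4) * 4:]  # skip the TCP header (data offset)
    return info


def sniff(wire, my_mac, promiscuous):
    """Return the decoded frames the host at my_mac would capture."""
    return [parse_frame(f) for f in wire if nic_accepts(f, my_mac, promiscuous)]


if __name__ == "__main__":
    for mode in (False, True):
        print(f"promiscuous={mode}:")
        for pkt in sniff(WIRE, MAC_D, mode):
            print("  ", pkt)
```

In normal mode computer D sees only the broadcast ARP frame; in promiscuous mode it sees the SMTP exchange between A and B as well, payload included, and nothing in the capture path sends a single byte back onto the wire.
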

A slightly more secure environment is a switched Ethernet network. Rather than a hub that repeats all traffic to all machines, the switch acts like a central switchboard: it learns which hardware (MAC) address sits on each of its ports and forwards each frame only to the port of the machine it is addressed to. In this scenario, if computer A sends an e-mail message to computer B while computer D is in promiscuous mode, D still won’t see the packets. Some people incorrectly conclude from this that a packet sniffer cannot be used on a switched network.

However, there are ways to defeat the switch’s isolation. ARP poisoning sends forged ARP replies so that the target machines (or their gateway) associate the victim’s IP address with the sniffer’s MAC address; the switch then forwards that traffic to the sniffer’s port exactly as it is supposed to. After capturing the data, the sniffer forwards the packets to their real destination so that nothing appears broken. The other technique is MAC flooding: the attacker sends frames from a huge number of bogus source MAC addresses until the switch’s address table is full. Many switches then “fail open” and start acting like a hub, broadcasting frames to all ports to make sure traffic still gets through. Both ARP poisoning and MAC flooding generate traffic signatures that can be detected with the right software.

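
The two signatures are easy to describe in code. The script below is an added example, not part of the original article or of any particular product: it runs two detectors over constructed records (timestamps, switch ports and addresses are all made up) of the kind an ARP monitor or a switch’s port logs would produce. ARP poisoning shows up as an IP address whose claimed MAC address changes; MAC flooding shows up as a single switch port sourcing far more distinct MAC addresses in a second than any real host could.

```python
from collections import defaultdict

# Constructed sample records: (timestamp_seconds, switch_port, source_mac, claimed_ip).
# claimed_ip is the sender IP from an ARP reply, or None for a plain data frame.
# All addresses are made up for illustration.
MAC_A, MAC_B, MAC_D = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0d"
IP_A, IP_B = "192.0.2.10", "192.0.2.11"

ARP_REPLIES = [
    (0.0, 1, MAC_A, IP_A),   # A announces its own address, as normal
    (0.5, 2, MAC_B, IP_B),   # B answers a request for its IP, as normal
    (1.0, 1, MAC_A, IP_A),   # repeat from the same MAC: not suspicious
    (2.0, 4, MAC_D, IP_B),   # the sniffer on port 4 now claims B's IP address
]

# Ordinary traffic: the host on port 1 sends 100 frames from its own MAC; then a
# flooding tool on port 4 emits 200 frames in 0.4 s, every one from a new MAC.
DATA_FRAMES = [(t * 0.01, 1, MAC_A, None) for t in range(100)] + [
    (10.0 + i * 0.002, 4, f"de:ad:be:ef:{i >> 8:02x}:{i & 0xff:02x}", None)
    for i in range(200)
]


def detect_arp_poisoning(arp_replies):
    """Flag IPs whose claimed MAC changes. A live host's IP suddenly being
    answered for from a second hardware address is the ARP poisoning signature.
    Returns (timestamp, ip, original_mac, new_mac) per conflicting reply."""
    claimed = {}   # ip -> MAC first seen claiming it
    alerts = []
    for ts, _port, mac, ip in arp_replies:
        if ip in claimed and claimed[ip] != mac:
            alerts.append((ts, ip, claimed[ip], mac))
        claimed.setdefault(ip, mac)
    return alerts


def detect_mac_flooding(frames, window=1.0, threshold=50):
    """Flag a switch port that sources more than `threshold` distinct MACs within
    `window` seconds. Real hosts do not change hardware address fifty times a
    second; a tool filling the switch's address table does. One alert per port,
    as (timestamp, port, distinct_macs_in_window)."""
    history = defaultdict(list)   # port -> [(timestamp, mac), ...] inside the window
    alerted, alerts = set(), []
    for ts, port, mac, _ip in frames:
        hist = history[port]
        hist.append((ts, mac))
        while hist and ts - hist[0][0] > window:   # slide the window forward
            hist.pop(0)
        distinct = len({m for _, m in hist})
        if distinct > threshold and port not in alerted:
            alerted.add(port)
            alerts.append((ts, port, distinct))
    return alerts


if __name__ == "__main__":
    for a in detect_arp_poisoning(ARP_REPLIES):
        print("ARP poisoning: %s was %s, now claimed by %s at t=%.1f" % (a[1], a[2], a[3], a[0]))
    for a in detect_mac_flooding(DATA_FRAMES):
        print("MAC flooding: port %d sourced %d MACs within one second at t=%.3f" % (a[1], a[2], a[0]))
```

The same two checks are what switch-side protections implement: port security caps the number of MAC addresses a port may learn, and dynamic ARP inspection drops ARP replies whose IP-to-MAC binding does not match what the switch already knows.
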
These programs can also be used over the Internet to capture data that travels between computers. Internet packets often have very long distances to travel, passing through several routers that act as intermediate post offices. A sniffer could be installed at any point along the way, and it could also be installed covertly on a server that acts as a gateway or that collects personal information.

A packet sniffer isn’t just a hacker’s tool. It can be used for network troubleshooting and other legitimate purposes. In the wrong hands, however, this software can acquire sensitive personal information, which can lead to invasion of privacy, identity theft and other serious problems.

The best defense against eavesdropping is encryption. When strong encryption is used, the contents of every packet are unreadable to anyone except the intended recipient. Other programs can still capture the packets, but the contents will be indecipherable. This illustrates why it is so important to use secure sites to send and receive personal information, such as your name, address, password and certainly any credit card information or other sensitive data. A website that uses encryption has an address that starts with https, and email can be made secure by encrypting it with an end-to-end encryption program, some of which come as plug-ins for major email clients. One caveat: encryption hides what you say, not that you are talking. An eavesdropper on an encrypted connection still sees the source and destination addresses, the size and timing of the packets, and usually the name of the site being contacted.
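
To make the difference concrete, the following Python script is an added example (not code from the original article) that inspects two constructed TCP payloads of the kind a sniffer lifts from a capture: a cleartext HTTP request carrying a password in an Authorization header, and a TLS application-data record whose 40 bytes of “ciphertext” are arbitrary filler standing in for real encrypted data. The hostnames and credentials are made up. The function reports what an eavesdropper learns from each: the HTTP request yields the site, the path and the decoded login; the TLS record yields only its record type and length.

```python
import base64
import re

# Constructed sample payloads, as a sniffer would extract them from the TCP stream.
# The host, path and credentials below are made up for illustration.
HTTP_LOGIN = (
    b"GET /account HTTP/1.1\r\n"
    b"Host: shop.example.com\r\n"
    b"Authorization: Basic " + base64.b64encode(b"ms.wise:hunter2") + b"\r\n"
    b"\r\n"
)

# A TLS application-data record: content type 23, version field 0x0303 (used by
# TLS 1.2 and, as the legacy version, TLS 1.3), 2-byte length, then ciphertext.
# The 40 "ciphertext" bytes here are arbitrary filler; the point is that an
# eavesdropper without the session key gets nothing more out of real ones.
TLS_RECORD = b"\x17\x03\x03\x00\x28" + bytes((i * 37 + 11) & 0xFF for i in range(40))

TLS_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}


def inspect_payload(payload):
    """Report what an eavesdropper learns from one captured TCP payload."""
    # TLS record header: 1 byte content type, 2 byte version (0x03, 0x00..0x03), 2 byte length.
    if (len(payload) >= 5 and payload[0] in TLS_TYPES
            and payload[1] == 0x03 and payload[2] in (0x00, 0x01, 0x02, 0x03)):
        return {
            "protocol": "tls",
            "record_type": TLS_TYPES[payload[0]],
            "ciphertext_bytes": int.from_bytes(payload[3:5], "big"),
            "credentials": None,      # nothing readable without the session key
        }
    # Cleartext HTTP: the request line and headers are plain ASCII on the wire.
    m = re.match(rb"(GET|POST|PUT|HEAD|DELETE) (\S+) HTTP/1\.[01]\r\n", payload)
    if m:
        headers = payload.split(b"\r\n\r\n", 1)[0]
        host = re.search(rb"\r\nHost: ([^\r\n]+)", headers)
        auth = re.search(rb"\r\nAuthorization: Basic ([A-Za-z0-9+/=]+)", headers)
        return {
            "protocol": "http",
            "host": host.group(1).decode() if host else None,
            "path": m.group(2).decode(),
            # HTTP Basic auth is only base64-encoded, so the sniffer recovers it directly.
            "credentials": base64.b64decode(auth.group(1)).decode() if auth else None,
        }
    return {"protocol": "unknown", "credentials": None}


if __name__ == "__main__":
    print("http payload ->", inspect_payload(HTTP_LOGIN))
    print("tls payload  ->", inspect_payload(TLS_RECORD))
```

The TLS branch recognizes the record only by its five-byte header; everything after it is opaque. That header, together with the IP addresses and the server name sent in the clear during the TLS handshake, is the metadata an eavesdropper still gets, and it is all they get.
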
