Wireshark Sniffer (formerly Ethereal)
Traffic analyzer, or sniffer (from English to sniff - sniff) - a program or device for intercepting and analyzing network traffic (yours and / or someone else's).
A sniffer can only analyze what passes through its network card. Inside one Ethernet segment, all packets are sent to all machines, because of this it is possible to intercept someone else's information. The use of switches (switch, switch-hub) and their competent configuration is already a protection against listening. Between segments, information is transmitted through switches. Packet switching is a form of transmission in which data divided into separate packets can be sent from a source point to a destination by different routes. So if someone in another segment sends any packets inside it, the switch will not send this data to your segment.
Traffic interception can be carried out:
- the usual “listening” of the network interface (the method is effective when hubs (hubs) are used instead of switches (switches) in the segment, otherwise the method is ineffective, since only separate frames fall on the sniffer);
- connecting a sniffer to a channel break;
- branching (software or hardware) traffic and sending it to the sniffer (Network tap);
- through the analysis of spurious electromagnetic radiation and the recovery of traffic thus listened to;
- via an attack on the link (2) (MAC-spoofing) or network (3) level (IP-spoofing), leading to redirecting the victim’s traffic or all the traffic of the segment to the sniffer and then returning traffic to the proper address.
The content of the article
Sniffers are programs that intercept all network traffic. Sniffers are useful for network diagnostics (for admins) and for intercepting passwords (understand for whom ). For example, if you got access to one network machine and installed a sniffer there, then soon all the passwords from their subnet will be yours. Sniffer put the network card in the listening mode (PROMISC). That is, they receive all the packets. In LAN, you can intercept all sent packets from all machines (if you are not separated by all hubs), since broadcasting is practiced there. Sniffer can intercept all packets (which is very inconvenient, the log file overflows terribly quickly, but for a more detailed analysis of the network it’s the most) or only the first bytes from ftp, telnet, pop3, etc. (this is the most fun, usually about the first 100 bytes contain the name and password ). Sniffer is now divorced ... There are a lot of sniffers under both Unix and Windows (even under DOS there are ). Sniffer can only support a specific axis (for example linux_sniffer.c, which supports Linux ), or several (for example, Sniffit, works with BSD, Linux, Solaris). Sniffer so bummed due to the fact that passwords are transmitted over the network in clear text. A lot of such services. These are telnet, ftp, pop3, www, etc. A lot of people use these services. . After the boom of sniffers, various encryption algorithms for these protocols began to appear. Appeared SSH (alternative to telnet that supports encryption), SSL (Secure Socket Layer is a Netscape development that can encrypt a www session). Appeared all sorts of Kerberous, VPN (Virtual Private Network). Some AntiSniffs, ifstats, etc. But this did not fundamentally change the situation. Services that use plain text password transmission are used in full. . Therefore, sniffing will be for a long time .
Windows sniffer implementation
CommView - www.tamos.com
Pretty advanced production sniffer TamoSoft. You can set your own rules for sniffing (for example, ignore ICMP, and TCP sniffing, as well as Internet protocols, there is support for Ethernet protocols, such as ARP, SNMP, NOVELL, etc.). For example, you can sniff only incoming packets, and ignore the rest. You can specify a log file for all packages with size limits in mega. It has two tools - Packet Generator and Vendor Indentifier NIC. You can see all the details of the sent / received packets (for example, in the TCP packet you can view the Source Port, Destination Port, Data length, Checksum, Sequence, Window, Ack, Flags, Urgent). The good news is that it automatically installs the CAPTURE driver. In general, the tool is very useful for sniffing, I recommend it to everyone.
SpyNet - packetstorm.securify.com
Quite a famous sniffer production Laurentiu Nicula 2000 . Common features are packet capture / decoding. Although the decoding is developed cool (for example, it is possible to recreate the pages that the user visited by the packages, for example!). In general, an amateur .
Analyzer - neworder.box.sk
Analyzer requires the installation of a special driver included in the package (packet.inf, packet.sys). You can see all the info about your network card. Analyzer also supports command line. It works great with local network. It has several utilities: ConvDump, GnuPlot, FlowsDet, Analisys Engine. Nothing outstanding.
IRIS - www.eeye.com
IRIS is a product of the well-known eEye company. Represents extensive filtering capabilities. I was very pleased with three chips:
Also available Packet Decoder. It supports the advanced logging system. And the available filtering capabilities surpass all review sniffers. This is a Hardware Filter, which can catch either all packages (Promiscious), or with various restrictions (for example, capture only multicast packets or broadcast packets, or only Mac frames). You can filter by specific MAC / IP addresses, by ports, by packets containing certain characters. In general, a good sniff. Requires 50comupd.dll.
WinDUMP Analog TCPdump for Unix. This sniffak works through the command line and presents minimal configuration options and still requires the WinPcap library. I do not really ...
Also requires WinPcap. Work only as a command line, and online. With complex options. I do not really.
The usual batch sniffer created by the famous CDC group (Cult of the Dead Cow). Its trick is that it can be used as a plugin for BO (Very useful ). Work from the command line.
There are many more sniffers, such as NatasX, NetXRay, CooperSniffer, LanExplorer, Net Analyzer, etc. Come on ...
All sniffers of this review can be found at packetstorm.securify.com .
This is a simple sniffer for intercepting usernames / passwords. Standard compilation (gcc -o linsniffer linsniffer.c).
Logs are written in tcp.log.
Linux_sniffer is required when you want to explore the network in detail. Standard compilation. Gives any shnyaga in addition, such as isn, ack, syn, echo_request (ping), etc.
Sniffit is an advanced model of a sniffer written by Brecht Claerhout. Install (libcap needed): #. / Configure
Now run the sniffer:
#. / sniffit
usage: ./sniffit [-xdabvnN] [-P proto] [-A char] [-p port] [(-r | -R) recordfile]
[-l sniflen] [-L logparam] [-F snifdevice] [-M plugin]
[-D tty] (-t <Target IP> | -s <Source IP>) | (-i | -I) | -c <config file>]
0 - Dummy Plugin
1 - DNS Plugin
As you can see, sniffit supports many options. You can use sniffak interactively. Sniffing is a pretty useful program, but I don’t use it. Why? Because Sniffit has a big defense problem. For Sniffit there is already a remout root and dos for Linux and Debian! Not every sniffer itself allows it .
This is my favorite sniffak. It is very easy to use, supports many cool chips and at the moment has no security problems. Plus, it is not particularly demanding of libraries (such as linsniffer and Linux_sniffer). It can intercept current connections in real time and under a clean dump from a remote terminal. In general, Hijack rulezzz . I recommend to everyone for enhanced use. . Install:
#hunt -i [interface]
READSMB sniffer cut from LophtCrack and ported to Unix (oddly enough ). Readsmb intercepts SMB packets.
tcpdump is a fairly well-known packet sniffer. Written by an even more famous brow - Van Jacobson, who invented VJ compression for PPP and wrote a traceroute program (and who knows what else?). Requires libpcap library.
#. / configure
Now run it:
tcpdump: listening on ppp0
All your connections are output to the terminal. Here is an example of ping output
02:03:08.918959 184.108.40.206.1039 > 220.127.116.11.domain: 60946+ A?
02:03:09.456780 18.104.22.168.domain > 22.214.171.124.1039: 60946* 1/3/3 (165)
02:03:09.459421 126.96.36.199 > 188.8.131.52: icmp: echo request
02:03:09.996780 184.108.40.206 > 220.127.116.11: icmp: echo reply
02:03:10.456864 18.104.22.168 > 22.214.171.124: icmp: echo request
02:03:10.906779 126.96.36.199 > 188.8.131.52: icmp: echo reply
02:03:11.456846 184.108.40.206 > 220.127.116.11: icmp: echo request
02:03:11.966786 18.104.22.168 > 22.214.171.124: icmp: echo reply
In general, a sniff is useful for debugging networks, finding faults, etc.
Dsniff requires libpcap, ibnet, libnids and OpenSSH. Records only the entered commands, which is very convenient. Here is an example of a connection log on unix-shells.com:
02/18/01 03:58:04 tcp my.ip.1501 -> handi4-145-253-158-170.arcor-ip.net.23
Here dsniff intercepted login with password (stalsen / asdqwe123). Install:
#. / configure
Protection against sniffers
The surest way to protect against sniffers is to use ENCRYPTION (SSH, Kerberous, VPN, S / Key, S / MIME, SHTTP, SSL, etc.). Well, if you don’t want to give up plain text of services and install additional packages ? Then it's time to use anti-sniffing packages ...
AntiSniff for Windows
This product is released by the famous group Lopht. It was the first product of its kind. AntiSniff, as stated in the description:
"AntiSniff is a Graphical User Interface (GUI) driven tool for detecting promiscuous network interface cards (NICs) on your local network segment." In general, it catches cards in promisc mode. It supports a huge number of tests (DNS test, ARP test, Ping Test , ICMP Time Delta Test, Echo Test, PingDrop test). You can scan both one machine and grid. There is log support here. AntiSniff works on win95 / 98 / NT / 2000, although the recommended NT platform. But its reign was short and soon a sniffer called AntiAntiSniffer appeared written by Mike Perry (you can find it at www.void.ru/news/9908/snoof.txt ). It is based on LinSniffer (discussed below).
Unix sniffer detect:
Sniffer can be detected with the command:
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:3924 Metric:1
RX packets:2373 errors:0 dropped:0 overruns:0 frame:0
TX packets:2373 errors:0 dropped:0 overruns:0 carrier:0
ppp0 Link encap:Point-to-Point Protocol
inet addr:195.170.yx PtP:195.170.yx Mask:255.255.255.255
UP POINTOPOINT PROMISC RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:3281 errors:74 dropped:0 overruns:0 frame:74
TX packets:3398 errors:0 dropped:0 overruns:0 carrier:0
As you can see, the ppp0 interface is in PROMISC mode. Either the operator has downloaded the sniff to check the network, or you already have ... But remember that ifconfig can be easily changed, so use tripwire to detect changes and all sorts of programs to check for sniffs.
AntiSniff for Unix.
Works on BSD, Solaris and Linux. Supports ping / icmp time test, arp test, echo test, dns test, etherping test, in general, AntiSniff analog for Win, only for Unix . Install:
Also a useful program for catching sniffer. Supports many tests. Easy to use. Install: #make
#. / sentinel
./sentinel [method] [-t <target ip>] [options]
[-a ARP test]
[-d DNS test]
[-i ICMP Ping Latency test]
[-e ICMP Etherping test]
[-f <non-existant host>]
[-v Show version and exit]
[-n <number of packets / seconds>]
The options are so simple that no comments.
Here are some more utilities for checking your network (for Unix):
packetstorm.securify.com/UNIX/IDS/scanpromisc.c - PROMISC mode ethernet detector for ethernet cards (for red hat 5.x).
http://packetstorm.securify.com/UNIX/IDS/neped.c - Network Promiscuous Ethernet Detector (need libcap & Glibc).
http://packetstorm.securify.com/Exploit_Code_Archive/promisc.c — scans system devices for sniff detection.
http://packetstorm.securify.com/UNIX/IDS/ifstatus2.2.tar.gz - ifstatus tests network interfaces in PROMISC mode.