Copyright 1998-2000 by Robert Graham (sniffing-faq@robertgraham.com. All rights reserved. This document may be only be reproduced (whole or in part) for non-commercial purposes. All reproductions must contain this copyright notice and must not be altered, except by permission of the author.

Official source of this document:
http://www.robertgraham.com/pubs/sniffing-faq.html (HTML)

Trevor Schroeder from http://www.zweknu.org
Lachlan M. D. Cranswick <l.cranswick at dl dot ac dot uk>

However, computer conversations consist of apparently random binary data. Therefore, network wiretap programs also come with a feature known as "protocol analysis", which allow them to "decode" the computer traffic and make sense of it.

Sniffing also has one advantage over telephone wiretaps: many networks use "shared media". This means that you don't need to break into a wiring closet to install your wiretap, you can do it from almost any network connection to eavesdrop on your neighbors. This is called a "promiscuous mode" sniffer. However, this "shared" technology is moving quickly toward "switched" technology where this will no longer be possible, which means you will have to actually tap into the wire.

1.1.1 Is "packet sniffer" trademarked?

The word "sniffer" is a registered trademark by Network Associates referring to the "Sniffer(r) Network Analyzer". However, the term "snif" is used in many other products (some of which are listed in this document) and the term "sniffer" is more popular in everyday usage than alternatives like "protocol analyzer" or "network analyzer" (as far as my search on AltaVista reveals). I'm not sure what this means in trademark law, where brandnames like "aspirin", "escalator", and "cellophane" lose their distinctiveness over time.

Typical uses of such wiretap programs include:

• Automatic sifting of clear-text passwords and usernames from the network. Used hackers/crackers in order to break into systems.
• Conversion of data to human readable format so that people can read the traffic
• Fault analysis to discover problems in the network, such as why computer A can't talk to computer B
• Performance analysis to discover network bottlenecks
• Network intrusion detection in order to discover hackers/crackers (see http://www.robertgraham.com/pubs/network-intrusion-detection.html
• Network traffic logging, to create logs that hackers can't break into and erase.

Think of it this: you have two machines in your own office talking to each other, and both are on the Internet. They take a direct route of communication, and the traffic never goes across the outside public portion of the Internet. Any communication anywhere in the net follows a similar "least-cost-path" principle.

1.4.1 How does it eavesdrop on network traffic?

Ethernet was built around a "shared" principle: all machines on a local network share the same wire.

This implies that all machines are able to "see" all the traffic on the same wire.

Thus, Ethernet hardware is built with a "filter" that ignores all traffic that doesn't belong to it. It does this by ignoring all frames whose MAC address doesn't match.

A wiretap program turns off this filter, puttin the Ethernet hardware into "promiscuous mode". Thus, Mark can see all the traffic between Alice and Bob, as long as they are on the same Ethernet wire.

1.4.2 What are the components of a packet sniffer?

The hardware

Most products work from standard network adapters, though some require special hardware. If you use special hardware, you can analyze hardware faults like CRC errors, voltage problems, cable programs, "dribbles", "jitter", negotiation errors, and so forth.

Capture driver

This is the most important part. It captures the network traffic from the wire, filters it for the particular traffic you want, then stores the data in a buffer.

Buffer

Once they frames are captured from the network, they are stored in a buffer. There are a couple captures modes: capture until the buffer fills up, or use the buffer as a "round robin" where the newest data replaces the oldest data. Some products (like the BlackICE Sentry IDS from Network ICE can maintain a full round-robin capture buffer on disk at full 100-mbps speeds. This allows have hundreds of gigabytes of buffer rather than the meager 1-gigabyte you're likely to have in a memory-based buffer.

Real-time analysis

Pioneered by the Network General Sniffer, this feature does some minor bit of analysis of the frames as they come off the wire. This is able to find network performance issues and faults while capturing. Many vendors have started to add minimal capabilities along this line to their products. Network intrusion detection systems do this, but they sift the traffic for signs of hacker activity rather than fault/performance issues.

Decode

As discussed in section 5, this displays the contents of network traffic with descriptive text so that an analysist can figure out what is going on.

Packet editing/transmission

Some products contain features that allow you to edit your own network packets and transmit them onto the network.

This is accomplished by putting a unique 12-digit hex number in every piece of Ethernet hardware. Section 1.5.4 explains how to discover the Ethernet MAC address of your own machine.

To really understand why this is so important, you might want to review the information in section 5.4 below. Ethernet was designed to carry other traffic than just TCP/IP, and TCP/IP was designed to run over other wires (such as dial-up lines, which use no Ethernet). For example, many home users install "NetBEUI" for File and Print Sharing because it is unrelated to TCP/IP, and therefore hackers from across the Internet can't get at their hard-drives.

Raw transmission and reception on Ethernet is governed by the Ethernet equipment. You just can't send data raw over the wire, you must first do something to it that Ethernet understands. In much the same way, you can't stick a letter in a mailbox, you must first wrap it in an envelope with an address and stamp.

Following a is a brief explanation how this works:

                    _________      
                   /.........\     
                  /..Internet.\    
+-----+     +------+.........+---+ 
|Alice|-----|ROUTER|.........|Bob| 
+-----+  ^  +------+.........+---+ 
         |        \.........../    
         |         \---------/     
      +-------+                    
      |wiretap|                    
      +-------+                    

Alice has IP address: 10.0.0.23
Bob has IP address: 192.168.100.54

In order to talk to Bob, Alice needs to create an IP packet of the form 10.0.0.23-->192.168.100.54

As the packet traverses the Internet, it will be passed from router-to-router. Therefore, Alice must first hand off the packet to the first router. Each router along the way will examine the destination IP address (192.168.100.54) and decide the correct path it should take.

In the able diagram, we draw the Internet as a "cloud". All Alice knows about is the local connection to the first router, and Bob's eventual IP address. Alice knows nothing about the structure of the Internet and the route that packet will take.

Alice must talk to the router in order to send the packet. She uses the Ethernet to do so. An Ethernet frame looks like the following:

+--+--+--+--+--+--+
| destination MAC |
+--+--+--+--+--+--+
| source MAC      |
+--+--+--+--+--+--+
|08 00|            
+--+--+-----------+
|                 |
.     IP          .
.    packet       .
.                 .
|                 |
+--+--+--+--+-----+
| CRC       |
+--+--+--+--+

What this means is that the TCP/IP stack in Alice's machine might create a packet that is 100 bytes long (let's say 20 bytes for the IP info, 20 bytes for the TCP info, and 60 bytes of data). The TCP/IP stack then sends it to the Ethernet module, which puts 14 bytes on the front for the destination MAC address, source MAC address, and the ethertype 0x0800 to indicate that the other end's TCP/IP stack should process the frame. It also attaches 4-bytes on the end with a checksum/CRC (a validator to see if the frame gets corrupted as it goes across the wire).

The adapter then sends the bits out onto the wire.

All hardware adapters on the wire see the frame, including the ROUTER's adapter, the packet sniffer, and any other machines. Proper adapters, however, have a hardware chip that compares the frame's "destination MAC" with its own MAC address. If they don't match, then it discards the frame. This is done at the hardware level, so the machine the adapter is attached to is completely unaware of this process.

When the ROUTER ethernet adapeter sees this frame, it reads it off the wire and removes the leading 14-bytes and the trailing 4-bytes. It looks at the 0x0800 ethertype and decides to send it to the TCP/IP stack for processing (which will presumably forward it to the next router in the chain toward the destination).

In the above scenario, only the ROUTER machine is supposed to see the Ethernet frame, and all other machines are supposed to ignore it. The wiretap, however, breaks the rules and copies the frame off the network, too.

See Charles Spurgeon's Ethernet website at: http://wwwhost.ots.utexas.edu/ethernet/ethernet-home.html

1.5.2 What does "MAC" stand for?

Media Access Control.

The logic behind this is that the Ethernet has multiple sublayers, PHY, MAC, LLC. The Ethernet address is considered part of the MAC sublayer.

1.5.3 What is the format of the MAC address?

The Ethernet MAC address is a 48 bit number. This number is broken down into two halves, the first 24-bits identify the vendor of the Ethernet board, the second 24-bits is a serial number assigned by the vendor. This guarantees that no two Ethernet cards have the same MAC address (unless the vendor fouls up). Duplicate address would cause problems, so uniquess is very important. This 24-bit number is called the OUI ("Organizationally Unique Identifier").

However, the OUI is really only 22-bits long, two of the bits in that field are used for other purposes. One bit indicates if the address is a "broadcast/multicast" address, the other bit indicates if the adapter has been reassigned a "locally administered address" (where a network administrator reassigns the MAC address to fit some local policy).

For example, you will commonly see the MAC address 03 00 00 00 00 01 on the wire. The first byte contains the binary representation of 00000011 where both these special bits are set (and the rest are zero). This is a special multicast packet that is sent to all machines that run the "NetBEUI" protocol (which is commonly installed on Windows machines to share files locally without using TCP/IP as the transport).

The IEEE maintains the list of vendor/OUI codes at http://standards.ieee.org/regauth/oui/.

1.5.4 What is my Ethernet address?

Win9x

Run the program "winipcfg.exe". It will tell you.

WinNT

Run the program "ipconfig /all" from the command-line. It will show the MAC address for your adapters. Sample results are:

Windows NT IP Configuration

        Host Name . . . . . . . . . : sample.robertgraham.com
        DNS Servers . . . . . . . . : 192.0.2.254
        Node Type . . . . . . . . . : Hybrid
        NetBIOS Scope ID. . . . . . :
        IP Routing Enabled. . . . . : No
        WINS Proxy Enabled. . . . . : No
        NetBIOS Resolution Uses DNS : No

Ethernet adapter SC12001:

        Description . . . . . . . . : DEC DC21140 PCI Fast Ethernet Adapter
        Physical Address. . . . . . : 00-40-05-A5-4F-9D
        DHCP Enabled. . . . . . . . : No
        IP Address. . . . . . . . . : 192.0.2.160
        Subnet Mask . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . : 192.0.2.1
        Primary WINS Server . . . . : 192.0.2.253

Linux

Run the program "ifconfig". Sample results are:

eth0      Link encap:Ethernet  HWaddr 08:00:17:0A:36:3E
          inet addr:192.0.2.161  Bcast:192.0.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1137249 errors:0 dropped:0 overruns:0
          TX packets:994976 errors:0 dropped:0 overruns:0
          Interrupt:5 Base address:0x300    

Solaris

Use the "arp" or "netstat -p" command, it will often list the local interface among the ARP entries.

1.5.5 What are the Ethernet addresses of machines I'm talking to?

For WinNT and UNIX, use the command "arp -a".

• Alice and Bob are in New York and Texas and are talking.
• You are located in California, nowhere near them.
• You want to eavesdrop on their communication.

The answer is of course "no", it isn't even remotely possible. You have to have access to the wire that the communication is going across in order to eavesdrop. Same as with telephones, same as everywhere.

Remote access to the wire

However, if you are a really, really good cracker/hacker, there are ways of getting access to those lines. Typical examples are:

• Break into Alice or Bob's computer and install sniffing software that you remotely control.
• Break into the intervening ISPs, and install sniffing software.
• Find a box at the ISPs that supports sniffing, like an RMON probe or DSS (Distributed Sniffer System).
• Bribe somebody at one of those ISPs; break into the physical plant and install a packet sniffer, etc.
• ....

Close to the wire

In some situations, like cable-modems, DSL, Ethernet VLANs, etc., you can redirect traffic between two people to go through your own machine. This is because while you are not directly in the path of communication, you can sometimes move that path to flow past your own computer. It's much like the concept that you can divert a stream slightly, though not very far. See the "Redirect section under Cable-Modems.