Sniffing (network wiretap, sniffer) FAQ
This document answers questions about eavesdropping on computer networks (a.k.a.
"sniffing").
0. Information about this FAQ
Version 0.3.2, April 15, 2000
Copyright 1998-2000 by Robert Graham (sniffing-faq@robertgraham.com).
All rights reserved. This document may only be reproduced (whole or in part) for
non-commercial purposes. All reproductions must contain this copyright notice and must not
be altered, except by permission of the author.
Official source of this document:
http://www.robertgraham.com/pubs/sniffing-faq.html
(HTML)
Thanks to the following people for helpful info and comments (note: to avoid automated
spam address collection systems, I've munged their e-mail addresses in an obvious way). Trevor
Schroeder from http://www.zweknu.org
Lachlan M. D. Cranswick <l.cranswick at dl dot ac dot uk>
0.9 Who is Robert Graham?
Among other things, between 1994-1998 I worked at Network General Corporation on
the Sniffer(r) Network Analyzer. I either wrote/rewrote/ported over 300 protocol decodes
for the Sniffer. Now I'm working on an intrusion detection system that similarly does
protocol analysis. Also, I helped develop the "Certified Network Expert" exam,
which was put together by a consortium of protocol analyzer/network analyzer vendors. In
the early 1990s, I helped develop the RMON standard(s) and the
first RMON systems.
1. The basics
1.1 What is a "packet sniffer"?
A packet sniffer is a wire-tap device that plugs into computer networks and
eavesdrops on the network traffic. Just as a telephone wiretap allows the FBI to listen in on
other people's conversations, a "sniffing" program lets someone listen in on
computer conversations. However, computer conversations consist of apparently random
binary data. Therefore, network wiretap programs also come with a feature known as
"protocol analysis", which allows them to "decode" the computer traffic
and make sense of it.
Sniffing also has one advantage over telephone wiretaps: many networks use "shared
media". This means that you don't need to break into a wiring closet to install your
wiretap, you can do it from almost any network connection to eavesdrop on your neighbors.
This is called a "promiscuous mode" sniffer. However, this "shared"
technology is moving quickly toward "switched" technology where this will no
longer be possible, which means you will have to actually tap into the wire.
1.1.1 Is "packet sniffer" trademarked?
- The word "sniffer" is a registered trademark by Network Associates
referring to the "Sniffer(r) Network Analyzer". However, the term
"snif" is used in many other products (some of which are listed in this
document) and the term "sniffer" is more popular in everyday usage than
alternatives like "protocol analyzer" or "network analyzer" (as far as
my search on AltaVista reveals). I'm not sure what this means in trademark law, where
brand names like "aspirin", "escalator", and "cellophane"
lose their distinctiveness over time.
1.2 What is it used for?
Sniffing programs have been around for a long time in two forms. Commercial packet
sniffers are used to help maintain networks. Underground packet sniffers are used to break
into computers. Typical uses of such wiretap programs include:
- Automatic sifting of clear-text passwords and usernames from the network. Used by
hackers/crackers in order to break into systems.
- Conversion of data to human-readable format so that people can read the traffic.
- Fault analysis to discover problems in the network, such as why computer A can't talk to
computer B.
- Performance analysis to discover network bottlenecks.
- Network intrusion detection in order to discover hackers/crackers (see
http://www.robertgraham.com/pubs/network-intrusion-detection.html).
- Network traffic logging, to create logs that hackers can't break into and erase.
1.3 Is there a single point on the Internet I can plug into in order to see all the traffic?
No. The connectivity of the Internet looks much like a fisherman's net. Traffic flows
through a mesh, and no single point will see it all. The Internet was built to withstand a
nuclear attack -- and to survive any "single point of failure". This likewise
prevents any single point of sniffing. Think of it this way: you have two machines in your
own office talking to each other, and both are on the Internet. They take a direct route
of communication, and the traffic never goes across the outside public portion of the
Internet. Any communication anywhere in the net follows a similar
"least-cost-path" principle.
1.4 How does sniffing/wiretap work?
1.4.1 How does it eavesdrop on network traffic?
- Ethernet was built around a "shared" principle: all machines on a local
network share the same wire. This implies that all machines are able to "see"
all the traffic on the same wire.
Thus, Ethernet hardware is built with a "filter" that ignores all traffic
that doesn't belong to it. It does this by ignoring all frames whose destination MAC
address doesn't match its own.
A wiretap program turns off this filter, putting the Ethernet hardware into
"promiscuous mode". Thus, Mark can see all the traffic between Alice and Bob, as
long as they are on the same Ethernet wire.
1.4.2 What are the components of a packet sniffer?
- The hardware
  Most products work from standard network adapters, though some require special hardware.
  If you use special hardware, you can analyze hardware faults like CRC errors, voltage
  problems, cable problems, "dribbles", "jitter", negotiation errors,
  and so forth.
- Capture driver
  This is the most important part. It captures the network traffic from the wire, filters
  it for the particular traffic you want, then stores the data in a buffer.
- Buffer
  Once the frames are captured from the network, they are stored in a buffer. There are a
  couple of capture modes: capture until the buffer fills up, or use the buffer as a
  "round robin" where the newest data replaces the oldest data. Some products
  (like the BlackICE Sentry IDS from Network ICE)
  can maintain a full round-robin capture buffer on disk at full 100-Mbps speeds. This
  allows hundreds of gigabytes of buffer rather than the meager 1 gigabyte you're
  likely to have in a memory-based buffer.
- Real-time analysis
  Pioneered by the Network General Sniffer, this feature does some minor bit of analysis
  of the frames as they come off the wire. This is able to find network performance issues
  and faults while capturing. Many vendors have started to add minimal capabilities along
  this line to their products. Network intrusion
  detection systems do this, but they sift the traffic for signs of hacker activity
  rather than fault/performance issues.
- Decode
  As discussed in section 5,
  this displays the contents of network traffic with descriptive text so that an analyst
  can figure out what is going on.
- Packet editing/transmission
  Some products contain features that allow you to edit your own network packets and
  transmit them onto the network.
1.5 What is an Ethernet MAC address?
Since many machines may share a single Ethernet wire, each must have an individual
identifier. This doesn't happen with dial-up modems, because it is assumed that any data
you send to the modem is destined for the other side of the phone line. But when you
send data out onto an Ethernet wire, you have to be clear which machine you intend to send
the data to. Sure, in many cases today there are only two machines talking to each other,
but you have to remember that Ethernet was designed for thousands of machines to share the
same wire. This is accomplished by putting a unique 12-digit hex number in every piece
of Ethernet hardware. Section 1.5.4 explains how to
discover the Ethernet MAC address of your own machine.
To really understand why this is so important, you might want to review the information
in section 5.4
below. Ethernet was designed to carry other traffic than just TCP/IP, and TCP/IP was
designed to run over other wires (such as dial-up lines, which use no Ethernet). For
example, many home users install "NetBEUI" for File and Print Sharing because it
is unrelated to TCP/IP, and therefore hackers from across the Internet can't get at their
hard-drives.
Raw transmission and reception on Ethernet is governed by the Ethernet equipment. You
just can't send data raw over the wire, you must first do something to it that Ethernet
understands. In much the same way, you can't stick a letter in a mailbox, you must first
wrap it in an envelope with an address and stamp.
Following is a brief explanation of how this works:

                         _________
                        /.........\
                       /..Internet.\
+-----+     +------+.........+---+
|Alice|-----|ROUTER|.........|Bob|
+-----+  ^  +------+.........+---+
         |          \.........../
         |           \---------/
     +-------+
     |wiretap|
     +-------+
Alice has IP address: 10.0.0.23
Bob has IP address: 192.168.100.54
In order to talk to Bob, Alice needs to create an IP packet of the form
10.0.0.23-->192.168.100.54
As the packet traverses the Internet, it will be passed from router-to-router.
Therefore, Alice must first hand off the packet to the first router. Each router along the
way will examine the destination IP address (192.168.100.54) and decide the correct path
it should take.
In the above diagram, we draw the Internet as a "cloud". All Alice knows about
is the local connection to the first router, and Bob's eventual IP address. Alice knows
nothing about the structure of the Internet and the route that packet will take.
Alice must talk to the router in order to send the packet. She uses the Ethernet to do
so. An Ethernet frame looks like the following:
+--+--+--+--+--+--+
| destination MAC |
+--+--+--+--+--+--+
|   source MAC    |
+--+--+--+--+--+--+
|08 00|
+--+--+-----------+
|                 |
.       IP        .
.     packet      .
.                 .
|                 |
+--+--+--+--+-----+
|    CRC    |
+--+--+--+--+
What this means is that the TCP/IP stack in Alice's machine might create a packet that
is 100 bytes long (let's say 20 bytes for the IP info, 20 bytes for the TCP info, and 60
bytes of data). The TCP/IP stack then sends it to the Ethernet module, which puts 14 bytes
on the front for the destination MAC address, source MAC address, and the ethertype 0x0800
to indicate that the other end's TCP/IP stack should process the frame. It also attaches
4 bytes on the end with a checksum/CRC (a validator to see if the frame gets corrupted as
it goes across the wire).
The adapter then sends the bits out onto the wire.
All hardware adapters on the wire see the frame, including the ROUTER's adapter, the
packet sniffer, and any other machines. Proper adapters, however, have a hardware chip
that compares the frame's "destination MAC" with its own MAC address. If they
don't match, then it discards the frame. This is done at the hardware level, so the
machine the adapter is attached to is completely unaware of this process.
When the ROUTER's Ethernet adapter sees this frame, it reads it off the wire and removes
the leading 14 bytes and the trailing 4 bytes. It looks at the 0x0800 ethertype and
decides to send it to the TCP/IP stack for processing (which will presumably forward it to
the next router in the chain toward the destination).
In the above scenario, only the ROUTER machine is supposed to see the Ethernet frame,
and all other machines are supposed to ignore it. The wiretap, however, breaks the rules
and copies the frame off the network, too.
See Charles Spurgeon's Ethernet website at: http://wwwhost.ots.utexas.edu/ethernet/ethernet-home.html
1.5.2 What does "MAC" stand for?
- Media Access Control.
The logic behind this is that the Ethernet has multiple
sublayers, PHY, MAC, LLC. The Ethernet address is considered part of the MAC sublayer.
1.5.3 What is the format of the MAC address?
- The Ethernet MAC address is a 48-bit number. This number is broken down into two halves:
the first 24 bits identify the vendor of the Ethernet board, the second 24 bits are a
serial number assigned by the vendor. This guarantees that no two Ethernet cards have the
same MAC address (unless the vendor fouls up). Duplicate addresses would cause problems, so
uniqueness is very important. The first 24-bit number is called the OUI ("Organizationally
Unique Identifier").
However, the OUI is really only 22-bits long, two of the bits
in that field are used for other purposes. One bit indicates if the address is a
"broadcast/multicast" address, the other bit indicates if the adapter has been
reassigned a "locally administered address" (where a network administrator
reassigns the MAC address to fit some local policy).
For example, you will commonly see the MAC address 03 00 00 00 00 01 on
the wire. The first byte contains the binary representation of 00000011 where
both these special bits are set (and the rest are zero). This is a special multicast
packet that is sent to all machines that run the "NetBEUI" protocol (which is
commonly installed on Windows machines to share files locally without using TCP/IP as the
transport).
The IEEE maintains the list of vendor/OUI codes at http://standards.ieee.org/regauth/oui/.
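The framing described in 1.5 and the two special address bits described in 1.5.3, worked through in an added Python example (this is not code from the original FAQ): it builds and parses a frame with the 14-byte header and 4-byte CRC, decodes the first-byte bits and OUI of a MAC address, and models the adapter's hardware filter with and without promiscuous mode. The sample addresses and payload are constructed for illustration; the CRC check assumes the 802.3 FCS polynomial, which is the one zlib's crc32 implements.

```python
import struct
import zlib

HEADER_LEN = 14        # destination MAC (6) + source MAC (6) + ethertype (2)
ETHERTYPE_IP = 0x0800  # "08 00": the payload is an IP packet

def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Wrap a payload the way the Ethernet module does: 14-byte header in front,
    4-byte CRC-32 at the end (assumption: the 802.3 FCS uses the same polynomial
    as zlib.crc32 and is sent least-significant byte first, hence "<I")."""
    body = struct.pack("!6s6sH", dst, src, ethertype) + payload
    return body + struct.pack("<I", zlib.crc32(body))

def parse_frame(frame: bytes) -> dict:
    """What a receiving adapter does: check the CRC, then strip the leading
    14 bytes and trailing 4 bytes and hand the payload up by ethertype."""
    if len(frame) < HEADER_LEN + 4:
        raise ValueError("frame too short to hold a header and a CRC")
    body, fcs = frame[:-4], frame[-4:]
    if struct.pack("<I", zlib.crc32(body)) != fcs:
        raise ValueError("CRC mismatch: frame was corrupted on the wire")
    dst, src, ethertype = struct.unpack("!6s6sH", body[:HEADER_LEN])
    return {"dst": dst, "src": src, "ethertype": ethertype, "payload": body[HEADER_LEN:]}

def describe_mac(mac: bytes) -> dict:
    """Decode the two special bits in the first byte and the 24-bit OUI."""
    return {
        "text": "-".join(f"{b:02X}" for b in mac),
        "group": bool(mac[0] & 0x01),  # bit 0: broadcast/multicast address
        "local": bool(mac[0] & 0x02),  # bit 1: locally administered address
        "oui": mac[:3].hex().upper(),
    }

def adapter_accepts(frame: bytes, own_mac: bytes, promiscuous: bool = False) -> bool:
    """Model of the hardware filter: a normal adapter keeps only frames sent to
    its own MAC or to a group address; in promiscuous mode it keeps everything."""
    dst = parse_frame(frame)["dst"]
    return promiscuous or dst == own_mac or describe_mac(dst)["group"]

# Constructed sample, not captured traffic: Alice (MAC from the Linux sample in
# 1.5.4) sends a 60-byte dummy IP packet to the ROUTER (MAC from the WinNT sample
# in 1.5.4). MARK_MAC is a made-up address for the wiretap machine.
ALICE_MAC = bytes.fromhex("0800170A363E")
ROUTER_MAC = bytes.fromhex("004005A54F9D")
MARK_MAC = bytes.fromhex("0A0000000001")
FRAME = build_frame(ROUTER_MAC, ALICE_MAC, ETHERTYPE_IP, b"\x45" + b"\x00" * 59)
```

Calling adapter_accepts(FRAME, MARK_MAC) returns False (the hardware filter drops it), while adapter_accepts(FRAME, MARK_MAC, promiscuous=True) returns True, which is exactly the difference between a normal adapter and a wiretap on the same wire.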
1.5.4 What is my Ethernet address?
- Win9x
- Run the program "winipcfg.exe". It will tell you.
- WinNT
- Run the program "ipconfig /all" from the command-line. It will show the MAC
address for your adapters. Sample results are:
Windows NT IP Configuration
Host Name . . . . . . . . . : sample.robertgraham.com
DNS Servers . . . . . . . . : 192.0.2.254
Node Type . . . . . . . . . : Hybrid
NetBIOS Scope ID. . . . . . :
IP Routing Enabled. . . . . : No
WINS Proxy Enabled. . . . . : No
NetBIOS Resolution Uses DNS : No
Ethernet adapter SC12001:
Description . . . . . . . . : DEC DC21140 PCI Fast Ethernet Adapter
Physical Address. . . . . . : 00-40-05-A5-4F-9D
DHCP Enabled. . . . . . . . : No
IP Address. . . . . . . . . : 192.0.2.160
Subnet Mask . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . : 192.0.2.1
Primary WINS Server . . . . : 192.0.2.253
- Linux
- Run the program "ifconfig". Sample results are:
eth0 Link encap:Ethernet HWaddr 08:00:17:0A:36:3E
inet addr:192.0.2.161 Bcast:192.0.2.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1137249 errors:0 dropped:0 overruns:0
TX packets:994976 errors:0 dropped:0 overruns:0
Interrupt:5 Base address:0x300
- Solaris
- Use the "arp" or "netstat -p" command; it will often list the local
interface among the ARP entries.
1.5.5 What are the Ethernet addresses of machines I'm talking to?
- For WinNT and UNIX, use the command "arp -a".
1.6 Can I sniff a connection between two people without having access to their wire?
In other words, you are asking about this scenario:
- Alice and Bob are in New York and Texas and are talking.
- You are located in California, nowhere near them.
- You want to eavesdrop on their communication.
The answer is of course "no", it isn't even remotely possible. You have to
have access to the wire that the communication is going across in order to eavesdrop. Same
as with telephones, same as everywhere.
Remote access to the wire
However, if you are a really, really good cracker/hacker, there are ways of getting
access to those lines. Typical examples are:
- Break into Alice or Bob's computer and install sniffing software that you remotely
control.
- Break into the intervening ISPs, and install sniffing software.
- Find a box at the ISPs that supports sniffing, like an RMON probe or DSS (Distributed
Sniffer System).
- Bribe somebody at one of those ISPs; break into the physical plant and install a packet
sniffer, etc.
- ....
Close to the wire
In some situations, like cable-modems, DSL, Ethernet VLANs, etc., you can redirect
traffic between two people to go through your own machine. This is because while you are
not directly in the path of communication, you can sometimes move that path to flow past
your own computer. It's much like the concept that you can divert a stream slightly,
though not very far. See the "Redirect" section under Cable-Modems.