-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-

         -= Intro to Packet Sniffers: What They Are and Why to use Them =-

                                -= By Grifter =-
                        -= grifter@staticdischarge.com =-
                           
                           -= http://www.2600slc.org =-
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


* What is Packet Sniffing?

The best way I can think of to describe packet sniffing is that it is basically a computer 
wire tap.  When someone is sniffing a network, they are reading the packets that are 
traveling across that network.  Everything you do online sends packets of information over 
phone lines or cables and through or past other machines on its way to its destination.  
The computers between you and the destination can read the information that you send as 
it passes by; packet sniffers make this possible.

Each packet contains a block of data ranging in size from 512 bytes to 4k, and a header 
block that will contain the information about the packet like its destination and origin 
addresses. The data part of the packet contains the information being sent on the network, 
like e-mail, web pages, logins and passwords, e-commerce information including credit card 
numbers, and all kinds of other goodies.

Under normal circumstances a network card will check each packet to see if it's addressed 
to it, and if it's not it will ignore the packet and let it pass on to the next machine. In 
the case of internet routing, the machines will check the packet's final destination and 
choose where to pass the packet on to next.  However, ethernet cards typically have a 
"promiscuous mode" option, which turns off that filter and makes the card look at every 
packet as it goes by.  Setting your NIC to promiscuous mode is what packet sniffing 
programs take advantage of to do their dirty work. 
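Since promiscuous mode is a flag the operating system keeps per interface, the flip side of the paragraph above is that an administrator can look for it. The following is an added example, not code from the article: a Linux-only check that reads the IFF_PROMISC bit from sysfs (/sys/class/net/<if>/flags) and lists interfaces that currently have it set. The SAMPLE_FLAGS snapshot is constructed for the demo and is only used when no sysfs tree is available.

```python
import glob
import os

IFF_PROMISC = 0x100   # Linux IFF_PROMISC bit: set while a NIC is in promiscuous mode

def is_promiscuous(flags_text: str) -> bool:
    """flags_text is the hex value the kernel exposes in /sys/class/net/<if>/flags, e.g. '0x1103'."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)

def read_interface_flags(sysfs_root="/sys/class/net") -> dict:
    """Map interface name -> flags string as read from sysfs (Linux only; empty elsewhere)."""
    flags = {}
    for path in glob.glob(os.path.join(sysfs_root, "*", "flags")):
        with open(path) as fh:
            flags[os.path.basename(os.path.dirname(path))] = fh.read()
    return flags

def promiscuous_interfaces(interface_flags: dict) -> list:
    """Names of the interfaces whose flags carry the promiscuous bit, sorted for stable output."""
    return sorted(name for name, text in interface_flags.items() if is_promiscuous(text))

# Constructed snapshot (not read from a real host): lo = UP|LOOPBACK, eth1 = UP|BROADCAST|
# MULTICAST, and eth0 = the same as eth1 plus IFF_PROMISC, i.e. something is sniffing on it.
SAMPLE_FLAGS = {"lo": "0x9\n", "eth0": "0x1103\n", "eth1": "0x1003\n"}

if __name__ == "__main__":
    live = read_interface_flags()
    for name in promiscuous_interfaces(live or SAMPLE_FLAGS):
        print("%s is in promiscuous mode" % name)
```

A NIC in promiscuous mode is not proof of a sniffer (bridges and some virtualisation setups use it too), but it is a cheap first check worth putting in a host audit.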

Firewalls can't prevent packet sniffing, and virtual private networks and encryption can't 
do anything either, except maybe make the attacker's job a little more difficult.  Keep in 
mind that many passwords are sent over the net unencrypted, and in some cases even when 
they are encrypted this won't foil a packet sniffer intent on breaking into a system. An 
intruder looking for a login sequence who sniffs an encrypted password has no need to 
decrypt the password for their own use; they can just relay the encrypted version to gain 
unauthorized access. 



* What should you use?

There are a ridiculous number of packet sniffers out there, and it will basically be up to 
you to decide which one you want to use and what works best for you.  Personally I like 
"Etherpeek" by WildPackets.  It's offered in versions for Windows and Macs, and has good 
features like web monitoring and analysis.  The only problem is that it's going to cost 
you, but you can always try out the trial version.  If you're looking for something free, 
or something you might already have, try these:

tcpdump

tcpdump is a free network packet analysis tool.  The advantage that tcpdump has is that 
it is entirely command line based, so it runs nicely in a remote telnet session. When 
compiled, the binary is self-contained, so it can be easily sent to a remote machine and 
executed; you won't need to install special device drivers or other software.  The fact 
that it's free doesn't hurt either: say you capture a packet trace and then send it over 
to a friend running a different platform.  Once your friend compiles tcpdump for his 
machine, he can read your trace.

netmon

Microsoft includes a packet-tracing tool with the Windows NT Server CD-ROM and with the 
System Management Software (SMS) CD-ROM called Network Monitor (a.k.a. netmon). It's made 
up of two parts: an agent, and the actual tool. Both have to be installed in order for it 
to work.  The thing about netmon, though, is that it can't be used from a telnet window.  
The Network Monitor agent and tools can also be installed on a Windows NT 4.0 Workstation.  
There are two distinct versions of netmon, neither of which is freely available like 
tcpdump.  The version included with the Windows NT 4.0 Server CD-ROM allows only for 
viewing packets sent to and from the local machine. The version included with the SMS 
CD-ROM enables the network interface to be put into promiscuous mode, where all packets on 
the shared media can be seen. Both versions can also be run locally on Windows NT 
Workstations and on Windows 9x clients as long as the Network Monitor agent has been 
installed.



* How to Sniff

Most packet sniffers will set your NIC to promiscuous mode when you select it and start a 
session.  If there is network traffic then you should start to see results right away.  
The actual task of sniffing is relatively easy and shouldn't take long to figure out, so I 
won't go into detail on it.  However, translating the data into something that you can 
understand is the tricky part.  I recommend that you have a solid knowledge of networking 
and TCP/IP, and that you aren't scared of hex.  

The software that captures the packets will normally write them to a text file on the 
device, so you can come back and read the file later to see what you've got. The software 
can be set to only log certain contents, like packets containing the word "password" or 
any packets that look like e-mail. This keeps the size of your log file down and helps 
lessen the chance that someone will notice the sniffer. But it does mean that you're 
relying on the program to find the good stuff, so you run the risk of missing something 
you would have wanted.
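To make the "header block versus data block" split from the first section and the content filtering just described concrete, here is an added example that is not code from the article: a minimal decoder for one captured Ethernet II / IPv4 / TCP frame that pulls out the origin and destination addresses and the payload, followed by a filter written from the auditing side, reporting which service still accepts logins in the clear without recording the password itself. The frame is constructed inside the code, not taken from a real capture.

```python
import struct

# Constructed sample (not a real capture): one Ethernet II / IPv4 / TCP frame carrying an
# FTP-style login, built here so the parser has something to run on offline.
def build_sample_frame(payload: bytes) -> bytes:
    eth = bytes.fromhex("005056000001" + "005056000002" + "0800")  # dst MAC, src MAC, EtherType IPv4
    total_len = 20 + 20 + len(payload)                       # IPv4 header + TCP header + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                     bytes([192, 168, 1, 10]), bytes([192, 168, 1, 21]))
    tcp = struct.pack("!HHIIBBHHH", 40123, 21, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

SAMPLE_FRAME = build_sample_frame(b"USER alice\r\nPASS hunter2\r\n")

def parse_frame(frame: bytes) -> dict:
    """Split a frame into its header fields (origin, destination) and its data block."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst_mac": dst_mac.hex(":"), "src_mac": src_mac.hex(":"), "ethertype": ethertype}
    if ethertype != 0x0800:                                  # only IPv4 is decoded here
        info["payload"] = frame[14:]
        return info
    ip = frame[14:]
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4                               # IP header length in bytes, options included
    info.update(src_ip=".".join(map(str, src)), dst_ip=".".join(map(str, dst)), ttl=ttl, proto=proto)
    segment = ip[ihl:total_len]
    if proto != 6:                                           # not TCP: hand back the raw segment
        info["payload"] = segment
        return info
    sport, dport, _, _, off_res, flags = struct.unpack("!HHIIBB", segment[:14])
    data_off = (off_res >> 4) * 4                            # TCP header length, options included
    info.update(sport=sport, dport=dport, tcp_flags=flags, payload=segment[data_off:])
    return info

CRED_COMMANDS = (b"USER ", b"PASS ")   # FTP and POP3 send these, credentials included, in the clear

def find_cleartext_credentials(frame: bytes) -> list:
    """Return (src_ip, dst_ip, dport, command) per payload line that carries a credential; the
    value itself is dropped on purpose, an audit only needs to know which service is still cleartext."""
    p = parse_frame(frame)
    hits = []
    for line in p.get("payload", b"").split(b"\r\n"):
        if line.startswith(CRED_COMMANDS):
            command = line.split(b" ", 1)[0].decode("ascii", "replace")
            hits.append((p.get("src_ip"), p.get("dst_ip"), p.get("dport"), command))
    return hits

if __name__ == "__main__":
    for hit in find_cleartext_credentials(SAMPLE_FRAME):
        print("cleartext login: %s -> %s port %s (%s)" % hit)
```

Pointing the same decoder at a real capture means feeding it one frame at a time from a pcap reader; the logic per frame does not change.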

That should cover the basics: now you know what packet sniffing is, what programs to use, 
and that it doesn't take a genius to get started.  There are other types of sniffing that 
can be used, like specifically looking for logins and credit card numbers, but that goes 
beyond the scope of my ethics, so you'll have to look somewhere else if that's what you're 
interested in.  I hope this taught you something; if anything, it was fun to write.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-
© 2600SLC.ORG 2001
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-