Packet Sniffing?

Thread: Packet Sniffing?

  1. #1
    Junior Member
    Join Date
    Jul 2002
    Posts
    25

    Packet Sniffing?

    Quick question:
    Is packet sniffing from a single node on a network possible? By single node, I mean, NOT a server? The reason I ask is because, if it's NOT possible, then the reason why packet sniffing would be a big deal is if a person gets access to a server? Right? Then if that's the case, sniffing must not occur often?

    Gotta get back to class
    -Smartin

  2. #2
    AO übergeek phishphreek
    Join Date
    Jan 2002
    Posts
    4,325
    Packet sniffing can occur anywhere on your broadcast domain.
    (I think that's the correct term. Correct me if I'm wrong.)
    If you are attached to a switch, you can only sniff traffic going to and from your single host.

    If you are attached to hubs, you can sniff any traffic that passes by.

    If you want to sniff traffic while using a switch... look into ettercap.

    The reason for this is:

    Hubs will pass any traffic going by. They have no idea where the destination host is... so it'll just send it everywhere.

    Switches will only pass traffic destined to a certain MAC on the switch port. They are smarter than hubs.

  3. #3
    Just a Virtualized Geek MrLinus
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    To clarify a little better, switches (aka smart hubs) are a variation on routers. Hence they do not pass broadcast packets while hubs do. That means if you are sniffing on a switch, you will only pick up information meant for your machine. However, a tool like Ettercap changes things as it creates a "man-in-the-middle" concept and picks up packets meant for the switch by all hosts.

    Check out the AO Newsletter #6. I did a small tut on Ettercap and give some of the details as to what it does.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head

  4. #4
    Senior Member
    Join Date
    Sep 2001
    Posts
    144
    umm... MissMittens, a switch does in fact pass broadcast packets. A broadcast packet will reach the entire subnet, regardless of what device is attached. Unless that device filters out such traffic.

    LAN games usually perform a broadcast sweep of the LAN to determine if there are any servers available. I actually have a UDP broadcast forwarder that I use on my switched network all the time. This allows me to forward broadcasts from my desktop to my gateway where they are tunneled to a friend's house 20 miles away then to his network. This allows us to play LAN games while only having the tunneled TCP ptp tunnel between us.

  5. #5
    Junior Member
    Join Date
    Mar 2003
    Posts
    26
    To clarify, a switch learns (very quickly) what IPs are associated to what MAC addresses on what ports of the hub, then as packets come in it analyses their destination and forwards them onto the correct ports.
    A hub is "dumb": it does no learning and just forwards every packet it receives to every port on the hub.
    A broadcast packet is a packet that is specified to go to every IP in the subnet. A hub, as it usually does, will pass this to every port; a switch will pass a broadcast packet to every port on the switch with an IP that is within the subnet.

    This is of course a very simplified explanation.
    Never argue with an idiot, they'll just bring you down to their level and then beat you with experience

  6. #6
    AO übergeek phishphreek
    Join Date
    Jan 2002
    Posts
    4,325
    To clarify, a switch learns (very quickly) what IPs are associated to what MAC addresses on what ports of the hub,
    Fabs: I thought switches operated at layer 2... that's MAC only. Correct me if I'm wrong.

  7. #7
    Junior Member
    Join Date
    Mar 2003
    Posts
    26
    Sorry, you're right, take out the learns IP part, they only learn MAC addresses. (unless it's a "smart" switch)

    /me slaps forehead
    Never argue with an idiot, they'll just bring you down to their level and then beat you with experience

  8. #8
    Junior Member
    Join Date
    Jul 2002
    Posts
    25
    Originally posted here by MsMittens
    To clarify a little better, switches (aka smart hubs) are a variation on routers. Hence they do not pass broadcast packets while hubs do. That means if you are sniffing on a switch, you will only pick up information meant for your machine. However, a tool like Ettercap changes things as it creates a "man-in-the-middle" concept and picks up packets meant for the switch by all hosts.

    Check out the AO Newsletter #6. I did a small tut on Ettercap and give some of the details as to what it does.
    Great article! I noticed in the article you said that you teach a class. Is this a graduate level class? What other classes do you teach?

    I'm almost done with my B.S. in Information Systems and because I have no INFOSEC experience, I'm thinking 'bout getting a masters in INFOSEC. What are your thoughts? Maybe better just for the certs?

  9. #9
    er0k
    Guest
    msmittens >> ettercap ownz :P

    just in case http://ettercap.sourceforge.net

  10. #10
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,914
    Let's see.. since there seems to be confusion....

    3 types of Devices..

    Repeaters, Bridges, and Routers

    Repeaters operate at layer 1 of the OSI Model and do just what they're called: they repeat the signal (Hubs are multi-port repeaters)

    Bridges operate at layer 2 of the OSI model and make forwarding decisions based on MAC (Physical) Addresses.... and prevent switching loops using the Spanning Tree Protocol. (Switches are multi-port bridges)

    Routers operate at layer 3 of the OSI model and make forwarding decisions based on IP (Logical) Addresses....

    Repeaters can be used to extend a network using what is called a 5-4-3 rule.. You can have 5 segments, connected with 4 repeaters and 3 of the segments can be populated. The reason for this is because Ethernet waits a certain period of time to listen before transmitting and that is as far as the signal could travel in the length of time it waits. If you go longer you get Collisions... This is where Bridges come in. They create collision domains.. so you can have the 5-4-3 rule in effect then a bridge and then another 5-4-3 rule. Routers create broadcast domains. This means that broadcasts don't go beyond the router.


    So
    Repeaters - are just amplifiers
    Bridges - Create Collision Domains
    Routers - Create Broadcast Domains
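
Added example, not part of any post in this thread: a small Python simulation of the hub (multi-port repeater) and switch (multi-port bridge) behaviour described above, showing which frames reach a passive sniffer on one port. The class names, MAC addresses and traffic are constructed for illustration; flooding of frames addressed to a not-yet-learned MAC is standard learning-bridge behaviour that goes slightly beyond what the posts state.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"

class Hub:
    """Layer 1 multi-port repeater: repeats every frame out of every other port."""
    def __init__(self, ports):
        self.ports = list(ports)

    def forward(self, in_port, src, dst):
        return [p for p in self.ports if p != in_port]

class Switch:
    """Layer 2 multi-port bridge: learns source MACs, forwards on destination MAC."""
    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}  # learned MAC address -> port

    def forward(self, in_port, src, dst):
        self.mac_table[src] = in_port  # learn where the sender lives
        if dst != BROADCAST and dst in self.mac_table:
            out = self.mac_table[dst]
            return [] if out == in_port else [out]
        # Broadcast or unknown destination: flood to all other ports.
        return [p for p in self.ports if p != in_port]

def frames_seen(device, frames, sniffer_port):
    """Return indexes of the frames that the device delivers to sniffer_port."""
    seen = []
    for i, (in_port, src, dst) in enumerate(frames):
        if sniffer_port in device.forward(in_port, src, dst):
            seen.append(i)
    return seen

# Constructed sample: host A on port 1, host B on port 2, passive sniffer on port 3.
A, B = "02:00:00:00:00:0a", "02:00:00:00:00:0b"
FRAMES = [
    (1, A, B),          # 0: A -> B before the switch has learned B (flooded)
    (2, B, A),          # 1: B -> A, A already learned
    (1, A, B),          # 2: A -> B, B now learned
    (1, A, BROADCAST),  # 3: broadcast from A
]

if __name__ == "__main__":
    print("hub   :", frames_seen(Hub([1, 2, 3]), FRAMES, 3))
    print("switch:", frames_seen(Switch([1, 2, 3]), FRAMES, 3))
```

On the hub the sniffer port receives every frame; on the switch it receives only the broadcast and the one unicast frame sent before the destination MAC was learned.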
