Packet Sniffing?

[smartin77]

Quick question:
is packet sniffing from a single node on a network possible? By single node, I mean, NOT a server? The reason I ask is becuase, if it's NOT possible, then the reason why packet sniffing would be a big deal is if a person gets access to a server? Right? then if thats the case, sniffing must not occur often?

Gotta get back to class
-Smartin

[phishphreek]

Packet sniffing can occur anywhere on your broadcast domain.
(I think thats the correct term. correct me if I'm wrong.)
If you are attached to a switch, you can only sniff traffic going to and from your single host.

If you are attached to hubs, you can sniff any traffic that passes by.

If you want to sniff traffic while using a switch... look into ettercap.

The reason for this is:

Hubs will pass any traffic going by. They have no idea where the destination host is... so it'll just send it everywhere.

Switches will only pass traffic destined to a certain MAC on the switch port. They are smarter than hubs.

[MrLinus]

To clarify a little better, switches (aka smart hubs) are a variation on routers. Hence they do not pass broadcast packets while hubs do. That means if you are sniffing on a switch, you will only pick up information meant for your machine. However, a tool like Ettercap changes things as it creates a "man-in-the-middle" concept and picks up packets meant for the switch by all hosts.

Check out the AO Newsletter #6. I did a small tut on Ettercap and give some of the details as to what it does.

[g00n]

umm... MissMittens, I switch does infact pass broadcast packets. A broadcast packet will reach the entire subnet, regardless of what device is attached. Unless that device filters out such traffic.

Lan games usually perform a broadcast sweep of the lan to determin if there are any servers available. I actually have a udp broadcast forwarder that i use on my switched network all the time. This allows me to forward broadcasts from my desktop to my gateway where they are tunneled to a friend's house 20 miles away then to his network. This allows us to play lan games while only having the tunneled tcp ptp tunnel between us.

[Fabs]

To clarify, A switch learns (very quickly) what ip's are associated to what MAC addresses on what ports of the hub, then as packets come in it analyses their destination and forwards them onto the correct ports.
A HUB is "dumb" it does no learning and just forwards every packet it receives to every port on the hub.
A broadcast packet is a packet that is specified to go to every ip in the subnet, a hub as it usually does will pass this to every port, a switch will pass a broadcast packet to every port on the switch with an ip that is within the subnet.

This is of course a very simplified explanation

[phishphreek]

To clarify, A switch learns (very quickly) what ip's are associated to what MAC addresses on what ports of the hub,

Fabs: I thought switches operated at layer 2... thats MAC only. Correct me if I'm wrong.

[Fabs]

sorry, you're right, take out the learns ip part, they only learn MAC addresses. (unless it's a "smart" switch)

/me slaps forehead

[smartin77]

Originally posted here by MsMittens
To clarify a little better, switches (aka smart hubs) are a variation on routers. Hence they do not pass broadcast packets while hubs do. That means if you are sniffing on a switch, you will only pick up information meant for your machine. However, a tool like Ettercap changes things as it creates a "man-in-the-middle" concept and picks up packets meant for the switch by all hosts.

Check out the AO Newsletter #6. I did a small tut on Ettercap and give some of the details as to what it does.

Great article! I noticed in the article you said that you teach a class, Is this a graduate level class? What other classes do you teach?

I'm almost done with my B.S. in Information Systems and becuase I have no INFOSEC experience, I'm thinking 'bout getting a masters in INFOSEC. What are your thoughts? Maybe better just for the certs?

[er0k]

msmittens >> ettercap ownz :P

just in case http://ettercap.sourceforge.net

[HTRegz]

Let's see.. since there seems to be confusion....

3 types of Devices..

Repeaters, Bridges, and Routers

Repeaters operate at layer 1 of the OSI Model and do just what they're called they repeat the signal (Hubs are multi-port repeaters)

Bridges operate at layer 2 of the OSI model and make forwarding decisions based on MAC (Physical) Addresses.... and prevent switching loops using the Spanning Tree Protocol. (Switches are multi-port bridges)

Routers operate at layer 3 of the OSI model and make forwarding decisions based on IP (Logical) Addresses....

Repeaters can be used to extend a network using what is called a 5-4-3 rule.. You can have 5 segments, connected with 4 repeaters and 3 of the segments can be populated. The reason for this is because Ethernet waits a certain period of time to listen before trasmitting and that is as far as the signal could travel in the length of time it waits. If you go longer you get Collisions... This is where Bridges come in. They create collision domains.. so you can have the 5-4-3 rule in effect then a bridge and then another 5-4-3 rule. Routers create broadcast domains. This means that broadcasts dont' go beyond the router.


So
Repeaters - are just amplifiers
Bridges - Create Collision Domains
Routers - Create Broadcast Domains