Thread: Sniffers... Possible to read the data

  1. #1
    Senior Member
    Join Date
    May 2003
    Posts
    159

    Sniffers... Possible to read the data

    Hi,

    I have often heard of people using sniffers to get info about the packets travelling over the network..

    I tried once with a packet sniffer..... But when it started capturing packets.... there was not much I could make out of it....

    I did get info about packet IDs and how they are generated.. But again I don't know how it can help the potential hacker.....

    But do sniffers give out the information about the data travelling???

    Does this have anything to do with session hijacking.. Could we hack a session by knowing info about packets travelling on the network....

    Shall appreciate your comments for the same.....

    Regards

    kalp

  2. #2
    Senior Member
    Join Date
    Jul 2002
    Location
    Texas
    Posts
    168
    The reason you couldn't make out anything from the packets is that they probably didn't contain plain text, so you could have been looking at any type of data.

    Sniffers can help a hacker find out usernames and passwords travelling across the network if he can recognize them in the packet. They can also help with session hijacking (won't go into that).

    From what I know, the only info a packet sniffer can give you about the packets it receives deals with the packets and not the data within.

    Hope this helped a bit
    <chsh> I've read more interesting technical discussion on the wall of a public bathroom than I have at AO at times

  3. #3
    Senior Member
    Join Date
    Nov 2002
    Posts
    382
    I'll just add a comment to Darksnake's post:
    Sniffers are very useful to decode protocol behaviour, even for high layers such as FTP, HTTP, ...
    I find sniffers very useful for:
    - watching an attack in real time & keeping traces
    - understanding how a protocol works, as a helper to papers such as RFCs that are sometimes unreadable.
    SHARING KNOWLEDGE

  4. #4
    Senior Member
    Join Date
    May 2003
    Posts
    159
    Thanks darksnake,

    Yeah, I also noticed the same fact that you get a lot of host info about the packets and their destination....

    But I was curious to know how a potential hacker could use the packet info to launch any destructive attack using the above info......

    Regards

    Kalp

    Hi networker..

    Is it that we can know from where the packets are being generated at the time of attack? But the same information can also be traced by my firewall.... Then why do we need to use packet sniffers....

    One reason I found was during initial implementation of a firewall.. where you run a packet sniffer to study the traffic and determine which ports / services need to be activated and vice versa


    Regards

    Kalp
    ****** Any man who knows all the answers most likely misunderstood the questions *****

  5. #5
    Senior Member
    Join Date
    Nov 2002
    Posts
    382
    Originally posted here by anjali

    Hi networker..

    Is it that we can know from where the packets are being generated at the time of attack? But the same information can also be traced by my firewall.... Then why do we need to use packet sniffers....
    For a very simple reason: the firewall is rule-based and will only log dropped traffic it has been configured for!!!
    But what about flows passing through the firewall...

    Firewalls are not the magic box vendors want to convince us they are. A firewall does not guarantee security; it's just a tool that plays its role in the security policy.
    SHARING KNOWLEDGE

  6. #6
    Senior Member
    Join Date
    May 2003
    Posts
    159
    Networker, in that case... where should you place your sniffer.....

    I understand that it can only monitor the segment where it is placed..... Now in a corporation with many VLANs... would you need to have multiple sniffers on individual LAN segments???

    Can it be a part of your router.... where all incoming requests are sniffed....

    Does a sniffer have any impact on the network (e.g. network congestion etc.)?

    Many thanks networker for sharing the above info.... I always wanted to know about the real use of sniffers.... This is clearing some of my doubts....

    Regards

    Kalp
    ****** Any man who knows all the answers most likely misunderstood the questions *****

  7. #7
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    anjali: Here's a real example of how I use a packet sniffer on an almost daily basis. In this case I have a user running Outlook who tells me that she can't get her POP3 mail and Outlook keeps erroring out saying "cannot contact POP3 server XXX.XXX.XXX.XXX". Once the normal troubleshooting process has been gone through and the error remains, I pull out the old Ethereal (packet sniffer) and tell it to sniff packets from her machine to anywhere that are destined for port 110 (POP3), and ask her to initiate a mail send/receive.

    The things I will learn from this are:-

    1. Her machine is generating packets/or not
    2. Her packets are being routed correctly to this network
    3. those packets are destined for the right server and port
    4. is the server responding appropriately
    (since POP3 transmissions are in plain text)
    5. is her mailbox name properly spelled
    6. is her password properly spelled
    7. what the unseen error message is that the server sends if any, (in this case "unknown user")

    Odd, because the user has an account, she is spelling it correctly and the password is also correct. However, I know from experience that my mailserver does this from time to time and the account needs to be deleted and recreated. I do that, having copied any outstanding mail aside and replacing it after the recreation, and Bingo.... she's back in business....

    Packet sniffers are great tools and if you spend the time to learn TCP/IP flows etc and baseline some of the traffic on your network so you know what a good traffic flow for a protocol is then it can really help you see what is going on if things are not right.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
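    A small added example (my own code, not from the thread or any poster) of the filter tiger shark describes: keep only the packets between one client and port 110, then read the plain-text POP3 dialogue to find the server's error the user never sees. The capture, addresses and mailbox name are constructed; the PASS argument is redacted in the transcript.

```python
from dataclasses import dataclass

POP3_PORT = 110  # the port tiger shark filters on in the post above

@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes

# Constructed sample capture (addresses are made up): unrelated traffic,
# one POP3 session from the user's PC 192.0.2.10, and another PC's POP3 packet.
CAPTURE = [
    Packet("192.0.2.10", "192.0.2.20", 50000, 443, b"\x16\x03\x01"),          # unrelated TLS
    Packet("198.51.100.5", "192.0.2.10", 110, 50001, b"+OK POP3 server ready\r\n"),
    Packet("192.0.2.10", "198.51.100.5", 50001, 110, b"USER jsmith\r\n"),
    Packet("198.51.100.5", "192.0.2.10", 110, 50001, b"+OK\r\n"),
    Packet("192.0.2.10", "198.51.100.5", 50001, 110, b"PASS hunter2\r\n"),
    Packet("198.51.100.5", "192.0.2.10", 110, 50001, b"-ERR unknown user\r\n"),
    Packet("192.0.2.30", "198.51.100.5", 50002, 110, b"USER other\r\n"),      # another PC
]

def pop3_session(packets, client_ip, port=POP3_PORT):
    """Keep only one client's POP3 flow (both directions) and return the dialogue
    as (direction, line) tuples, "C" for client and "S" for server. The PASS
    argument is redacted so the transcript is safe to paste into a ticket."""
    dialogue = []
    for p in packets:
        if p.src == client_ip and p.dport == port:
            direction = "C"
        elif p.dst == client_ip and p.sport == port:
            direction = "S"
        else:
            continue  # not part of this client's POP3 flow
        for raw in p.payload.split(b"\r\n"):
            if not raw:
                continue
            text = raw.decode("ascii", errors="replace")
            if direction == "C" and text.upper().startswith("PASS "):
                text = "PASS <redacted>"
            dialogue.append((direction, text))
    return dialogue

def server_errors(dialogue):
    """Item 7 of the checklist: the server's error line the user never sees."""
    return [line for d, line in dialogue if d == "S" and line.startswith("-ERR")]
```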

  8. #8
    Senior Member
    Join Date
    May 2003
    Posts
    159
    tiger shark....

    Thanks dear indeed that was an excellent piece of info.......

    I didn't know you could use sniffers for such a purpose... Agreed, you need to know and understand TCP very well to make any meaningful judgement from a sniffer....

    I feel it is also essential to know networking thoroughly... because the placement of the firewall is very important. I tried one sniffer software.. it was hardly able to grab 14 packets in one hour....

    Could you tell why only a few packets were captured... I had installed the same on my work PC.... which is connected to the switch....

    I thought I would be able to monitor the complete VLAN.. but I feel I was only able to see a few of the packets generated from my PC only....

    Thanks
    ****** Any man who knows all the answers most likely misunderstood the questions *****

  9. #9
    anjali, one reason there might be that you are connected to a switch and not a hub.
    I assume you weren't doing anything at the time, as even for one PC 14 packets in an hour sounds a little low.

    With a hub, any packets that it receives it broadcasts to all the computers connected to it. So with a sniffer you can see everything being sent to everyone on your bit of the network.

    With a switch, when a packet is received it is only sent to the host identified and not just broadcast; I think this is done by using the MAC (hardware) address of the destination network card. So if the sniffer is running on your PC and you are connected to a switch, you will see only the packets destined for your PC or those sent from your PC.

    PS: "I had installed the same on my Work PC" - are you the admin? As this will likely upset them.

  10. #10
    Senior Member
    Join Date
    May 2003
    Posts
    159
    exactly waverebel....

    I did mention that I connect to a switch...

    In that case how can i still sniff the packets as mentioned by tigershark in his previous post.....

    Yeah, I was amazed at so few packets being caught.. But I was doing a lot of activities.. but a lot of packets were lost.. maybe it was my first try at sniffers.. so I thought I must have missed some settings....

    Regards

    kalp
    ****** Any man who knows all the answers most likely misunderstood the questions *****
