Packet Sniffers
A packet sniffer, the network analyzer, is a wire-tap device that plugs into
computer networks and eavesdrops on the network traffic. To capture the information
going over the network is called sniffing. It is a "sniffing" program that lets someone
listen in on computer conversations. However, computer conversations consist of
apparently random binary data. Therefore, network wiretap programs also come with
a feature known as "protocol analysis", which allow them to "decode" the computer
traffic and make sense of it. These tools known as network sniffers are named after a
product called the Sniffer Network Analyzer. Introduced in 1988 by Network General
Corp. (now Network Associates Inc.), the Sniffer was one of the first devices that let
managers sit at their desks and take the pulse of the larger network. The original
sniffers read the message headers of data packets on the network, giving
administrators details about the addresses of senders and receivers, file sizes and other
low-level information about those packets, in addition to verifying transmission.
Using graphs and text-based descriptions, sniffers helped network managers evaluate
and diagnose performance problems with servers, the network wire, hubs and
applications.
They help keep networks humming, but they can also be used by hackers to uncover
user names and passwords from data packets traveling across public or private WANs.
Encrypting the headers of data packets (using the Secure Sockets Layer standard in
browser-based environments, for example) thwarts sniffer-assisted password thefts.
Sniffing also has one advantage over telephone wiretaps: many networks use "shared
media". Sharing means that computers can receive information that was intended for
other machines. This means that you don't need to break into a wiring closet to install
your wiretap, you can do it from almost any network connection to eavesdrop on your
neighbors. However, this "shared" technology is moving quickly toward "switched"
technology where this will no longer be possible, which means you will have to
actually tap into the wire.
A sniffer being used on a network to snoop passwords and anything else is considered
to be a passive attack. A passive attack is one that doesn't directly intrude onto a
foreign network or computer. On the other hand, an active attack directly interfaces
with a remote machine. Remote buffer overflows, network floods and other similar
attacks fall under the category of an active attack . By nature, passive attacks are not
meant to be discovered by the person(s) being attacked. At no point should they have
indication of your activity. This makes sniffers just as serious as any active attack.
Rather than merely identifying low-level characteristics such as packet source and
destination, current sniffers can decode data from all seven layers of the Open
System Interconnection network stack and can often recommend fixes for
problems. If application-level analysis fails to provide a solution, sniffers can drill
into low-level activities.
Conversion of data to human readable formats so that people can read the traffic.
Used
along
with
Network
intrusion
detection
in
order
to
discover
hackers/crackers.
located at one of the servers of your ISP would potentially be able to monitor all of
your online activities, such as:
What streaming events you use, such as audio, video and Internet telephony.
From this information, employers can determine how much time a worker is spending
online and if that worker is viewing inappropriate material.
3C 2E AC 00 01 01 00 01 D0 E1 66 80 08 00 45 00
01 F7 E8 80 40 00 80 06 39 40 C2 7E 57 A5 D1 01
EC 1A
Fig. 2.1 A Captured Frame
Each box represents a byte of the frame. The number in each box is actually a
hexadecimal number. This frame can be broken down into different parts :
The Ethernet header - Bytes 1 to 14
The IP header - Bytes 15 to 35
The TCP header - Bytes 36 to 56
The actual data i.e. the HTTP GET request.
with its MAC address. Every machine on the network segment will receive this
message and check its IP address. If it finds it does have that IP address it will respond
accordingly. If not then it will go on about its business. The next two bytes represent
which protocol the Ethernet header is framing. Here we can see the value is 08 00.
Hex 08 00 represents IPv4. Below are some other common protocols
08 06 - ARP
08 08 - Frame Relay ARP
86 DD - IP Next Generation (IPv6)
08 05 - X.25 level 3
to the beginning of the header....this way a router learns almost immediately the
priority of a datagram and can base its following actions on that. The next 4 bits
represent the delay, throughput, reliability and cost.
Delay
If this bit is set to 1 it is requesting of the router that it be sent via a path that
offers least amount of delay time (propagation delay).
Throughput
If this bit is set to 1 it is asking that the router send the datagram through a
path that has the most bandwidth i.e. the amount of data that can be stuffed through a
pipe in a given moment.
Reliability
While data is travelling over the lines if there is too much noise (whether this
be cross talk or electromagnetic interference (EMI)) it can become corrupt or lost. If
this bit is set to 1 it is requesting to be sent through a path with the least chance of
data loss.
Cost
Some network paths can be more expensive to use than others eg the using
microwave technology is more expensive than using a frame relay route. This bit
allows you to request a path whether that be the more expensive one or not. The last
bit of the second byte is reserved, as per the RFC, for future use.
Bytes 3 and 4
The next two bytes (01 F7) represent the total IP datagram length. In this case
it's 503 bytes (01 F7 hex > dec = 503). Because the total length field is limited to two
bytes this means the maximum possible size for an IP datagram is 65535 bytes (FF FF
hex). Remember though that the datalink protocol being used may have a maximum
transmission unit (MTU) that is smaller than 65535 bytes. In this case the datalink
protocol being used is Ethernet and this has an MTU of 1500 bytes.
Bytes 5 and 6
When an IP datagram is fragmented i.e. it is chopped up into more managable
chunks there has to be a way for the receiving host to reassemble the fragmented IP
datagram. The next two bytes (E8 80) denote the datagram ID number. Each fragment
of the IP datagram will have the same ID number. The next two bytes are linked to
this.
Bytes 7 and 8
8
These bytes represent the fragment area.... When IP has a datagram to send it
contacts the protocol operating at the datalink level to ascertain how much data it can
handle at anyone time i.e. the MTU. IP will then divide its data into chunks that the
datalink protocol can handle. If fragmentation is necessary IP uses these two bytes to
keep a track of each fragment.
Byte number 9
This byte (80) represents the Time To Live (TTL). The TTL is a timing
method used by routers to kill off any datagrams that are not delivered for whatever
reason. The TTL byte here is set to hex 80 (128 dec.). So this datagram has 128
"seconds" to live. If it doesn't reach the destination by then it'll be discarded. When
the datagram comes to the first router in its journey the router will reduce this number.
Every router along the way will reduce this number. When it reaches the host at the
receiving end this number would have a lower value.
Byte number 10
This byte denotes what higher level protocol the IP datagram is carrying. In
this case it's (06) .i.e. the Transmission Control Protocol (TCP). Others are:
(01) ICMP (Internet Control Message Protocol)
(08) EGP
(11) UDP (User Datagram Protocol)
(59) OSPF (Open Shortest Path First)
(58) IGRP.
Bytes 11 and 12
Starting on the next line down, these two bytes (39 40) make up the header
checksum. This is as much as IP will do for data integrity...it is a connectionless
protocol after all. IP assumes that most of the error checking will be done by the
higher level protocols such as TCP.
Bytes 14 to 20
The first four make up the source IP address and the last 4 bytes make up the
destination IP address :
C2 7E 57 A5 > 194.126.87.165
D1 01 EC 1A > 209.1.236.26
000 00 00 BA 5E BA 11 00 A0 C9 B0 5E BD 08 00 45 00 ...^......^...E.
010 05 DC 1D E4 40 00 7F 06 C2 6D 0A 00 00 02 0A 00 ....@....m......
020 01 C9 00 50 07 75 05 D0 00 C0 04 AE 7D F5 50 10
...P.u......}.P.
030 70 79 8F 27 00 00 48 54 54 50 2F 31 2E 31 20 32
py.'..HTTP/1.1.2
040 30 30 20 4F 4B 0D 0A 56 69 61 3A 20 31 2E 30 20
00.OK..Via:.1.0.
050 53 54 52 49 44 45 52 0D 0A 50 72 6F 78 79 2D 43
STRIDER..Proxy-C
060 6F 6E 6E 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D
onnection:.Keep-
070 41 6C 69 76 65 0D 0A 43 6F 6E 74 65 6E 74 2D 4C
Alive..Content-L
080 65 6E 67 74 68 3A 20 32 39 36 37 34 0D 0A 43 6F
ength:.29674..Co
090 6E 74 65 6E 74 2D 54 79 70 65 3A 20 74 65 78 74
ntent-Type:.text
0A0 2F 68 74 6D 6C 0D 0A 53 65 72 76 65 72 3A 20 4D
/html..Server:.M
0B0 69 63 72 6F 73 6F 66 74 2D 49 49 53 2F 34 2E 30
icrosoft-IIS/4.0
0C0 0D 0A 44 61 74 65 3A 20 53 75 6E 2C 20 32 35 20
..Date:.Sun,.25.
0D0 4A 75 6C 20 31 39 39 39 20 32 31 3A 34 35 3A 35
Jul.1999.21:45:5
0E0 31 20 47 4D 54 0D 0A 41 63 63 65 70 74 2D 52 61
1.GMT..Accept-Ra
0F0 6E 67 65 73 3A 20 62 79 74 65 73 0D 0A 4C 61 73
nges:.bytes..Las
100 74 2D 4D 6F 64 69 66 69 65 64 3A 20 4D 6F 6E 2C
t-Modified:.Mon,
110 20 31 39 20 4A 75 6C 20 31 39 39 39 20 30 37 3A
.19.Jul.1999.07:
120 33 39 3A 32 36 20 47 4D 54 0D 0A 45 54 61 67 3A
39:26.GMT..ETag:
130 20 22 30 38 62 37 38 64 33 62 39 64 31 62 65 31
."08b78d3b9d1be1
140 3A 61 34 61 22 0D 0A 0D 0A 3C 74 69 74 6C 65 3E
:a4a"....<title>
150 53 6E 69 66 66 69 6E 67 20 28 6E 65 74 77 6F 72
Sniffing.(networ
160 6B 20 77 69 72 65 74 61 70 2C 20 73 6E 69 66 66
k.wiretap,.sniff
170 65 72 29 20 46 41 51 3C 2F 74 69 74 6C 65 3E 0D
er).FAQ</title>.
180 0A 0D 0A 3C 68 31 3E 53 6E 69 66 66 69 6E 67 20
...<h1>Sniffing.
190 28 6E 65 74 77 6F 72 6B 20 77 69 72 65 74 61 70
(network.wiretap
1A0 2C 20 73 6E 69 66 66 65 72 29 20 46 41 51 3C 2F
,.sniffer).FAQ</
ment.answers.que
1D0 73 74 69 6F 6E 73 20 61 62 6F 75 74 20 74 61 70
stions.about.tap
1E0 70 69 6E 67 20 69 6E 74 6F 20 0D 0A 63 6F 6D 70
ping.into...comp
1F0 75 74 65 72 20 6E 65 74 77 6F 72 6B 73 20 61 6E
uter.networks.an
...
10
In the hexdump shown above and decode, the "Time to Live" field of 0x7F is
underlined. This is how a protocol decode works: it pulls each of the fields out of the
packet and attempts to explain what the numbers mean. Some fields are as small as a
single bit, other span many bytes.
A "protocol analyzer" will then take this hexdump and interpret the individual
fields
ETHER: Destination address : 0000BA5EBA11
ETHER: Source address : 00A0C9B05EBD
ETHER: Frame Length : 1514 (0x05EA)
ETHER: Ethernet Type : 0x0800 (IP)
IP: Version = 4 (0x4)
IP: Header Length = 20 (0x14)
IP: Service Type = 0 (0x0)
IP: Precedence = Routine
IP: ...0.... = Normal Delay
IP: ....0... = Normal Throughput
IP: Total Length = 1500 (0x5DC)
IP: Identification = 7652 (0x1DE4)
IP: Flags Summary = 2 (0x2)
11
12
Internet
Router
Alice
Bob
Sniffer
Fig. 3.1 An Ethernet Setup
Alice has IP address: 10.0.0.23
Bob has IP address: 192.168.100.54
In order to talk to Bob, Alice needs to create an IP packet of the form
10.0.0.23
192.168.100.54
Destination MAC
Source MAC
08 00
IP
. packet
CRC
Fig.3.2 An Ethernet Frame
What this means is that the TCP/IP stack in Alice's machine might create a
packet that is 100 bytes long (let's say 20 bytes for the IP info, 20 bytes for the TCP
13
info, and 60 bytes of data). The TCP/IP stack then sends it to the Ethernet module,
which puts 14 bytes on the front for the destination MAC address, source MAC
address, and the ethertype 0x0800 to indicate that the other end's TCP/IP stack should
process the frame. It also attaches 4-bytes on the end with a checksum/CRC (a
validator to see if the frame gets corrupted as it goes across the wire).
The adapter then sends the bits out onto the wire. All hardware adapters on the
wire see the frame, including the routers adapter, the packet sniffer, and any other
machines. Proper adapters, however, have a hardware chip that compares the frame's
"destination MAC" with its own MAC address. If they don't match, then it discards
the frame. This is done at the hardware level, so the machine the adapter is attached to
is completely unaware of this process.
When the ROUTER ethernet adapter sees this frame, it reads it off the wire and
removes the leading 14-bytes and the trailing 4-bytes. It looks at the 0x0800 ethertype and
decides to send it to the TCP/IP stack for processing (which will presumably forward it to the
next router in the chain toward the destination).
machine is supposed to see the Ethernet frame, and all other machines are supposed to ignore
it. The sniffer, however, breaks the rules and copies the frame off the network, too.
Windows NT IP Configuration
Host Name . . . . . . . . . : www.yahoo.com
DNS Servers . . . . . . . . : 192.0.2.254
Node Type . . . . . . . . . : Hybrid
NetBIOS Scope ID. . . .:
IP Routing Enabled. . . . . : No
WINS Proxy Enabled. . . . . : No
NetBIOS Resolution Uses DNS : No
Ethernet adapter SC12001:
Description . . . . . . . . : DEC DC21140 PCI Fast Ethernet Adapter
Physical Address. . . . . . : 00-40-05-A5-4F-9D
DHCP Enabled. . . . . . . . : No
IP Address. . . . . . . . . . . : 192.0.2.160
Subnet Mask . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . : 192.0.2.1
Primary WINS Server . . : 192.0.2.253
3.4 RMON
RMON (Remote MONitoring) is an SNMP-based standard that allows
management of network traffic.
SNMP is the standard way of remotely managing devices. In a typical
network, you have routers, hubs, switches, backup power supplies, servers, mail
gateways, and so forth. In a modern network, all these devices can be remotely
managed with a centralized console. The console sends SNMP commands to monitor
their status, to reconfigure them, and receive alerts from them.
Of course, each of these devices accepts different commands and support different
parameters that can be monitored. For a router, you might be concerned with the rate
that packets are being forwarded. For a hub, you might want to monitor for any
cabling faults on the ports. For backup power supply, you will want to monitor the
voltage of the power being supplied. The collection of monitorable/changeable
parameters are stored in a virtual database called a MIB (Management Information
Base).
RMON is just another SNMP MIB. The item that this MIB manages is the
traffic on the wire. In other words, we aren't talking about managing a real thing, but a
virtual device.
3.4.1 Does RMON function as a remote sniffer?
15
In a pinch, RMON can be used to remotely sniff traffic. The problem is that it
isn't very good at it. For example, with today's sniffing products, you can easily do a
packet capture of all traffic and save it real time to gigabyte disk drives. If you try to
do that with RMON, you'll find difficulties in trying to transfer all that data back to
your management console. One way to reduce this data is to set packet capture filters.
However, filtering is extremely weak in RMON. If you want to do sniffing, don't rely
upon RMON to do it for you.
On the flip side, there is a big security concern that RMON is so pervasive on
equipment throughout the Internet that you can often find open RMON probes that
will allow remote sniffing. Again, it won't provide very good sniffing capabilities, but
it will be good enough.
3.4.2 Limitations of RMON:
First of all, RMON suffers from the basic problems of SNMP. SNMP has
always been a "checkbox" item that customers always want in their products, but
which vendors don't spend a lot of time on. Thus, basic activities work within SNMP,
but it never quite reaches the hype. Likewise, while there are a ton of products out
there that support RMON, they don't always work correctly. Indeed, since RMON is
so resource intensive, you will often find that heavy use of RMON crashes the remote
device. Second of all, RMON is extremely resource intensive.
16
Operation: Request
Alice: 192.0.2.173
Bob: 192.0.2.1
00-40-05-A4-79-32
?? ?? ?? ?? ?? ??
Alice
Alice
Alice
Alice
Bob
Bob
Bob
Bob
Charles
17
Now Bob has an IP packet to send to Alice. In theory, Bob would need to ARP Alice
in order to find her MAC address. But he doesn't. This is because he has remembered
her MAC address information that was sent in the original ARP request.
In fact, everyone on the local Ethernet saw that request since it was
broadcasted. So if Charles at this point wants to ping Alice, he doesn't need to ARP
her either, even though he wasn't involved with the original exchange.
Broadcasts are sent to everyone on an Ethernet switch. Therefore, you can
subvert the switch by sending out ARPs claiming to be somebody else as the source
address. You can broadcast out an ARP claiming to be the router, in which case
everyone will try to route through you. Or you can send an ARP request just to the
victim's MAC address, claiming to be the router, at which point just the victim will
forward packets to you. Conversely, you can send an ARP to the router's MAC
address claiming to be the victim.
In all these cases, you must be prepared to forward packets in the real
direction, otherwise you cut off communication.
18
what you want to do. You may want to subvert an authenticated connection, in which
case you DoS (Denial of Service) the victim (taking it offline), redirect the switch,
and continue on with the connection as if nothing happened. For example, let's say
that Alice has a Telnet connection to the BOB server. You DoS Alice's machine, taking
her off line. You then send out packets with Alice's MAC address, causing the switch
to send you all packets destined for her. In order to pick up her connection, you cause
the server to send you a TCP packet (i.e. use the talk service to prompt her for a
connection). At this point, you simply start reversing the sequence and
acknowledgement numbers to continue the Telnet connection.
Another solution to this problem is to "sample" traffic. Send out packets with
the victim's MAC on occasional intervals. You'll likely get the next few packets
destined for the victim, but the victim will timeout and recover the connection. The
victimized user will notice occasional network delays.
A similar solution is that when you receive an incoming packet, turn around
and broadcast it back out. This way the victim still receives the packet. A steady
stream of outgong traffic and broadcasts of the incoming traffic will allow you to
recover a good percentage of the original traffic.
19
20
21
22
23
5. Remember that NOBODY should see this packet, because as the frame
goes down the wire, each Ethernet adapter matches the MAC address with
their own MAC address. If none matches, then they ignore the frame.
6. If you see the response, then the suspect wasn't running this "MAC address
filter" on the card, and is hence sniffing on the wire.
There are ways defending against this. Now that this technique is widely
publicized, newer hackers will enabled a virtual MAC address filter in their code.
Many machines (notably Windows) have MAC filtering in drivers. (There is a hack
for Windows: most drivers just check the first byte, so a MAC address of FF-00-0000-00-00 looks like FF-FF-FF-FF-FF-FF (the broadcast address which all adapters
accept). However, some adapters implement multicast in such as way that this address
will match as a multicast, which is any address whose first byte is an odd number.
Thus, this can result in false positives).
This technique will usually work on switched/bridged Ethernets. When
switches see an unknown MAC address for the first time, they will "flood" the frame
to all segments.
24
1. Encryption
(as well as a host of other equipment) should be able to use the same wireless
infrastructure. For example, a person with a Nokia wireless PCMCIA adapter in their
notebook should be able to connect via TCP/IP to an AirPort base station (and be
configured automatically via DHCP). There are two IEEE 802.11 standards, one for
2-mbps and one for 11-mbps. This discussion focuses on the 2-mbps standard.
Spread Spectrum
The first question dealing with sniffing is the signaling. This wireless standard uses
"spread spectrum" technology.
* Rather than transmitting data at a single frequency, data is transmitted over a
range of frequencies.
* This makes it more immune to electronic noise.
* It allows many users to share the same spectrum like cellular. In fact, CDMA,
a cellular technology, uses spread spectrum, where each "code" (code division
multiplexing) determines the sequence used to "spread" the signal.
* In theory, spread-spectrum makes it impossible to eavesdrop. The
eavesdropper would need to know the "spreading" function used.
Spread-spectrum technology came out of the cold war as a way of sending
signals that were near impossible to eavesdrop on. The theory is that an
eavesdroppper only hears whitenoise, and that even proving there is a signal could be
difficult.
However, this assumed that you could securely communicate the "spreading
function" to both the transmitter and receiver. This isn't reasonable in consumer-grade
products that we'll be buying. The keys will be distributed manually. Moreover, there
aren't that many keys. The upshot is that spread-spectrum has little impact as an antisniffing countermeasure. To be fair, it isn't intended to be -- it's used in wireless
communication for its anti-noise, bandwidth-sharing capabilities. Security will be
accomplished via standard digital encryption techniques.
The spectrum used by the standard is 2.400 GHz to 2.4835 GHz, though in
theory different frequencies are defined for Japan and Europe.
Signal range
Roughly 100-meters (300-feet) indoors and 300-meters (1000-feet) outdoors.
Estimates indicate that a base station will be able to communicate one floor in each
direction. In extreme office conditions, vendors are quoting about 20-meters.
26
However, with parabolic antennas, eavesdroppers can receive signals from much
further away.
In theory, any IEEE 802.11 compliant device can eavesdrop on all the packets
that are within range. (Though, of course, the may need to decrypt it as well).
Encryption
A method called "Wired Equivalent Privacy (WEP)" is used. This is based
upon the RC4 encryption protocol with 40-bit keys. This is essentially the same
protocol used by web-browsers for secure connections. RC4 supports up to 128-bit
encryption, but the 802.11 standard is at 40-bit encryption for export purposes. Some
vendors are providing more bits in the security key, for example Lucent is selling their
"WaveLAN Gold" cards supporting 128-bit encryption (though it appears that 128-bit
is available outside the US, not inside, as it was developed outside the US and Lucent
is protesting US export restrictions by not selling the stronger version inside the US).
WEP only protects the data portion. This means that a sniffing machine can
decode the physical layer transmissions, but must decrypt the data portion. WEP uses
a "shared-key" architecture. This is actually a very bad design, because it requires
users to enter in their keys in order to use the network. These keys will likely be based
upon passwords, which usually result in effective keys even less than 40-bits. In
contrast, web-browsers using SSL are able to encrypt data with no predetermined
shared key.
WEP is optional, by default it is turned off. We will have to see in the future
how often it really is used. For example, WEP is not practical for "ad-hoc" networks
(peer-to-peer networks); it is more useful with the use of Access Points (APs). From
the look of it, vendors are selling the encryption feature as an "add-on" as well. This
bodes well for malicious packet sniffers. To summarize encryption: it will make
sniffing difficult, but not impossible. Most people won't use encryption, but even then
it will be easy to decrypt the 40-bit encrypted messages. Specialized hardware could
be built to recover the key in near real time, but also distributed computing power
(like http://www.distributed.net/) can also be used to recover keys. In particular,
because the data portion is very well known (IP headers), it is susceptible to a "known
plaintext" attack.
Access
A security concern related to sniffing is simple access. Someone can walk into
a building with a notebook computer, which can connect to the network behind the
27
firewall. Internal networks tend to be insecure, so this is a real danger. The WEP
protocol has a number of features to prevent this, such as the ability to hard-code
MAC addresses into the base-stations specifying who may connect to the network.
Roving
Users can rove around a network, and be handed off from area-to-area much
like cell-phones. A unit maintains the same MAC address and IP address, but changes
who it's talking to. This means that the backbone to handle this has to be switched
Ethernet or ATM with VLANs. In theory, you could walk around a company and have
your notebook beep at you as soon as it finds an area where computers are talking
unencrypted.
Airports
Several companies are equiping places like airports with access stations that allow
you to surf online. The WEP protocol as no support for this type of authentication
(shared secrets suck). These companies plan on charging connect time, but you could
equally have fun by sitting down with your notebook and sniffing everyone else
connected to the web. Have fun reading their e-mail, eavesdropping on their
chatrooms, and the like.
28
This will now set the network interface eth0 in promiscous mode.
/************************simple_Tcp_sniff.c********************/
1.
#include <stdio.h>
2.
#include <sys/socket.h>
3.
#include <netinet/in.h>
4.
#include <arpa/inet.h>
5.
#include "headers.h"
6.
int main()
7.
8.
9.
char buffer[65535];
10.
11.
struct ip *ip;
12.
13.
14.
15.
while(1)
16.
17.
18.
19.
20.
21.
ip = (struct ip *)buffer;
22.
23.
24.
25.
26.
27.
28. }
/***********************EOF**********************************/
What this means :
29
Line 1-4 :
These are the header files required to use some needed c functions we will use later
<stdio.h>
<arpa/inet.h>
order conversions
Line 5 :
This is the header file headers.h that is also included with this program to give
standard structures to access the ip and tcp fields. The structures identify each field in
the ip and tcp header for instance :
struct ip {
unsigned int
ip_length:4;
unsigned int
ip_version:4;
unsigned char
ip_tos;
/* type of service*/
unsigned short
ip_total_length;
unsigned short
ip_id;
unsigned short
ip_flags;
unsigned char
ip_ttl;
/*identification field*/
/*time-to-live, sets upper limit
for max number of routers to
go through before the packet is
discarded*/
unsigned char
ip_protocol;
unsigned short
ip_cksum;
unsigned int
ip_source;
/*source ip */
unsigned int
ip_dest;
/*dest ip*/
};
struct tcp {
unsigned short
tcp_source_port;
unsigned short
tcp_dest_port;
30
unsigned int
tcp_seqno;
unsigned int
tcp_ackno;
unsigned int
tcp_res1:4,
/*little-endian*/
tcp_hlen:4,
tcp_fin:1,
tcp_syn:1,
/*Synchronize sequence
numbers to start a connection
tcp_rst:1,
/*Reset flag */
tcp_psh:1,
tcp_ack:1,
/*acknowledge*/
tcp_urg:1,
/*urgent pointer*/
tcp_res2:2;
unsigned short
tcp_winsize;
unsigned short
tcp_cksum;
unsigned short
tcp_urgent;
};
Line 8-13 :
This is the variable declaration section
integers :
sock
bytes_recieved
fromlen
buffer
31
sin_family;
/* Address family */
sin_addr;
/* Port number
*/
/* Internet address */
};
Before we go any further two topics should be covered,byte-ordering and
sockaddr
structures. Byte-ordering,is the way that the operating system stores bytes
in memory. There are two ways that this is done first with the low-order byte at the
starting address this is known as "little-endian" or host-byte order. Next bytes can be
stored with the high order byte at the starting address, this is called "big-endian" or
network byte order.
The Internet protocol uses >>>>>> network byte order.
This is important because if you are working on an intel based linux box you
will be programming on a little-endian machine and to send data via ip you must
convert the bytes to network-byte order. For examle lets say we are going to store a 2byte number in memory say the value is (in hex) 0x0203.
The next topic that one must understand is the sockaddr vs. the sockaddr_in
structures.
The struct sockaddr is used to hold information about the socket such as the
family type and other address information it looks like :
struct sockaddr {
unsigned short sa_family;
/*address family*/
char
/*address data*/
sa_data[14];
};
The first element in the structure "sa_family" will be used to reference what
the family type is for the socket, in our sniffer it will be AF_INET. Next the "sa_data"
element holds the destination port and address for the socket. To make it easier to deal
with the sockaddr struct the use of the sockaddr_in structure is commonly used.
Sockaddr_in makes it easier to reference all of the elements that are contained by
sockaddr.
32
sin_family;
sin_addr;
/* Address family
/* Port number
/* Internet address
*/
*/
*/
};
We will use this struct and declare a variable "from" which will give us the
information on the packet that we will collect from the raw socket. For instance the
var "from.sin_addr" will give access to the packets source address (in
network byte order). The thing to mention here is that all items in the sockaddr_in
structure must be in network-byte order. When we receive the data in the
sockaddr_in struct we must then convert it back to Host-byte order. To do this we can
use some predefined functions to convert back and forth between host and network
byteorder.
Here are the functions we will use:
ntohs
ntohl
=inet_ntoa(from.sin_addr)
Line 11-12:
struct ip *ip :
33
SOCK_DRAM
2.
SOCK_STREAM
3.
SOCK_RAW
4.
SOCK_PACKET
fields, to do this we must overlay a structure that has the fields predefined just as we
did with ip. There is one key difference here the ip header fields were easy to access
due to the fact that the beginning of the buffer was also the beginning of the ip header
as so :
|----------------------- buffer ----------------------------|
_________________________________________
ip header
^
* ip
^
* header
So to get access to the ip header we just set a pointer casted as an ip structure to the
beginning of the buffer like "ip = (struct ip *)buffer;". To get access to the tcp header
is a little more difficult due to the fact that we must set a pointer and cast it as a tcp
structure at the beginning of the tcp header which follows the ip header in the buffer
as so :
|----------------------- buffer ----------------------------|
ip header
tcp header
^
* tcp
This is why we use 4*ip->ip_length to find the start of the tcp header.
Line 25-26:
printf("Source port ::: %d\n",ntohs(tcp->tcp_source_port);
printf("Dest port ::: %d\n",ntohs(tcp->tcp_dest_port));
We can now access the source and dest ports which are located in the tcp header via
the structure as defined above. This concludes a simple tcp sniffer. This was a very
basic application that should help define how to access packets passing on the
network and how to use sockets to access the packets.
To use the above program, cut out the above code and strip off all of the line
numbers. Save the edited file as sniff.c. Next cut out the header file headers.h and
save it to a file headers.h in the same directory. Now just compile: gcc -o sniff sniff.c
You should now have the executable "sniff", to run it type
#./sniff
36
/*************************headers.h**************************/
/*structure of an ip header
*/
struct ip {
unsigned int
ip_length:4;
unsigned int
ip_version:4;
/*little-endian*/
unsigned char
ip_tos;
unsigned short
ip_total_length;
unsigned short
ip_id;
unsigned short
ip_flags;
unsigned char
ip_ttl;
unsigned char
ip_protocol;
unsigned short
ip_cksum;
unsigned int
ip_source;
unsigned int
ip_dest;
};
/* Structure of a TCP header */
struct tcp {
unsigned short
tcp_source_port;
unsigned short
tcp_dest_port;
unsigned int
tcp_seqno;
unsigned int
tcp_ackno;
unsigned int
tcp_res1:4,
/*little-endian*/
tcp_hlen:4,
tcp_fin:1,
tcp_syn:1,
tcp_rst:1,
tcp_psh:1,
tcp_ack:1,
tcp_urg:1,
tcp_res2:2;
unsigned short
tcp_winsize;
unsigned short
tcp_cksum;
unsigned short
tcp_urgent;
37
};
/*********************EOF***********************************/
WinDump
A version of tcpdump for Windows.
Echelon
Echelon for Dummies is a distributed sniffer which tries to show how the
"echelon" network could be designed. It uses sniffer servers that can be installed and
run on remote hosts, and will dig through local network traffic, using custom
pattern/keyword matching to find packets with interesting content, which are then
forwarded to a central loghost on which the logging daemon is run that gathers and
logs the data. For stealth purposes, Sniffers and the logger communicate via random
protocols and encryption, and are compatible to many Unix systems and NT.
Gobbler
The Gobbler is perhaps the best freeware DOS Ethernet sniffer. It can decode
the Ethernet, IP, TCP and UDP layers, as well as a few low-level protocols like ARP
and ICMP. The interface is notable because it's surprisingly easy to quickly browse a
dump looking for interesting packets. The source code is available, so in theory one
could extend it to your own needs, though I don't know if this is easy to do.
in this case is to encrypt the data, so that while they can sniff it, they cannot read it.
Some techniques are:
11.1 SSL
"Secure Sockets Layer", SSL is built into all popular web browsers and web
servers. It allows encrypted web surfing, and is almost always used in e-commerce
when users enter their credit card information.
E-mail can be sniffed in many alternative ways. It passes through corporate
firewalls, which may monitor the traffic. It often gets logged and saved for extended
periods of time. It may get accidentally misdirected, and end up in somebody else's
mailbox. The best way to keep such e-mail secret is to encrypt it.
run in promiscuous mode. There are also a few Ethernet where promiscuous mode is
broken, either in the hardware or in the driver. Actually, there are far more adapters
who simply lack the functionality in the driver in order to turn on promiscuous mode,
meaning all programs that attempt to put them into promiscuous mode will fail even
though the hardware supports the mode in theory. But in the Intel/Microsoft "PC99"
guidelines, promiscuous mode is a "required" feature. If this is a concern, it will be
cheaper in the long run simply to upgrade to switching hubs, which basically does the
same thing. An Ethernet switch moves the "address match" upstream, so that the
switch does it rather than the adapter. Finally, it should be noted that most new
networks are switched in some fashion. Even though hackers cannot sniff an entire
Ethernet segment, they still install sniffers on machines in order to see the
incoming/outgoing traffic. A non-promiscuous adapter won't help defend against this.
Non-promiscuous Interface Cards are:
A tool from The Apostols that detects packet sniffers running on the local
PromiscDetect
PromiscDetect for Windows NT 4.0 / 2000 / XP checks if your network adapter(s) is
in promiscuous mode or not (that is, in most cases, if a sniffer is running on the
computer or not). Of course the attacker might be intercepting the communication
between the tool and the adapter, making the result unreliable, but there are probably
many more cases out there where the tool will really detect a sniffer.
12. Conclusion
Thus Sniffers capture packet traffic across a network, usually an Ethernet. These can
be placed surreptitiously on your drives. A sniffer can catch all packet traffic on a
particular network block (or segment). Prevention of compromise is a two-fold
process: encryption and compartmentalization. Encrypted communications can be
used to prevent the capture of passwords if a sniffer attack is underway. It can be
assert that one can benefit greatly by running a sniffer on a network, even if only for a
day. This will familiarize him with what problems are faced to implement various
attacks. Also, if one is proficient with a sniffer, one can see for himself what type of
information can actually be gleaned from your particular network configuration
Bibliography
41
[1] The Internet Protocol Journal (IPJ), Volume 2, Number 2, June 1999, Firewalls
and Internet Security, the Second Hundred (Internet) Years by Frederick Avolio,
Avolio Consulting, Inc.
[2] UltimateSniffin' the Ether v2_0. http://networking.earthweb.com
[3] Tapping across a network. http://www.wiretapped.net/
[4] Sniffer Packages. http://packetstormecurity.org and http://www.wiretapped.net
[5] Sniffers the Network Analyzers http://www.networkingunlimited.com
[6] Beej's Guide to Network Programming. http://www.ecst.csuchico.edu/~beej/
[7] TCP/IP Illustrated Vol 1,2,3 - W.Richard Stevens
42