Friday, December 17, 2010

Sniffer

A sniffer is a passive eavesdropping tool that works by analysing network traffic. With this technique one can monitor the state of the network, its data flows and the information being transmitted over it.

Introduction

When information is transmitted over the network in cleartext, it can be attacked by network monitoring (eavesdropping). By putting a network interface into monitoring mode, the constant stream of information passing over the wire can be intercepted. Sniffer techniques are often used by hackers to intercept users' passwords; it is said that a router on a backbone network segment was once compromised by hackers, who then used a sniffer to obtain many users' passwords. In practice, however, sniffer technology is widely used for network fault diagnosis, protocol analysis, application performance analysis, network security and similar tasks.

The principle

Below, the principles and applications of sniffers are described in detail.

Sniffer principle

Introduction to network technology and equipment

Before explaining the concept of a sniffer, we first need to cover some basic concepts about LAN equipment.

Data travels over the network in very small units called frames. A frame consists of several parts, each performing a different function. Frames are built by specific software called the network driver, then sent through the network card onto the cable as a string of bits, and arrive at the destination machine, where the reverse process is carried out. The receiving machine's Ethernet card captures these frames, tells the operating system that a frame has arrived, and the frame is then stored. It is in this transmission and reception process that the sniffer introduces its security problems.

Each workstation on a LAN has a hardware address that uniquely identifies that machine on the network (this is similar to the Internet addressing system). When a user sends a packet, the packet is delivered to every machine available on the LAN.

On a shared-medium network, every machine on the network can hear the passing traffic, but it does not respond to packets that do not belong to it (in other words, workstation A does not capture data belonging to workstation B, but simply ignores it). If a workstation's network interface is in promiscuous mode (the concept of promiscuous mode is explained below), it can capture every packet and frame on the network.

Modern networks, however, usually use switches rather than hubs as the connecting device. Normally a switch does not let one host eavesdrop on the communications of other hosts, so sniffing on such a network must be combined with port mirroring on the switch. There is also a derived technique, ARP spoofing, which achieves eavesdropping on a switched network by deception.
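The frame structure, the card's normal address filter and the ARP-spoofing risk described above can all be shown in a few dozen lines. The following is an added example written for this page, not code from the original post: it decodes the 14-byte Ethernet header, models whether a card would pass a frame up in normal versus promiscuous mode, and runs an ARP watcher that remembers which MAC each IP last answered from and raises an alert when a reply rebinds an IP to a different MAC. The frames, MAC addresses and IP addresses are constructed for the demo; `build_arp_reply`, `nic_would_accept` and `ArpWatch` are names chosen here, not from any library.

```python
"""Decode Ethernet frames, model the NIC's address filter, and flag ARP replies
that rebind an IP address to a new MAC (a classic ARP-spoofing indicator).
Added example for this page; all frames below are constructed, not captured."""
import struct
from typing import Dict, Optional

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(mac: str) -> bytes:
    return bytes(int(part, 16) for part in mac.split(":"))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(part) for part in ip.split("."))


def parse_ethernet(frame: bytes) -> dict:
    """Split a frame into its 14-byte header (dst MAC, src MAC, EtherType) and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": mac_str(dst), "src": mac_str(src),
            "ethertype": ethertype, "payload": frame[14:]}


def nic_would_accept(eth: dict, own_mac: str, promiscuous: bool) -> bool:
    """Model the card's hardware filter: normally only frames for our own MAC or the
    broadcast address are passed to the host; in promiscuous mode every frame is."""
    if promiscuous:
        return True
    return eth["dst"] in (own_mac.lower(), BROADCAST_MAC)


def parse_arp(payload: bytes) -> dict:
    """Decode an Ethernet/IPv4 ARP body (28 bytes): htype, ptype, hlen, plen, oper,
    sender MAC, sender IP, target MAC, target IP."""
    if len(payload) < 28:
        raise ValueError("ARP body shorter than 28 bytes")
    _htype, _ptype, _hlen, _plen, oper = struct.unpack("!HHBBH", payload[:8])
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", payload[8:28])
    return {"oper": oper,
            "sender_mac": mac_str(sha), "sender_ip": ".".join(str(b) for b in spa),
            "target_mac": mac_str(tha), "target_ip": ".".join(str(b) for b in tpa)}


def build_arp_reply(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Constructed sample frame for the demo: an ARP reply inside an Ethernet frame."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, ARP_REPLY)
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth + arp


class ArpWatch:
    """Remember the MAC each IP last answered from; alert when an IP changes MAC."""

    def __init__(self) -> None:
        self.table: Dict[str, str] = {}

    def observe(self, frame: bytes) -> Optional[str]:
        eth = parse_ethernet(frame)
        if eth["ethertype"] != ETHERTYPE_ARP:
            return None
        arp = parse_arp(eth["payload"])
        if arp["oper"] != ARP_REPLY:
            return None
        if arp["sender_mac"] != eth["src"]:
            return f"ALERT: ARP sender {arp['sender_mac']} differs from frame source {eth['src']}"
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        previous = self.table.get(ip)
        self.table[ip] = mac
        if previous is not None and previous != mac:
            return f"ALERT: {ip} moved from {previous} to {mac}"
        return None


if __name__ == "__main__":
    # Constructed scenario: the gateway 192.168.1.1 answers from one MAC, then a
    # different MAC claims the same IP, which is what an ARP-spoofing host does.
    watch = ArpWatch()
    legit = build_arp_reply("aa:aa:aa:aa:aa:01", "192.168.1.1", "bb:bb:bb:bb:bb:02", "192.168.1.20")
    rogue = build_arp_reply("cc:cc:cc:cc:cc:03", "192.168.1.1", "bb:bb:bb:bb:bb:02", "192.168.1.20")
    print(watch.observe(legit))  # None: the first binding is simply learned
    print(watch.observe(rogue))  # ALERT: 192.168.1.1 moved from aa:... to cc:...
    eth = parse_ethernet(legit)
    print(nic_would_accept(eth, "dd:dd:dd:dd:dd:04", promiscuous=False))  # False
    print(nic_would_accept(eth, "dd:dd:dd:dd:dd:04", promiscuous=True))   # True
```

To run the watcher against real traffic you would feed it frames from a capture source (a PACKET socket on Linux or a pcap file); the rebinding alert is the same signal that tools such as arpwatch rely on, and static ARP entries or dynamic ARP inspection on the switch are the usual mitigations.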

Network monitoring principle

A sniffer program is a tool that exploits the promiscuous mode of the Ethernet network interface card (NIC, generally an Ethernet card). Once the NIC is set to this mode, it can receive every packet transmitted over the network.

Under ordinary circumstances, a NIC receives only packets relevant to its own address and packets addressed to the local host. For a sniffer to receive and process information in this way, the system needs BPF support (under Linux, PACKET socket support). Normally the network hardware and TCP/IP stack do not support receiving or sending packets unrelated to the local computer, so to bypass the standard TCP/IP stack the NIC must be set to the promiscuous mode just mentioned. Usually, to activate this mode the kernel must support the bpfilter pseudo-device, and root access is required to run the program, so the sniffer must be installed as root. If an intruder has entered the system only as a local user, they cannot run a sniffer and therefore cannot obtain the root password this way.
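Because the card has to be switched into promiscuous mode, that switch is also something a defender can look for on the host. The following is an added example for this page, not code from the original post: on Linux it reads the interface flag word exposed at /sys/class/net/<interface>/flags and tests the IFF_PROMISC bit (0x100, from the kernel's if.h), and it scans kernel log lines for the "device X entered/left promiscuous mode" message the kernel writes when the mode changes. The flag values and log lines embedded below are constructed samples; the helper names (`promiscuous_interfaces`, `still_promiscuous` and so on) are chosen here.

```python
"""Two host-side checks for a NIC in promiscuous mode on Linux: the interface flag
word exposed in sysfs and the kernel log line written when the mode changes.
Added example for this page; the sample data below is constructed, not captured."""
import re
from pathlib import Path
from typing import Dict, List, Set, Tuple

IFF_PROMISC = 0x100  # flag bit from the kernel's <linux/if.h>

# Constructed sample: contents of /sys/class/net/<iface>/flags for three interfaces.
SAMPLE_FLAGS: Dict[str, str] = {
    "lo": "0x9\n",        # UP | LOOPBACK
    "eth0": "0x1003\n",   # UP | BROADCAST | MULTICAST
    "eth1": "0x1103\n",   # the same, plus PROMISC
}

# Constructed sample kernel log lines in the format the Linux kernel uses.
SAMPLE_LOG: List[str] = [
    "[  120.551] device eth1 entered promiscuous mode",
    "[  130.002] usb 1-1: new high-speed USB device number 3 using xhci_hcd",
    "[  300.774] device eth0 entered promiscuous mode",
    "[  305.110] device eth0 left promiscuous mode",
]

PROMISC_LINE = re.compile(r"device (\S+) (entered|left) promiscuous mode")


def parse_flags(text: str) -> int:
    """sysfs prints the flag word as a hex string such as '0x1003'."""
    return int(text.strip(), 16)


def is_promiscuous(flags: int) -> bool:
    return bool(flags & IFF_PROMISC)


def promiscuous_interfaces(flag_table: Dict[str, str]) -> List[str]:
    """Sorted names of the interfaces whose flag word has IFF_PROMISC set."""
    return sorted(name for name, text in flag_table.items()
                  if is_promiscuous(parse_flags(text)))


def read_sysfs_flags(root: str = "/sys/class/net") -> Dict[str, str]:
    """Collect the live flag words from sysfs (Linux only; returns {} elsewhere)."""
    table: Dict[str, str] = {}
    for flags_file in Path(root).glob("*/flags"):
        try:
            table[flags_file.parent.name] = flags_file.read_text()
        except OSError:
            continue
    return table


def promisc_events(lines: List[str]) -> List[Tuple[str, str]]:
    """(interface, 'entered' | 'left') for every promiscuous-mode message in the log."""
    events: List[Tuple[str, str]] = []
    for line in lines:
        match = PROMISC_LINE.search(line)
        if match:
            events.append((match.group(1), match.group(2)))
    return events


def still_promiscuous(lines: List[str]) -> Set[str]:
    """Interfaces whose most recent log event was 'entered' with no later 'left'."""
    active: Set[str] = set()
    for iface, action in promisc_events(lines):
        if action == "entered":
            active.add(iface)
        else:
            active.discard(iface)
    return active


if __name__ == "__main__":
    print("flag check (sample):", promiscuous_interfaces(SAMPLE_FLAGS))   # ['eth1']
    print("log check (sample):", sorted(still_promiscuous(SAMPLE_LOG)))   # ['eth1']
    live = read_sysfs_flags()
    if live:
        print("flag check (this host):", promiscuous_interfaces(live))
```

One caveat when using this on a real host: on current Linux kernels the flag word reported through sysfs and `ip link` reflects promiscuity requested with the SIOCSIFFLAGS ioctl (for example `ip link set eth0 promisc on`), while capture libraries that request it through a packet-socket membership may leave that bit clear. The kernel log message is written on either path, so the log check is the more dependable of the two.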

There are also monitoring techniques for wireless networks, wide-area networks (DDN, FR) and even optical networks (POS, fibre). These differ slightly from monitoring on Ethernet; in particular, capture there usually introduces a hardware device called a TAP (test access point) for data acquisition.

Classification

Sniffers come in two kinds, software and hardware. Software sniffers include Sniffer Pro, PacketBone and others; their advantages are that they are easy to install and deploy, easy to learn and use, and easy to exchange. Their drawback is that they cannot capture everything transmitted on the network, so in some cases they cannot give a true picture of network faults and operation. Hardware sniffers, usually called protocol analyzers, are generally commercial products and relatively expensive, but they support capture on various kinds of links and offer high-performance real-time capture and analysis.

An Ethernet-based sniffer can only capture packets within one physical network segment; in other words, there must be no router or other device that blocks broadcast packets between you and the real target. This is very important. Consequently, an ordinary dial-up Internet user cannot use a sniffer to eavesdrop on someone else's communications.

The purpose of network monitoring

When a hacker has successfully compromised a host and obtained root access, and wants to use that host to attack other hosts on the same (physical) segment, he installs sniffer software on it to eavesdrop on the packets sent to the Ethernet device and look for packets of interest. If a packet meets the conditions, it is written to a log file. Usually the conditions are set to match packets containing "password" or similar words, since these packets usually carry the passwords the hacker is interested in. Once the hacker has intercepted a host's password, he immediately logs into that host.

If the sniffer runs on a router, or on a host with routing functions, it can monitor a large amount of data, because all packets entering or leaving the network pass through the router.

Sniffing is a second-level attack. That is, only once the attacker has already gained entry to the target system can a sniffer be used as an attack method, in order to obtain more information.

Besides passwords and usernames, a sniffer can obtain much other information, such as confidential information and financial information transmitted online. A sniffer can capture almost any packet transmitted on the Ethernet.
