[Part 1] – Networking Sniffing and How to Defend Against It

April 7, 2016 | Views: 7075

Begin Learning Cyber Security for FREE Now!

FREE REGISTRATIONAlready a Member Login Here

One of the first dangers on networks is that some people can “play” content that’s not intended for them. In a network in broadcast mode (WiFi or Ethernet using a hub), anyone can read the packets of all. As with Ethernet, promiscuous mode for the network card does not filter packets that do not match the MAC address of the machine.


The Risks

Here’s a very short list of information that circulates on the network:

  • SMTP, POP, IMAP email content
  • POP, IMAP, HTTP Basic, Telnet passwords
  • HTTP: page content has restricted access
  • SMB, NFS, FTP: File Contents
  • SQL: table contents

We can access information that’s needed, without having to get into the system … We must not forget that many people use the same password everywhere.


How a Sniffer Works

On a hub or WiFi, there’s nothing special to do. One can also do it on a router or gateway.

In the case of a switch, it’s a little different. You should know that switches send packets destined for the broadcast that have MAC addresses not listed in their ARP table (this is often configurable). One can impersonate another machine during the applications of updates to MAC addresses by the switch, and play the role of bridge (then, not to cut the original machine network).

An easier technique to establish is overwhelming the switch by adding queries, as the table of the switch has a limited size – this one will end up behaving like a hub. This technique creates a strong montee in charge of traffic.

We can also forge an ARP request that redefines the default gateway of the switch (http://naughty.monkey.org/~dugsong//dsniff/).

Finally, there are other basic techniques if one has physical access to the switch (port monitoring).

As you know, sniffing can also be used to detect suspicious network traffic.


How to Detect Sniffing

Since this technique is passive, it’s quite difficult to detect. You can see if a network card is in promiscuous mode, because these cards meet some MAC addresses that do not exist on the network. By forging an ARP request with a destination MAC address not on broadcast, with a fake MAC  address, promiscuous mode card traffic will not be filtered, and the kernel will answer it anyway. This technique does not work if the machine in promiscuous mode has no IP or if the machine is not accessible with ARP requests.

In the case of ARP spoofing, using a tool like arpwatch logge will show all suspicious ARP requests immediately.

The best solution is still to encrypt its communications (HTTPS, SSH, VPN…).


Thanks and I hope this will be helpful to you.

By: Antr4ck

You might also enjoy Networking Sniffing and How to Defend Against It [Part 2]








Share with Friends
Use Cybytes and
Tip the Author!
Share with Friends
Ready to share your knowledge and expertise?
  1. Thanks for the article!

  2. Nice article, thank you

  3. Thanks(:

Page 2 of 2«12
Comment on This

You must be logged in to post a comment.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge


We recommend always using caution when following any link

Are you sure you want to continue?