Understand These 4 Network Traffic Capture Tools
Traffic capture, also referred to as packet capture, is one activity of penetration testing (pentesting)*. Pentesting allows the pinpointing of vulnerabilities on a network and provides identification of suspicious packets moving across the network. Being able to identify routine network traffic is also valuable because it provides a look at how a normal network environment operates, making it easier to identify anomalies and vulnerabilities.

During traffic capture (or packet capture), a data packet that is moving over a computer network is intercepted. After the packet is captured, it is analyzed to diagnose and solve any problems – most likely security problems – that exist on the network. (Or, if it is captured for nefarious purposes – see the paragraph below – the data may be stolen or compromised.)

When leveraged as part of the pentesting described above, traffic capture is used on network traffic that you are authorized to access. Traffic capture can also include traffic not intended for your network. In other words, it provides a way to see traffic that may be encrypted and that is intended only for specific users. Hackers may use packet capturing techniques to obtain and monitor data that would not necessarily come to them under normal circumstances.

Network managers and administrators rely on many traffic capture tools to manage and analyze their overall network traffic and performance. These tools also may be used to hack the network. Four of them are described below:

1) WIRESHARK

The first traffic capture tool discussed is Wireshark (formerly known as Ethereal; it was renamed Wireshark in 2006). Wireshark is a free and open source, fully featured network protocol analyzer (also known as a “network sniffer”) that is used to monitor traffic on a network. Because it is an open source program, it has benefited from the network developers worldwide who have contributed to it. Wireshark allows the user to set up a domain controller.
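As an added illustration of what a protocol analyzer such as Wireshark does with a capture file, the following Python is example code written for this page, not code from the Wireshark project: it builds a small libpcap file in memory from constructed frames (an ARP request, the gateway's ARP reply, and a DNS query carried over UDP), reads the file back, dissects the Ethernet, ARP, IPv4 and UDP headers into fields named after Wireshark's display-filter fields (eth.src, arp.opcode, arp.src.proto_ipv4, ip.dst, udp.dstport), and then produces a protocol hierarchy count and applies a display-style filter. Every address, port and timestamp in it is a constructed sample value.

```python
import struct
from typing import Callable, Dict, List

# --- helpers that build the constructed sample capture (no real traffic is read) ---
def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))

def ip(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))

def fmt_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def fmt_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    # Ethernet header (dst, src, type 0x0806) + 28-byte ARP body; requests go to broadcast
    dst = tha if op == 2 else "ff:ff:ff:ff:ff:ff"
    eth = mac(dst) + mac(sha) + struct.pack("!H", 0x0806)
    body = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + mac(sha) + ip(spa) + mac(tha) + ip(tpa)
    return eth + body

def build_ipv4_udp(src_mac: str, dst_mac: str, src_ip: str, dst_ip: str,
                   sport: int, dport: int, payload: bytes) -> bytes:
    # Minimal IPv4 header (no options, checksum left zero) carrying one UDP datagram
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 1, 0, 64, 17, 0,
                         ip(src_ip), ip(dst_ip))
    udp_hdr = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", 0x0800) + ip_hdr + udp_hdr + payload

def build_pcap(frames: List[bytes]) -> bytes:
    # libpcap global header: magic, version 2.4, tz offset, sigfigs, snaplen, linktype 1 = Ethernet
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):   # per-record header: ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out

# --- the capture reader and dissector (the part a protocol analyzer does for you) ---
def read_pcap(data: bytes) -> List[bytes]:
    magic = struct.unpack_from("<I", data, 0)[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)   # byte order comes from the magic
    if endian is None:
        raise ValueError("not a libpcap file")
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:
        raise ValueError("only Ethernet captures are handled here")
    frames, off = [], 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "IIII", data, off)[2]
        frames.append(data[off + 16:off + 16 + incl_len])
        off += 16 + incl_len
    return frames

def dissect(frame: bytes) -> Dict:
    etype = struct.unpack("!H", frame[12:14])[0]
    pkt = {"layers": ["eth"], "eth.dst": fmt_mac(frame[:6]), "eth.src": fmt_mac(frame[6:12])}
    if etype == 0x0806 and len(frame) >= 42:          # ARP: opcode at 20, then sha/spa/tha/tpa
        pkt["layers"].append("arp")
        pkt["arp.opcode"] = struct.unpack("!H", frame[20:22])[0]
        pkt["arp.src.hw_mac"], pkt["arp.src.proto_ipv4"] = fmt_mac(frame[22:28]), fmt_ip(frame[28:32])
        pkt["arp.dst.hw_mac"], pkt["arp.dst.proto_ipv4"] = fmt_mac(frame[32:38]), fmt_ip(frame[38:42])
    elif etype == 0x0800 and len(frame) >= 34:        # IPv4: protocol at 23, addresses at 26 and 30
        pkt["layers"].append("ip")
        ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
        pkt["ip.src"], pkt["ip.dst"], pkt["ip.proto"] = fmt_ip(frame[26:30]), fmt_ip(frame[30:34]), proto
        if proto == 17 and len(frame) >= 14 + ihl + 8:  # UDP ports sit right after the IP header
            pkt["layers"].append("udp")
            pkt["udp.srcport"], pkt["udp.dstport"] = struct.unpack("!HH", frame[14 + ihl:18 + ihl])
    return pkt

def protocol_hierarchy(packets: List[Dict]) -> Dict[str, int]:
    # Same idea as Wireshark's Statistics > Protocol Hierarchy: each frame counted at every layer
    counts: Dict[str, int] = {}
    for p in packets:
        for depth in range(1, len(p["layers"]) + 1):
            key = ":".join(p["layers"][:depth])
            counts[key] = counts.get(key, 0) + 1
    return counts

def display_filter(packets: List[Dict], match: Callable[[Dict], bool]) -> List[Dict]:
    # A display filter expressed as a Python predicate, e.g. arp.opcode == 2
    return [p for p in packets if match(p)]

# Constructed capture: a host asks for the gateway's MAC, the gateway answers, the host sends a DNS query
SAMPLE_PCAP = build_pcap([
    build_arp(1, "aa:bb:cc:00:00:02", "10.0.0.2", "00:00:00:00:00:00", "10.0.0.1"),
    build_arp(2, "aa:bb:cc:00:00:01", "10.0.0.1", "aa:bb:cc:00:00:02", "10.0.0.2"),
    build_ipv4_udp("aa:bb:cc:00:00:02", "aa:bb:cc:00:00:01", "10.0.0.2", "10.0.0.53", 51000, 53,
                   b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"),
])

if __name__ == "__main__":
    pkts = [dissect(f) for f in read_pcap(SAMPLE_PCAP)]
    print(protocol_hierarchy(pkts))
    for p in display_filter(pkts, lambda p: p.get("arp.opcode") == 2):
        print(f"{p['arp.src.proto_ipv4']} is at {p['arp.src.hw_mac']}")   # Wireshark's Info column wording
```

Running the file prints the protocol hierarchy and the ARP replies in the capture. `display_filter` takes any predicate, so the same packet list can be queried the way a Wireshark display filter such as `arp.opcode == 2` or `udp.dstport == 53` would, and `read_pcap` takes its byte order from the magic number, which is what lets a capture written on one architecture be read on another.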
Wireshark acts as a viewing tool, supported by a graphical user interface (GUI), and uses various user-chosen information filtering features to assess vulnerable systems and files. With Wireshark, a user can see and capture all traffic passing over a given network.

2) ADDRESS RESOLUTION PROTOCOL (ARP)

ARP is a tool that is used to translate IP addresses into the MAC addresses of network adapters. It then tells hosts where to send the traffic.

Since there is no requirement in the computer world for machines to tell the truth, ARP can be used for spoofing, allowing the user to see the traffic between two other computers. ARP will trick hosts into sending traffic to the wrong place so that the traffic can be captured in Wireshark.

One downside: it can cause a denial of service condition, which may slow down or completely bring down a system. Therefore, the spoof must be set up so that traffic keeps going to the correct machine and does not stop permanently at the intercepting machine.

3) DOMAIN NAME SERVICE (DNS)

DNS is a tool that is used to translate domain names (such as aaa.com) into IP addresses. The Domain Name Service tells the host where to send traffic when a destination is called by its domain name. This is not the only way to illicitly bring people to a specific website; it is just one tool for doing so.

Once again, since there is no requirement for machines to tell the truth, DNS can be used for spoofing (there is a DNS SPOOF tool), and it can be used in conjunction with ARP spoofing.

DNS spoofing, also called DNS cache poisoning, is a computer hacking attack in which data are introduced into a DNS resolver's cache. This causes the name server to return an incorrect IP address and diverts traffic to the attacker's computer (or to any other specified computer).

4) ETTERCAP

Ettercap is a free and open source network security tool for “man-in-the-middle”* attacks on Local Area Networks (LANs). Ettercap features include sniffing of live connections and content filtering on the fly. It supports active and passive dissection of many protocols (including encrypted ones) and includes many features for network and host analysis. Ettercap offers three interfaces:
- traditional command line
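Sections 2 and 3 above rest on the same observation: nothing forces an ARP reply or a DNS response to be truthful, so the receiving side has to check what arrives against what it already knows or what it actually asked. The Python below is an added example written for this page (not code from Wireshark, Ettercap or any spoofing tool) that shows that check from the defender's side. `ArpWatch` keeps the first IP-to-MAC binding seen in ARP replies and reports any later reply that claims the same IP from a different MAC, plus any MAC that has answered for more than one IP. `validate_response` parses a DNS response, including compressed names, and rejects it when its transaction ID matches no outstanding query, when its question section differs from the query that was sent, or when it carries answers for names the question never asked about. The ARP replies, the pending query and the three responses are constructed sample data, and the addresses come from documentation ranges.

```python
import struct
from typing import Dict, List, Optional, Tuple

# ---- ARP: remember the first IP-to-MAC binding seen and flag later claims that differ ----
class ArpWatch:
    def __init__(self) -> None:
        self.ip_to_mac: Dict[str, str] = {}        # first binding seen for each IP
        self.claims: Dict[str, set] = {}           # every IP each MAC has ever claimed

    def observe_reply(self, sender_mac: str, sender_ip: str) -> Optional[str]:
        """Feed the sender fields of one ARP reply; return an alert if the binding changed."""
        self.claims.setdefault(sender_mac, set()).add(sender_ip)
        known = self.ip_to_mac.setdefault(sender_ip, sender_mac)
        if known != sender_mac:
            return f"ARP: {sender_ip} was at {known}, now claimed by {sender_mac}"
        return None

    def macs_claiming_multiple_ips(self) -> Dict[str, List[str]]:
        # One MAC answering for several IPs (say, the gateway and a host) is the classic spoofing shape
        return {m: sorted(ips) for m, ips in self.claims.items() if len(ips) > 1}

# ---- DNS: parse a response and check it against the query that was actually sent ----
def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"

def read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset just after it in the message)."""
    labels, end, hops = [], None, 0
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:                        # compression pointer to an earlier name
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
        else:
            labels.append(msg[off + 1:off + 1 + msg[off]].decode("ascii"))
            off += 1 + msg[off]
    return ".".join(labels), (off + 1 if end is None else end)

def parse_dns(msg: bytes) -> Dict:
    ident, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        questions.append((name,) + struct.unpack("!HH", msg[off:off + 4]))
        off += 4
    for _ in range(an):                                    # authority/additional sections are not needed here
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:                      # A record: dotted quad
            rdata = ".".join(str(b) for b in msg[off:off + 4])
        elif rtype == 5:                                   # CNAME: a (possibly compressed) name
            rdata = read_name(msg, off)[0]
        else:
            rdata = msg[off:off + rdlen].hex()
        off += rdlen
        answers.append((name, rtype, rclass, ttl, rdata))
    return {"id": ident, "questions": questions, "answers": answers}

def validate_response(pending: Dict[int, Tuple[str, int]], msg: bytes) -> List[str]:
    """Return the reasons a response should be rejected; an empty list means it is acceptable."""
    r = parse_dns(msg)
    if r["id"] not in pending:
        return [f"transaction id 0x{r['id']:04x} matches no outstanding query"]
    qname, qtype = pending[r["id"]]
    problems = [] if r["questions"] == [(qname, qtype, 1)] else ["question section does not echo the query"]
    allowed = {qname}                                      # owner names an answer may legitimately carry
    for name, rtype, _rclass, _ttl, rdata in r["answers"]:
        if name not in allowed:
            problems.append(f"answer for {name} is outside the question {qname}")
        elif rtype == 5:
            allowed.add(rdata)                             # a CNAME extends the chain of acceptable names
    return problems

def build_response(ident: int, qname: str, answers: List[Tuple[str, str]]) -> bytes:
    # Constructed response builder (A records only); flags 0x8180 = standard response, RD and RA set
    msg = struct.pack("!HHHHHH", ident, 0x8180, 1, len(answers), 0, 0) + encode_name(qname) + b"\x00\x01\x00\x01"
    for name, addr in answers:
        owner = b"\xc0\x0c" if name == qname else encode_name(name)   # 0xC00C points at the question name
        msg += owner + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(o) for o in addr.split("."))
    return msg

# Constructed traffic: one outstanding query, then three responses a client might receive for it
PENDING = {0x1234: ("www.example.com", 1)}
GOOD = build_response(0x1234, "www.example.com", [("www.example.com", "203.0.113.10")])
EXTRA = build_response(0x1234, "www.example.com", [("www.example.com", "203.0.113.10"),
                                                   ("login.example.net", "203.0.113.66")])
STRAY = build_response(0x9999, "www.example.com", [("www.example.com", "203.0.113.10")])

if __name__ == "__main__":
    watch = ArpWatch()
    for m, i in [("aa:aa:aa:00:00:01", "10.0.0.1"), ("aa:aa:aa:00:00:07", "10.0.0.7"),
                 ("aa:aa:aa:00:00:07", "10.0.0.1")]:
        print(watch.observe_reply(m, i) or f"binding {i} -> {m} accepted")
    print(watch.macs_claiming_multiple_ips())
    for label, msg in [("good", GOOD), ("extra", EXTRA), ("stray", STRAY)]:
        print(label, validate_response(PENDING, msg) or "accepted")
```

The DNS check is deliberately narrower than a resolver's bailiwick rule: it accepts only the queried name and names reached through a CNAME chain, and it ignores the authority and additional sections entirely, which is the right stance for a stub client that wants nothing but the answer it asked for. The ARP watcher gives the same kind of report that passive ARP monitors produce when a known address changes; on a network with DHCP some changes are legitimate, so the alert is a prompt to investigate rather than proof of spoofing.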
* Penetration testing (pentesting), which is also known as “security assessment”, can be defined as a method of testing, measuring, and enhancing established security measures on computer systems, networks, or Web applications to find vulnerabilities. (SOURCES: Techopedia and TechTarget.)

* A “man-in-the-middle” attack is one in which the attacker secretly intercepts and relays – and possibly alters – messages between two parties who believe they are communicating directly with each other. The packets are viewed and/or modified by the perpetrator and sent on to the recipient, who is unaware of the intrusion. (SOURCES: TechTarget and PC Magazine.)