Sniffing: How It Is Done
In a shared media network, such as Ethernet, all network interfaces on a network segment have access to all of the data that travels on the media.

Each network interface has a hardware-layer address (MAC address) that should differ from the hardware-layer addresses of all other network interfaces on the network. Each network also has at least one broadcast address that corresponds not to an individual network interface, but to the set of all network interfaces. Normally, a network interface will only respond to a data frame carrying either its own hardware-layer address in the frame's destination field or the "broadcast address" in the destination field. It responds to these frames by generating a hardware interrupt to the CPU. This interrupt gets the attention of the operating system and passes the data in the frame to the operating system for further processing.
Note: The term "broadcast address" is somewhat misleading. When the sender wants to get the attention of the operating systems of all hosts on the network, he or she uses the "broadcast address." Most network interfaces are capable of being put into a "promiscuous mode." In promiscuous mode, network interfaces generate a hardware interrupt to the CPU for every frame they encounter, not just the ones with their own address or the "broadcast address." The term "shared media" indicates to the reader that such networks broadcast all frames—the frames travel on all the physical media that make up the network.
At times, you may hear network administrators talk about networking trouble spots when they observe failures in a localized area. They will say a particular area of the Ethernet is busier than other areas of the Ethernet where there are no problems. In fact, within a single segment, all of the packets travel through all parts of the Ethernet. Interconnection devices that do not pass all the frames from one side of the device to the other form the boundaries of a segment. Bridges, switches, and routers divide segments from each other, but low-level devices that operate on one bit at a time, such as repeaters and hubs, do not divide segments from each other. If only low-level devices separate two parts of the network, both are part of a single segment, and all frames traveling in one part of the segment also travel in the other part.
The broadcast nature of shared media networks affects network performance and reliability so greatly that networking professionals use a network analyzer, or sniffer, to troubleshoot problems. A sniffer puts a network interface in promiscuous mode so that the sniffer can monitor each data packet on the network segment. In the hands of an experienced system administrator, a sniffer is an invaluable aid in determining why a network is behaving (or misbehaving) the way it is. With an analyzer, you can determine how much of the traffic is due to which network protocols, which hosts are the source of most of the traffic, and which hosts are the destination of most of the traffic. You can also examine data traveling between a particular pair of hosts, categorize it by protocol, and store it for later analysis offline. With a sufficiently powerful CPU, you can also do the analysis in real time.
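As an added example (not code from the original post), the following Python models the frame-acceptance rule described above and the per-protocol and per-host counts an analyzer produces; the MAC addresses and frames are constructed sample data.

```python
# Added example: NIC acceptance rule (own MAC / broadcast vs. promiscuous)
# plus the per-protocol and per-host tallies a sniffer reports. Sample data only.
import struct
from collections import Counter

BROADCAST = b"\xff\xff\xff\xff\xff\xff"
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}

def parse_frame(frame: bytes):
    """Split a raw Ethernet II frame into (dst, src, ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return dst, src, ethertype, frame[14:]

def nic_accepts(frame: bytes, own_mac: bytes, promiscuous: bool) -> bool:
    """A NIC normally interrupts the CPU only for frames addressed to its own
    MAC or to the broadcast address; in promiscuous mode it accepts every frame."""
    dst = parse_frame(frame)[0]
    if promiscuous:
        return True
    return dst == own_mac or dst == BROADCAST

def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)

def summarize(frames, own_mac, promiscuous):
    """Count the frames the interface actually sees, by protocol and by host."""
    by_proto, by_src, by_dst = Counter(), Counter(), Counter()
    for f in frames:
        if not nic_accepts(f, own_mac, promiscuous):
            continue
        dst, src, et, _ = parse_frame(f)
        by_proto[ETHERTYPES.get(et, f"0x{et:04x}")] += 1
        by_src[mac_str(src)] += 1
        by_dst[mac_str(dst)] += 1
    return by_proto, by_src, by_dst

def build(dst, src, ethertype, payload=b"\x00" * 46):
    return struct.pack("!6s6sH", dst, src, ethertype) + payload

# Constructed sample segment traffic: hosts A, B, C plus one broadcast ARP frame.
A, B, C = b"\x02\x00\x00\x00\x00\x0a", b"\x02\x00\x00\x00\x00\x0b", b"\x02\x00\x00\x00\x00\x0c"
SAMPLE = [build(B, A, 0x0800), build(A, B, 0x0800), build(C, A, 0x0800),
          build(BROADCAST, C, 0x0806), build(C, B, 0x86DD)]

if __name__ == "__main__":
    for mode in (False, True):
        proto, src, dst = summarize(SAMPLE, A, promiscuous=mode)
        print("promiscuous" if mode else "normal", dict(proto), dict(src))
```

In normal mode host A's interface sees only the two frames addressed to it or to the broadcast address; in promiscuous mode it sees all five, including the B-to-C traffic.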
Most commercial network sniffers are rather expensive, costing thousands of dollars. When you examine these closely, you notice that they are nothing more than a portable computer with an Ethernet card and some special software. The only item that differentiates a sniffer from an ordinary computer is software. It is also easy to download shareware and freeware sniffing software from the Internet or various bulletin board systems.
Sniffing: How It Threatens Security
Sniffing data from the network leads to the loss of privacy of several kinds of information that must remain private for a computer network to be secure. These kinds of information include the following:
- Passwords
- Financial account numbers
- Private data
- Low-level protocol information