What is Sniffing and Types of Sniffing

In this article, let us discuss the basic aspects of sniffing and its types. Sniffing is considered a major threat to network security. It is a generic attack that intercepts network traffic between two hosts.

In other words, sniffing may be defined as a method of capturing or monitoring data packets traveling through a computer network. Generally, sniffing is done between two hosts that are exchanging data. Packet sniffers sit between them and monitor every packet traveling through the network. The captured packets are analyzed to extract sensitive data such as usernames, passwords, email details, IP addresses, hardware addresses, routing information, etc.

Sniffing can be performed by network administrators to isolate and troubleshoot problems on the network. It can also be done by someone with malicious intent to eavesdrop on network communication and capture sensitive data such as usernames, passwords, the types of websites the victim browses frequently and other valuable information.

The network protocols that are more vulnerable to sniffing are:

  • HTTP
  • SMTP
  • FTP
  • POP
  • IMAP
  • Telnet

Sniffers use special tools or software to capture the packets flowing between two nodes. These are called sniffing tools, and the most popular are Wireshark, Kajak, Ettercap, Aircrack-ng, netsniff-ng, etc.

Types of Sniffing:

There are two major types of sniffing:

  • Passive sniffing
  • Active sniffing

Passive Sniffing:

A passive sniffing attack usually occurs in a network where Ethernet hubs are used as the network device. A hub works at the physical layer of the OSI model and contains a single broadcast domain. It works by broadcasting every packet it receives as input to all other ports. The recipient responds to the broadcast packet if the destination IP address matches.

Since a hub broadcasts the message to all ports, passive sniffers can use any of these ports to intercept the broadcast message. The intercepted messages are analysed to get valuable information.

Passive sniffing is more dangerous because it is very difficult to trace such an attack.

However, hubs are not in use nowadays. They have mostly been replaced by Ethernet switches. Hence, passive sniffing may be considered obsolete.

Active Sniffing:

An active sniffing attack is possible in a network where Ethernet switches are used in place of hubs. A switch works at Layer 2 of the OSI model. Unlike a hub, a switch forwards data packets on the basis of the MAC address, which means it performs point-to-point communication between the two nodes. A packet is forwarded only to the port that has the destination MAC address.

The MAC address is a hardware address burned into the NIC when it is manufactured. Hence each NIC has its own unique MAC address.
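
The difference between hub and switch forwarding described above, as an added example that is not part of the original article: a small Python model showing which frames reach a port that takes no part in the conversation. The port numbers and MAC addresses are constructed sample values, and the names `Hub`, `Switch` and `frames_seen_by` are hypothetical.

```python
# Added illustration: models how a hub and a learning switch forward frames.
# Port numbers and MAC addresses below are constructed sample values.
BROADCAST = "ff:ff:ff:ff:ff:ff"

class Hub:
    """Layer 1 repeater: every frame is copied to every port except the ingress port."""
    def __init__(self, ports):
        self.ports = set(ports)

    def forward(self, in_port, src_mac, dst_mac):
        return sorted(self.ports - {in_port})

class Switch:
    """Layer 2 learning switch: forwards on destination MAC once it is learned."""
    def __init__(self, ports):
        self.ports = set(ports)
        self.mac_table = {}  # MAC address -> port it was last seen on

    def forward(self, in_port, src_mac, dst_mac):
        self.mac_table[src_mac] = in_port  # learn which port the sender is on
        out_port = self.mac_table.get(dst_mac)
        if dst_mac == BROADCAST or out_port is None:
            # Broadcast or not-yet-learned destination: flood like a hub.
            return sorted(self.ports - {in_port})
        if out_port == in_port:
            return []  # destination is on the ingress port; nothing to forward
        return [out_port]

def frames_seen_by(device, monitor_port, frames):
    """Return the indexes of the frames that are delivered to monitor_port."""
    return [i for i, (in_port, src, dst) in enumerate(frames)
            if monitor_port in device.forward(in_port, src, dst)]

# Constructed conversation: host A is on port 1 and host B is on port 2.
# Port 3 belongs to a third host that takes no part in the exchange.
A, B = "02:00:00:00:00:0a", "02:00:00:00:00:0b"
FRAMES = [
    (1, A, BROADCAST),  # 0: A sends an ARP request for B
    (2, B, A),          # 1: B replies to A
    (1, A, B),          # 2: A sends data to B
    (2, B, A),          # 3: B sends data to A
]

if __name__ == "__main__":
    print("hub,    port 3 sees frames:", frames_seen_by(Hub([1, 2, 3]), 3, FRAMES))
    print("switch, port 3 sees frames:", frames_seen_by(Switch([1, 2, 3]), 3, FRAMES))
```

On the hub, port 3 receives every frame of the exchange. On the switch it receives only the initial broadcast, which is why the unicast traffic between A and B is not visible to a purely passive listener there.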

On a switched network, sniffing is possible by injecting IP traffic into the network in order to capture the IP packets transmitted between the nodes.

Otherwise, the NIC has to be set to promiscuous mode. In this mode, the NIC can capture all traffic flowing in and out of the network. In many cases, a network administrator sets one of the NIC adapters to promiscuous mode in order to capture and monitor unwanted and suspicious traffic.

Some of the Active sniffing techniques are:

  • ARP poisoning
  • MAC flooding
  • DHCP attack
  • DNS poisoning
