Series Sniffing – Part 1: Overview of Sniffing

Tram Ho

Hi, next to the basic articles, I will try to focus on the series of articles on the basics of hacking so that people can grasp and understand from the simplest things. That's why we chose Sniffing as the first topic to write. The whole series of this article is shared by a student who is studying about ATTT at KMA, I will put this Facebook link at the end of the article for everyone to follow.


  1. Definition of sniffing

  2. Sniffing concept

Sniffing is a program that listens on networks to transmit data. Sniffing allows individuals to capture data as it travels over the network. This technique is used by network experts to diagnose network problems and by users with malicious intent to collect unencrypted data, such as passwords and usernames. If this information is recorded in the process, the user can access the system or network.

Sniffer started out as a product of Network Associates called Sniffier Analyzer.

The data that Sniffing captures are those in binary form. Therefore, to eavesdrop on and understand the data in this binary format, Sniffing programs must have features known as Protocol Analysis, as well as Decode. The data is in binary form and in a different form to understand them.

The Sniffing object is:

  • Password (from Email, Web, SMB, FTP, SQL or Telnet)

  • Credit card information

  • Text of Email

  • Mobile files on the network (Email, FTP or SMB files)

  1. Uses

Sniffing is often used for two different purposes.

  • Positive:
  • Convert data on the line so that the administrator can read and understand the meaning of those data.

  • By looking at system traffic, it is possible for an administrator to analyze the error being made on the network traffic system.

  • Some advanced sniffing features automatic detection and alerting of attacks being made to the network it is operating on. (Intrusion Detecte Service)

  • Record information about data packets, transmissions … Help administrators can review information about data packets, transmissions after incidents … For analytical work, troubleshoot network problems.

  • Negative:
  • Wiretapping online to get important information.
  1. Protocols can use Sniffing
  • Telnet and Rlogin: records information such as passwords, usernames

  • HTTP (HyperText Transfer Protocol): The data sent is not encrypted

  • SMTP, NNTP, POP, FTP, IMAP: Password and data sent without encryption.

  1. How Sniffing works

Ethernet technology is built on a shared principle. According to this concept, all computers on the local network can share the network connection of that network. In other words, all computers are able to see the data traffic transmitted by that network. Thus Ethernet hardware is built with the ability to filter and ignore all data that is not in line with it.

It does this in principle ignoring all frames that have an invalid MAC address for it. When Sniffing is turned off this filter and use the mode mixed (Promiscuous Mode). It can see all the traffic from machine B to machine C, or any information flow between any machine on the network. As long as they are on the same network.

In the Hub environment: A packet frame when transferred from machine A to machine B, at the same time it sends to all other computers connecting to the Hub according to the broadcast mechanism. Other devices that receive this packet will compare the request for the MAC address of the packet frame with the destination address. If they are duplicated, they will receive them, otherwise they will pass. Because the packet from A is sent to B, when comparing, only B is the same as the destination address, so only B will receive it.

Based on that principle, the machine is installed eavesdropping program will "automatically" receive any packets that are circulated in the network through the Hub, even if the destination destination packet is not it, by the sniffer switch card The network is in promiscuous mode. Promiscuous mode is a special mode. When the network card is put under this mode, it can receive all packets without being bound to check the destination address.

In the Switch environment: Unlike the Hub, the Switch only transmits packets to the specified port addresses in the switchboard, so eavesdropping on a "self-confessed" type like the Hub doesn't work. However, an attacker can use other mechanisms to attack in a switch environment such as ARP spoofing, MAC spoofing, MAC duplicating, DNS spoofing, etc.

  1. Classification Sniffing:

    1. Active

Mainly operating in environments where there are packet switches, nowadays the most common types of switches are Switch. The attacker performed sniffing based on ARP and RARP mechanisms (two mechanisms convert from IP to MAC and from MAC to IP) by transmitting poison packets, which in particular is transmitting packets inform the sender as "I am the recipient", not the "recipient". In addition, the sniffer can also use the method of spoofing the MAC address, changing its MAC to a valid machine's MAC and through the device's MAC filtering function, thereby forcing data to flow through the network card. mine. However, because the packet has to be sent, it takes up bandwidth. If you sniffing too many machines in the network, the amount of outgoing packets will be very large (due to constant sending of fake packets), which can lead to network congestion.

    1. Passive:

Mainly operating in an environment where there are no packet switches, the most common type of network is Hub. Because there are no packet switches, the packets are broadcast in the network. Therefore, the implementation of sniffing is quite simple. The attacker doesn't need to send out any spoof packets, just catch the packets from the Port (even though the host receiving the packet is not the destination of that packet). This form of sniffing is difficult to detect because the machines broadcast the packets themselves. Today this form is rarely used because the Hub is no longer popular, instead of Switch.

  1. Forms of attack

Sniffing is a form of eavesdropping on online information to more effectively exploit network resources and track illegal information. However, later hackers use sniffing to get sensitive information, so it can also be considered as a form of hacking. There are many methods to perform sniffing, whether active or passive. The report will detail 6 sniffing attacks:

  • Listen for information through the Hub

  • MAC attack

  • DHCP attack

  • Block information using ARP- Poisoning

  • Block information using DNS- Spoofing

  • VLAN Hopping

Through part 1 of this article, hopefully everyone has the most overview of the Sniffing attack method, in the later sections of this article, I will explain it more clearly for everyone to have a closer look at Sniffing. .

As mentioned above, I leave the Facebook link of the author of this series, everyone can make friends with each other:

Author: Hoang Son Ha

Wish you all good study ❤️

Source of the article:

Share the news now

Source : Viblo