
CHAPTER-1

INTRODUCTION
1.1 Brief Overview of Packet Sniffing: Packet sniffing is a method of tapping each packet as it flows across the network; i.e., it is a technique in which a user captures data belonging to other users of the network. Packet sniffers can operate as an administrative tool or for malicious purposes; it depends on the user's intent. Network administrators use them for monitoring and validating network traffic. Packet sniffers are basically applications: programs that read the frames passing through a network interface and decode the encapsulated Transmission Control Protocol/Internet Protocol (TCP/IP) headers and payloads. (The frames are copied from the network interface at the data link layer, and the data in them is interpreted layer by layer.) Packet sniffers are utilities that can be used effectively for network administration; at the same time, they can also be used for nefarious activities. However, a user can employ a number of techniques to detect sniffers on the network and protect data from them. The technique behind packet sniffing on shared bus broadcast LANs is explained below.

1.2 Description: Imagine this: you're sitting in your local coffee shop sucking down your morning caffeine fix before heading into the office. You catch up on your work e-mail, you check Facebook and you upload that financial report to your company's FTP server (which, like unencrypted e-mail and web traffic, sends your credentials and the file contents in the clear). Overall, it's been a constructive morning. By the time you get to work, there's a whirlwind of chaos throughout the office. That incredibly sensitive financial report you uploaded was somehow leaked to the public, and your boss is outraged by the crass and unprofessional e-mail you just sent him. Was there some hacker lurking in the shadows who broke into your company's network and decided to lay the blame on you? More than likely not. This mischievous ne'er-do-well was probably sitting in the coffee shop you stopped at and seized the opportunity. Without some form of countermeasures, your data isn't safe on public networks. This example is a worst-case scenario on the far end of the spectrum, but it isn't so far-fetched. There are people out there who are capable of stealing your data. The best defence is to know what you can lose, how it can get lost and how to defend against it. Packet sniffing, or packet analysis, is the process of capturing any data passed over the local network and looking for any information that may be useful. Most of the time, system administrators use packet sniffing to troubleshoot network problems
Packet Sniffing

(like finding out why traffic is so slow in one part of the network) or to detect intrusions or compromised workstations (like a workstation that is connected to a remote machine on port 6667 continuously when you don't use IRC clients), and that is what this type of analysis originally was designed for. But that didn't stop people from finding more creative ways to use these tools. The focus quickly moved away from its original intent, so much so that packet sniffers are now considered security tools rather than network tools. Finding out what someone on your network is doing on the Internet is not some arcane and mystifying talent anymore. Tools like Wireshark, Ettercap or NetworkMiner give anybody the ability to sniff network traffic with a little practice or training. These tools have become increasingly easy to use and continue to make captured traffic easier to comprehend, which makes them usable by a broader user base.

CHAPTER-2
LITERATURE SURVEY

2.1 Literature Review: This chapter reviews the evolution of network and Internet technologies, followed by an in-depth review of the work related to network threats and security. A network is a conduit for information; it can be as simple as two tin cans tied together with a string or as complicated as the Internet. Networks can develop at various levels: individual (social network), organizational, inter-organizational, international, etc. Castells explains that a network is constituted by the intersection of segments of autonomous systems of goals. The evolution of the Internet has been widely chronicled. Resulting from a research project that established communications among a handful of geographically distributed systems, the Internet now covers the globe as a vast collection of networks made up of millions of systems. Governments, corporations, banks, and schools conduct their day-to-day business over the Internet. With such widespread use, the data that resides on and flows across the network varies from banking and securities transactions to medical records, proprietary data, and personal correspondence. The Internet is the world's largest collection of networks; it reaches universities, government labs, commercial enterprises, and military installations in many countries.
2.1.1 OSI Model and Various Protocols: The flow of information from a software application in one computer through a network medium to a software application in another computer is described in the following section. The Open Systems Interconnection (OSI) reference model and the various protocols supporting the interconnection infrastructure are also explained here in greater detail.
Open Systems Interconnection Model: The OSI reference model is a conceptual model composed of seven layers, each specifying a particular set of network functions. The model was developed by the International Organization for Standardization (ISO) in 1984, and it is now considered the primary architectural model for inter-computer communications. The OSI model divides the tasks involved with moving information between networked computers into seven smaller, more manageable task groups. A task or group of tasks is then assigned to each of the seven OSI layers. Each layer is reasonably self-contained, so that the tasks assigned to each layer can be implemented independently. This enables the solutions offered by one layer to be updated without adversely affecting the other layers.

Layer 7 Application
Layer 6 Presentation
Layer 5 Session
Layer 4 Transport
Layer 3 Network
Layer 2 Data link
Layer 1 Physical
The seven layers of the OSI reference model can be divided into two categories: the upper layers (application, presentation and session), which deal with application issues, and the lower layers (transport, network, data link and physical), which handle data transport. The physical layer and the data link layer are implemented in hardware and software. The lowest layer, the physical layer, is closest to the physical network medium (the network cabling, for example) and is responsible for actually placing information on the medium. A packet sniffer captures complete frames at the data link layer and then decodes the headers of each higher layer in turn.
2.1.2 Internet Protocol (IP): The Internet Protocol (IP) is a network-layer (Layer 3) protocol that contains addressing information and some control information that enables packets to be routed. IP is the primary network-layer protocol in the Internet protocol suite. Along with the Transmission Control Protocol (TCP), IP represents the heart of the Internet protocols. IP has two primary responsibilities: providing
connectionless, best-effort delivery of datagrams through an
internetwork; and providing fragmentation and reassembly of datagrams
to support data links with different maximum-transmission unit (MTU)
sizes. There is no notion of a virtual circuit or phone call at the IP level:
every packet stands alone. IP is an unreliable datagram service. No
guarantees are made that packets will be delivered, delivered only once, or
delivered in any particular order. Nor is there any check for packet
correctness. The checksum in the IP header covers only the header. A
packet travelling a long distance will travel through many hops. Each hop
terminates in a host or router, which forwards the packet to the next hop
based on routing information. During these travels a packet may be
fragmented into smaller pieces if it is too long for a hop. A router may
drop packets if it is too congested. Packets may arrive out of order, or
even duplicated, at the far end. There is usually no notice of these actions:
higher protocol layers (i.e., TCP) are supposed to deal with these problems
and provide a reliable circuit to the application.
2.1.3 Transmission Control Protocol (TCP): TCP provides reliable transmission of data in an IP environment. TCP corresponds to the transport layer (Layer 4) of the OSI reference model. Among the services TCP provides are stream data transfer, reliability, efficient flow control, full-duplex operation, and multiplexing. With stream data transfer, TCP delivers an unstructured stream of bytes identified by sequence numbers. This service benefits applications because they do not have to chop data into blocks before handing it off to TCP. Instead, TCP groups bytes into segments and passes them to IP for delivery. Note that TCP offers reliability, not confidentiality: a sniffer that reassembles the segments of a connection recovers the application's byte stream exactly as the receiver does.
2.1.4 Address Resolution Protocol (ARP): IP packets are usually sent over Ethernet. Ethernet devices do not understand 32-bit IP addresses: they transmit Ethernet frames with 48-bit Ethernet (MAC) addresses.
Therefore, an IP driver must translate an IP destination address into an
Ethernet destination address. The Address Resolution Protocol (ARP) is
used to determine these mappings. ARP works by sending out an Ethernet
broadcast packet containing the desired IP address. The destination host,
or another system acting on its behalf, replies with a packet containing the
IP and Ethernet address pair. This is cached by the sender to reduce
unnecessary ARP traffic.
2.1.5 Internet Control Message Protocol (ICMP): The Internet Control Message Protocol is the low-level error-reporting and diagnostic companion of IP; its messages influence the behaviour of TCP and UDP connections. It can be used to inform hosts of a better route to a destination, to report trouble with a route, or to abort a connection attempt because of network problems. It also supports the single most important low-level monitoring tool for system and network administrators: the ping program. Many ICMP messages received on a given host are specific to a particular connection or are triggered by a packet sent by that machine. In such cases, the IP header and the first 64 bits of the transport header of the offending packet are included in the ICMP message. The intent is to limit the scope of any changes dictated by ICMP: a Redirect message or a Destination Unreachable message should therefore be connection-specific. These protocols evolved out of many draft proposals (Request for Comments (RFC) documents) and have existed in networks for many years. Apart from being the basis of Internet communication, these protocols exhibit certain weaknesses (none of them authenticates the sender of a packet, and ARP and ICMP in particular act on unsolicited messages) which have given rise to hacking attacks. Network security in general, and these protocol vulnerabilities in particular, leading to a number of attacks, are discussed in the following sections of this chapter. Subsequent chapters give more detailed attack information based on exploits and vulnerabilities.


2.2 Problem Formulation: Every network security implementation is based on some model, which could be either specified or assumed. Based on the literature survey it is apparent that a perimeter security model based on firewalls and IDS is mostly in use, and it is reactive in nature. A reactive approach, with the risks mentioned above, lacks robustness and provides a false sense of security. With tremendous complexity and ease of hacking looming around, the challenge is to build security into the network itself, leading to a self-healing and self-defending network infrastructure. To achieve this, security has to be proactive, i.e. it should be part of the switching fabric that carries all the traffic, benign and malicious. There is a compelling need to combine reactive and proactive security measures in order to have an integrated approach to security across the information value chain. Keeping this in view, it is proposed to design and develop a Proactive Network Surveillance Framework. The proposed framework aims to give the network a learning view of attacks, and thus the ability to react intelligently. The proactive network security framework will be based on a military doctrine, defence in depth (sometimes also called elastic defence), which addresses major shortcomings of existing security systems. Defence in depth seeks to delay rather than prevent the advance of an attacker, buying time by yielding space. The idea of defence in depth is now widely used to describe non-military strategies like network security. Successive layers of defence may use different technologies or tactics. The inner layers of defence can support the outer layers, and an attacker must breach each line of defence in turn. This gives an engineering solution which emphasizes redundancy: a system that keeps working even when a single component fails, e.g. an aircraft with four engines will be less likely to suffer total engine failure than a single-engine aircraft, no matter how much effort goes into making the single engine reliable. Different security vectors within the network help to prevent a shortfall in any one defence from leading to total system failure. Subsequent chapters will elaborate upon framework design, implementation, deployment and testing.

2.3 Need of Packet Sniffing: Most of the Internet runs in plain text, which means that most of the information you look at is viewable by someone with a packet sniffer. This information ranges from the benign to the sensitive. You should take note that all of this data is exposed only over an unencrypted connection, so if the site you are using has some form of encryption like SSL/TLS (HTTPS), your data is far less vulnerable: a sniffer still sees which hosts talk to each other and how much, but not the content.
The most devastating data, and the stuff most people are concerned with, is user credentials. Over an unencrypted connection your user name and password for any given site are passed in the clear for anyone to gather. This can be especially crippling if you use the same password for all your accounts on-line. It doesn't matter how secure your bank's Web site is if you use the same password for that account and for your Twitter account. Further, if you type your credit-card information into an insecure Web page, it is just as vulnerable, although there aren't many (if any) sites that continue this practice, for that exact reason.

CHAPTER-3
OPERATING PRINCIPLES

3.1 Working of Packet Sniffing: Now you know that these tools are out there, but how exactly do they work? First, packet sniffing is a passive technique. No one is actually attacking your computer and delving through all those files that you don't want anyone to access. It's a lot like eavesdropping: my computer is just listening in on the conversation that your computer is having with the gateway. Typically, when people think of network traffic, they think that it goes directly from their computers to the router or switch and up to the gateway and then out to the Internet, where it is routed similarly until it gets to the specified destination. This is mostly true except for one fundamental detail. Your computer isn't handing the data point-to-point to anyone. It puts the data into frames that carry the destination address in the header and places them on a shared medium. On a shared medium (a hub, or an open wireless network), every node receives every frame, determines whether it is the intended recipient and then either accepts the frame or ignores it; a network interface in promiscuous mode simply stops ignoring. (A switch changes this picture, as section 3.1.2 explains.)
For example, let's say you're loading the Web page http://example.com on your computer "PC". Your computer sends the request by basically shouting "Hey! Somebody get me http://example.com!", which most nodes simply will ignore. Your switch will pass it on to where it eventually will be received by example.com, which will pass back its index page to the router, which then shouts "Hey! I have http://example.com for PC!", which again will be ignored by everyone except you. If others were on your hub or segment with a packet sniffer, they'd receive all that traffic and be able to look at it. Picture it like having a conversation in a bar. You can have a conversation with someone about anything, but other people are around who potentially can eavesdrop on that conversation, and although you thought the conversation was private, eavesdroppers can make use of that information in any way they see fit.
Most packet sniffers are built on the pcap capture library (libpcap on Unix-like systems, Npcap or the older WinPcap on Windows). The normal flow in a pcap application is to open a network interface (usually in promiscuous mode), then set a capture filter (a BPF expression such as "tcp port 80") that decides in the kernel which packets are accepted and which are rejected, then loop over the accepted packets, decoding each one layer by layer (Ethernet, IP, TCP or UDP, then the application protocol) and logging or saving it, until the interface is closed.
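The capture, filter and decode flow just described, as an added example (this is not code from the original report). Rather than opening a live interface with pcap, it builds a small pcap file from constructed frames (the client "PC" at a hypothetical 192.168.1.10 posting a login form to a server at 203.0.113.5, plus a DNS query and a TLS fragment), reads it back using the record format libpcap writes, applies the userland equivalent of the filter "tcp port 80", decodes the Ethernet, IPv4 and TCP headers, and pulls the cleartext user name and password out of the HTTP POST body. It also verifies the IPv4 header checksum, which shows the point made in section 2.1.2: the checksum covers the header only, so a modified payload still verifies.

```python
import struct
from urllib.parse import parse_qs

# Constructed sample traffic: hypothetical addresses, not a real capture.
MAC_PC, MAC_GW = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
IP_PC, IP_SRV = bytes([192, 168, 1, 10]), bytes([203, 0, 113, 5])

def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum. IP computes it over the header only,
    so a header that includes its own (correct) checksum field sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_frame(src_mac, dst_mac, src_ip, dst_ip, proto, l4: bytes) -> bytes:
    eth = dst_mac + src_mac + b"\x08\x00"                      # EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, 0x4000,
                     64, proto, 0, src_ip, dst_ip)              # checksum = 0 first
    return eth + ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:] + l4

def tcp_segment(sport, dport, payload: bytes) -> bytes:
    # seq/ack numbers and the TCP checksum are dummies; the decoder ignores them
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18,
                       65535, 0, 0) + payload

def udp_datagram(sport, dport, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

LOGIN_POST = (b"POST /login HTTP/1.1\r\nHost: example.com\r\n"
              b"Content-Type: application/x-www-form-urlencoded\r\n"
              b"Content-Length: 33\r\n\r\nusername=alice&password=hunter2!!")
FRAMES = [  # a cleartext login, a DNS query and a TLS record fragment
    ipv4_frame(MAC_PC, MAC_GW, IP_PC, IP_SRV, 6, tcp_segment(49152, 80, LOGIN_POST)),
    ipv4_frame(MAC_PC, MAC_GW, IP_PC, IP_SRV, 17, udp_datagram(53001, 53, b"\x12\x34\x01\x00")),
    ipv4_frame(MAC_PC, MAC_GW, IP_PC, IP_SRV, 6, tcp_segment(49153, 443, b"\x16\x03\x01\x00\x05")),
]

def pcap_bytes(frames, link_type=1) -> bytes:
    """Classic little-endian pcap: 24-byte global header, 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, link_type)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out

SAMPLE_PCAP = pcap_bytes(FRAMES)

# ---- the sniffer side: read, filter, decode, extract -------------------------
def read_pcap(data: bytes):
    if struct.unpack_from("<I", data)[0] != 0xA1B2C3D4:
        raise ValueError("expected a little-endian classic pcap")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from("<IIII", data, off)[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def decode(frame: bytes):
    """Ethernet -> IPv4 -> TCP/UDP; returns None for anything else."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4
    ip, l4 = frame[14:14 + ihl], frame[14 + ihl:]
    pkt = {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
           "proto": ip[9], "ip_header_ok": ip_checksum(ip) == 0, "payload": b""}
    pkt["sport"], pkt["dport"] = struct.unpack_from("!HH", l4)
    if pkt["proto"] == 6:                       # TCP: data offset is in header byte 12
        pkt["payload"] = l4[(l4[12] >> 4) * 4:]
    elif pkt["proto"] == 17:                    # UDP: fixed 8-byte header
        pkt["payload"] = l4[8:]
    return pkt

def capture_filter(pkt, proto=6, port=80) -> bool:
    """Userland equivalent of the BPF expression 'tcp port 80'."""
    return pkt["proto"] == proto and port in (pkt["sport"], pkt["dport"])

def extract_form_credentials(payload: bytes):
    """Pull username/password out of a cleartext HTTP form POST, if present."""
    if not payload.startswith(b"POST "):
        return None
    body = payload.partition(b"\r\n\r\n")[2]
    fields = parse_qs(body.decode("ascii", "replace"))
    user, pw = fields.get("username"), fields.get("password")
    return (user[0], pw[0]) if user and pw else None

def sniff(data: bytes):
    """Run the read -> filter -> decode pipeline; return credentials seen."""
    found = []
    for frame in read_pcap(data):
        pkt = decode(frame)
        if pkt and capture_filter(pkt):
            creds = extract_form_credentials(pkt["payload"])
            if creds:
                found.append((pkt["src"], pkt["dst"], creds))
    return found

if __name__ == "__main__":
    for src, dst, (user, pw) in sniff(SAMPLE_PCAP):
        print(f"{src} -> {dst}  username={user}  password={pw}")
```

Run it and it prints the credentials recovered from the sample capture. A real sniffer replaces read_pcap with a live pcap capture loop (or scapy's sniff()), but the filtering and decoding are the same, and the same code reads a classic little-endian .pcap saved by tcpdump or Wireshark. The filter is applied after decoding here for clarity; with libpcap the BPF filter runs in the kernel, which is why setting it early matters for performance.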

3.1.1 Shared Ethernet: In a shared Ethernet environment, all hosts are connected to the same bus and compete with one another for bandwidth. In such an environment packets meant for one machine are received by all the other machines. Thus, any machine in such an environment placed in promiscuous mode will be able to capture packets meant for other machines and can therefore listen to all the traffic on the network.

3.1.2 Switched Ethernet: An Ethernet environment in which the hosts are connected to a switch instead of a hub is called a switched Ethernet. The switch maintains a table (the MAC address table, or CAM table) keeping track of each computer's MAC address and the port on which it was last seen, and delivers frames destined for a particular machine only to that port. The switch is an intelligent device that sends frames to the destined computer only and does not broadcast to all the machines on the network, as in the previous case; only broadcasts and frames for addresses it has not yet learned are flooded to every port. This switched Ethernet environment was intended for better network performance, but as an added benefit, a machine in promiscuous mode alone will not see other hosts' unicast traffic here. As a result of this, most network administrators assume that sniffers don't work in a switched environment; Chapter 5 shows that this assumption is wrong.

Fig 3.1: A Capture of a Packet of Someone Trying to Log In to a Web Site

CHAPTER-4
A PACKET SNIFFER STRUCTURE

4.1 Components of a Packet Sniffer:
1. Hardware: standard network adapters; the adapter must support promiscuous mode so that frames addressed to other stations are passed up instead of discarded.
2. Capture Filter: This is the most important part. It captures the network traffic from the wire, filters it for the particular traffic you want, and then stores the data in a buffer.
3. Buffers: used to store the frames captured by the Capture Filter.
4. Real-time analyzer: a module in the packet sniffer program used for traffic analysis and to sift the traffic for intrusion detection.
5. Decoder: the protocol analysis module, which interprets the captured bytes as Ethernet, IP, TCP/UDP and application-layer protocol fields.
6. Packet editing/Transmission: some products contain features that allow you to edit your own network packets and transmit them onto the network.

4.2 Packet Sniffer Tools: Some commonly used tools for packet sniffing (several of them, such as Kismet, NetStumbler and KisMAC, are specifically wireless sniffers and scanners) are:
Wireshark, Kismet, Tcpdump, Cain and Abel, Ettercap, Dsniff,
NetStumbler, Ntop, Ngrep, EtherApe, KisMAC, Hunt.

CHAPTER-5
TYPES OF SNIFFING

5.1 Sniffing methods: Sniffing can be classified in two ways: by the environment the attacker is in (passive sniffing on a non-switched network, active sniffing on a switched network) and by the mechanism used to obtain the traffic (IP-based, MAC-based and ARP-based sniffing). Some methods work in non-switched networks while others work in switched networks.
Passive sniffing: sniffing through a hub. It is called passive because the attacker transmits nothing, which also makes it difficult to detect. The attacker simply connects a laptop to the hub and starts sniffing.
Active sniffing: sniffing through a switch. Here the switch does not deliver other hosts' unicast traffic to the attacker's port, so the attacker must inject traffic to redirect it. That makes it harder to carry out, and the injected traffic means it can be detected.

Techniques for active sniffing:
5.1.1 ARP (Address Resolution Protocol) spoofing: When a legitimate user initiates a session with another user in the same Layer 2 broadcast domain, an Address Resolution Protocol (ARP) request is broadcast containing the recipient's IP address, and the sender waits for the recipient to respond with its MAC address. A malicious user eavesdropping on this unprotected Layer 2 broadcast domain can respond to the broadcast ARP request and reply to the sender with the attacker's own MAC address in place of the intended recipient's. ARP carries no authentication and hosts accept whichever reply arrives, so the sender's ARP cache now maps the recipient's IP address to the attacker.
5.1.2 MAC flooding: MAC flooding involves flooding the switch with numerous frames, each carrying a different forged source MAC address. Switches have a limited memory for mapping MAC addresses to the physical ports on the switch. MAC flooding makes use of this limitation to bombard the switch with fake MAC addresses until the table is full and legitimate entries are pushed out. The switch then acts like a hub, flooding frames for addresses it no longer knows to all the machines on the network. After this, sniffing can be easily performed. Port security (limiting the number of MAC addresses learned on an access port) is the usual countermeasure.
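A toy model of that mechanism, as an added example (not code from the original report): a learning switch with a bounded MAC address table that replaces its oldest entry when full, an attacker on port 3 spraying forged source addresses, and the same attack run against a switch with a port-security limit of one learned address per port. The table capacity, port numbers and addresses are made up for the simulation.

```python
from collections import OrderedDict

BROADCAST = "ff:ff:ff:ff:ff:ff"

class Switch:
    """Toy learning switch: a bounded MAC table (MAC -> port) that replaces its
    oldest entry when full, plus optional port security (max MACs per port)."""

    def __init__(self, ports, cam_capacity, max_macs_per_port=None):
        self.ports = list(ports)
        self.capacity = cam_capacity
        self.max_per_port = max_macs_per_port
        self.cam = OrderedDict()          # insertion order doubles as entry age
        self.err_disabled = set()         # ports shut down by port security
        self.flood_count = 0

    def _learn(self, mac, port) -> bool:
        if mac in self.cam:
            self.cam.move_to_end(mac)     # refresh, like resetting the aging timer
            return True
        if self.max_per_port is not None:
            learned_here = sum(1 for p in self.cam.values() if p == port)
            if learned_here >= self.max_per_port:
                self.err_disabled.add(port)   # violation: shut the port
                return False
        if len(self.cam) >= self.capacity:
            self.cam.popitem(last=False)      # table full: drop the oldest binding
        self.cam[mac] = port
        return True

    def forward(self, in_port, src_mac, dst_mac):
        """Returns the list of egress ports the frame is sent out of."""
        if in_port in self.err_disabled or not self._learn(src_mac, in_port):
            return []
        out_port = self.cam.get(dst_mac)
        if dst_mac == BROADCAST or out_port is None:
            self.flood_count += 1             # unknown unicast or broadcast: flood
            return [p for p in self.ports if p != in_port]
        return [out_port]

ALICE, BOB = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"   # hypothetical hosts
ATTACKER_PORT = 3

def fake_mac(i: int) -> str:
    """Deterministic forged source address (flooding tools use random ones)."""
    return "02:00:de:ad:%02x:%02x" % (i >> 8, i & 0xFF)

def run_mac_flood(port_security: bool, cam_capacity=64, spray=200):
    """Alice (port 1) and Bob (port 2) talk; the attacker on port 3 sprays
    forged sources; returns where Alice's next frame to Bob is delivered."""
    sw = Switch(ports=[1, 2, 3, 4], cam_capacity=cam_capacity,
                max_macs_per_port=1 if port_security else None)
    sw.forward(1, ALICE, BOB)
    sw.forward(2, BOB, ALICE)
    for i in range(spray):
        sw.forward(ATTACKER_PORT, fake_mac(i), fake_mac(i + 1))
    return sw.forward(1, ALICE, BOB), sw

if __name__ == "__main__":
    for protected in (False, True):
        egress, sw = run_mac_flood(protected)
        print("port security" if protected else "no port security",
              "-> Alice's frame to Bob leaves on ports", egress,
              "| err-disabled:", sorted(sw.err_disabled))
```

Without port security the spray evicts Bob's entry, so Alice's next frame is flooded to every port, including the attacker's. With the limit in place the second forged address on port 3 trips the violation, the port is shut, and Bob's entry survives. Real switches age entries out on a timer rather than purely by replacement, which is why flooding tools keep spraying for as long as the sniffing session lasts.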
5.1.3 IP-based sniffing: This is the original way of packet sniffing. It works by putting the network card into promiscuous mode and sniffing all packets matching the IP address filter. Normally, the IP address filter isn't set, so it can capture all the packets. This method only works in non-switched networks.

5.1.4 MAC-based sniffing: This method works by putting the network card into promiscuous mode and sniffing all packets matching the MAC address filter.
5.1.5 ARP-based sniffing: This method works a little differently. It doesn't put the network card into promiscuous mode. This isn't necessary because the packets will be sent to us. This happens because the ARP protocol is stateless: a host accepts an ARP reply it never asked for and updates its cache. Because of this, sniffing can be done on a switched network. To perform this kind of sniffing, you first have to poison the ARP caches of the two hosts that you want to sniff, identifying yourself as the other host in the connection. Once the ARP caches are poisoned, the two hosts start their connection, but instead of sending the traffic directly to the other host it gets sent to us. We then log the traffic and forward it to the real intended host on the other side of the connection (IP forwarding has to be enabled on the sniffing host, or the connection simply breaks). This is called a man-in-the-middle attack. See Fig 5.1 for a general idea of the way it works.

Fig 5.1: ARP sniffing method
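The two halves of that attack and of its detection, as an added example that is not part of the original report: building the pair of spoofed "is-at" replies an ARP poisoner sends (one to the victim claiming the gateway's IP address, one to the gateway claiming the victim's), and a passive monitor of the kind arpwatch implements, which watches the same frames and raises an alert when a reply arrives that nobody asked for, or when an IP address changes its MAC address. All addresses are made up.

```python
import struct

def mac_bytes(m: str) -> bytes:
    return bytes.fromhex(m.replace(":", ""))

def ip_bytes(a: str) -> bytes:
    return bytes(int(x) for x in a.split("."))

def mac_str(b: bytes) -> str:
    return ":".join("%02x" % x for x in b)

def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)

ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa

def arp_frame(oper, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Ethernet + ARP. oper 1 = request (broadcast), 2 = reply (unicast)."""
    eth_dst = "ff:ff:ff:ff:ff:ff" if oper == 1 else target_mac
    eth = mac_bytes(eth_dst) + mac_bytes(sender_mac) + b"\x08\x06"
    return eth + struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                             mac_bytes(sender_mac), ip_bytes(sender_ip),
                             mac_bytes(target_mac), ip_bytes(target_ip))

def parse_arp(frame: bytes):
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])[4:]
    return {"oper": oper, "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}

VICTIM_IP, VICTIM_MAC = "192.168.1.10", "aa:aa:aa:aa:aa:10"   # made-up addresses
GW_IP, GW_MAC = "192.168.1.1", "aa:aa:aa:aa:aa:01"
ATTACKER_MAC = "02:00:00:00:00:bb"

def spoofed_replies():
    """What an ARP poisoner sends to sit between victim and gateway: the
    victim is told GW_IP is-at ATTACKER_MAC, the gateway that VICTIM_IP is."""
    return [arp_frame(2, ATTACKER_MAC, GW_IP, VICTIM_MAC, VICTIM_IP),
            arp_frame(2, ATTACKER_MAC, VICTIM_IP, GW_MAC, GW_IP)]

class ArpMonitor:
    """Passive ARP watcher: keeps the IP -> MAC bindings seen on the wire and
    the set of IPs someone has asked about; flags unsolicited replies and
    bindings that change (the two signatures of cache poisoning)."""

    def __init__(self):
        self.bindings = {}
        self.outstanding = set()
        self.alerts = []

    def observe(self, frame: bytes):
        a = parse_arp(frame)
        if a is None:
            return
        if a["oper"] == 1:
            self.outstanding.add(a["tpa"])            # someone asked who-has tpa
        elif a["oper"] == 2:
            if a["spa"] in self.outstanding:
                self.outstanding.discard(a["spa"])
            else:
                self.alerts.append(("unsolicited reply", a["spa"], a["sha"]))
        self._bind(a["spa"], a["sha"])                # both kinds carry the sender pair

    def _bind(self, ip, mac):
        old = self.bindings.get(ip)
        if old is not None and old != mac:
            self.alerts.append(("binding changed", ip, old, mac))
        self.bindings[ip] = mac

def run_scenario() -> ArpMonitor:
    """Legitimate request/reply first, then the poisoning; returns the monitor."""
    wire = [arp_frame(1, VICTIM_MAC, VICTIM_IP, "00:00:00:00:00:00", GW_IP),
            arp_frame(2, GW_MAC, GW_IP, VICTIM_MAC, VICTIM_IP)] + spoofed_replies()
    mon = ArpMonitor()
    for frame in wire:
        mon.observe(frame)
    return mon

if __name__ == "__main__":
    mon = run_scenario()
    for alert in mon.alerts:
        print("ALERT", *alert)
    print("gateway now resolves to", mon.bindings[GW_IP])
```

The monitor's own table ends up poisoned just like the victim's cache would, which is the point: the defence is not to trust ARP but to notice it changing. The "unsolicited reply" signal misses the race variant of section 5.1.1, where the attacker answers a real request faster than the real host; the "binding changed" signal still catches it as soon as the second answer arrives, so both checks are needed. Static ARP entries or dynamic ARP inspection on the switch are the preventive counterparts.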

CHAPTER-6
ADVANTAGES & DISADVANTAGES
OF PACKET SNIFFING


6.1 Advantages: Sniffing programs are found in two forms:
1) Commercial packet sniffers are used to help maintain networks.
2) Underground packet sniffers are used by attackers to gain unauthorized access to remote hosts.
A sniffing program is used for: searching for clear-text usernames and passwords on the network; conversion of network traffic into human-readable form; network analysis to find bottlenecks; and network intrusion detection to monitor for attackers. Using a sniffer in an illegitimate way is considered a passive attack. It does not directly interface or connect to any other systems on the network. However, the computer that the sniffer is installed on could have been compromised using an active attack. The passive nature of sniffers is what makes detecting them so difficult. The following list describes a few reasons why sniffers are used on the network, by intruders and administrators alike: network monitoring; analysing the bandwidth used; determining whether hackers are trying to gain access; learning the IP addresses of the different systems connected to your system; and analysing the traffic flowing through the network. A packet sniffer located at one of the servers of your ISP would potentially be able to monitor all of your online activities, such as:
Which website you visit
What you look at on the site
Whom you send e-mail to
What you download from a site
What streaming events you use, such as audio, video and internet telephony.
From this information, employers can determine how much time a worker is spending online and whether that worker is viewing inappropriate materials.

6.2 Disadvantages: A packet sniffer is not just a hacker's tool. It can be used for network troubleshooting and other useful purposes. However, in the wrong hands, a packet sniffer can capture sensitive personal information that can lead to invasion of privacy, identity theft, and other serious eventualities.
The single most destructive disadvantage of packet sniffing is this: configuring your network device to read all network packets that arrive means that every frame on the segment, including ones an intruder crafted or that carry Trojan horses, is fed to the sniffer's protocol decoder. A flaw in that decoder can then open doors for intruders to the capturing host itself and to your confidential data and network files, so a sniffer should run with the least privilege it needs and its decoders should be kept up to date.
