SNIFFING ON A NETWORK THAT YOU DO NOT CONTROL IS ILLEGAL. IT IS ENTIRELY YOUR OWN RESPONSIBILITY IF YOU ACT AGAINST THE LAW.
We take no responsibility for these actions.
Network Associates once introduced a tool for monitoring the traffic on a network, the aim being to analyze the data travelling over the web and to understand the dangerous side of the internet.
After that, other developers wrote various tools and attacks for this area:
sniffing.
To understand a sniffer we should first look at standard Ethernet 802.3, on
which all transmitted data can be monitored.
The mechanism is based on a cable, or bus, over which the data is
transported. Every terminal connects to this bus.
When machine A sends data to machine B, the data travels over the bus. Every
machine connected to the bus can "see" the data, but only the interested
machine (B) accepts it.
A normal network card receives only the packets addressed to it and ignores the
rest, but every network card has another mode built in, called promiscuous mode.
In this mode the network card receives all data transported through the
network, including data addressed to other machines, so anything running
through the network can easily be read. A sniffer uses this mode to record
all the traffic transported from one machine to another on the same network.
An operation on a network (an error-control check, for example) is not a
single isolated operation but is integrated with other operations, so a
standard was created that splits these operations into seven levels: the
ISO/OSI model.
For example, a developer writing a mail client works on the SMTP and POP3
protocols (level 7) and does not have to think about the rest of the work
started by that network operation.
However, as a packet passes through the levels, each level adds its own
header carrying the information of the level where the packet was handled,
and then passes the packet on.
So a sniffer obtains the headers of every lower level, not only the final
one it is interested in.
The TCP/IP protocol carries headers with the following fields and
parameters:
TCP Header:
-----Source port: the sender's port
-----Destination port: the receiver's port
-----Sequence number: the sequence number of the first octet (8 bits) in the segment
-----Acknowledgement Number: the sequence number of the next octet that is expected
-----Data Offset: the number of 32-bit words in the header
-----Reserved: area reserved for future use
-----Flags: flags such as SYN and ACK, used to set up a connection
-----Window: this field controls how much may be sent
-----Checksum: error-control information
-----Urgent Pointer: allows priority to be given to certain octets
-----Options: options such as the maximum segment size, etc.
IP Header
-----Version: shows the protocol version
-----IHL: shows the length of the header
-----Type of Service: shows parameters such as priority, delay, etc.
-----Total Length: total length of the datagram
-----Identification: identifying number of the datagram
-----Flags: flags that serve to fragment packets
-----Fragment Offset: shows where this fragment sits in the original datagram
-----Time to Live: shows the remaining lifetime of the packet
-----Protocol: shows the upper-level protocol that must receive this packet
-----Header Checksum: error-control code
-----Source address: -
-----Receiver address: -
-----Options + Padding: Padding ensures that the datagram header is a whole
number of 32-bit words long, and Options carries information at the user's
request.
--The mechanism used to establish a connection is called the "three-way
handshake". Suppose machine A wants to connect to machine B:
A sends B a packet with the SYN flag as a request to open a connection.
If B is ready, it accepts the connection by sending A a packet with the SYN
and ACK flags. A then confirms that it received this by sending an ACK, and
the connection is established.
When A wants to terminate the connection it sends a FIN flag to B; B
transmits the last data in its buffer, sends a FIN flag to confirm, and
the connection is terminated.
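As an added example (not code from the original article), the following Python decodes the IP and TCP header fields listed above from raw packet bytes and checks whether three captured packets form the SYN, SYN-ACK, ACK exchange just described. The sample capture is constructed inline; host addresses, ports and sequence numbers are made up, except that the 169.254.174.193 address reuses the value the article quotes later.

```python
import struct

SYN, ACK, FIN = 0x02, 0x10, 0x01
FLAG_NAMES = {SYN: "SYN", ACK: "ACK", FIN: "FIN", 0x04: "RST", 0x08: "PSH"}

def build_packet(src, dst, sport, dport, seq, ack, flags):
    """Assemble a minimal IPv4 + TCP header pair (no payload, checksums left zero)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                      (5 << 12) | flags, 65535, 0, 0)      # data offset = 5 words
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64,
                     6, 0, bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + tcp

def parse_ip_tcp(pkt):
    """Decode the IP header, then the TCP header it carries (the fields listed above)."""
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _hcsum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4                      # IHL is counted in 32-bit words
    if proto != 6:
        raise ValueError("upper-level protocol %d is not TCP" % proto)
    tcp = pkt[ihl:total_len]
    (sport, dport, seq, ack, off_flags, window, _csum,
     _urg) = struct.unpack("!HHIIHHHH", tcp[:20])
    data_off = (off_flags >> 12) * 4                # TCP data offset, also in 32-bit words
    return {
        "src": ".".join(map(str, src)),             # e.g. a9 fe ae c1 -> 169.254.174.193
        "dst": ".".join(map(str, dst)),
        "ttl": ttl, "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": [n for bit, n in FLAG_NAMES.items() if off_flags & bit],
        "window": window, "payload": tcp[data_off:],
    }

def is_three_way_handshake(pkts):
    """True if three packets form SYN, SYN-ACK, ACK with correctly chained sequence numbers."""
    a, b, c = (parse_ip_tcp(p) for p in pkts)
    return (set(a["flags"]) == {"SYN"} and set(b["flags"]) == {"SYN", "ACK"}
            and set(c["flags"]) == {"ACK"}
            and (b["src"], b["dst"]) == (a["dst"], a["src"])
            and b["ack"] == a["seq"] + 1 and c["ack"] == b["seq"] + 1)

# Constructed sample capture: host A (169.254.174.193) opens a telnet session to host B (10.0.0.2).
HANDSHAKE = [
    build_packet("169.254.174.193", "10.0.0.2", 40000, 23, 1000, 0, SYN),
    build_packet("10.0.0.2", "169.254.174.193", 23, 40000, 5000, 1001, SYN | ACK),
    build_packet("169.254.174.193", "10.0.0.2", 40000, 23, 1001, 5001, ACK),
]

if __name__ == "__main__":
    for p in HANDSHAKE:
        print(parse_ip_tcp(p))
    print("valid handshake:", is_three_way_handshake(HANDSHAKE))
```

Running it prints the decoded headers of each packet in the same order Ethereal shows them (IP fields, then TCP fields) and reports whether the capture is a complete handshake.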
ETHEREAL
Ethereal is open source, supports many operating systems and has a user
guide.

---In screen A we see all the packets going out from and coming in to our
PC through the network card.
---Every packet has details, which we see in B and C.
---In B we see the details laid out clearly (TCP header, IP header, etc.).
---In C we see the details in hexadecimal and in ASCII (anyone who remembers
the CBM64 knows what they are looking at with only a glance ;-) ).
By watching the details in screen A we can pick out every detail of a
connection between two PCs, seeing how they work from their three-way
handshake (SYN-ACK-FIN).
Clicking on a packet we get 5 options:
--Frame: all the info about the whole frame.
--Ethernet: contains the sender MAC address, receiver MAC address
and version.
--Internet Protocol (IP): contains info related to the IP header
(example: a9 fe ae c1 = 169.254.174.193).
--Transmission Control Protocol (TCP): info related to the TCP header.
--The protocol in use: the syntax and parameters sent by the protocol being
carried (for example, a telnet session).
On a network we find packets other than TCP, for example UDP or ICMP, so
it is useful to know many protocols in order to understand how a sniffer
works.
------------As a network tool, sniffing can be used for criminal actions,
but it is also used to find and solve problems on a network: by analyzing
the packets on a network it is possible to see whether an attack is incoming
and take defensive action. Intrusion detection systems such as Snort (open
source, GPL license, freeware) are built around this.
Bullet
PeerGuardian.net News Team
Disclaimer: Since sniffing is usually illegal if used on any network you do not own without permission, we do not promote this. However, if used on a network that you personally own or have legal control over, you can identify faults and even trojans/attacks on the network.
The information published in this article is the sole responsibility of the viewer and has nothing to do with PeerGuardian.net or its associates.
Please be sensible.