In this lesson, we will discuss what sniffers are and how they are used in a networking environment. Additionally, we will briefly discuss some of the popular sniffing tools that are available today.
"It smells amazing", you say to yourself as you take in the scent of a family barbecuing nearby. Although the smell of cooking hamburgers is prominent, you also notice the crisp scent of the cool evening air intermingled with the smell of freshly cut grass. Just as our nose helps us make sense of the world around us through the scents it picks up, networking tools called sniffers help us pick up clues about a networking environment. With these clues we can determine the overall health of a network and even spot malicious activity taking place on it.
"Sniffing" refers to capturing and inspecting network traffic as it passes, in real time. Sniffers are programs or hardware devices that can record everything sent over a network segment, including your activity. Sometimes legitimate, sometimes criminal, sniffers can leave you feeling exposed. Read on to understand what sniffers do, how they work, and how to protect yourself against sniffing attacks.
But if you're asking what a sniffer attack is, you're probably less concerned with legitimate applications of sniffing technology and more with how someone might be using that technology against you. These programs go by a variety of names (network probes, wireless sniffers, Ethernet sniffers, packet sniffers, packet analyzers), but no matter what you call them, they all do the same thing: eavesdrop on traffic that was not meant for them.
Types of Sniffing
Active sniffing is what an attacker has to do on a switched network. A switch forwards each frame only to the port where the destination MAC address lives, so a sniffer on another port sees nothing by default. To get around that, the attacker injects traffic of their own: most commonly forged Address Resolution Protocol (ARP) replies, known as ARP spoofing or ARP poisoning, which trick the victim and the gateway into sending their frames via the attacker's machine; or a flood of frames with random source MAC addresses that overflows the switch's MAC address table until it falls back to broadcasting every frame like a hub (MAC flooding). Because the attacker's machine is now in the forwarding path, active sniffing also lets the attacker alter the packets it relays. The price is noise: the extra ARP and flooding traffic can be detected by intrusion detection systems and by ARP monitoring, so active sniffing is much more likely to be noticed than passive sniffing.
Passive sniffing, by contrast, works on any shared medium where every station already receives everyone else's frames: a network built on hubs, which repeat each frame out of every port, or a wireless network, where a card in monitor mode hears every frame in range. The sniffer simply stops discarding the frames that are addressed to other hosts. Because it transmits nothing, passive sniffing is very hard to detect from the network, and the attacker can remain hidden. Hubs have all but disappeared from modern wired networks, but open Wi-Fi still behaves like a shared medium.
What is a packet sniffer?
Packet sniffers, also known as packet analyzers or just sniffers, are monitoring software or sometimes hardware.
This article contains:
- What is a packet sniffer?
- How does a sniffer work?
- How to protect your system from a sniffer
- How to find a sniffer on your network
- How to remove a sniffer
- Examples of packet sniffers
Sniffers keep an eye on your internet traffic — including websites you visit and anything you download or upload — in real time, making them potentially quite invasive. But there are different types of sniffers.
"Sniffer" with a capital S refers to the trademarked tool now owned by NetScout, which lets network administrators monitor bandwidth and make sure no single user is taking up too much of the available capacity. With a lowercase s, "sniffer" refers to all other types of packet sniffers, both benign and malicious. Most legitimate sniffers are used to keep traffic flowing smoothly through a network.
But if you're here wondering "what is a sniffer virus," you're probably more focused on the malicious variety of sniffing: spying. An attacker on the same network can "sniff" your traffic, recording and analyzing everything you send in the clear. That includes usernames, passwords, credit card details, and other private information whenever they travel over an unencrypted protocol. Obviously, you don't want that kind of sniffing around, and later on we'll get to some tips to help you prevent it. First, we'll cover exactly how sniffing works, including the different applications of sniffers.
And before we go on — sniffers and viruses aren’t the same thing. Viruses are a type of malware that hijacks other software on your device and modifies it so as to replicate and spread the virus. Sniffers don’t work that way, and sometimes, they’re not even software. Lots of sniffers exist as discrete hardware tools.
Sniffers go by many names, including the aforementioned packet sniffer and packet analyzer, as well as network probes, wireless sniffers, and Ethernet sniffers. Sniffing can be accomplished through either software or hardware, depending on the setup. Basically, snoops use sniffers to capture, decode, and interpret packets of data being sent over a network using TCP/IP or other protocols.
What is network sniffing software used for?
Sniffers were originally designed to be used only by professional network engineers to monitor traffic and ensure appropriate use. Unfortunately, hackers are a very crafty bunch, and many currently make use of the sniffing software that is available online (sometimes even for free!).
Sniffers are a tool used by:
Network engineers: In order to optimize their network, engineers must keep an eye on their traffic.
System administrators: Similarly, admins need to observe traffic to collect data on metrics like available bandwidth. They can also test how specific systems are working, such as firewalls, as well as troubleshoot problems.
Cybersecurity professionals: Cybersec workers can learn a lot from monitoring their networks. Abnormal spikes or different types of traffic can indicate malware or hackers in the system.
Corporations: Employers can use sniffing software to monitor their employees and find out just how much Netflix they’re watching vs. how much work they’re completing.
Hackers: Generally, hackers exploit sniffer software to spy on people and steal their personal data, usually with the eventual goal of identity theft or other fraud.
In summary, here are just some of the many ways network sniffers are used:
For the purpose of network maintenance, legitimate uses of sniffers are:
- Capturing packets of data
- Recording and analyzing traffic
- Decoding protocol headers and payloads (and decrypting them, where the keys are available)
- Network troubleshooting
- Firewall testing
- Ensuring smooth traffic flow
Illegitimate uses of sniffers, essentially spying, include:
- Capturing private info like usernames, passwords, credit card numbers, etc.
- Recording communications such as emails and instant messages
- Identity fraud
- Monetary theft
How does a sniffer work?
First, some background on the internet “traffic” we keep mentioning. Just as cars (which carry people) make up traditional traffic traveling on a road, internet traffic consists of packets (which carry data) traveling through a network. When you’re sitting at home, you ignore most cars driving by, but if a truck parks in your driveway, you might go check out who’s inside. Similarly, your computer ignores most traffic flowing through a network, and only inspects the specific packets of data that are sent to it.
Sniffers, then, are like a tollbooth: they are set up to inspect all cars driving down the road, not just those that park in one driveway. Unfiltered sniffers inspect every car; they harvest all traffic traveling through a network. Filtered sniffers can be configured to inspect only certain types of traffic. This would be like a tollbooth that chooses to stop only BMWs, or only blue cars, depending on what type of traffic interests the owner of the tollbooth/sniffer. In tools such as tcpdump and Wireshark this filter is written as a capture filter, for example "port 80" to keep only HTTP traffic.
But let’s dive into even more technical details of how a network sniffer works. Sniffing can be accomplished using either software or hardware.
Network managers or system administrators may use hardware: a network tap inserted inline on a link, or a switch port configured to mirror another port's traffic (a SPAN or mirror port). The tap or mirror port copies the frames to an adapter on a capture host, which either stores the data or forwards it to a collector for further inspection.
Hackers tend to use sniffing software instead. Normally a network card discards any frame that is not addressed to its own MAC address (or to the broadcast or a subscribed multicast address), so the operating system never sees traffic headed elsewhere. Sniffing software puts the card into promiscuous mode, in which it hands every frame it receives up to the capture program, which can then store all of the network data and analyze it later. Promiscuous mode is simply a flag on the interface; enabling it normally requires administrator privileges, and on Linux "ip link show" lists PROMISC among an interface's flags while it is on.
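The following is an added example (not code from the original article) of the core of a software sniffer: it decodes Ethernet/IPv4/TCP frames, emulates the difference between a normal and a promiscuous interface, and applies a port filter. The frames, MAC addresses and IP addresses are constructed inline so the script runs offline; a real sniffer would read frames from a raw socket or a pcap file instead.

```python
"""Minimal sniffer core: decode Ethernet/IPv4/TCP, emulate promiscuous mode,
apply a capture filter. Added example with constructed frames; not from the
original article or any real capture."""
import struct
from dataclasses import dataclass
from typing import List, Optional

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Packet:
    dst_mac: str
    src_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    payload: bytes


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def decode(frame: bytes) -> Optional[Packet]:
    """Return a Packet for a well-formed Ethernet/IPv4/TCP frame, else None.
    Every length is checked before it is used, since a sniffer sees hostile input."""
    if len(frame) < ETH_HDR_LEN:
        return None
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    if len(ip) < 20 or (ip[0] >> 4) != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != PROTO_TCP or ihl < 20 or total_len > len(ip) or total_len < ihl + 20:
        return None
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4          # TCP header length in bytes
    if data_off < 20 or data_off > len(tcp):
        return None
    return Packet(_mac(dst), _mac(src), _ip(ip[12:16]), _ip(ip[16:20]),
                  sport, dport, tcp[data_off:])


def sniff(frames: List[bytes], my_mac: str, promiscuous: bool,
          port: Optional[int] = None) -> List[Packet]:
    """Emulate NIC plus capture program. Without promiscuous mode the host only
    keeps frames addressed to its own MAC or to broadcast; with it, every frame
    is kept. `port` is an optional capture filter (matches either TCP port)."""
    seen = []
    for frame in frames:
        pkt = decode(frame)
        if pkt is None:
            continue
        if not promiscuous and pkt.dst_mac not in (my_mac, BROADCAST):
            continue
        if port is not None and port not in (pkt.src_port, pkt.dst_port):
            continue
        seen.append(pkt)
    return seen


def build_frame(dst_mac, src_mac, src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame for the demo (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, PROTO_TCP, 0,
                     bytes(int(x) for x in src_ip.split(".")),
                     bytes(int(x) for x in dst_ip.split(".")))
    eth = struct.pack("!6s6sH", bytes.fromhex(dst_mac.replace(":", "")),
                      bytes.fromhex(src_mac.replace(":", "")), ETHERTYPE_IPV4)
    return eth + ip + tcp


MY_MAC = "02:00:00:00:00:01"   # the sniffing host (constructed, locally administered MACs)
# Constructed traffic: one frame for us, two frames between other hosts.
FRAMES = [
    build_frame(MY_MAC, "02:00:00:00:00:02", "10.0.0.2", "10.0.0.1", 52000, 80,
                b"GET / HTTP/1.1\r\n"),
    build_frame("02:00:00:00:00:03", "02:00:00:00:00:02", "10.0.0.2", "10.0.0.3", 52001, 80,
                b"POST /login HTTP/1.1\r\n\r\nuser=alice&pass=hunter2"),
    build_frame("02:00:00:00:00:03", "02:00:00:00:00:02", "10.0.0.2", "10.0.0.3", 52002, 443,
                b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),   # looks like a TLS record
]

if __name__ == "__main__":
    print("normal mode:     ", len(sniff(FRAMES, MY_MAC, promiscuous=False)), "frame(s)")
    print("promiscuous mode:", len(sniff(FRAMES, MY_MAC, promiscuous=True)), "frame(s)")
    for p in sniff(FRAMES, MY_MAC, promiscuous=True, port=80):
        print(f"{p.src_ip}:{p.src_port} -> {p.dst_ip}:{p.dst_port} {p.payload!r}")
```

In normal mode only the frame addressed to MY_MAC is kept; in promiscuous mode all three are, and the "port 80" filter is the same selection a practitioner would get from "tcpdump -i eth0 port 80". The second frame shows why cleartext protocols matter: the credentials are readable to anyone in promiscuous mode on the segment, while the port 443 payload is only an opaque TLS record.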
The average computer user may end up with a sniffer on their machine by visiting an unsafe website that silently downloads the program, by falling for a phishing message with an infected attachment or link, or may be sniffed directly by using an unsecured public Wi-Fi network. Phishing remains one of the most common ways attackers get their software onto a victim's machine.
Passive vs. active sniffing
Depending on what type of network you're on, an attacker has to use a different method of sniffing.
If your network is built on hubs, which repeat every frame to every connected device, then all the traffic reaches every computer. Your computer actually receives everything on the network but ignores whatever isn't addressed to it. A sniffer can passively listen in and, instead of ignoring irrelevant traffic, keep all of it. Open Wi-Fi behaves the same way for a wireless card in monitor mode. This type of passive sniffing transmits nothing, which makes it quite difficult to detect.
On a switched network, which is what almost every wired network is today, the switch delivers each frame only to the port of the device it's addressed to, so other devices never see it. For an attacker to sniff in this environment they have to defeat the switch's forwarding, which constitutes active sniffing. This is done by injecting traffic of their own, typically forged ARP replies that redirect the victim's traffic through the attacker, or a flood of bogus MAC addresses that overwhelms the switch, and that extra traffic makes active sniffing more easily detectable than passive sniffing.
How to protect your system from a sniffer
As the saying goes, an ounce of prevention is worth a pound of cure, and this definitely applies when it comes to network sniffers. Here are the best ways to arm your defences:
- Use strong antivirus software: A robust antivirus helps keep malware off your system and can detect and remove software that shouldn't be on your computer, such as a sniffer that arrived with a phishing attachment. It cannot, however, see a sniffer running on someone else's machine on the same network, which is why the remaining measures matter.
- Avoid public Wi-Fi: Open Wi-Fi networks, like those in coffee shops or airports, are a shared medium, so it's easy for anyone in range to sniff the entire network. Avoid using them for anything sensitive unless you make sure to...
- Use a VPN: A Virtual Private Network encrypts everything between your device and the VPN server. A sniffer on the local network or at the Wi-Fi hotspot then sees only scrambled data and the address of the VPN server. Note that the protection ends at the VPN server; traffic from there to its destination is as exposed as it would be without the VPN, so HTTPS still matters.
- Avoid insecure protocols: Another way to protect your data while browsing is to check for HTTPS. When you look at the address bar of a website, you'll see either HTTP or HTTPS; most browsers show a lock symbol for HTTPS and a warning such as "Not secure" for plain HTTP (click the address bar to expand the URL if the scheme is hidden). Only HTTPS encrypts your communications with the site. A sniffer can still see which hosts you connect to, since DNS lookups and the server name in the TLS handshake usually travel in the clear, but it cannot read the pages or the data you submit. Avoid HTTP when possible, and especially when shopping or logging in.
- Watch out for social engineering: As noted earlier, cybercriminals use methods like phishing emails and infected websites to trick victims into unwittingly downloading sniffers. Practice smart browsing tactics and common sense to avoid anything fishy.
How to find a sniffer on your network
As mentioned above, passive sniffing is very difficult to detect. Active sniffing is more visible, but you'll still need some technical skill. If you suspect a sniffer is on your network, run your own sniffer and look for its traces: ARP replies that map your gateway's IP address to a MAC address other than the gateway's real one, or a single MAC address that claims several IP addresses, are the fingerprints of ARP poisoning ("ip neigh" on Linux and "arp -a" on Windows show your machine's current IP-to-MAC bindings). A host in promiscuous mode will also often perform reverse DNS lookups for every address it sees, so sending traffic to an unused address on your network and then watching DNS for a PTR query about that address can expose a sniffing host. On your own machines, check the interface flags: "ip link show" on Linux lists PROMISC on an interface that is in promiscuous mode.
An easier option is to rely on the prevention methods mentioned above, especially using antivirus software and a VPN to encrypt your connection so that whatever a sniffer captures is useless to it.
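The following is an added example (not code from the original article) of the ARP check described in the active-sniffing and detection sections: it parses Ethernet/ARP frames, learns IP-to-MAC bindings from ARP replies, alerts when a binding flips, and reports any MAC that claims more than one IP address. The addresses and the capture are constructed inline so the script runs offline; on a live network the same logic would read frames from a raw socket or a pcap file.

```python
"""ARP-poisoning detector: looks for the noise active sniffing leaves behind.
Added example with constructed frames; not from the original article."""
import struct
from typing import Dict, List, Optional, Set, Tuple

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp(frame: bytes) -> Optional[Tuple[int, str, str, str, str]]:
    """Return (oper, sender_mac, sender_ip, target_mac, target_ip) for an
    Ethernet/ARP (IPv4 over Ethernet) frame, or None for anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return oper, _mac(sha), _ip(spa), _mac(tha), _ip(tpa)


class ArpWatch:
    """Learns IP->MAC bindings from ARP replies and alerts when one changes."""

    def __init__(self, trusted: Optional[Dict[str, str]] = None):
        self.bindings: Dict[str, str] = dict(trusted or {})  # seed with the real gateway MAC
        self.claims: Dict[str, Set[str]] = {}                 # mac -> every IP it has claimed
        self.alerts: List[Tuple[str, str, str]] = []          # (ip, old_mac, new_mac)

    def observe(self, frame: bytes) -> Optional[Tuple[str, str, str]]:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            return None
        _, sender_mac, sender_ip, _, _ = parsed
        self.claims.setdefault(sender_mac, set()).add(sender_ip)
        known = self.bindings.get(sender_ip)
        if known is None:
            self.bindings[sender_ip] = sender_mac   # first sight: learn it (see note below)
            return None
        if known != sender_mac:                     # binding flipped: classic ARP poisoning
            alert = (sender_ip, known, sender_mac)
            self.alerts.append(alert)
            return alert
        return None

    def suspicious_macs(self) -> Set[str]:
        """MACs that have claimed more than one IP, e.g. an attacker posing as
        both the gateway and a victim to sit in the middle of their traffic."""
        return {m for m, ips in self.claims.items() if len(ips) > 1}


def build_arp(oper: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Constructed Ethernet/ARP frame for the demo."""
    def macb(s): return bytes.fromhex(s.replace(":", ""))
    def ipb(s): return bytes(int(x) for x in s.split("."))
    eth = struct.pack("!6s6sH", macb(target_mac), macb(sender_mac), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper,
                      macb(sender_mac), ipb(sender_ip), macb(target_mac), ipb(target_ip))
    return eth + arp


# Constructed lab addresses (locally administered MACs, private IPs).
GATEWAY_IP, GATEWAY_MAC = "10.0.0.1", "02:00:00:00:00:01"
VICTIM_IP, VICTIM_MAC = "10.0.0.5", "02:00:00:00:00:05"
ATTACKER_MAC = "02:00:00:00:00:66"

# Constructed capture: a genuine gateway reply, a normal request, then the
# attacker poisoning the victim (posing as gateway) and the gateway (posing as victim).
CAPTURE = [
    build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    build_arp(ARP_REQUEST, VICTIM_MAC, VICTIM_IP, "00:00:00:00:00:00", GATEWAY_IP),
    build_arp(ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    build_arp(ARP_REPLY, ATTACKER_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),
]


def run_demo() -> ArpWatch:
    watch = ArpWatch(trusted={GATEWAY_IP: GATEWAY_MAC})
    for frame in CAPTURE:
        watch.observe(frame)
    return watch


if __name__ == "__main__":
    w = run_demo()
    for ip, old, new in w.alerts:
        print(f"ALERT: {ip} moved from {old} to {new}")
    print("MACs claiming several IPs:", w.suspicious_macs())
```

The gateway's real MAC is seeded as a trusted binding, so the forged reply for 10.0.0.1 raises an alert immediately. The victim's address was never seen in a genuine reply, so the detector learns the attacker's MAC for it without complaint; that is the weakness of first-seen learning, and the reason to seed the table from a known-good snapshot (or DHCP leases) rather than trusting the first reply. The second check, a MAC claiming several IPs, still catches the attacker in that case.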
How to remove a sniffer
If you do find a sniffer installed on your machine, you need to remove the malicious software. You can start manually by reviewing the installed applications and your Downloads folder, sorted by date; if you find recent programs you don't remember installing, remove them right away, and check that no interface is still in promiscuous mode afterwards. Some sniffers resist uninstallation or hide from the application list, in which case an antivirus scan, or reinstalling the operating system if you cannot trust the machine, is the safer route.
Examples of packet sniffers
There are a number of free or cheap sniffing tools available online. Most of them are marketed for the purpose of helping you learn about capturing and analyzing network traffic in order to troubleshoot issues. Tools like Wireshark, the command-line tcpdump, and CloudShark are presented for legitimate uses only. Others, such as the cheekily named BUTTsniffer, are more transparent about their possibly villainous applications.