A sniffer is a technology that uses a computer's network interface to intercept data packets destined for other computers. It is widely used in network maintenance and management. It works like a passive sonar, silently receiving whatever information passes over the network; by analysing this data, the network administrator can gain an in-depth understanding of the network's current running state and identify potential problems in it.
Introduction to Sniffer Technology
Data is transmitted over the network in small units called frames (packets). A frame is made up of several parts, and each part carries a different kind of information that serves a corresponding function. For example, the first 12 bytes of an Ethernet frame hold the source address and the destination address, which tell the network where the frame came from and where it is going; the remaining parts hold the TCP/IP or IPX headers and the actual user data. Frames are built by the network driver according to the rules of the protocol used for the communication and are then sent onto the network through the network interface card (NIC, usually just called the network card in a LAN). They travel over the cable to the target host, where the reverse process takes place under the same protocol. The receiving machine's NIC captures these frames, notifies the operating system that new frames have arrived, and stores them. Under normal circumstances the NIC reads a frame and checks it: if the destination address carried in the frame (the physical MAC address, not the IP address; this address is the unique identifier of the network device) matches the card's own physical address, or is the broadcast address (a special address meaning "send to every host on the network at once", for which every NIC accepts the frame), the NIC raises a hardware interrupt to get the operating system's attention and passes the frame's data to the system for further processing; otherwise the frame is discarded.
Now imagine a special situation: what if a NIC in the network no longer uses its own physical address to filter incoming frames (this can be achieved by putting the local NIC into promiscuous, or "mixed", mode)? How does the NIC handle the frames it receives? In fact the NIC will then accept every frame transmitted on the network, whether the frame is a broadcast or is addressed to a specific station, and this is what forms a listener. A host set to this listening mode becomes a sniffer.
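The two paragraphs above describe the NIC's receive filter: in normal mode a frame is accepted only if its destination MAC matches the card's own address or the broadcast address; in promiscuous mode everything on the segment is accepted. The following Python simulation of that decision is an added example and is not code from the original article. The MAC addresses and frames are constructed for illustration; the helper names (`parse_ethernet`, `nic_accepts`, `received`) are this example's own.

```python
"""Simulated NIC receive filter: normal mode versus promiscuous mode.

Added example, not from the original article. All MAC addresses and
frames below are constructed (locally administered 02:... addresses).
"""
import struct

BROADCAST = bytes.fromhex("ffffffffffff")


def mac_str(mac: bytes) -> str:
    """Render a 6-byte MAC address as aa:bb:cc:dd:ee:ff."""
    return ":".join(f"{b:02x}" for b in mac)


def parse_ethernet(frame: bytes) -> dict:
    """Split an Ethernet II frame into its header fields and payload.

    Bytes 0-5 are the destination MAC, 6-11 the source MAC (the 12 bytes the
    article mentions), 12-13 the EtherType (0x0800 IPv4, 0x0806 ARP), and
    everything after byte 14 is the payload handed to the upper protocol.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than a 14-byte Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": dst, "src": src, "ethertype": ethertype, "payload": frame[14:]}


def classify_dst(mac: bytes) -> str:
    """Broadcast, multicast (group bit set in first octet) or unicast."""
    if mac == BROADCAST:
        return "broadcast"
    if mac[0] & 0x01:
        return "multicast"
    return "unicast"


def nic_accepts(frame: bytes, nic_mac: bytes, promiscuous: bool) -> bool:
    """Decide whether the NIC raises an interrupt for this frame.

    Normal mode: only frames addressed to this NIC or to the broadcast
    address (real cards also accept subscribed multicast groups, omitted
    here for clarity). Promiscuous mode: every well-formed frame.
    """
    hdr = parse_ethernet(frame)          # malformed frames raise and are dropped
    if promiscuous:
        return True
    return hdr["dst"] == nic_mac or hdr["dst"] == BROADCAST


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Construct an Ethernet II frame (no FCS) for the simulation."""
    return struct.pack("!6s6sH", dst, src, ethertype) + payload


# Constructed stations on one shared segment.
OUR_MAC = bytes.fromhex("02aabbccdd01")
OTHER_MAC = bytes.fromhex("02aabbccdd02")
THIRD_MAC = bytes.fromhex("02aabbccdd03")

# Constructed traffic seen on the wire by every station.
SEGMENT = [
    build_frame(OUR_MAC, OTHER_MAC, 0x0800, b"to us"),
    build_frame(BROADCAST, OTHER_MAC, 0x0806, b"arp who-has"),
    build_frame(THIRD_MAC, OTHER_MAC, 0x0800, b"not for us"),
]


def received(frames, nic_mac: bytes, promiscuous: bool) -> list:
    """Payloads the operating system would actually be handed in each mode."""
    return [parse_ethernet(f)["payload"] for f in frames
            if nic_accepts(f, nic_mac, promiscuous)]


if __name__ == "__main__":
    for mode in (False, True):
        label = "promiscuous" if mode else "normal"
        print(f"{label:12s} {received(SEGMENT, OUR_MAC, mode)}")
    for f in SEGMENT:
        h = parse_ethernet(f)
        print(mac_str(h["dst"]), classify_dst(h["dst"]), hex(h["ethertype"]))
```

Running the block prints two lists: in normal mode only the unicast frame addressed to us and the ARP broadcast reach the operating system, while in promiscuous mode the third frame, addressed to another station, is delivered as well. That third frame is exactly what a sniffer sees and an ordinary host never does.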
From the sniffer's working principle we know that a data frame that is never delivered to your NIC cannot be monitored by it. A sniffer can therefore only listen to traffic transmitted within the same physical network segment. In a network that uses switching (or routing) devices, data is forwarded according to its destination address, so a single NIC cannot listen to all of the information being transmitted.
Network listening differs by transmission medium. Ethernet is generally the easiest to listen on, because Ethernet is a broadcast-type network. FDDI Token Ring is also fairly easy to listen on: although it is not a broadcast-type network, packets carrying the token pass through about half of the computers on the ring as they are transmitted. Telephone lines are moderately easy to monitor, but in practice a high-speed modem is much harder to tap than a low-speed one because it uses more frequencies. Microwave and wireless networks are likewise easy to listen on, because radio is itself a broadcast-type transmission medium and radio signals scattered through the air are readily intercepted. A sniffer can therefore be applied to most network types.
The sniffer is a common tool of network engineers and a good helper for network administrators. However, because data is usually transmitted over the network in plaintext (make no mistake: even sensitive information such as user names and passwords goes over the wire as plain text, especially on Ethernet), the sniffer is also frequently used for "special" purposes.
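The paragraph above is the reason a network administrator runs a sniffer against their own segment in the first place: to find out which protocols are still carrying credentials in the clear. The following Python inventory is an added example, not code from the article or from any sniffer product. It parses constructed Ethernet/IPv4/TCP frames down to the port numbers and reports which application protocols seen on the wire are cleartext, using a hypothetical, deliberately short port table (`PORT_TABLE`); the helper names are this example's own.

```python
"""Cleartext-protocol inventory over captured Ethernet/IPv4/TCP frames.

Added example, not from the original article. The frames are constructed
inline (checksums left at zero) and the port table is a hypothetical,
minimal mapping; a real inventory would use a fuller table.
"""
import struct
from collections import Counter

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6

# Hypothetical mapping: server port -> (protocol name, carries cleartext?).
PORT_TABLE = {
    21: ("ftp", True),
    23: ("telnet", True),
    80: ("http", True),
    110: ("pop3", True),
    22: ("ssh", False),
    443: ("https", False),
}


def parse_frame(frame: bytes):
    """Return (src_ip, dst_ip, src_port, dst_port) for an Ethernet/IPv4/TCP
    frame, or None when the frame is not IPv4-over-Ethernet carrying TCP."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if len(ip) < 20 or (ip[0] >> 4) != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4                # IPv4 header length in bytes
    if ip[9] != PROTO_TCP or len(ip) < ihl + 4:
        return None
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    src_port, dst_port = struct.unpack("!HH", ip[ihl:ihl + 4])
    return src_ip, dst_ip, src_port, dst_port


def classify(frame: bytes):
    """Name the application protocol from whichever side uses a known
    server port; ("unknown", None) if neither port is in the table."""
    parsed = parse_frame(frame)
    if parsed is None:
        return None
    _, _, sport, dport = parsed
    for port in (dport, sport):
        if port in PORT_TABLE:
            return PORT_TABLE[port]
    return ("unknown", None)


def inventory(frames):
    """Count frames per protocol and list the cleartext protocols observed."""
    counts = Counter()
    cleartext = set()
    for f in frames:
        result = classify(f)
        if result is None:              # not TCP/IPv4, skip
            continue
        name, is_clear = result
        counts[name] += 1
        if is_clear:
            cleartext.add(name)
    return counts, sorted(cleartext)


def build_frame(src_ip, dst_ip, sport, dport, payload=b""):
    """Construct a minimal Ethernet/IPv4/TCP frame for the sample capture."""
    eth = bytes(6) + bytes(6) + struct.pack("!H", ETHERTYPE_IPV4)
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, PROTO_TCP, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    # data offset 5 words (0x50), flags PSH|ACK (0x18), window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


# Constructed capture: one telnet login, one ssh session, one http request,
# and both directions of one https connection.
SAMPLE = [
    build_frame("10.0.0.5", "10.0.0.9", 40001, 23, b"admin\r\n"),
    build_frame("10.0.0.5", "10.0.0.9", 40002, 22),
    build_frame("10.0.0.7", "10.0.0.9", 40003, 80, b"GET / HTTP/1.1\r\n"),
    build_frame("10.0.0.7", "10.0.0.9", 40004, 443),
    build_frame("10.0.0.9", "10.0.0.7", 443, 40004),
]

if __name__ == "__main__":
    counts, clear = inventory(SAMPLE)
    for name, n in sorted(counts.items()):
        print(f"{name:8s} {n}")
    print("cleartext protocols seen:", ", ".join(clear))
```

The output lists each protocol with its frame count and ends with the cleartext ones (here http and telnet), which is the list an administrator would use to decide what to migrate to an encrypted equivalent. Because the parser reads the IHL field rather than assuming a 20-byte IPv4 header, it also handles frames with IP options.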
Sniffer application
Sniffer tools vary widely in function and design. Some can analyse only one protocol, while others may handle several hundred. In general, most sniffers can analyse at least the following protocols: standard Ethernet, TCP/IP, IPX and DECnet. Commercial software often performs better than some of the free software.
In practice a sniffer may be either software or hardware. Software sniffers are relatively cheap, easy to learn and use, and easy to share; their disadvantage is that they often cannot capture every transmission on the network (fragments, for example), so in some cases you may not get a true picture of network faults and operating conditions. A hardware sniffer is usually called a protocol analyzer and is generally expensive; its strengths are precisely what software sniffers lack, but its high price is its fatal weakness. As a result, the popular sniffer tools are all software. Many free sniffers can be downloaded from the Internet (some even come with source code), but these free programs tend to have a single function, and their stability and technical support cannot compare with commercial software. Among commercial network management software today, the Sniffer TNV package produced by NAI is the best known.
Industry-leading Sniffer TNV suite
Sniffer TNV consists of the Portable Analysis Suite and the Distributed Analysis Suite. The portable suite is a portable network fault and performance analysis solution. It is currently the only toolkit that provides comprehensive performance management across all seven layers of the OSI model, enabling full-time network staff to proactively maintain multi-topology, multi-protocol networks and significantly reduce their network operating costs. It also has excellent monitoring and troubleshooting capabilities: its Intelligent Expert technology scans the information captured from the network to detect anomalies, user-defined test programs automatically classify each anomaly, and a warning is issued that explains the nature of the problem and proposes a solution. With such in-depth monitoring, Sniffer Pro can pinpoint the source of a problem, judge it and resolve it quickly. Sniffer's network analyzer can monitor all types of network hardware and topology, including switched networks and high-speed backbones running ATM OC-12 and Gigabit Ethernet; it supports more than 400 protocol decodes and powerful expert analysis functions, and can analyse network traffic and identify the causes of faults and slow response, ensuring the highest performance of LAN and WAN topologies.
Drawing on the experience accumulated in Sniffer Pro by network experts and industry partners, together with smart capture technology, Sniffer helps users quickly analyse, identify and solve network performance problems. The Expert Analysis system is inherently flexible and can generate custom expert data, which can easily be output in HTML format to provide the analysis results and reports the user requires. The expert analysis system supports the widest range of application software and network communication technologies in the industry. The portable suite mainly includes Sniffer Basic, Sniffer Pro LAN, Sniffer Pro WAN, Sniffer Pro High Speed and other components.
The distributed suite combines a central control platform with network analyzers distributed across the network, so the network administrator can monitor the entire network around the clock. It is the only expert-system-based network and application management system that complies with RMON 1/RMON 2 (Remote Monitoring); it adapts to various topologies, speeds and media types and assists in troubleshooting and report generation. The package also integrates SiteMinder Security Manager, an NT-based server that supports multiple authentication and authorization options, allowing you to check user access and select the appropriate access level for each team's network devices, protecting the sensitive information displayed through the Distributed Sniffer System.