Meaning and working principle of SNIFFER


Author: Xia zhongyu
I. Meaning of sniffer
The sniffer has nearly as long a history as the Internet itself. Sniffing is a common way of collecting useful data, whether user accounts and passwords or commercially confidential data. As the Internet and e-commerce grow more popular, Internet security is receiving more and more attention, and the sniffer, which ranks high among Internet security risks, is getting more attention along with it. So today I want to introduce the sniffer and how to block it.
Most hackers only probe and take control of individual hosts on the internal network. Only the "ambitious" ones install Trojan horses and backdoor programs, clear the logs, and go on to control the entire network, and installing a sniffer is a method they often use.
On an internal network, the most effective way for a hacker to quickly obtain a large number of accounts (user names and passwords) is the "sniffer" program. This requires that the host running the sniffer and the monitored hosts be on the same Ethernet segment, so running a sniffer on an external host is useless. Moreover, the sniffer must be run as root to listen to the data stream on the Ethernet segment. When talking about Ethernet sniffers, we must first talk about Ethernet sniffing.
So what is Ethernet sniffing?
Ethernet sniffing means listening to the packets transmitted on an Ethernet device in order to find packets of interest. When a packet meeting the conditions is found, it is stored in a log file. The conditions are usually set to match packets containing a "username" or "password".
It works by putting the network interface into promiscuous mode. Promiscuous mode means that the device listens to all the data transmitted on the bus, not just the data addressed to it. From the basic introduction to how Ethernet works in Chapter 2, you know that when a device sends data to a target, the data is broadcast over the Ethernet. Every device connected to the Ethernet bus receives that data all the time, but normally it passes only the data addressed to itself up to the applications on the computer.
Using this, you can set a computer's network connection to accept all the data on the Ethernet bus, and that implements a sniffer.
A sniffer usually runs on a router or on a host acting as a router, so that it can monitor a large volume of data. Sniffing is a second-stage attack: generally the attacker has already broken into the target system and then uses the sniffer to obtain more information.
Besides passwords and user names, a sniffer can obtain other important information as well, such as financial information sent over the network; it can get almost any packet transmitted on the Ethernet. Hackers use various methods to gain control of a system and leave a backdoor for further intrusion, to ensure that the sniffer keeps running. On the Solaris 2.x platform the sniffer program is usually installed in the /usr/bin or /dev directory, and the hacker also cleverly modifies the file timestamps so that the sniffer appears to have been installed at the same time as the other system programs.
Most Ethernet sniffer programs run in the background and write their results to a log file. Hackers often modify the ps program, making it difficult for the system administrator to find the sniffer process.
The Ethernet sniffer program sets the system's network interface to promiscuous mode. In this way it can listen to every packet flowing through the same Ethernet segment, regardless of whether the sender or receiver is the host running the sniffer. The program stores user names, passwords and other data the hacker is interested in into a log file. The hacker then waits for a while, say a week, and comes back to download the log file.
Having said all this, how should we describe the sniffer?
Unlike telephone circuits, computer networks share the communication channel. Sharing means that a computer can receive information sent to other computers. Capturing data passing over the network in this way is called sniffing.
Ethernet is today the most widely used way of connecting computers. The Ethernet protocol sends the packet to every host in the same segment. The packet header contains the address of the intended destination host, and normally only the host with that address accepts the packet. A host that receives all packets regardless of what the header says is said to be in "promiscuous" mode.
In a typical network environment, account and password information is transmitted in plaintext over the Ethernet. Once an intruder gains root on one of the hosts and puts it into promiscuous mode to eavesdrop on the network traffic, he may be able to break into every computer on the network.
In a word, the sniffer is a tool that hackers use for eavesdropping.
II. Working Principle of the sniffer
Generally, every network interface on the same segment has access to all the data transmitted on the physical medium, and each network interface has a hardware address that differs from the hardware address of every other interface on the network. At the same time, every network has at least one broadcast address (representing all interface addresses). Under normal circumstances a properly behaving network interface should respond only to the following two kinds of data frame:
1. Frames whose destination field carries a hardware address matching the local network interface.
2. Frames whose destination field carries the "broadcast address".
When either of these two kinds of frame is received, the NIC raises a hardware interrupt to the CPU. The interrupt gets the operating system's attention, and the data contained in the frame is then handed to the system for further processing.
A sniffer is software that sets the local NIC to promiscuous mode. When the NIC is in this "promiscuous" mode, it behaves as if it had the "broadcast address": it raises a hardware interrupt for every frame it encounters, prompting the operating system to process every packet that flows over the physical medium. (The vast majority of NICs can be put into promiscuous mode.)
It can be seen that the sniffer works at the lowest layer of the network environment. It intercepts all the data being transmitted over the network and, with suitable software processing, can analyze that data in real time and then work out the state and overall layout of the network. It is worth noting that the sniffer is extremely quiet; it is a passive security attack.
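The two acceptance rules above and the effect of promiscuous mode can be made concrete with a small simulation. The following Python is an added example, not part of the original article: it splits an Ethernet II frame into its fields and applies the NIC's filter for a given local hardware address, first in normal mode and then in promiscuous mode, over a constructed set of frames on a three-station segment. The station MACs, the payloads and the function names (`parse_ethernet`, `nic_accepts`, `frames_seen_by`) are all assumptions of this example.

```python
"""Ethernet frame filter: normal mode versus promiscuous mode (added example)."""
import struct

BROADCAST = bytes.fromhex("ffffffffffff")   # the all-ones broadcast hardware address
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


def parse_ethernet(frame: bytes) -> dict:
    """Split an Ethernet II frame into its header fields and payload.

    The first 12 bytes are the destination MAC (6) and the source MAC (6),
    followed by a 2-byte EtherType; everything after byte 14 is payload.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": dst, "src": src, "ethertype": ethertype, "payload": frame[14:]}


def nic_accepts(frame: bytes, local_mac: bytes, promiscuous: bool = False) -> bool:
    """Decide whether the interface hands this frame to the operating system.

    A normally configured interface only raises an interrupt for frames whose
    destination is its own hardware address or the broadcast address.  In
    promiscuous mode every frame on the segment is passed up, which is exactly
    what a sniffer relies on.
    """
    if promiscuous:
        return True
    dst = parse_ethernet(frame)["dst"]
    return dst == local_mac or dst == BROADCAST


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Assemble a constructed Ethernet II frame (no FCS, as a driver would hand it up)."""
    return struct.pack("!6s6sH", dst, src, ethertype) + payload


# Constructed sample segment: stations A and B talk, C is an uninvolved third host.
MAC_A = bytes.fromhex("020000000001")
MAC_B = bytes.fromhex("020000000002")
MAC_C = bytes.fromhex("020000000003")

SAMPLE_FRAMES = [
    build_frame(MAC_B, MAC_A, ETHERTYPE_IPV4, b"A->B private"),
    build_frame(MAC_A, MAC_B, ETHERTYPE_IPV4, b"B->A reply"),
    build_frame(BROADCAST, MAC_A, ETHERTYPE_ARP, b"who-has ...?"),  # ARP request
]


def frames_seen_by(local_mac: bytes, promiscuous: bool) -> list:
    """Payloads that a station with hardware address `local_mac` would receive."""
    return [parse_ethernet(f)["payload"] for f in SAMPLE_FRAMES
            if nic_accepts(f, local_mac, promiscuous)]


if __name__ == "__main__":
    print("C normal     :", frames_seen_by(MAC_C, False))
    print("C promiscuous:", frames_seen_by(MAC_C, True))
```

Running the block shows that station C, which is neither sender nor receiver of the A/B exchange, normally sees only the broadcast ARP frame, while in promiscuous mode it sees all three; that difference is the whole basis of the sniffer.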
Generally, what a sniffer is interested in falls into the following categories:
1. Passwords
I think this is the reason for the vast majority of illegal uses of the sniffer. A sniffer can record the user IDs and passwords transmitted in plaintext. Even if you encrypt the data in transit, what the sniffer records may let an intruder sit at home at his leisure and find a way to work out your algorithm.
2. Financial accounts
Many users feel safe using their credit cards or cash accounts online. However, a sniffer can easily intercept the user names, passwords, credit card numbers, expiry dates, account numbers and PINs sent over the network.
3. Peeking at confidential or sensitive data
By intercepting packets, an intruder can easily record sensitive information exchanged between other people, or simply capture an entire e-mail session.
4. Snooping on low-level protocol information
This is a terrible thing, I think. Through records of low-level protocol information, for example the local network interface address, the remote network interface's IP address, IP routing information and the byte sequence numbers of the TCP connection between two hosts, an illegal hacker obtains information that poses great harm to network security. Generally there is only one reason for someone to use a sniffer to collect such information: he is carrying out a spoofing attack (IP address spoofing generally requires inserting the byte sequence number of the TCP connection accurately, which will be explained in a later article). If someone is paying close attention to this kind of information, then the sniffer is only a prelude for him, and there will be many more problems to come. (For an advanced hacker, I think this is the only reason to use a sniffer.)
III. Working Environment of the sniffer
A sniffer is a device that can capture network packets. The legitimate use of a sniffer is to analyze network traffic in order to identify potential problems on the network. For example, if some part of the network is not running well and messages are being delivered slowly, but we do not know where the problem is, we can use a sniffer to pinpoint it.
Sniffers differ considerably in function and design. Some can analyze only one protocol, while others may be able to analyze several hundred. In general, most sniffing devices can analyze at least the following protocols:
1. Standard Ethernet
2. TCP/IP
3. IPX
4. DECNet
A sniffer is usually a combination of hardware and software. Dedicated sniffers are very expensive; free sniffers, on the other hand, cost nothing but come without any support.
A sniffer is different from an ordinary keystroke-capture program. A keystroke-capture program records the key values typed at a terminal, whereas a sniffer captures the actual network packets. The sniffer does this by attaching to a network interface, for example by setting the Ethernet card to promiscuous mode. (To understand how promiscuous mode works, we first have to explain how a LAN works.)
Data travels over the network in small units called frames. A frame is made up of several parts, each with a different function. (For example, the first 12 bytes of an Ethernet frame hold the source and destination addresses; these bytes tell the network where the data came from and where it is going. The other parts of the Ethernet frame hold the actual user data, the TCP/IP header, the IPX header, and so on.)
The frame is assembled by special software called the network driver and then sent out over the cable through the network adapter. At the destination machine the reverse process takes place: the receiving Ethernet card captures the frames from the cable, notifies the operating system that they have arrived, and then stores them. It is during this transmission and reception that the sniffer creates its security problem.
Each workstation on a LAN has its own hardware address, which uniquely identifies that machine on the network (similar to the Internet addressing system). When a user sends a packet, it is delivered to every machine on the LAN.
In general, every machine on the network can "hear" the traffic going past, but does not respond to messages not addressed to it (in other words, workstation A does not capture data belonging to workstation B; it simply ignores it).
If a workstation's network interface is in promiscuous mode, it can capture every packet and frame on the network. A workstation configured in this mode (together with its software) is a sniffer.
Possible hazards of a sniffer:
1. A sniffer can capture passwords.
2. It can capture private or confidential information.
3. It can be used to endanger the security of neighbouring networks or to obtain higher-level access.
In fact, if there is an unauthorized sniffer on your network, you should assume your system has already been exposed to others. (You can try the sniffing function of tianxing2.)
Generally only the first 200 to 300 bytes of each packet are sniffed; the user name and password fall within this part, which is what we really care about. One can of course also sniff all packets on a given interface, and with enough storage and processing capacity one will find some very interesting things ......
Simply placing a sniffer anywhere achieves nothing. Placed near the attacked machine or network, the sniffer can capture many passwords. An even better position is on the gateway, where the authentication exchanges between this network and other networks can be captured; this multiplies the attack's scope.
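The article says that an unauthorized sniffer means the system should be considered exposed; a basic defender's check for the precondition, an interface sitting in promiscuous mode, follows. This Python is an added example, not from the original article: on Linux the kernel exposes each interface's flags word under /sys/class/net/<interface>/flags, and the IFF_PROMISC bit (0x100 in <linux/if.h>) is set while a program holds the interface in promiscuous mode. The sample flags values and the function names (`is_promiscuous`, `scan_flags`, `read_sysfs_flags`, `promiscuous_interfaces`) are constructed for this example.

```python
"""Host-side check for network interfaces in promiscuous mode (added example, Linux)."""
import os

IFF_PROMISC = 0x100   # flag bit from <linux/if.h>; sysfs prints the flags word in hex


def is_promiscuous(flags_text: str) -> bool:
    """True if a /sys/class/net/<iface>/flags value has IFF_PROMISC set."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def scan_flags(flags_by_iface: dict) -> list:
    """Names of the interfaces whose flags word has IFF_PROMISC set, sorted by name."""
    return [name for name, text in sorted(flags_by_iface.items()) if is_promiscuous(text)]


def read_sysfs_flags(sysfs_root: str = "/sys/class/net") -> dict:
    """Collect the flags word of every interface the kernel exposes under sysfs."""
    result = {}
    try:
        names = os.listdir(sysfs_root)
    except OSError:
        return result            # not a Linux host, or sysfs not mounted
    for name in names:
        try:
            with open(os.path.join(sysfs_root, name, "flags")) as fh:
                result[name] = fh.read()
        except OSError:
            continue             # interface vanished or flags not readable
    return result


def promiscuous_interfaces(sysfs_root: str = "/sys/class/net") -> list:
    """Interfaces on this host currently in promiscuous mode (empty list if none)."""
    return scan_flags(read_sysfs_flags(sysfs_root))


# Constructed sample: flags words in the form sysfs prints them.
SAMPLE_FLAGS = {
    "lo":   "0x9\n",      # UP | LOOPBACK
    "eth0": "0x1003\n",   # UP | BROADCAST | MULTICAST
    "eth1": "0x1103\n",   # UP | BROADCAST | MULTICAST | PROMISC
}

if __name__ == "__main__":
    print("sample   :", scan_flags(SAMPLE_FLAGS))
    print("this host:", promiscuous_interfaces())
```

`ip link show` reports the same bit as PROMISC in each interface's flag list, so the two can be cross-checked. As with the modified ps program the article mentions, a kernel-level modification can hide the flag, so a clean result is necessary but not sufficient evidence that no sniffer is running.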
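The claim that the first 200 to 300 bytes of a packet already contain the login can be checked, and its limit shown, with the following Python, an added example not from the original article. It parses constructed Ethernet/IPv4/TCP frames the way a sniffer would after truncating each one to its snaplen and reports, for a defender auditing a segment for cleartext logins, which protocols still send credentials in the clear and at which byte offset the login appears. The addresses, the port-to-protocol table, the login markers, the function names and all sample payloads are constructed assumptions; the checksums in the sample headers are left at zero.

```python
"""Cleartext-login audit over sniffer-style truncated frames (added example)."""
import ipaddress
import struct

# Well-known destination ports of protocols that carry credentials in the clear
# (constructed table for this example).
CLEARTEXT_AUTH_PORTS = {21: "ftp", 23: "telnet", 110: "pop3", 143: "imap", 80: "http"}
# Byte strings that mark a login inside such a session (constructed list).
LOGIN_MARKERS = (b"USER ", b"PASS ", b"LOGIN ", b"Authorization: Basic ")

ETH_HDR, IP_MIN_HDR, TCP_MIN_HDR = 14, 20, 20


def parse_frame(frame: bytes):
    """Parse an Ethernet II / IPv4 / TCP frame.

    Returns (src_ip, dst_ip, dst_port, payload_offset, payload), or None if the
    frame is not IPv4/TCP or was truncated before the TCP header ends.
    """
    if len(frame) < ETH_HDR + IP_MIN_HDR:
        return None
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:      # EtherType: not IPv4
        return None
    ip = ETH_HDR
    ihl = (frame[ip] & 0x0F) * 4                            # IPv4 header length
    if frame[ip + 9] != 6:                                  # protocol field: 6 = TCP
        return None
    tcp = ip + ihl
    if len(frame) < tcp + TCP_MIN_HDR:
        return None
    src_ip = str(ipaddress.IPv4Address(frame[ip + 12:ip + 16]))
    dst_ip = str(ipaddress.IPv4Address(frame[ip + 16:ip + 20]))
    dst_port = struct.unpack("!H", frame[tcp + 2:tcp + 4])[0]
    data_off = (frame[tcp + 12] >> 4) * 4                   # TCP header length
    payload_off = tcp + data_off
    return src_ip, dst_ip, dst_port, payload_off, frame[payload_off:]


def audit_cleartext_logins(frames, snaplen: int = 256) -> list:
    """Report cleartext logins visible within the first `snaplen` bytes of each frame."""
    findings = []
    for frame in frames:
        parsed = parse_frame(frame[:snaplen])   # a sniffer keeps only the first snaplen bytes
        if parsed is None:
            continue
        src_ip, dst_ip, dst_port, payload_off, payload = parsed
        proto = CLEARTEXT_AUTH_PORTS.get(dst_port)
        if proto is None:
            continue
        for marker in LOGIN_MARKERS:
            idx = payload.find(marker)
            if idx != -1:
                findings.append({"proto": proto, "src": src_ip, "dst": dst_ip,
                                 "offset": payload_off + idx})
                break
    return findings


def build_tcp_frame(src_ip, dst_ip, src_port, dst_port, payload: bytes) -> bytes:
    """Build a constructed Ethernet II / IPv4 / TCP frame (checksums left at zero)."""
    eth = bytes.fromhex("020000000002") + bytes.fromhex("020000000001") + b"\x08\x00"
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_MIN_HDR + TCP_MIN_HDR + len(payload),
                         0, 0, 64, 6, 0,
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    tcp_hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip_hdr + tcp_hdr + payload


# Constructed sample capture: an FTP login, an SSH banner, an HTTP request whose
# Basic-auth header sits behind a long padding header, and an ARP frame.
SAMPLE_FRAMES = [
    build_tcp_frame("192.0.2.10", "192.0.2.20", 40001, 21, b"USER alice\r\n"),
    build_tcp_frame("192.0.2.10", "192.0.2.20", 40002, 22, b"SSH-2.0-OpenSSH\r\n"),
    build_tcp_frame("192.0.2.10", "192.0.2.30", 40003, 80,
                    b"GET / HTTP/1.1\r\nHost: example.test\r\nX-Pad: " + b"a" * 300
                    + b"\r\nAuthorization: Basic ZmFrZTpmYWtl\r\n"),
    bytes.fromhex("ffffffffffff" "020000000001" "0806") + b"\x00" * 28,
]

if __name__ == "__main__":
    print("snaplen 256 :", audit_cleartext_logins(SAMPLE_FRAMES))
    print("snaplen 1500:", audit_cleartext_logins(SAMPLE_FRAMES, snaplen=1500))
```

The FTP login lands at byte 54, right after the 14-byte Ethernet, 20-byte IP and 20-byte TCP headers, so a 256-byte snaplen catches it; the HTTP Basic header in the third frame sits behind 345 bytes of other headers and is only found when the snaplen is raised, which is the situation the article's "given enough storage" remark covers. The SSH frame is never flagged, since its port is not in the cleartext table. For the defender, the value of the audit is the protocol list it produces: each hit is a service to move to its encrypted equivalent.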

 
