Principles of network sniffing tools: Sniffer and Wireshark
Today a question suddenly occurred to me: the reason Wireshark can capture packets from other hosts is shared Ethernet. How can Wireshark be used on switched Ethernet?
I read some documents online and sorted them into the following article.
Sniffing is a common way of collecting useful data. The data may be user accounts and passwords, or commercially confidential data. A sniffer can be used as a device that captures network packets. ISS defines a sniffer as a tool that uses a computer's network interface to intercept data packets destined for other computers.
The legitimate use of a sniffer is mainly to analyze network traffic in order to identify potential problems in the network. For example, if some part of the network is not running well and message delivery is slow, but we do not know where the problem lies, we can use a sniffer to pinpoint it. In a well-run network, the sniffer is important to the system administrator: it can be used to diagnose a large number of invisible, hard-to-define problems. These problems involve abnormal communication between two or more computers, and some even involve several protocols. With the help of a sniffer, the administrator can easily determine which network protocol the traffic belongs to, which host accounts for the bulk of the traffic, which host is the most common destination, the number of packets sent and the time taken, or the interval between packets exchanged between hosts. All of this gives the administrator valuable information for identifying network problems and managing the network.
A sniffer differs from an ordinary keystroke logger. A keystroke logger captures the key values typed on a terminal, while a sniffer captures the actual network packets.
To understand in depth how a sniffer works, let us first briefly introduce how a hub and a network interface card (NIC) work.
1. Working principle of the hub and the switch
Many networks, such as Ethernet (an intranet connected by ordinary hubs), are bus-based and physically broadcast: when one machine sends data to another, the hub receives the data and forwards it out of every other port, so the NICs of all machines in the same network segment under the hub can receive the data.
The firmware in a switch remembers the MAC address seen on each port. From then on, a frame is sent only to the port of the machine that should receive it, rather than to every port as a shared hub does. Therefore, under a switch only the NIC of the destination machine receives the data; broadcast frames, of course, are still sent to all ports. Clearly, with a hub, two machines transmitting data also occupy the ports of all the other machines, so a hub allows only two machines in the same network segment to communicate at any one time. When two machines connected to a switch transmit data, the ports of the other machines are not occupied, so the other ports can transmit at the same time. This is the difference between a switch and a hub: a hub can carry data for only one pair of machines at a time and every machine receives it, whereas a switch, for anything other than broadcast data, can carry data between several pairs of machines at the same time and the data stays private to the two endpoints.
2. Working principle of the network card
Now let us look at how the network adapter works. When data arrives at the NIC, the firmware in the NIC first reads the destination MAC address in the frame header and decides, according to the receive mode set by the NIC driver on the computer, whether to accept the frame. If the frame is accepted, the NIC raises an interrupt signal to the CPU; if it is not accepted, the frame is discarded. So the NIC filters frames, because the computer itself does not otherwise know which data it should receive. When the CPU gets the interrupt signal, the operating system calls the driver's interrupt handler, whose address was registered by the NIC driver, to receive the data. After the driver receives the data, it hands it to the protocol stack for the operating system to process.
3. How does a LAN work?
Data is transmitted on the network in small units called frames. A frame consists of several parts, each serving a different function. (For example, the first 12 bytes of an Ethernet frame are the source and destination addresses, which tell the network where the data comes from and where it is going. The rest of the Ethernet frame carries the actual user data, a TCP/IP packet header, or an IPX packet header.)
The frame is built by a particular network driver and then sent onto the cable through the NIC. At the receiving end the reverse process takes place: the target machine's Ethernet card captures the frames from the cable, notifies the operating system that frames have arrived, and stores them. It is during this transmission and reception that a sniffer creates security problems.
In general, all network interfaces in the same segment of a LAN can access all data transmitted on the physical medium. Each network interface has a hardware address that differs from the hardware addresses of all other interfaces on the network. At the same time, every network must have at least one broadcast address (representing all interfaces). Under normal circumstances, a network interface should respond only to the following two kinds of data frame:
1. Frames whose destination field holds a hardware address matching the local network interface.
2. Frames whose destination field holds the broadcast address.
When either of these two kinds of frame is received, the NIC raises a hardware interrupt to the CPU, which draws the attention of the operating system, and the data contained in the frame is then passed to the system for further processing.
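The frame layout and the NIC receive filter described above, as an added example that is not part of the original article: the code parses the 14-byte Ethernet II header (on the wire the destination address comes first, then the source, then the EtherType) and decides whether a NIC in normal or promiscuous mode would pass the frame up to the operating system. All MAC addresses and frames are constructed sample data; the helper names are this example's own.

```python
"""Added example (not from the original article): parse the 14-byte Ethernet
header and model the NIC's receive filter. All frames here are constructed
sample data; the function names are this example's own."""
import struct

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_ethernet(frame: bytes) -> dict:
    """Return destination, source, EtherType and payload of an Ethernet II frame.
    On the wire the destination address comes first, then the source."""
    if len(frame) < 14:
        raise ValueError("frame shorter than the 14-byte Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {
        "dst": mac_to_str(dst),
        "src": mac_to_str(src),
        "ethertype": ethertype,
        "payload": frame[14:],
    }


def nic_accepts(frame: bytes, own_mac: str, promiscuous: bool = False) -> bool:
    """Decide whether the NIC passes the frame up to the OS.
    Normal mode: only frames addressed to its own MAC or the broadcast address.
    Promiscuous mode: every frame that physically reaches the interface."""
    if promiscuous:
        return True
    dst = parse_ethernet(frame)["dst"]
    return dst in (own_mac.lower(), BROADCAST_MAC)


def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Construct a sample frame for the demonstration."""
    return (bytes.fromhex(dst.replace(":", ""))
            + bytes.fromhex(src.replace(":", ""))
            + struct.pack("!H", ethertype)
            + payload)


# Constructed sample traffic: host A talks to host B, plus one broadcast ARP request.
MAC_A = "00:11:22:33:44:55"
MAC_B = "66:77:88:99:aa:bb"
MAC_C = "cc:dd:ee:ff:00:11"   # a third host on the same hub segment

SAMPLE_FRAMES = [
    build_frame(MAC_B, MAC_A, 0x0800, b"IPv4 payload from A to B"),
    build_frame(BROADCAST_MAC, MAC_A, 0x0806, b"ARP who-has"),
    build_frame(MAC_A, MAC_B, 0x0800, b"IPv4 reply from B to A"),
]


def frames_seen_by(own_mac: str, promiscuous: bool) -> list:
    """Which sample frames would the NIC of host own_mac deliver to its OS?"""
    return [parse_ethernet(f)["payload"] for f in SAMPLE_FRAMES
            if nic_accepts(f, own_mac, promiscuous)]


if __name__ == "__main__":
    print("C, normal mode:     ", frames_seen_by(MAC_C, False))
    print("C, promiscuous mode:", frames_seen_by(MAC_C, True))
```

Host C in normal mode sees only the broadcast ARP request; the same host in promiscuous mode sees all three frames, which is exactly the difference between an ordinary station and a sniffer on a hub segment.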
When a hub is used: when a user sends a packet, it is delivered to every machine on the LAN. In general, every machine on the network can "hear" the traffic passing by, but does not respond to messages that are not addressed to it (in other words, machine A does not capture data belonging to machine B; it simply ignores it).
If the network interface of a machine on the LAN is in promiscuous mode (that is, the network adapter accepts every frame it receives), it can capture all the packets and frames on the network. A machine configured in this way, together with its software, is a sniffer.
When a switch is used: under normal circumstances, data packets addressed to other hosts do not appear on the local network interface, so packets belonging to other hosts cannot be sniffed. Of course, some special methods can be used to sniff anyway.
4. Sniffer principle
With the background above, we can describe how a sniffer works. First, you need to understand that a sniffer can only capture packets that actually reach the interface as physical signals. Obviously, once the NIC is told to accept every packet it receives (usually called promiscuous mode: every device on the network listens to all the data on the bus, not just its own), all packets on the segment can be received under a hub, but under a switch only the machine's own packets plus broadcast packets can be received.
To receive someone else's packets under a switch, they have to be sent to your machine's port. The switch learns which MAC belongs to a port by remembering the source MAC of the frames received on that port, just as the ARP table maps a machine's IP address to its MAC; the switch maintains a table of physical ports and MAC addresses. This is what makes the switch fallible: if a frame is sent with its source MAC set to the MAC of the machine whose traffic you want to receive, the switch maps that MAC to the physical port of your machine's cable, and packets addressed to that MAC are delivered to your cable, so your network card can sniff them. Note that the port-to-MAC table is refreshed dynamically, just like the ARP table on a host. As soon as the real machine sends a packet, the switch remembers its port again, so the two are competing; this approach is usable only for listening to a few packets.
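The hub flooding and the switch's port-to-MAC learning table from section 1, and the "competing" table refresh just described, as an added example that is not part of the original article. The toy switch learns source MACs per port, floods broadcast and unknown destinations like a hub, and, from the defender's side, records every time an already-learned MAC shows up on a different port, which is the event a port-security or MAC-move monitor would log. Port numbers, MAC addresses and the traffic sequence are constructed for the demonstration; the class and function names are this example's own.

```python
"""Added example (not from the original article): a toy model of hub flooding
and switch MAC learning, plus a defender-side check that flags a MAC address
moving between ports. Ports, MACs and traffic are constructed sample data."""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


def hub_forward(in_port: int, port_count: int) -> list:
    """A hub repeats every frame to every port except the one it arrived on."""
    return [p for p in range(port_count) if p != in_port]


@dataclass
class MacMove:
    mac: str
    old_port: int
    new_port: int


@dataclass
class Switch:
    port_count: int
    table: dict = field(default_factory=dict)   # MAC -> port, learned from source addresses
    moves: list = field(default_factory=list)   # MacMove events for a monitor to review

    def forward(self, in_port: int, src: str, dst: str) -> list:
        """Learn src on in_port, then return the ports the frame is sent out of."""
        previous = self.table.get(src)
        if previous is not None and previous != in_port:
            # The same MAC was just seen on a different port: either a host was
            # re-cabled, or a frame carried a source MAC that belongs elsewhere.
            self.moves.append(MacMove(src, previous, in_port))
        self.table[src] = in_port
        if dst == BROADCAST or dst not in self.table:
            return hub_forward(in_port, self.port_count)   # flood broadcast/unknown
        out = self.table[dst]
        return [] if out == in_port else [out]


def run_scenario() -> Switch:
    """Constructed traffic: A (port 1) and B (port 2) talk; then port 3 emits a
    frame carrying A's source MAC; then A transmits again and the entry flips back."""
    sw = Switch(port_count=4)
    A, B = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
    sw.forward(1, A, BROADCAST)   # A's ARP request: flooded, A learned on port 1
    sw.forward(2, B, A)           # B replies: unicast to port 1, B learned on port 2
    sw.forward(3, A, B)           # port 3 sends with A's source MAC -> MAC move logged
    sw.forward(2, B, A)           # B's next frame now goes out port 3, not port 1
    sw.forward(1, A, B)           # A transmits again: table points back to port 1
    return sw


def mac_move_alerts(sw: Switch) -> list:
    """Summarize learned-table flaps the way a port-security monitor would log them."""
    return [f"MAC {m.mac} moved from port {m.old_port} to port {m.new_port}"
            for m in sw.moves]


if __name__ == "__main__":
    sw = run_scenario()
    print("learned table:", sw.table)
    for line in mac_move_alerts(sw):
        print("ALERT:", line)
```

The two logged moves (port 1 to 3, then 3 back to 1) are the "competition" the text describes; on a real switch, port security with a per-port MAC limit or a MAC-move notification is the control that turns this flapping into an alert rather than silent redirection.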
On an IP-based intranet, ARP can be used to deceive other machines into sending their traffic to your machine. If you want to avoid disrupting the communication between the two parties, you can deceive both of them so that their traffic is sent to your machine and forwarded by it, which amounts to a man-in-the-middle; this is easy to implement with ARP and a little programming. Many devices now support remote management, and many switches can configure one port to mirror the traffic of other ports, but that requires administrative rights.
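The footprint that the ARP deception above leaves on the wire, and how a monitor spots it, as an added example that is not part of the original article: a minimal arpwatch-style check over ARP replies. The log lines are constructed sample data in this example's own format (timestamp, "ARP reply", IP, "is-at", MAC); real capture tools print slightly different text, so the regular expression would need adjusting. It flags an IP whose hardware address changes, and one MAC answering for several IPs, which is what deceiving both parties of a conversation looks like.

```python
"""Added example (not from the original article): arpwatch-style checks over
ARP replies. The log format and every address below are constructed sample
data; the function names are this example's own."""
import re
from collections import defaultdict

ARP_REPLY_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}) ARP reply (?P<ip>[\d.]+) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$")

# Constructed observations: the gateway (.1) and a workstation (.20) are both
# "claimed" by a third hardware address at 12:00:09.
SAMPLE_LOG = """\
12:00:01 ARP reply 192.168.1.1 is-at 00:11:22:33:44:55
12:00:02 ARP reply 192.168.1.20 is-at 66:77:88:99:aa:bb
12:00:03 ARP reply 192.168.1.1 is-at 00:11:22:33:44:55
12:00:09 ARP reply 192.168.1.1 is-at cc:dd:ee:ff:00:11
12:00:09 ARP reply 192.168.1.20 is-at cc:dd:ee:ff:00:11
12:00:15 ARP reply 192.168.1.30 is-at de:ad:be:ef:00:01
"""


def parse_arp_replies(text: str) -> list:
    """Return (timestamp, ip, mac) tuples; lines in other formats are ignored."""
    replies = []
    for line in text.splitlines():
        m = ARP_REPLY_RE.match(line.strip())
        if m:
            replies.append((m["ts"], m["ip"], m["mac"].lower()))
    return replies


def detect_arp_anomalies(replies: list) -> list:
    """Two checks: an IP whose MAC changes, and one MAC answering for several IPs."""
    alerts = []
    bindings = {}                  # ip -> MAC currently believed to own it
    ips_per_mac = defaultdict(set)
    for ts, ip, mac in replies:
        known = bindings.get(ip)
        if known is None:
            bindings[ip] = mac
        elif known != mac:
            alerts.append(f"{ts} {ip} changed from {known} to {mac}")
            bindings[ip] = mac     # keep following the latest claim
        ips_per_mac[mac].add(ip)
    for mac, ips in ips_per_mac.items():
        if len(ips) > 1:
            alerts.append(f"{mac} claims {len(ips)} addresses: {', '.join(sorted(ips))}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_anomalies(parse_arp_replies(SAMPLE_LOG)):
        print("ALERT:", alert)
```

A single changed binding can be a legitimate NIC replacement or DHCP reassignment, so in practice these alerts are reviewed against the inventory; two IPs flipping to the same MAC within the same second is far harder to explain innocently. Static ARP entries for the gateway, or dynamic ARP inspection on the switch, are the corresponding preventive controls.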
With this, you can set a computer's network interface to accept all data on the Ethernet bus in order to implement a sniffer. A sniffer is a kind of software that can put the local network card into promiscuous mode. When the network card is in this mode, it behaves as if it had the "broadcast address": it generates a hardware interrupt for every frame, prompting the operating system to process every packet that flows across the physical medium. (The vast majority of network cards can be put into promiscuous mode.)
It can be seen that a sniffer works at the bottom layer of the network environment. It intercepts all the data being transmitted over the network, and with suitable software it can analyze that data in real time and derive the state and overall layout of the network. It is worth noting that a sniffer is extremely quiet; it is a passive security attack.
Sniffers differ considerably in function and design. Some can analyze only one protocol, while others can analyze several hundred. In general, most sniffers can analyze at least the following protocols: standard Ethernet, TCP/IP, and IPX.
Hazards caused by sniffers
Sniffing takes place at the lowest layer of the network infrastructure. Ordinary users do not deal with this layer directly, and some do not even know it exists, so the harm a sniffer can do is considerable. The use of a sniffer is usually the beginning of network spoofing. Possible hazards:
A sniffer can capture passwords. This is probably the reason the vast majority of illegitimate users run a sniffer: it can record user names and passwords transmitted in plaintext. It can capture private or confidential information, for example financial accounts. Many users readily use their credit card or cash accounts online, but a sniffer can easily intercept the user names, passwords, credit card numbers, expiry dates, account numbers and PINs sent over the network. By intercepting data packets, an intruder can easily record sensitive information exchanged between others, or simply capture an entire e-mail session. It can be used to endanger the security of neighbouring machines on the network, or to obtain higher-level access by snooping on low-level protocol information.
This is serious. By recording low-level protocol information, for example the network interface address, the remote network interface's IP address, IP routing information, and the byte sequence numbers of a TCP connection between two hosts, an illegitimate intruder gains information that does great harm to network security. Generally there is only one reason to collect this information with a sniffer: the person is about to carry out spoofing (IP address spoofing in general requires inserting the exact byte sequence number of the TCP connection). If someone is this interested in the matter, the sniffer is only a prelude for him, and many problems will follow. (For advanced hackers, this is the only reason to use a sniffer.)
In fact, if an unauthorized sniffer exists on the network, it means your system has already been exposed to others.
Generally, a sniffer captures only the first 200 to 300 bytes of each packet. User names and passwords are contained in this part, which is the part that really matters to us.
Simply placing a sniffer anywhere does not work. The sniffer must be placed near the attacked machine or network in order to capture many passwords. An even better place is the gateway: a sniffer usually runs on a router or on a host with routing functions, where it can monitor a large amount of data. Sniffing is a second-stage attack: in general the attacker has already got into the target system and then uses the sniffer to gather more information. In this way the authentication exchanges between this network and other networks can be captured.