Sniffing in a switched network: ARP spoofing sniffers on switched networks

Source: Internet
Author: User

From -- http://blog.csdn.net/zhangnn5/article/details/6810347

Before reading this article, I assume you already know the TCP/IP protocol, the ARP protocol, what a sniffer is, and other basic networking.
In a typical LAN there are two ways hosts are connected: through a hub (an ordinary hub), or directly through a switch (here a reasonably capable switch; old hub-like devices are not considered). In a hub-connected network, data is repeated to every port, so any host that puts its network adapter into promiscuous mode can sniff the traffic of the whole network. This article does not discuss sniffing and anti-sniffing methods in that environment; it gives a rough analysis of how to sniff in a network whose hosts are connected directly through a switch.

We know that a computer needs two addresses to communicate on the network. One is the network card address, the MAC address, which is burned into the NIC. Ethernet uses MAC addresses to transmit and switch data: data travels in frames, and each frame carries its own source MAC and destination MAC address. The other is the IP address, defined at the network layer; each networked computer has one or more IP addresses, which are logical and can be changed at any time. The two addresses are used together. During transmission a complete TCP/IP packet is encapsulated by Ethernet, split into frames, and finally delivered to the target computer over the physical layer.

To encapsulate an upper-layer TCP/IP packet in Ethernet, the source MAC and destination MAC must be known, but all we are given is the other side's IP address, so a protocol is needed to translate IP addresses into MAC addresses. That protocol is ARP, the Address Resolution Protocol. In a LAN, ARP requests are sent by broadcast. For example, if my machine's IP address is 192.168.7.110 (A) and it needs the MAC address of 192.168.7.119 (B), machine A broadcasts an ARP request carrying B's IP address. When B receives it, it returns an ARP reply containing its MAC address. Once A receives that reply it knows B's MAC address, Ethernet can encapsulate the TCP/IP packet, and normal data transfer begins. For example:

    D:\>arp -a

    Interface: 192.168.7.110 on Interface 0x1000003
      Internet Address      Physical Address      Type
      192.168.7.1           00-90-0b-01-a0-61     dynamic

    D:\>ping 192.168.7.119

    Pinging 192.168.7.119 with 32 bytes of data:

    Reply from 192.168.7.119: bytes=32 time<10ms TTL=128

    Ping statistics for 192.168.7.119:
        Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 0ms, Maximum = 0ms, Average = 0ms
    Control-C
    ^C
    D:\>arp -a

    Interface: 192.168.7.110 on Interface 0x1000003
      Internet Address      Physical Address      Type
      192.168.7.1           00-90-0b-01-a0-61     dynamic
      192.168.7.119         00-d0-59-26-df-1a     dynamic

We can clearly see that before the host communicates with 192.168.7.119 it has no MAC address for that IP, and that after the communication it knows the other party's MAC address. In Windows, the other party's MAC address is stored in the ARP cache.
To save network resources and communication time, most operating systems keep an ARP cache table that records the IP-to-MAC pairings of addresses recently talked to. When a new ARP packet arrives on the LAN for an IP address that matches a record, the cache is refreshed and the stored MAC address is replaced with the one carried in the new packet. This is where the problem lies: ARP carries no authentication, and when updating the cache the system does not check whether the packet really came from the machine that owns that IP address. A malicious user on the LAN can exploit this to change the network path, substituting their own MAC address for the real one. This technique is called ARP spoofing.
When a switch forwards a frame, it looks up the destination MAC address in its own MAC-to-port table to find the port the frame should be sent out of. The table is built from the moment the switch starts: the source MAC address of the frames seen on each port is recorded against that port. By sending packets with a forged source MAC address to the switch, the switch can be tricked into refreshing its MAC-to-port table. Suppose host A is connected to port 2 and I am on port 4. To sniff host A's data, I send forged ARP packets whose source MAC address is host A's, so the switch records A's MAC on port 4 and forwards the data originally destined for A to port 4 instead, where I can capture it. This is the process of ARP spoofing sniffing on a switched network.
Generally, sniffing by ARP spoofing takes one of several forms:
1. The method just described. Because A stops receiving its data, it re-sends ARP packets, and the switch learns A's MAC back on its real port. As a result the sniffer is easily exposed and the effect is poor: A loses packets, and likewise your sniffer does not capture all of the data.
2. Man-in-the-middle eavesdropping. The attacker inserts a relay between the two communicating hosts; this way the attacker not only sniffs the data of both hosts but also leaves their communication undisturbed. Assume X is the attacker's machine and A and B are the target machines.
To launch the attack, X first sends an ARP packet to host A so that A believes the MAC address belonging to host B's IP address is host X's MAC; at the same time X sends an ARP packet to host B so that B believes the MAC address belonging to host A's IP address is host X's MAC. Both hosts then send each other's traffic to X, which forwards it on to the real destination. For example:
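The two spoofed replies X sends, as an added example written for this page (not code from the original article), in Python using only the standard library. It builds the raw Ethernet/ARP reply frames and feeds them to a simulated ARP cache that, like the one described above, accepts any reply without checking who sent it. The IP addresses 192.168.7.110 (A) and 192.168.7.119 (B) and B's MAC 00-d0-59-26-df-1a come from the arp -a listing earlier in the article; the MAC addresses of A and of the attacker X are assumptions for the example.

```python
"""ARP cache poisoning for a man-in-the-middle position (added example).

Standard library only.  A and B's IPs and B's MAC are taken from the
article's arp -a listing; A's and X's MACs are assumed for the example.
"""
import ipaddress
import struct

ETH_P_ARP = 0x0806
ARP_REPLY = 2

A_IP, B_IP = "192.168.7.110", "192.168.7.119"
B_MAC = "00-d0-59-26-df-1a"          # from the article's arp -a output
A_MAC = "00-0c-29-11-22-33"          # assumed: victim A's NIC
X_MAC = "00-0c-29-aa-bb-cc"          # assumed: attacker X's NIC


def mac_bytes(mac):
    return bytes.fromhex(mac.replace("-", "").replace(":", ""))


def mac_str(raw):
    return "-".join(f"{b:02x}" for b in raw)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP reply (RFC 826 layout, 14 + 28 bytes).

    Nothing in the packet proves that sender_mac really owns sender_ip:
    that missing check is what the whole attack rests on.
    """
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s",
                      1, 0x0800, 6, 4, ARP_REPLY,            # Ethernet, IPv4, hlen, plen, opcode
                      mac_bytes(sender_mac), ipaddress.IPv4Address(sender_ip).packed,
                      mac_bytes(target_mac), ipaddress.IPv4Address(target_ip).packed)
    return eth + arp


def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip, target_mac, target_ip) or None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, smac, sip, tmac, tip = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return (op, mac_str(smac), str(ipaddress.IPv4Address(sip)),
            mac_str(tmac), str(ipaddress.IPv4Address(tip)))


class Host:
    """A host with the unvalidated ARP cache the article describes:
    any reply addressed to us overwrites the cached MAC for the sender IP."""

    def __init__(self, ip, mac):
        self.ip, self.mac = ip, mac
        self.arp_cache = {}

    def receive(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return
        op, smac, sip, _tmac, tip = parsed
        if op == ARP_REPLY and tip == self.ip:
            self.arp_cache[sip] = smac        # no check that smac really owns sip

    def next_hop_mac(self, dst_ip):
        return self.arp_cache.get(dst_ip)


def poison(a, b, attacker_mac):
    """The two spoofed replies: 'B_IP is at X' to A and 'A_IP is at X' to B."""
    to_a = build_arp_reply(attacker_mac, b.ip, a.mac, a.ip)
    to_b = build_arp_reply(attacker_mac, a.ip, b.mac, b.ip)
    a.receive(to_a)
    b.receive(to_b)
    return to_a, to_b


def demo():
    """Returns A's MAC for B before poisoning, then A's MAC for B and
    B's MAC for A after it; the last two are X's MAC."""
    a, b = Host(A_IP, A_MAC), Host(B_IP, B_MAC)
    a.receive(build_arp_reply(B_MAC, B_IP, A_MAC, A_IP))   # genuine reply, as in arp -a
    before = a.next_hop_mac(B_IP)
    poison(a, b, X_MAC)
    return before, a.next_hop_mac(B_IP), b.next_hop_mac(A_IP)


if __name__ == "__main__":
    before, a_to_b, b_to_a = demo()
    print("A's MAC for B before:", before)
    print("A's MAC for B after :", a_to_b)
    print("B's MAC for A after :", b_to_a)
```

Two practical points the simulation leaves out: X must first learn the genuine MACs of A and B (with ordinary ARP requests) so it can rewrite the destination of each frame it relays, and it has to repeat the spoofed replies periodically, because the victims' cache entries expire and a genuine reply from A or B would overwrite them.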

3. MAC flooding attack
By quickly sending a large number of frames with forged source MAC addresses (for example from more than 1000 threads), the switch's MAC-to-port table is filled up. Normal data is not discarded: for destinations the switch can no longer learn, most switches fall back to sending data the way a hub does, flooding it to every port. At that point you can put the NIC of any machine in the network into promiscuous mode and sniff whatever data you want.
* Note: I have not formally tested the method above. It is theoretically feasible; in practice it remains to be verified.
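A small switch model, added here as an illustration (not code from the original article) of how methods 1 and 3 both abuse the switch's MAC-to-port learning: port stealing makes the switch record A's MAC on the attacker's port until A sends a frame again, and flooding fills the table so that frames to addresses the switch can no longer learn go out every port. The port numbers, the table size of 64 entries, the 300-second ageing time and the MAC addresses are assumptions for the example.

```python
"""Learning-switch model for port stealing and MAC flooding (added example).

Ports, table size, ageing time and MAC addresses are assumptions.
Frames are modelled as (ingress port, src_mac, dst_mac) at a given time.
"""

A_MAC = "00-0c-29-11-22-33"   # assumed: host A, plugged into port 2
B_MAC = "00-d0-59-26-df-1a"   # from the article's arp -a output, port 3
X_MAC = "00-0c-29-aa-bb-cc"   # assumed: attacker X, plugged into port 4


class Switch:
    """MAC -> port table learned from source addresses, with a fixed
    capacity like a real CAM and a simple ageing timer."""

    def __init__(self, ports, capacity, ageing=300):
        self.ports = list(ports)
        self.capacity = capacity
        self.ageing = ageing
        self.table = {}                       # mac -> (port, last_seen)

    def forward(self, in_port, src_mac, dst_mac, now):
        """Return the list of egress ports for this frame."""
        for mac, (_port, seen) in list(self.table.items()):
            if now - seen > self.ageing:      # stale entries age out
                del self.table[mac]
        # Learn the source MAC on the ingress port.  A known MAC is moved
        # without question (port stealing); a full table cannot learn new ones.
        if src_mac in self.table or len(self.table) < self.capacity:
            self.table[src_mac] = (in_port, now)
        if dst_mac in self.table:
            return [self.table[dst_mac][0]]
        return [p for p in self.ports if p != in_port]   # unknown: flood


def port_stealing_demo():
    """Where B's frames to A go: normally, after X claims A's MAC, and
    after A transmits again."""
    sw = Switch(ports=[1, 2, 3, 4], capacity=64)
    sw.forward(2, A_MAC, B_MAC, now=0)
    sw.forward(3, B_MAC, A_MAC, now=0)
    normal = sw.forward(3, B_MAC, A_MAC, now=1)       # -> port 2
    sw.forward(4, A_MAC, X_MAC, now=2)                 # X sends with A's MAC from port 4
    stolen = sw.forward(3, B_MAC, A_MAC, now=3)        # -> port 4: A no longer receives
    sw.forward(2, A_MAC, B_MAC, now=4)                 # A speaks again; entry flips back
    restored = sw.forward(3, B_MAC, A_MAC, now=5)      # -> port 2
    return normal, stolen, restored


def mac_flood_demo(capacity=64):
    """Where A's frames to B go before and after X fills the table, plus
    the final table size.  X floods twice: the second round lands after the
    genuine entries have aged out, so the table ends up holding only fakes."""
    sw = Switch(ports=[1, 2, 3, 4], capacity=capacity)
    sw.forward(2, A_MAC, B_MAC, now=0)
    sw.forward(3, B_MAC, A_MAC, now=0)
    before = sw.forward(2, A_MAC, B_MAC, now=1)        # -> port 3 only
    fakes = [f"02-00-00-00-{i >> 8:02x}-{i & 0xff:02x}" for i in range(capacity)]
    for t in (2, 310):
        for fake in fakes:
            sw.forward(4, fake, "ff-ff-ff-ff-ff-ff", now=t)
    after = sw.forward(2, A_MAC, B_MAC, now=311)       # -> flooded, X on port 4 sees it
    return before, after, len(sw.table)


if __name__ == "__main__":
    print("port stealing (normal, stolen, restored):", port_stealing_demo())
    print("MAC flooding (before, after, table size):", mac_flood_demo())
```

The flip back in port_stealing_demo is exactly why the article rates method 1 poorly: every frame A sends corrects the table, so the attacker sees only the traffic that arrives between A's own transmissions, and A visibly loses packets.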
The above describes several common ARP-spoofing sniffing methods on switched networks. How can an administrator prevent data from being sniffed this way?
Strictly speaking, there is no universal solution to the problems caused by ARP spoofing. The most promising measure is static ARP cache entries: because a static entry is never refreshed, a forged ARP packet is simply discarded (on Windows a static entry is added with arp -s <ip> <mac>). However, static entries have to be created for every machine in the network. In a large network this increases the burden on the switches and reduces efficiency, and whenever a machine is changed the MAC address table has to be updated by hand. Clearly this method is not practical in large networks.
Note that on Windows, even if you have created a static IP-to-MAC mapping, the machine still refreshes its mapping after receiving a forced-update ARP packet, so it can still be covered by the sniffer.
More advanced switches also offer MAC binding (port security), tying a switch port to a specific MAC address. This effectively prevents listening by MAC cloning (methods 1 and 3, which depend on the switch learning other hosts' addresses on the attacker's port), but it is not very effective against the ARP spoofing attack in method 2, where the attacker sends the spoofed replies from its own MAC address.
The most reliable approach is to use third-party software. arpwatch is a free tool that runs on UNIX platforms; it watches ARP traffic, keeps a record of the IP-to-MAC pairings it has seen, detects any change to a MAC address in the network, and sends an email to a configured address when one changes. Note that it detects rather than prevents: the spoofed replies are still delivered.
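The check an arpwatch-style monitor performs, as an added example for this page (not arpwatch's own code): it keeps the IP-to-MAC pairing last seen for each address and reports when a pairing changes or flips back and forth, and it adds one extra lead, a MAC that answers for more than one IP address. The observations are constructed: the gateway and B entries repeat the article's arp -a listing, the MACs for A and the attacker X are assumed, and the sequence replays the man-in-the-middle attack from method 2.

```python
"""arpwatch-style change detection over ARP sender fields (added example).

Each observation is (seconds, sender_ip, sender_mac) as a monitor would
extract from ARP packets on the wire.  The sample below is constructed:
gateway and B are from the article's arp -a listing, A's and X's MACs are
assumed, and the sequence replays the man-in-the-middle attack.
"""
from collections import defaultdict

SAMPLE = [
    (0,  "192.168.7.1",   "00-90-0b-01-a0-61"),   # gateway (article)
    (1,  "192.168.7.119", "00-d0-59-26-df-1a"),   # B (article)
    (2,  "192.168.7.110", "00-0c-29-11-22-33"),   # A (assumed MAC)
    (60, "192.168.7.119", "00-0c-29-aa-bb-cc"),   # X claims B's IP
    (60, "192.168.7.110", "00-0c-29-aa-bb-cc"),   # X claims A's IP
    (61, "192.168.7.119", "00-d0-59-26-df-1a"),   # B's genuine reply overwrites X
    (62, "192.168.7.119", "00-0c-29-aa-bb-cc"),   # X re-poisons
]


def norm(mac):
    return mac.lower().replace(":", "-")


def watch(observations):
    """Return alerts as (seconds, kind, ip, old_mac, new_mac).

    kinds: 'new station' (first time the IP is seen), 'changed ethernet
    address' (the IP is now answered by a MAC never seen for it before),
    'flip flop' (the IP went back to a MAC seen for it earlier: the
    tug-of-war between spoofed and genuine replies).
    """
    bindings = {}               # ip -> current mac
    seen = defaultdict(set)     # ip -> every mac ever seen for it
    alerts = []
    for t, ip, mac in observations:
        mac = norm(mac)
        old = bindings.get(ip)
        if old is None:
            alerts.append((t, "new station", ip, None, mac))
        elif old != mac:
            kind = "flip flop" if mac in seen[ip] else "changed ethernet address"
            alerts.append((t, kind, ip, old, mac))
        bindings[ip] = mac
        seen[ip].add(mac)
    return alerts


def shared_macs(observations):
    """MACs that have answered for more than one IP, which is what X's MAC
    looks like once it claims both A's and B's addresses.  Routers and
    multi-homed hosts trigger this legitimately, so treat it as a lead."""
    ips = defaultdict(set)
    for _t, ip, mac in observations:
        ips[norm(mac)].add(ip)
    return {mac: addrs for mac, addrs in ips.items() if len(addrs) > 1}


if __name__ == "__main__":
    for alert in watch(SAMPLE):
        print(alert)
    print("MACs claiming several IPs:", shared_macs(SAMPLE))
```

Nothing here blocks the spoofed replies; an alert still has to be followed by someone locating the switch port on which the offending MAC appears.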

Note: This article is very brief. In fact there are several other attack methods on switched networks, such as MAC cloning, and there is more than one sniffing method on switched networks; here I have only introduced the most common sniffing methods, the ones that occur most readily and are easiest to program. I hope it is helpful to you. My level is limited; if there are errors, please do not blame me.
