The principle of network sniffer tools (sniffer & Wireshark)

Source: Internet
Author: User

Today I suddenly thought of this problem: Wireshark can capture another host's packets because Ethernet was shared; so how can Wireshark be used on today's switched Ethernet?

After reading some information on the Internet, I organized the following article.


A sniffer is a commonly used means of collecting useful data: the data may be a user's account name and password, or commercially confidential data, and so on. A sniffer can serve as a device for capturing network messages. ISS defines a sniffer as follows: a sniffer is a tool that uses a computer's network interface to intercept data packets destined for other computers.

The proper use of a sniffer is primarily to analyze network traffic in order to identify potential problems in the network of interest. For example, suppose one segment of the network is not running well, messages are sent slowly, and we do not know where the problem lies; we can use a sniffer to pinpoint it. In a well-run network, the sniffer is an important tool for the system administrator: with it, the administrator can diagnose a large number of otherwise invisible, fuzzy problems. These problems involve abnormal communication between two or more computers, and some even involve a variety of protocols. With the help of a sniffer, the administrator can easily determine how much traffic belongs to which network protocol, which host is the main source of communication, which host is the most frequent communication destination, how long messages take to send, or the transmission interval between hosts, and so on. This information is invaluable to the administrator for locating network problems and managing the network.

A sniffer is different from an ordinary keystroke logger. A keystroke logger captures the key values entered on a terminal, while a sniffer captures real network messages.

To understand the working principle of a sniffer in depth, let us first briefly introduce how hubs and network cards work.

1. Preliminary knowledge: how hubs and switches work

Many networks such as Ethernet (the common hub-connected intranet) are based on a bus that is physically a broadcast medium: when one machine sends data to another, the hub receives the data and then repeats it to every other port (all except the one it came from). Therefore the network card of every machine in the same network segment under the hub can receive the data.

The firmware inside a switch can remember the MAC address seen on each port, and from then on a frame for a given machine is sent only to that machine's port, instead of to all ports as with a shared hub. So only the network card of the machine for which the data is intended receives it, while broadcast packets are still sent to all ports. Obviously, the way the hub works means that while two machines are transmitting, the ports of all the other machines are occupied too, so under a hub only two machines in the same segment can communicate at any one time. On a switch, the ports of the other machines are not occupied by the two machines that are communicating, so the other ports can transmit at the same time. These are the two differences between a switch and a hub: on a hub, only one machine can send at a time and every machine receives it; on a switch, as long as the data is not broadcast, several machines can transmit at the same time and the information is private.

2. How the network card works

Let's talk about how the NIC works. When the network card receives transmitted data, the single-chip program in the card first reads the destination MAC address at the head of the data and, according to the receiving mode set by the computer's network card driver, decides whether the data should be received. If it should, the card receives it and then notifies the CPU with an interrupt signal; if it should not, the data is discarded and ignored. Data that the card decides not to receive is therefore cut off at the network card, and the computer does not know about it at all. When the CPU gets the interrupt signal, the operating system calls the driver's interrupt handler, at the address set up by the network card driver, to receive the data; the driver receives the data and puts it into a buffer for the operating system to process.

3. How a LAN works

Data on the network is transmitted as small frames. A frame is composed of several parts, and different parts perform different functions (for example, the first 12 bytes of an Ethernet frame hold the source and destination addresses, which tell the network where the data is coming from and where it is going; the other parts of the Ethernet frame hold the actual user data, the TCP/IP header, or the IPX packet).

Frames are assembled by a specific network driver and then sent onto the network cable through the NIC. They travel over the cable to the destination machine, where the reverse process takes place: the receiving machine's Ethernet card captures the frames, tells the operating system that frames have arrived, and then stores them. It is during this process of transmission and reception that a sniffer can cause security problems.

Typically all network interfaces in the same segment of a local area network (LAN) are able to access all data transmitted on the physical medium. Each network interface has a hardware address that differs from the hardware addresses of the other network interfaces on the network, and each network has at least one broadcast address (which stands for all interface addresses). Under normal circumstances, a legitimate network interface should respond only to two kinds of data frame:

1. Frames whose destination field holds a hardware address that matches the local network interface.

2. Frames whose destination field holds the "broadcast address".

When a packet of either kind is received, the NIC raises a hardware interrupt to the CPU, which causes the operating system to take notice and pass the data contained in the frame to the system for further processing.

When a hub is used, a message sent by a user is delivered to every available machine on the LAN. In general, all the machines on the network can "listen" to the traffic that passes by, but they do not respond to messages that do not belong to them (in other words, machine A does not capture data belonging to machine B; it simply ignores it).

If the network interface of a machine on the LAN is in promiscuous mode (that is, the NIC accepts every packet it sees), it can capture all the packets and frames on the network. A machine configured in this way, together with its software, is a sniffer.
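As an added illustration (not code from the original article), the following Python model of the NIC receive decision parses the first 14 bytes of constructed Ethernet frames and shows which frames reach the operating system in normal mode versus promiscuous mode; the MAC addresses and payloads are constructed, not captured.

```python
import struct

BROADCAST = b"\xff" * 6            # Ethernet broadcast address
ETH_HDR = struct.Struct("!6s6sH")  # dst(6) src(6) EtherType(2): the first 14 bytes of a frame

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_ethernet(frame):
    """Split the Ethernet header into (dst, src, ethertype, payload)."""
    if len(frame) < ETH_HDR.size:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = ETH_HDR.unpack_from(frame)
    return mac_str(dst), mac_str(src), ethertype, frame[ETH_HDR.size:]

def nic_accepts(frame, own_mac, promiscuous=False):
    """Model the card's receive decision described in the text.

    Normal mode: keep only frames addressed to own_mac or to the broadcast address.
    Promiscuous mode: keep every frame that reaches the interface."""
    if promiscuous:
        return True
    dst = frame[:6]
    return dst == own_mac or dst == BROADCAST

def deliver(frames, own_mac, promiscuous=False):
    """Return the (src, dst, ethertype) tuples the OS would be interrupted for."""
    seen = []
    for f in frames:
        if nic_accepts(f, own_mac, promiscuous):
            dst, src, etype, _ = parse_ethernet(f)
            seen.append((src, dst, etype))
    return seen

# Constructed sample frames (not captured traffic): hosts A, B, C on one segment
MAC_A = bytes.fromhex("0200000000aa")
MAC_B = bytes.fromhex("0200000000bb")
MAC_C = bytes.fromhex("0200000000cc")
FRAMES = [
    ETH_HDR.pack(MAC_A, MAC_B, 0x0800) + b"ip payload to A",      # B -> A unicast
    ETH_HDR.pack(MAC_B, MAC_A, 0x0800) + b"ip payload to B",      # A -> B unicast
    ETH_HDR.pack(BROADCAST, MAC_C, 0x0806) + b"arp request",      # C broadcasts
]

if __name__ == "__main__":
    print("host A, normal mode:     ", deliver(FRAMES, MAC_A))
    print("host A, promiscuous mode:", deliver(FRAMES, MAC_A, promiscuous=True))
```

In normal mode host A sees only its own unicast frame and the broadcast; in promiscuous mode the A-to-B frame is delivered as well, which is exactly what a sniffer relies on.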

When a switch is used, other hosts' packets do not appear on the local network interface, so those packets cannot be sniffed. Of course, some special methods can be used for sniffing.

4. Sniffer principle

With the previous content introduced, the principle of a sniffer can be explained. First, be aware that whatever a sniffer wants to capture must be a message that the physical signal can reach. Obviously, simply telling the NIC to accept every packet it sees (commonly called promiscuous mode: every device on the network listens to the data transmitted on the bus, not just its own data) is enough to receive every packet in the segment under a hub, but under a switch only one's own packets plus the broadcast packets.

To receive other people's packets under a switch, they must be sent to the port your machine is plugged into. The switch learns the MAC address belonging to a port by receiving data from that port and remembering its source MAC, much as a machine's ARP list maps IP addresses to MACs; the switch maintains a table mapping physical ports to MACs, so the switch can be spoofed. If a packet is sent whose source MAC is set to the MAC of the machine whose traffic you want to receive, the switch will associate the physical port your network cable is plugged into with that MAC, and from then on packets sent to that MAC are delivered to your port, that is, your network card can sniff them. Note that the port-to-MAC table and the machines' ARP tables are refreshed dynamically: as soon as the real machine sends again, the switch learns its port back, so in practice the two are in contention, and this can only be used in situations where a small number of packets is to be listened to.
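The following added Python simulation (not from the original article) models the switch's port-to-MAC table to show why the "contention" described above happens when two ports present the same source MAC, and records each MAC move the way a port-security feature would alert on it; the ports, MACs and frame sequence are constructed.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"

class Switch:
    """Minimal model of the forwarding table (source MAC -> port) described above."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.table = {}    # learned source MAC -> physical port
        self.alerts = []   # MAC-move events a port-security feature would log

    def receive(self, in_port, src, dst):
        """Learn src on in_port, then return the set of ports the frame goes out of."""
        old = self.table.get(src)
        if old is not None and old != in_port:
            # The same MAC now appears on another port: a real move (re-plugged
            # cable) or a forged source address. Record it for the administrator.
            self.alerts.append((src, old, in_port))
        self.table[src] = in_port
        if dst == BROADCAST or dst not in self.table:
            return {p for p in self.ports if p != in_port}   # flood, hub-like
        out = self.table[dst]
        return set() if out == in_port else {out}           # private unicast

def simulate(events):
    """Run a constructed sequence of (in_port, src, dst) frames through one switch."""
    sw = Switch(ports=[1, 2, 3])
    deliveries = [sw.receive(*e) for e in events]
    return deliveries, sw.alerts

A, B = "02:00:00:00:00:aa", "02:00:00:00:00:bb"
EVENTS = [           # constructed, not captured traffic
    (1, A, B),       # A on port 1 talks to unknown B: learn A, flood to 2 and 3
    (2, B, A),       # B replies on port 2: learn B, forward to port 1 only
    (1, A, B),       # normal traffic now reaches port 2 only
    (3, B, A),       # port 3 sends a frame with B's source MAC: table now says B -> 3
    (1, A, B),       # A's next frame is delivered to port 3 instead of B on port 2
    (2, B, A),       # B's own traffic moves the entry back: the contention in the text
]

if __name__ == "__main__":
    deliveries, alerts = simulate(EVENTS)
    for ev, out in zip(EVENTS, deliveries):
        print(ev, "->", sorted(out))
    print("MAC moves:", alerts)
```

Every flip of B between ports 2 and 3 shows up in the alert list, which is the signal a defender watches for (real switches expose it as port-security or MAC-move notifications).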

For intranet communication, ARP can be used to deceive other people's machines into sending to your machine. If you do not want to affect the original communication between the two parties, you can deceive both of them so that everything is sent to your machine and forwarded by it, which amounts to acting as a man in the middle; this is easy to implement with ARP plus some programming. In addition, many devices now support remote management, and many switches can configure one port to listen to other ports (port mirroring), but this requires management permissions.
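As an added example for the defender's side (not part of the original article), this Python snippet parses raw Ethernet/ARP frames and keeps an arpwatch-style IP-to-MAC table, raising an alert when an ARP reply changes the MAC claimed for an IP; the addresses and frames are constructed samples.

```python
import struct

ETH = struct.Struct("!6s6sH")              # dst, src, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")      # htype ptype hlen plen op sha spa tha tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

def mac(b): return ":".join(f"{x:02x}" for x in b)
def ip(b): return ".".join(str(x) for x in b)

def parse_arp_reply(frame):
    """Return (sender_ip, sender_mac) for an Ethernet/IPv4 ARP reply, else None."""
    if len(frame) < ETH.size + ARP.size:
        return None
    _, _, etype = ETH.unpack_from(frame)
    if etype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _, _ = ARP.unpack_from(frame, ETH.size)
    if (htype, ptype, hlen, plen, op) != (1, 0x0800, 6, 4, ARP_REPLY):
        return None
    return ip(spa), mac(sha)

def watch(frames):
    """arpwatch-style check: remember IP -> MAC and flag replies that change it."""
    table, alerts = {}, []
    for f in frames:
        r = parse_arp_reply(f)
        if r is None:
            continue
        addr, hw = r
        if addr in table and table[addr] != hw:
            alerts.append((addr, table[addr], hw))   # same IP now claims a new MAC
        table[addr] = hw
    return table, alerts

def build_arp(op, sha, spa, tha, tpa, dst=None):
    """Constructed ARP frame for the demo (not captured traffic)."""
    return ETH.pack(dst or tha, sha, ETHERTYPE_ARP) + ARP.pack(1, 0x0800, 6, 4, op, sha, spa, tha, tpa)

GW, HOST, OTHER = (bytes.fromhex(h) for h in ("020000000001", "020000000010", "0200000000ee"))
GW_IP, HOST_IP = bytes([192, 168, 1, 1]), bytes([192, 168, 1, 10])
SAMPLE = [
    build_arp(ARP_REQUEST, HOST, HOST_IP, b"\0" * 6, GW_IP, dst=b"\xff" * 6),  # who has the gateway? (ignored)
    build_arp(ARP_REPLY, GW, GW_IP, HOST, HOST_IP),      # gateway answers normally
    build_arp(ARP_REPLY, OTHER, GW_IP, HOST, HOST_IP),   # a third MAC now claims the gateway IP
]

if __name__ == "__main__":
    print(watch(SAMPLE))
```

On a real network the same check would be fed from a packet capture of ARP traffic; a mapping that changes for the gateway IP is the classic sign of the ARP deception described above.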

With this, you can set up a computer's network connection to accept all data on the Ethernet bus for sniffing. A sniffer is a kind of software that can set the local network card to the "promiscuous" state; when the network card is in this "promiscuous" mode, it behaves as if it held the "broadcast address", generating a hardware interrupt for every frame it encounters to remind the operating system to handle each packet flowing through the physical medium. (Most NICs can be set to promiscuous mode.)

It can be seen that a sniffer works at the bottom layer of the network environment. It intercepts all the data being transmitted on the network and, with the appropriate software, can analyze the content of this data in real time and then analyze the network status and overall layout. It is worth noting that a sniffer is extremely quiet; it is a passive security attack.

Sniffers differ greatly in function and design. Some can analyze only one protocol, while others may be able to analyze hundreds of protocols. In general, most sniffers can at least analyze the following protocols: standard Ethernet, TCP/IP, IPX.

Harm caused by sniffers

Sniffing happens at the bottom of the network infrastructure. Typically, users do not interact directly with this layer, and some do not even know that it exists. So it should be said that the harm a sniffer can do is quite large; usually, the use of a sniffer is the beginning of deception on the network. The hazards it may cause:

A sniffer can capture passwords. This is probably the most common reason for illegal use of a sniffer: a sniffer can record user names and passwords transmitted in clear text. It can capture proprietary or confidential information, for example financial accounts: many users feel quite safe using their own credit card or cash account online, yet a sniffer can easily intercept the user name, password, credit card number, expiry date, account number and PIN transmitted online. It can also pry into confidential or sensitive information: by intercepting packets, an intruder can easily record sensitive information transmitted between others, or simply capture an entire email session. It can be used to compromise the security of a network neighbor, or to obtain higher-level access by spying on low-level protocol information.

This is a frightening thing: the underlying protocol records reveal, for example, the network interface addresses of the two hosts, the remote network interface's IP address, IP routing information and the TCP connection byte sequence numbers. After an illegal intrusion, this information does great harm to network security. Usually someone uses a sniffer to collect this information for only one reason: he is going to spoof (the usual IP address spoofing requires accurately inserting the TCP connection byte sequence number). If someone is paying close attention to this problem, then the sniffer is only a prelude for him, and the problems ahead are much bigger. (For advanced hackers, this is the only reason to use a sniffer.)

In fact, if an unauthorized sniffer is present on the network, it means that your system is exposed to someone else.

A typical sniffer captures only the first 200 to 300 bytes of each message. The user name and password are contained in this part, which is the part we really care about.

Simply placing a sniffer anywhere at all will not work. Placing the sniffer near the attacked machine or network will capture a lot of passwords, and a better way is to put it on the gateway. Sniffers are typically run on routers, or on hosts with router capabilities, which makes it possible to monitor large amounts of data. A sniffer is a second-level attack: usually an attacker has already entered the target system and then uses the sniffer to get more information. If so, the authentication exchanges between this network and other networks can be captured.
