What about Packet sniffing?

Source: Internet
Author: User
Tags: imap

// ----------------------------------------------------------------------
// What about Packet sniffing
// Translation: GAA. RA (zhoufan # yahoo.cn)
// Reproduce at will, but please keep this block of information, thank you
// Original address: http://cs.baylor.edu/~Donahoo/tools/sniffer/
// ----------------------------------------------------------------------

I. Packet sniffing basics (http://cs.baylor.edu/~Donahoo/tools/sniffer/packetsniffers.htm)
1. What is packet sniffing?
A packet sniffer is a program that records every packet transmitted across a network through a specified network interface on a specified computer. It can be used to diagnose and correct network problems, or to extract sensitive information such as the credentials of unencrypted logon sessions.

2. What is a sniffer?
A sniffer is a program that monitors and analyzes network traffic to detect bottlenecks and problems. With this information, a network administrator can keep traffic flowing efficiently.
A sniffer can also be used to capture data transmitted over the network illegitimately. A router reads each packet passing through it and determines whether the packet is addressed to its own network; a router with sniffing capability could read the data inside those packets just as the sender and receiver can.
The word "sniffer" is sometimes also used for programs that analyze stored data rather than network traffic; for example, a database could be analyzed by such a program for certain kinds of duplication.

3. What is a sniffer and how does it work?
Unlike telephone circuits, computer networks share communication channels, because it would be too costly to build a dedicated local loop in a switch (or hub) for every communicating computer. Sharing means that a computer can receive information sent to other machines; capturing that information from the network is called sniffing.
The most common way to connect computers is Ethernet. The Ethernet protocol works by sending packets to all hosts on the same segment. The packet header contains the address of the intended destination machine, and it is assumed that only the machine with the matching address will accept the packet. A machine that accepts every packet regardless of the address in the header is said to be in promiscuous mode.

4. Why sniffers are dangerous
In a typical network, account and password information is transmitted in plaintext over Ethernet, so once an intruder obtains root on one machine, they can easily put its interface into promiscuous mode and compromise other computers on the same network by sniffing.
A sniffer is a program or device that monitors the data circulating on a network. It can serve legitimate network management or be used to steal network information. Unauthorized sniffing is extremely dangerous for network security because it is passive and therefore hard to detect, and it can be inserted almost anywhere on the network (a "sniffing point").
On TCP/IP networks, sniffers are usually called packet sniffers.

5. Other points
The popularity of packet sniffing comes from the fact that it can see anything on the wire. Typical targets of sniffing include:
SMTP, POP and IMAP traffic -- lets an intruder read email as it is sent.
POP, IMAP, HTTP Basic and Telnet authentication -- reads passwords from the cleartext on the wire.
SMB, NFS and FTP traffic -- reads files off the wire.
SQL database traffic -- reads financial transactions and credit card numbers.
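The protocols listed above carry credentials in the clear, which is what makes them worth sniffing. The following Python audit, added here and not part of the original article, runs over constructed client-to-server lines and reports which services still accept cleartext authentication (the kind of check a defender runs before moving those services to TLS). It records only protocol, client and server, never the credential itself; the sample traffic, hosts and ports are constructed for the demo.

```python
import re

# Constructed client-to-server lines: (src, dst, payload). No real hosts or secrets.
SAMPLE_LINES = [
    ("10.0.0.23:40000", "10.0.0.5:143", "a001 LOGIN alice demo-pass"),
    ("10.0.0.23:40001", "10.0.0.5:110", "USER alice"),
    ("10.0.0.23:40001", "10.0.0.5:110", "PASS demo-pass"),
    ("10.0.0.23:40002", "10.0.0.5:80", "Authorization: Basic YWxpY2U6ZGVtby1wYXNz"),
    ("10.0.0.23:40003", "10.0.0.5:993", "\x16\x03\x01\x02\x00\x01\x00\x01\xfc"),  # TLS: opaque
    ("10.0.0.23:40004", "10.0.0.5:25", "AUTH PLAIN AGFsaWNlAGRlbW8tcGFzcw=="),
    ("10.0.0.23:40005", "10.0.0.5:143", "a002 SELECT INBOX"),
]

# Server port -> (protocol name, pattern marking a cleartext credential exchange).
CLEARTEXT_AUTH = {
    143: ("IMAP", re.compile(r"^\S+\s+LOGIN\s", re.I)),
    110: ("POP3", re.compile(r"^PASS\s", re.I)),
    80: ("HTTP Basic", re.compile(r"^Authorization:\s*Basic\s", re.I)),
    25: ("SMTP", re.compile(r"^AUTH\s+(PLAIN|LOGIN)\b", re.I)),
}


def audit_cleartext_auth(lines):
    """Count credential exchanges visible in the clear, keyed by protocol.

    Only the protocol, the client IP and the server are kept; the payload that
    matched is discarded, so the audit report never contains a credential.
    """
    findings = {}
    for src, dst, payload in lines:
        port = int(dst.rsplit(":", 1)[1])
        if port not in CLEARTEXT_AUTH:          # e.g. 993 (IMAPS) is encrypted: nothing to see
            continue
        name, pattern = CLEARTEXT_AUTH[port]
        if pattern.search(payload):
            entry = findings.setdefault(name, {"count": 0, "clients": set(), "server": dst})
            entry["count"] += 1
            entry["clients"].add(src.rsplit(":", 1)[0])
    return findings
```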

II. Sniffing (network eavesdropping) FAQ (http://cs.baylor.edu/~Donahoo/tools/sniffer/sniffingfaq.htm)
1. Basics

1.1 What is a "packet sniffer"?
A packet sniffer is a wiretap inserted into the network that eavesdrops on network traffic. Just as a phone wiretap lets the FBI listen to other people's conversations, a sniffer lets someone listen to the conversations between computers.
However, computer conversations consist of apparently random binary data, so a sniffer also contains a protocol-analysis component that "decodes" the traffic and makes it meaningful.
Compared with a phone wiretap, sniffing has one advantage: many networks use "shared media". This means you do not need to break into the wiring closet to install your tap; you can plug in at almost any network connection and eavesdrop on your neighbors. This is called "promiscuous mode" sniffing. However, shared-media technology is rapidly giving way to switched technology, and promiscuous-mode sniffing no longer works on a switched network, which means you have to get physically in line with the traffic.
1.1.1 "packet sniffer" registered)

1.2 What is a sniffer used for?
Sniffers have long come in two forms. Commercial packet sniffers are used to help maintain networks. Underground packet sniffers are used to break into computers.
Typical features of these programs include:
1) Automatically filtering passwords and usernames out of the cleartext transmitted on the network; hackers/crackers use this to break into systems.
2) Converting the transmitted data into a human-readable format so that the traffic can be read.
3) Fault analysis, to identify network problems such as why computer A cannot talk to computer B.
4) Performance analysis, to identify network bottlenecks.
5) Detection of network intrusions and password theft, to discover hackers/crackers (see http://www.robertgraham.com/pubs/network-intrusion-detection.html).
6) Network traffic logging, creating logs that hackers cannot alter or erase.

1.3 Can I plug into a node of the Internet and see all of its traffic?
No. The Internet is more like a fishing net: traffic flows through a mesh, and no single point sees all of it. The Internet was built to survive a nuclear attack and keeps working when some nodes fail; the same property prevents any single point from sniffing everything.
To see why, consider two machines in your own office that talk to each other and are both on the Internet. They use a direct path, and their traffic never passes through the public Internet. Traffic everywhere follows a similar "least cost path" principle.
(This means sniffing happens inside a particular network; not every node can be sniffed.)

1.4 How does sniffing/eavesdropping work?
1.4.1 How does one eavesdrop on network traffic?
Ethernet is built on the principle of "sharing": all machines on a local area network share the same cable.
This means that every machine can "see" all the traffic on that wire.
Therefore Ethernet hardware contains a "filter" that ignores all traffic not addressed to it, by discarding frames whose destination does not match the adapter's MAC address.
A sniffer turns off this filter and puts the Ethernet hardware into "promiscuous mode". Mark can then see the traffic between Alice and Bob as long as all three are on the same Ethernet segment.
1.4.2 What are the components of a packet sniffer?
1) Hardware
Most products work with ordinary network adapters, although some require special hardware. With special hardware you can also analyze hardware-level faults such as CRC errors, voltage problems and cabling problems.
2) Packet capture driver
This is the most important part. It captures traffic from the wire, filters it down to the traffic you want, and stores it in a buffer.
3) Buffer
Once frames are captured from the network they are stored in a buffer. There are several capture modes: capture until the buffer is full, or use a "ring" buffer in which the newest data replaces the oldest. Some products can use the hard disk as the buffer instead of memory.
4) Real-time analysis
Pioneered by the Network General Sniffer, this feature performs a small amount of analysis as frames are captured, so that network performance problems and faults can be spotted during capture. Many vendors have since added similar features to their products. Network intrusion detection systems do the same, but they look mainly for hacker activity rather than faults or performance.
5) Decoder
As discussed in 1.5, this component displays network traffic in readable form so that an analyst can work out what happened.
6) Packet editing/transmission
Some products include functions that let you modify your own network packets and send them onto the network.

1.5 Some things about MAC addresses
1.5.1 What is an Ethernet MAC address?
Although many machines may share a single Ethernet cable, each must have a unique identifier. This is not the case with a dial-up modem, where anything you send to the modem simply goes to the other end of the phone line. When you send data on an Ethernet cable, however, you have to say which machine it is for. In many cases only two machines are talking, but remember that Ethernet is designed on the premise that a large number of computers share the same cable.
This is done by burning a unique 12-hex-digit number into each piece of Ethernet hardware. Section 1.5.4 explains how to find your own computer's MAC address.
To better understand why this matters, you may want to review section 1.5.4. Ethernet is designed to carry more than TCP/IP traffic, and TCP/IP is designed to run over other links as well (for example, dial-up lines do not use Ethernet). Many home users, for instance, install "NetBEUI" to share files and printers; because it has nothing to do with TCP/IP, Internet hackers cannot reach their hard disks (files).
Raw transmission and reception over Ethernet is handled by the Ethernet device. You cannot simply put unprocessed data onto the cable; you must first wrap it in what Ethernet expects. In the same way, you cannot just drop a letter into the mailbox: you must first put it in an envelope, write the address, and attach a stamp.
The following is a simple explanation of how this works:


Alice's IP address is 10.0.0.23.
Bob's IP address is 192.168.100.54.
To communicate with Bob, Alice must generate an IP packet from 10.0.0.23 --> 192.168.100.54.
As a packet travels across the Internet it passes from one router to the next, so Alice must first hand the packet to her first-hop router. Each router along the path examines the destination IP address (192.168.100.54) and determines the correct next hop.
In the diagram, the Internet is drawn as a "cloud". All Alice knows is her local connection to the first router and Bob's final IP address; she knows nothing about the structure of the Internet or how the packet is routed.
Alice must talk to the router to send the packet, and she does this with Ethernet. An Ethernet frame looks like this:

That is, the TCP/IP stack on Alice's machine might generate a 100-byte packet (20 bytes of IP header, 20 bytes of TCP header, and 60 bytes of data). The TCP/IP stack hands it to the Ethernet module, which prepends a 14-byte header containing the destination MAC address, the source MAC address, and an ethertype field set to 0x0800 to indicate that the TCP/IP stack at the other end should process this frame. It also appends a 4-byte CRC at the end of the frame (used to determine whether the data was received correctly).
The adapter then sends the frame as a bit stream onto the cable.
Every adapter on the same cable sees this frame, including the router's adapter, any packet sniffer, and all other machines. Normally each adapter has a hardware chip that compares the frame's destination MAC with its own MAC address; if they do not match, the frame is discarded. This happens in hardware, so the machine hosting the adapter is never aware of the frame.
When the router's Ethernet adapter sees the frame, it reads it off the cable and strips the first 14 bytes and the last 4 bytes. Seeing 0x0800 in the ethertype field, it hands the packet to the TCP/IP stack for processing (which on a router usually means forwarding it straight to the next hop toward the destination).
In this scenario only the router should see the Ethernet frame and every other machine should ignore it. A sniffer breaks this rule and copies the frame off the network.
See Charles Spurgeon's Ethernet site: http://wwwhost.ots.utexas.edu/ethernet/ethernet-home.html
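The encapsulation and the hardware filter described in 1.4.1 and 1.5.1, modelled in Python as an added example (not code from the original article). It builds the 100-byte Alice-to-Bob packet, wraps it in the 14-byte header plus 4-byte CRC, and shows which adapters on the shared cable keep the frame: the router, or a sniffer only when its adapter is promiscuous. The MAC addresses and the third host "Mark" are constructed for the demo; the CRC-32 used for the FCS is the standard Ethernet one.

```python
import struct
import zlib

ETHERTYPE_IPV4 = 0x0800
HDR = struct.Struct("!6s6sH")            # dst MAC, src MAC, ethertype: the 14-byte header

# Constructed MAC addresses for the hosts in the text (not real hardware).
ALICE_MAC = bytes.fromhex("02aa00000001")
ROUTER_MAC = bytes.fromhex("02aa00000002")
MARK_MAC = bytes.fromhex("02aa00000003")  # the sniffing host

def fcs(body: bytes) -> bytes:
    """The 4-byte CRC: CRC-32 over header+payload, sent least-significant byte first."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)

def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """What the Ethernet module does: 14-byte header + packet + 4-byte CRC."""
    body = HDR.pack(dst, src, ethertype) + payload
    return body + fcs(body)

def is_group_address(mac: bytes) -> bool:
    """Low bit of the first byte set means broadcast/multicast."""
    return bool(mac[0] & 0x01)

def adapter_accepts(frame: bytes, own_mac: bytes, promiscuous: bool) -> bool:
    """The hardware filter: keep frames for our MAC or a group address, or everything when promiscuous."""
    dst = frame[:6]
    return promiscuous or dst == own_mac or is_group_address(dst)

def strip_frame(frame: bytes):
    """Receiver side: drop header and CRC; returns (ethertype, payload), or None if the CRC is wrong."""
    body, trailer = frame[:-4], frame[-4:]
    if fcs(body) != trailer:
        return None
    _dst, _src, ethertype = HDR.unpack_from(body)
    return ethertype, body[HDR.size:]

def ipv4_addresses(packet: bytes):
    """Source and destination IPs from a minimal IPv4 header (bytes 12-19)."""
    return (".".join(map(str, packet[12:16])), ".".join(map(str, packet[16:20])))

def alice_to_bob_packet() -> bytes:
    """Constructed 100-byte packet: 20-byte IPv4 header, 20-byte TCP header, 60 bytes of data."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 100, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 23]), bytes([192, 168, 100, 54]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 143, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return ip + tcp + b"A" * 60

def who_sees_it(frame: bytes, hosts: dict) -> list:
    """Names of hosts on the shared cable that keep the frame; hosts maps name -> (mac, promiscuous)."""
    return [name for name, (mac, promisc) in hosts.items() if adapter_accepts(frame, mac, promisc)]
```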
1.5.2 What does "MAC" mean?
MAC stands for Media Access Control.
Ethernet logic consists of three sublayers: PHY (physical layer), MAC, and LLC (Logical Link Control). The Ethernet address is considered part of the MAC sublayer. The physical layer handles the wire itself, the MAC formats the data transmitted onto the wire, and the LLC is responsible for handing packets to the protocol above it.
1.5.3 What is the MAC address format?
An Ethernet MAC address is a 48-bit value, divided into two halves. The first 24 bits identify the manufacturer of the NIC (Ethernet board); the other 24 bits are a serial number assigned by that manufacturer. This ensures that no two NICs have the same MAC address (unless the manufacturer makes a mistake). Duplicate MAC addresses cause problems, so ensuring uniqueness is very important. The 24-bit manufacturer number is called the OUI (Organizationally Unique Identifier).
However, the OUI is really only 22 bits long, because two of its bits are used for other purposes. One bit indicates that the address is a "broadcast/multicast" address; the other indicates whether the adapter has been reassigned a "locally administered address" (the network administrator reassigned the MAC address to fit some local policy).
For example, you will often see the MAC address 03:00:00:00:00:01 on the wire. The first byte, 00000011 in binary, has both special bits set (all other bits are 0). This is a special broadcast sent to all machines running the NetBEUI protocol (generally installed on Windows machines for local file sharing without TCP/IP as the transport).
IEEE maintains the list of manufacturer/OUI codes: http://standards.ieee.org/regauth/oui/
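The bit layout of 1.5.3 worked out in Python, as an added example that is not part of the original article: it splits an address into OUI, serial number and the two flag bits in the first byte, decodes the 03:00:00:00:00:01 example above, and flags duplicate addresses in a list (the problem the text warns about). The vendor table is a constructed stand-in for the IEEE registry.

```python
# Constructed OUI lookup for the demo; the authoritative list is the IEEE registry linked above.
OUI_TABLE = {"a8:bb:cc": "Example Vendor (constructed entry)"}


def parse_mac(text: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff; return the 6 raw bytes."""
    digits = "".join(c for c in text if c in "0123456789abcdefABCDEF")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)


def canonical(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def decode_mac(text: str) -> dict:
    """Split a MAC into its OUI, serial number and the two flag bits of the first byte."""
    mac = parse_mac(text)
    group = bool(mac[0] & 0x01)   # I/G bit: set for broadcast/multicast destinations
    local = bool(mac[0] & 0x02)   # U/L bit: set when the address is locally administered
    # Both flags sit in the first byte, so only 22 of the OUI's 24 bits identify a vendor.
    vendor_bits = ((mac[0] >> 2) << 16) | (mac[1] << 8) | mac[2]
    oui = canonical(mac[:3])
    return {
        "address": canonical(mac),
        "broadcast": mac == b"\xff" * 6,
        "group": group,
        "locally_administered": local,
        "oui": oui,
        "vendor_bits": vendor_bits,
        "serial": int.from_bytes(mac[3:], "big"),
        # A vendor lookup only means something for a manufacturer-assigned unicast address.
        "vendor": OUI_TABLE.get(oui) if not (group or local) else None,
    }


def find_duplicate_macs(seen: list) -> set:
    """Addresses that occur more than once, whatever format each was written in."""
    counts = {}
    for text in seen:
        key = canonical(parse_mac(text))
        counts[key] = counts.get(key, 0) + 1
    return {mac for mac, n in counts.items() if n > 1}
```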
1.5.4 What is my own Ethernet address (MAC address)?
Win9x: run winipcfg.exe
WinNT: run ipconfig /all
Linux: run ifconfig
Solaris: run arp or netstat -p
1.5.5 What is the Ethernet address of the machine I am communicating with?
Run arp -a on both WinNT and Unix.
1.5.6 Can I change my MAC address?
Yes, and in some cases this matters.
First, you can spoof your address (as seen by other machines). Remember that the MAC address is just part of the frame data, so when you send an Ethernet frame onto the wire you can write whatever you like into those fields. Of course, you need a program to do this.
Second, most adapters let you reconfigure the MAC address at runtime. For example, some NICs let you change the address from the Windows Control Panel.
Finally, you can reprogram the address stored on the NIC itself (e.g. in its EEPROM). You need a program or hardware that knows the specific chip the NIC uses. This permanently changes the NIC so that it uses the new address.

1.6 Can I sniff two people without access to their communication path?
In other words, you are asking:
1) Alice and Bob are communicating, one in New York and one in Texas.
2) You are in California, nowhere near them.
3) You want to eavesdrop on their communication.
The answer is of course "no"; it is impossible. You must have access to their communication path to eavesdrop, just as with phone wiretaps, just as anywhere else.
About remote access to communication paths:
Suppose you are a very capable hacker/cracker who can get at those paths remotely. Typical examples are:
1) Break into Alice's or Bob's computer and install sniffing software that you control remotely.
2) Break into the relevant ISP and install sniffing software.
3) Find a box at the ISP that supports sniffing, such as an RMON probe or a DSS (Distributed Sniffing System).
4) Bribe ISP staff, or break into the physical facility to install a sniffer.
Near the communication path:
In some cases, such as cable modems, DSL and Ethernet VLANs, you can redirect the traffic between two people through your own machine. Even though you are not directly on the communication path, you can sometimes alter that path so that the data passes through your computer. Think of it like water flow: you can slightly divert a stream nearby, but you cannot change its course far away.
Rootkits and remote administration Trojans:
Another possibility is to break into one person's machine and install a sniffer there (how to break in is beyond the scope of this document). On Unix, sniffers are part of most "rootkits"; on Windows, sniffing is part of some remote administration Trojans.
In theory these programs could sniff any traffic, but they are usually simply configured to sniff passwords and email.
