The History Of Packet Sniffing Information Technology Essay
This paper first gives an overview of packet sniffing: how it works, its history, and its limitations. Next, it describes three packet sniffing programs: Wireshark, Snort, and Carnivore. Each of these programs offers different features and limitations. Wireshark and Snort are free programs available for public use, while Carnivore is software developed by the United States government to help convict criminals. The paper then gives a more detailed analysis of what the project demonstration of Wireshark is doing and how organizations can utilize Wireshark. Next, we give our personal input, analysis, and evaluation of packet sniffing in terms of how organizations can use it and how organizations can be hurt by it. Finally, the paper discusses strategies organizations can take to protect themselves from packet sniffing software.
How Packet Sniffing Works
All network problems start at the core, within packets. This is why packet analysis, also referred to as packet sniffing or protocol analysis, is useful for understanding the basics of information traveling across a network. Packet sniffing is a process for better understanding the information encoded in a packet that is intercepted, scanned, and logged as it traverses a network (Sanders, 2007). Packet sniffing is used to help maintain a network, comprehend network characteristics, discover who is using a specific network and their peak usage times, and, most importantly, pinpoint potential malicious attacks and activity (Sanders, 2007). Whenever you connect to the Internet, you are dialing into a network hosted by an Internet Service Provider (ISP), which communicates with other networks (Frieden, 2007). Packet sniffing allows all data within those communications between different ISPs and networks to be viewed, copied, and analyzed (Sanders, 2007).
In order to collect packets, a Network Interface Card (NIC) is first switched into promiscuous mode so that it can listen to everything passing through a network segment, not just information that is addressed to its own network (Elson, 2008). The raw binary data is then converted into human-readable form and can be analyzed at a very basic level (Sanders, 2007). More detailed analysis can be conducted by comparing multiple packets against various patterns (Sanders, 2007). However, malicious users of packet sniffers, i.e. attackers, can create an enormous security threat by applying their knowledge and skill to gain unauthorized access and capture all incoming and outgoing traffic on a network, including usernames and passwords or other sensitive material.
In order to correctly analyze and interpret packets and their meanings, the analyzer must also be in the correct physical location to sniff or tap into the network or wire. The computer's physical location also determines how much traffic is visible on that specific network segment (Sanders, 2007). Choosing it requires knowing precisely the layout of all hubs, routers, and switches on the network being analyzed (Sanders, 2007). A packet sniffer is a tool, usually software or hardware, which collects, converts, and analyzes all unprocessed network traffic data (Frieden, 2007). It can capture data that it requests as well as all other data traveling across the network that is destined for other hosts. Capture can be filtered, meaning only packets that contain certain data elements are kept, or unfiltered, meaning every piece of data is collected with no restrictions (Elson, 2008).
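The conversion of "raw binary data into human-readable form" described above is, at its core, header parsing. The following is an added example (written for this page, not code from the paper or from any of the tools it discusses) that decodes a single Ethernet II / IPv4 / TCP-or-UDP frame from bytes into named fields and prints the kind of one-line summary an analyzer shows in its packet list. The sample frame is constructed in memory with zeroed checksums; the MAC addresses, the 10.0.0.5 and 192.0.2.10 addresses and the host name are placeholders.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Optional

# Constants from the Ethernet and IP specifications
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
IPPROTO_UDP = 17


@dataclass
class Decoded:
    """Human-readable view of one Ethernet II / IPv4 / TCP-or-UDP frame."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    protocol: int
    src_port: Optional[int]
    dst_port: Optional[int]
    ttl: int
    payload: bytes


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def decode_frame(raw: bytes) -> Decoded:
    """Walk the headers of a captured frame; raise ValueError on anything truncated or unsupported."""
    if len(raw) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", raw[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"unsupported EtherType 0x{ethertype:04x}")

    ip = raw[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum,
     sip, dip) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(ip) < total_len:
        raise ValueError("malformed IPv4 header")
    l4 = ip[ihl:total_len]          # drop Ethernet padding beyond total_len

    src_port = dst_port = None
    payload = l4
    if proto == IPPROTO_TCP:
        if len(l4) < 20:
            raise ValueError("truncated TCP header")
        src_port, dst_port, _seq, _ack, off_flags = struct.unpack("!HHIIH", l4[:14])
        data_off = (off_flags >> 12) * 4      # header length lives in the top 4 bits
        if data_off < 20 or data_off > len(l4):
            raise ValueError("bad TCP data offset")
        payload = l4[data_off:]
    elif proto == IPPROTO_UDP:
        if len(l4) < 8:
            raise ValueError("truncated UDP header")
        src_port, dst_port, _ulen, _ucsum = struct.unpack("!HHHH", l4[:8])
        payload = l4[8:]

    return Decoded(_mac(src), _mac(dst), socket.inet_ntoa(sip), socket.inet_ntoa(dip),
                   proto, src_port, dst_port, ttl, payload)


def summarize(d: Decoded) -> str:
    """One-line summary in the style of an analyzer's packet list."""
    name = {IPPROTO_TCP: "TCP", IPPROTO_UDP: "UDP"}.get(d.protocol, f"proto {d.protocol}")
    return f"{d.src_ip}:{d.src_port} -> {d.dst_ip}:{d.dst_port} {name} ttl={d.ttl} {len(d.payload)} bytes"


def build_tcp_frame(src_mac: str, dst_mac: str, src_ip: str, dst_ip: str,
                    sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed test frame (not a real capture); checksums are left zero since the decoder does not verify them."""
    eth = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETHERTYPE_IPV4))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64,
                     IPPROTO_TCP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp


# Constructed sample: a client on 10.0.0.5 requesting a page from 192.0.2.10 (TEST-NET address)
SAMPLE_FRAME = build_tcp_frame("02:00:00:00:00:05", "02:00:00:00:00:01",
                               "10.0.0.5", "192.0.2.10", 51234, 80,
                               b"GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n")

if __name__ == "__main__":
    decoded = decode_frame(SAMPLE_FRAME)
    print(summarize(decoded))
    print(decoded.payload.decode("ascii", "replace"))
```

A real capture tool would feed frames from a promiscuous-mode socket into decode_frame and keep a per-flow table for the pattern comparison the paper mentions; the length checks matter because a sniffer sees whatever arrives on the wire, including truncated and deliberately malformed frames.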
Packet sniffers can be run on both switched networks, the most common kind, and non-switched networks (Elson, 2008). There are three primary methods of conducting packet analysis on a switched network: port mirroring, ARP cache poisoning, and hubbing out (Sanders, 2007). In general terms, port mirroring is done by logging on to the command-line interface of the switch the target computer is connected to and entering an instruction that compels the switch to copy all traffic on a certain port to another port, i.e. to mirror the first port (Sanders, 2007).
[Figure: port mirroring diagram; image: http://lh4.ggpht.com/_aUOgqE3fGXc/SlNeJEtYNjI/AAAAAAAAAqs/Cudumq3kIRE/image%5B14%5D.png; source: http://aviadezra.blogspot.com/2009_07_01_archive.html]
Address Resolution Protocol (ARP) cache poisoning is a process that sends ARP messages to a switch or router with fake MAC (layer 2) addresses so that the sender can seize the traffic of another computer (Sanders, 2007).
[Figure: ARP cache poisoning diagram; image: http://www.chrissanders.org/images/ARPCP/arpcp-1.jpg]
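Because ARP cache poisoning works by announcing fake IP-to-MAC bindings, the defensive counterpart is to watch ARP replies on the segment and alert when a binding changes or one MAC starts answering for several addresses. The following is an added example for this page (not code from the paper or from the tools it discusses) that parses ARP reply frames from raw bytes and keeps such a watch list. The frames, the 10.0.0.x addresses and the 02:00:... MACs are constructed for the demo; a real deployment would feed it frames from a capture socket and load the trusted bindings (typically the default gateway) from configuration.

```python
import socket
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


@dataclass
class ArpReply:
    sender_ip: str
    sender_mac: str


def parse_arp_reply(raw: bytes) -> Optional[ArpReply]:
    """Return the sender binding from an Ethernet/IPv4 ARP reply, or None for any other frame."""
    if len(raw) < 42:
        return None
    if struct.unpack("!H", raw[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", raw[14:22])
    if (htype, ptype, hlen, plen, op) != (1, 0x0800, 6, 4, ARP_REPLY):
        return None
    sha, spa = raw[22:28], raw[28:32]       # sender hardware / protocol address
    return ArpReply(socket.inet_ntoa(spa), ":".join(f"{b:02x}" for b in sha))


@dataclass
class ArpWatcher:
    """Keeps the IP->MAC bindings seen on the segment and reports changes that look like poisoning."""
    trusted: Dict[str, str] = field(default_factory=dict)   # static bindings, e.g. the gateway
    seen: Dict[str, str] = field(default_factory=dict)

    def observe(self, reply: ArpReply) -> List[str]:
        ip, mac = reply.sender_ip, reply.sender_mac.lower()
        alerts: List[str] = []
        if ip in self.trusted and self.trusted[ip] != mac:
            alerts.append(f"{ip} announced at {mac}, static binding is {self.trusted[ip]}")
        previous = self.seen.get(ip)
        if previous is not None and previous != mac:
            alerts.append(f"{ip} moved from {previous} to {mac}")
        self.seen[ip] = mac
        claimed = sorted(i for i, m in self.seen.items() if m == mac)
        if len(claimed) > 1:                  # one station answering for several addresses
            alerts.append(f"{mac} claims several addresses: {', '.join(claimed)}")
        return alerts


def build_arp_reply(sender_ip: str, sender_mac: str, target_ip: str, target_mac: str) -> bytes:
    """Constructed ARP reply frame for the demo; not a real capture."""
    def mac(s: str) -> bytes:
        return bytes.fromhex(s.replace(":", ""))
    eth = mac(target_mac) + mac(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
           + mac(sender_mac) + socket.inet_aton(sender_ip)
           + mac(target_mac) + socket.inet_aton(target_ip))
    return eth + arp + b"\x00" * 18           # pad to the 60-byte minimum frame size


GATEWAY_IP, GATEWAY_MAC = "10.0.0.1", "02:00:00:00:00:01"
HOST_IP, HOST_MAC = "10.0.0.5", "02:00:00:00:00:05"
ROGUE_MAC = "02:00:00:00:00:99"   # constructed: a third station answering for the other two

# Constructed sequence: two legitimate replies, then replies re-binding both addresses to ROGUE_MAC
SAMPLE_FRAMES = [
    build_arp_reply(GATEWAY_IP, GATEWAY_MAC, HOST_IP, HOST_MAC),
    build_arp_reply(HOST_IP, HOST_MAC, GATEWAY_IP, GATEWAY_MAC),
    build_arp_reply(GATEWAY_IP, ROGUE_MAC, HOST_IP, HOST_MAC),
    build_arp_reply(HOST_IP, ROGUE_MAC, GATEWAY_IP, GATEWAY_MAC),
]


def run(frames: List[bytes], trusted: Dict[str, str]) -> List[str]:
    """Feed frames through the watcher and collect every alert it raises."""
    watcher = ArpWatcher(trusted=dict(trusted))
    alerts: List[str] = []
    for raw in frames:
        reply = parse_arp_reply(raw)
        if reply is not None:
            alerts.extend(watcher.observe(reply))
    return alerts


if __name__ == "__main__":
    for line in run(SAMPLE_FRAMES, {GATEWAY_IP: GATEWAY_MAC}):
        print("ALERT:", line)
```

The first two frames produce no alerts; the third trips both the static-binding check and the change check for the gateway, and the fourth trips the change check for the host and then the "several addresses" check. Legitimate events such as a replaced NIC or a failover router also change a binding, so in practice the alerts are leads for an administrator rather than proof of an attack.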
Hubbing out can be done only if there is physical access to the switch the target device is plugged into; the target device and the analyzer system are then placed on the same network segment by plugging them both directly into a hub (Sanders, 2007).
[Figure: hubbing out diagram; image: http://www.usenix.org/publications/library/proceedings/usenix-nt97/full_papers/swartz/swartz_html/figure1.gif; source: http://www.usenix.org/publications/library/proceedings/usenix-nt97/full_papers/swartz/swartz_html/swartz.html]
Detecting sniffing tools is nearly impossible because they are passive: they only monitor and accumulate data rather than modify it. Some can nevertheless be detected if they are not fully passive (Elson, 2008).
History & Evolution
Packet analysis is a form of Network Intrusion Detection (NID) and has only recently begun to be developed into a useful tool for companies and businesses within the information security world (Elson, 2008). Intrusion detection, whose goal is to discover anomalous and malicious behavior and misuse of network assets, gained popularity around thirty years ago (Elson, 2008). Over the years, network administrators have used packet sniffing tools to observe networks, conduct analyses, and troubleshoot problems. Since then, it has evolved into a useful defense system as well as a means of malicious interception of sensitive data and information traveling along communication lines. Packet sniffing was originally meant to be used as a diagnostic and backup tool to save data and other information being sent across the network (Elson, 2008).
The first network monitors and packet sniffer devices were Novell LANalyzer and Microsoft Network Monitor (Elson, 2008). Once the packets were captured, they could be counted to see how busy the network segment was, or analyzed in detail to see what was wrong with the network server (Elson, 2008). New programs were developed over time, such as Ethereal and an improved Microsoft Network Monitor, that were able to decipher communication exchanges with other interfaces (Elson, 2008). However, as techniques and technologies advanced, some users of network monitors and packet sniffers began to use their skills to attack networks and deploy schemes to obtain information that should have been kept secure. To combat this malicious use of packet sniffing, the use of switches rather than hubs within networks has been shown to reduce the threat of such attacks, because switches limit packets from traveling across multiple interfaces and thus stop malicious packet sniffers (Elson, 2008).
Limitations
Although the advantages of packet sniffers make a positive difference to the networking world, there are also negative side effects of analyzing the raw data moving to and from network interfaces. The main limitation of protocol analysis is that it is extremely time-consuming to capture every packet, examine and disassemble each one, and manually take action based on the interpretation of the analysis (Elson, 2008). For this reason, intrusion detection systems gained popularity by transforming these manual functions into automated programs that analyze and decipher the collected data (Elson, 2008).
Examples of Packet Sniffing Software
There are several types of packet-sniffing programs. Wireshark, Snort, and Carnivore are three well-known examples. While all packet sniffing software shares certain similarities, there are differences, as well as advantages and disadvantages, to each.
Wireshark is a popular program for several reasons, including the protocols it supports, its user friendliness, its cost, and the operating systems it supports. Wireshark has over 500,000 downloads each month (The Pak Banker, 2011). Wireshark works well both for technology experts and for someone with little or no experience in packet sniffing. This is partly because it supports over 850 protocols, from common ones such as IP and DHCP to less common and more advanced protocols such as BitTorrent and AppleTalk. Part of the reason that Wireshark is able to offer such a wide array of protocols is that it is open source. If a user requires a protocol not available in Wireshark, the user can submit the necessary code to be included in the next version of the software (Sanders, 2007).
Wireshark is also user-friendly software. The interface of the program is clearly laid out, making it an ideal tool for a new packet sniffer to explore. Since Wireshark is open source, it is free, whether a user wants it for commercial or personal use. Because Wireshark is open source, help desks are not readily available to assist users, but the Wireshark online forums provide ample information about the program, making it easy to find answers to any problems a user may encounter. Additionally, Wireshark works on all major platforms, such as Windows, Linux, and Mac (Sanders, 2007). Finally, Wireshark has recently added GigaSMART technology to enhance the software. GigaSMART allows for faster and more accurate time stamping, further benefiting the Wireshark community (The Pak Banker, 2011).
Another popular program is Snort, which uses libpcap-based packet capture. It is essentially a simple and free program. One of the main benefits of using Snort is that it can serve as a lightweight network intrusion detection system (NIDS). Like other major intrusion detection software, Snort works by comparing network traffic against a set of rules (Roesch, 1999). The next page shows an example of Snort output.
[Figure: example Snort output; source: soldierx.com]
A third well-known packet sniffer is Carnivore. Carnivore is slightly different from Snort and Wireshark in that the FBI designed it to help gain access to online materials used by criminals. Carnivore has the potential to help the government catch the most dangerous criminals that threaten the country. Carnivore is the third generation of the FBI's software. This software is extremely controversial because many people believe that it is an invasion of privacy. Other concerns are that giving the government this type of power could, in extreme cases, eventually allow it to seize control of the internet. However, Carnivore can be used only for very specific purposes. To use Carnivore to obtain information about a person, there must be suspicion of fraud, internet warfare, espionage, child pornography or exploitation, or terrorism (Tyson, 2001). While Carnivore is not for commercial or personal use, it is still important software to understand because it has several implications for the future (Spangler, 2003).
[Figure: Carnivore; source: nartv.org]
Utilizing Wireshark
Once Wireshark has been successfully installed and configured on a machine, the first step in monitoring a system is to select a connection to observe. In some circumstances the design of a network can make this a somewhat difficult task; for the purposes of this paper, however, things shall be simplified for ease of understanding, as shown below:
Although each of the three options in the image above appears to possess a valid IPv6 address, a cursory examination of the traffic for each choice reveals that only one of the three is a live connection. The reason is that a network connection is constantly sending and receiving minor but pertinent data even without user input. In this case the most common type of non-user-generated packet would likely be periodic ping-style requests sent to a router or hub to confirm that the device is still online and thus capable of handling user requests. Other examples of non-user-generated packets would be applications such as antivirus programs checking for software updates and patches.
After a connection has been chosen, Wireshark will observe and create a record of all packet traffic. In some circumstances the volume of data can be significant and make interpretation and analysis somewhat difficult. One means of surmounting this obstacle is to use Wireshark's built-in filters to remove irrelevant results. For the purposes of this paper we are only interested in packets using the Hypertext Transfer Protocol (HTTP), which can perhaps be most easily described as the language in which web browsers and websites talk to each other, and so we can filter the intercepted traffic accordingly, as shown below.
At first glance the above image might seem somewhat daunting, and although it does provide a good deal of information, for now only the highlighted sections are relevant. The first of these is the filter bar mentioned above, which allows the user to sort through intercepted packets. As can be seen, at this stage Wireshark has been set to display only those packets that use the http protocol, and it returns only four results, displaying a summary of each record/packet.
In this case we are only interested in the first record, highlighted by the second box, which is a request for information from a website. This can be discerned from the 'Info' column of the record, which states that the packet is seeking to 'GET' information from a particular web domain. To determine precisely the web address being sought, we need to direct our attention to the third highlighted section, which shows a subset of the HTTP information retrieved from the packet and is reasonably straightforward. The Host merely refers to the website being sought, in this case www.httprecipes.com, while the User-Agent denotes that the web browser being used is Mozilla Firefox version 3.6.15.
It should be noted that www.httprecipes.com is a site designed specifically for instruction in the use of packet sniffers such as Wireshark, and as such it has very limited security, which allows us to demonstrate another aspect of Wireshark: intercepting passwords.
The initial steps here are much the same as those described immediately above: a connection is selected for monitoring, during which Wireshark will intercept incoming and outgoing data. These packets can then be sorted via an http filter to leave the user with a more manageable number of records. In this instance the record/packet we are concerned with is the one which is sending, or 'POST'ing, the password to the site, and as can be seen from the image below that is the one which has been selected.
The process changes when we actually attempt to locate the password data, for although the packet contains HTTP data, when it travels the network it uses the TCP standard; in essence, TCP provides the blueprint for the packet structure which encapsulates the HTTP data and allows it to travel across a network. To make a more detailed analysis of the packet's contents, the HTTP data must be reassembled from the TCP segments that carry it. In Wireshark this can be done by opening the Analyze menu and selecting 'Follow TCP Stream', which gives the results shown below.
Here you can see three distinct windows; beginning on the left is the login screen for www.httprecipes.com, which helpfully provides users with the login details. An important point to consider here is that if httprecipes were an encrypted site, it would not matter whether Wireshark could intercept the packets, because it would be unable to make sense of them without the appropriate encryption key.
As it is not encrypted, however, we can intercept the packet which 'POST's the username and password data to the website; this is the record highlighted by the first box. Then, after having Wireshark reassemble the TCP stream as explained above, we get the results shown in the third window, where both the password and username can be clearly seen. Again, this would not have been possible if httprecipes used a secure connection, as many sites do today.
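What 'Follow TCP Stream' shows for the GET and the POST above can be reduced to a small parser, and the same parser can be turned into the check a security team would actually run over its own captures: does any plaintext HTTP stream on the network carry a credential? The following is an added example for this page, not code from the paper or from Wireshark. It parses a reassembled client-to-server stream, produces the Host and User-Agent summary the paper reads off the packet, and reports form fields and Basic authentication headers that expose a secret, masking the value so the report itself does not leak it. The two sample streams, the hosts example.test and login.example.test and the credentials in them are constructed; the list of field names treated as secrets is an assumption to be extended for your own applications.

```python
import re
from base64 import b64decode
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import parse_qsl

# Field names that usually carry a secret in a login form (assumption: extend for your own applications)
SECRET_FIELD = re.compile(r"pass(word|wd|phrase)?|pwd|secret|token|pin", re.I)


@dataclass
class HttpRequest:
    method: str
    target: str
    headers: Dict[str, str]   # header names lower-cased
    body: bytes

    @property
    def host(self) -> str:
        return self.headers.get("host", "")


def parse_http_request(stream: bytes) -> HttpRequest:
    """Parse the first request from a reassembled client->server stream (what 'Follow TCP Stream' shows)."""
    head, sep, rest = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of HTTP headers in stream")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"not an HTTP request line: {lines[0]!r}")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))
    return HttpRequest(parts[0], parts[1], headers, rest[:length])


def summarize_request(req: HttpRequest) -> str:
    """The Host / User-Agent view the paper reads from the GET record."""
    return f"{req.method} {req.host}{req.target} ua={req.headers.get('user-agent', '-')}"


@dataclass
class Finding:
    host: str
    target: str
    where: str     # which field or header carried the secret
    masked: str    # value masked so the report does not leak the credential


def find_cleartext_credentials(stream: bytes) -> List[Finding]:
    """Report secrets that a plaintext HTTP stream exposes to anyone capturing the segment."""
    req = parse_http_request(stream)
    findings: List[Finding] = []
    ctype = req.headers.get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        for name, value in parse_qsl(req.body.decode("iso-8859-1"), keep_blank_values=True):
            if SECRET_FIELD.search(name):
                findings.append(Finding(req.host, req.target, f"form field {name}", "*" * len(value)))
    auth = req.headers.get("authorization", "")
    if auth.lower().startswith("basic "):        # base64 of user:password, i.e. cleartext on the wire
        try:
            user = b64decode(auth[6:]).decode("iso-8859-1").split(":", 1)[0]
        except Exception:
            user = "?"
        findings.append(Finding(req.host, req.target, f"Authorization: Basic (user {user})", "****"))
    return findings


# Constructed sample streams (not captures from the site discussed in the paper)
SAMPLE_GET = (b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n"
              b"User-Agent: ExampleBrowser/1.0\r\n\r\n")
SAMPLE_POST = (b"POST /login HTTP/1.1\r\nHost: login.example.test\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 31\r\n\r\n"
               b"username=alice&password=hunter2")

if __name__ == "__main__":
    print(summarize_request(parse_http_request(SAMPLE_GET)))
    for f in find_cleartext_credentials(SAMPLE_POST):
        print(f"{f.host}{f.target}: {f.where} sent in cleartext ({f.masked})")
```

Run over captures of your own applications, every finding is a login form or API that should be moved behind TLS; a TLS stream never reaches parse_http_request because its bytes are not an HTTP request line, which is exactly the point the paper makes about encrypted sites.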
Analysis of Packet Sniffing
When first being introduced to the idea of a packet sniffer, many people will inherently assume that it is a malicious device. However, upon further research it can be shown that, like all things, packet sniffing itself is amoral and it depends on the intent of the user to determine its true motives.
Many times, packet sniffing is used to better understand the data flow within a network. By mapping out the movement of data, network administrators can learn where bottlenecks are present and how to increase network efficiency. Packet sniffing can also be used as a diagnostic process for troubleshooting problems and solving them quickly and cost-effectively. This can be done by testing whether information can get through a network and ensuring that firewalls, routers, and/or switches are all working correctly. It is also interesting to note how the act of packet sniffing changes depending on the network topology. Because most environments use a switched network, they introduce much more complexity for the sniffer (Sanders, 2007). This is good for organizations that are attempting to thwart malicious users.
Other organizational uses of packet sniffing include detecting network intrusion, discovering faulty networking hardware, and educational purposes, among others. The help that packet sniffing affords network administrators has led to a large rise in its usage over the recent past, due to the lower costs of network analysis through packet sniffing (Orebaugh).
Though packet sniffing provides many positive aspects for organizations, there always exists the threat of a hacker obtaining the ability to view network activity. If an unauthorized user were viewing network traffic, they would have the ability to see IDs and passwords and thereby extend their access to the network. Access to the network with valid passwords and IDs affords unauthorized users the chance to wreak havoc on an organization. Information can be altered, stolen, or destroyed, and if the perpetrators have authentic login information, it will be difficult to apprehend the actual culprit.
While packet sniffing can be helpful to an organization when used ethically and by an authorized employee, the risks cannot be overlooked. Organizations should make sure that they devote sufficient time and effort to protecting themselves from packet sniffing. The ways an organization can mitigate the risks of packet sniffers are discussed below; it should be stressed that these steps must be taken. A data breach from packet sniffing due to a lack of security will create a very negative, as well as embarrassing, situation for an organization.
How Can Organizations Protect Themselves from Packet Sniffing?
Packet sniffing is inevitably a problem that organizations will have to cope with now, and in the future. Organizations can take precautions in order to ensure that private and sensitive information will not be compromised as a result of a packet sniffer. Companies can encrypt data, use switched Ethernet networks, train employees, and use detection software in order to protect themselves from having data stolen by a packet sniffer. Ultimately, the reason that a company would want to detect a packet sniffer is to ensure that data is not compromised.
First, companies can protect data primarily by encrypting all important information. While this does not stop a person from using a packet sniffer on the network, it does prevent a hacker from reading the message. Companies can choose from a wide range of encryption software to best fit their needs. Some solutions are more complex and encrypt the entire message, while others leave the protocol in plain text. Encryption is a safe option that allows companies to ensure that the information is safe regardless of whether a packet sniffer has picked up the data. However, a company should be careful about encrypting only important documents, as this could signal to the packet sniffer that this data is what the company believes is most sensitive (Moore, 2007).
Another option is for companies to use a switched Ethernet network, as opposed to a central hub. With a switched Ethernet network, data is no longer subject to the exposure it would have if the company used a central hub. A central hub broadcasts data to all computers that are attached to the hub. By contrast, a switched Ethernet network works by having the switch transport the data from one machine to its destination without allowing other computers in the network to access it. This provides more security for data than if it were broadcast to every machine on the network. However, this may not always be possible for an organization. Additionally, switch protocols are not always safe for identity management. While this solution would address the packet sniffing problem, it may not guard the company's data from other threats, which is the primary goal of an organization in regard to private information (identifytheftprotection.org, 2011).
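The hub-versus-switch difference, and the reason the port mirroring method described earlier exists at all, can be made concrete with a small forwarding model. The following is an added example for this page (not code from the paper) that simulates a repeater hub and a MAC-learning switch, optionally with one port mirrored to an analyzer port, and reports for each frame of a short conversation whether a station plugged into port p4 receives a copy. Port names, the two host MACs and the conversation are constructed; the model ignores VLANs and table ageing.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str   # source MAC
    dst: str   # destination MAC


class Hub:
    """A repeater: every frame is copied to every port except the one it arrived on."""
    def __init__(self, ports: Iterable[str]):
        self.ports = set(ports)

    def forward(self, in_port: str, frame: Frame) -> Set[str]:
        return self.ports - {in_port}


class Switch:
    """A learning switch: frames go only to the port where the destination MAC was last seen."""
    def __init__(self, ports: Iterable[str], mirror: Optional[Tuple[str, str]] = None):
        self.ports = set(ports)
        self.mac_table: Dict[str, str] = {}
        self.mirror = mirror   # (monitored_port, analyzer_port) for port mirroring / SPAN

    def forward(self, in_port: str, frame: Frame) -> Set[str]:
        self.mac_table[frame.src] = in_port                  # learn where the sender lives
        if frame.dst == BROADCAST or frame.dst not in self.mac_table:
            out = self.ports - {in_port}                      # flood: destination not yet known
        else:
            out = {self.mac_table[frame.dst]} - {in_port}
        if self.mirror:
            monitored, analyzer = self.mirror
            if in_port == monitored or monitored in out:      # copy traffic in or out of the monitored port
                out = out | {analyzer}
        return out


PORTS = ["p1", "p2", "p3", "p4"]
HOST_A, HOST_B = "02:00:00:00:00:0a", "02:00:00:00:00:0b"   # constructed; plugged into p1 and p2
ANALYZER_PORT = "p4"

# Constructed conversation: A -> B, B replies, A sends again
CONVERSATION = [
    ("p1", Frame(HOST_A, HOST_B)),
    ("p2", Frame(HOST_B, HOST_A)),
    ("p1", Frame(HOST_A, HOST_B)),
]


def analyzer_sees(device, conversation) -> List[bool]:
    """For each (in_port, frame), whether the analyzer on p4 receives a copy."""
    return [ANALYZER_PORT in device.forward(port, frame) for port, frame in conversation]


if __name__ == "__main__":
    print("hub:            ", analyzer_sees(Hub(PORTS), CONVERSATION))
    print("switch:         ", analyzer_sees(Switch(PORTS), CONVERSATION))
    print("switch + mirror:", analyzer_sees(Switch(PORTS, mirror=("p2", "p4")), CONVERSATION))
```

On the hub the analyzer sees every frame. On the switch it sees only the first one, which is flooded because B's port is not yet known; once both addresses are learned, the conversation stays on p1 and p2. The mirror of p2 to p4 restores full visibility, which is why that configuration must be treated as a privileged change on a production switch and why the ARP table tampering described earlier is the alternative an attacker without switch access reaches for.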
One of the main ways that a packet sniffer is set up is by embedding the software in an email or other file that an employee may open. Hackers also use chat features and enticing websites to get an employee to execute the program. Because of advanced social engineering tactics, training is vital for an organization to protect itself from packet sniffers. Companies should set up policies regarding emails and attachments to ensure that employees do not download malicious programs with a packet sniffer attached. Employees who are aware of the dangers of opening emails from unknown sources are more likely to report suspicions and not open the attachment (Moore, 2007).
Finally, there are many programs available that enable an organization to see if there is a packet sniffer on the network. In theory, there should not be a way to detect packet sniffers, because they are passive in nature. However, this is not always the case, and there are many packet sniffer detection programs available, many of which are free. As hackers become more sophisticated, they find ways around packet sniffer detection software. A company should be aware that these tools may be a good starting point for determining whether someone is on the network, but ultimately these programs will not protect an organization's data. By the time an organization detects a packet sniffer, the data may already be compromised. This is why it is important to take further precautionary measures when dealing with packet sniffing (Desai, 2007).
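One detection signal that is cheap to collect on hosts an organization manages is the promiscuous-mode flag itself: on Linux the interface flags are visible both in the output of `ip -o link show` (the PROMISC keyword) and as the IFF_PROMISC bit (0x100) in /sys/class/net/<iface>/flags. The following is an added example for this page (not code from the paper or from any detection product) that parses both forms; the sample `ip -o link show` output and the interface names and MACs in it are constructed. As the paper says, this is a starting point rather than protection: bridging, virtualization and an administrator's own capture also set the flag, and a sniffer running with root on a compromised host can hide it, so the check belongs on an inventory of known-good hosts and is best correlated with expectations for each one.

```python
import re
import subprocess
from typing import List

IFF_PROMISC = 0x100   # from linux/if.h

# Matches the start of each `ip -o link show` line: "2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> ..."
_LINK_LINE = re.compile(r"^\d+:\s+([^:@\s]+)(?:@\S+)?:\s+<([^>]*)>")


def promiscuous_interfaces(ip_link_output: str) -> List[str]:
    """Names of interfaces whose flag list contains PROMISC."""
    found: List[str] = []
    for line in ip_link_output.splitlines():
        m = _LINK_LINE.match(line)
        if m and "PROMISC" in m.group(2).split(","):
            found.append(m.group(1))
    return found


def flags_indicate_promisc(flags_hex: str) -> bool:
    """Same check from /sys/class/net/<iface>/flags, which holds the IFF_* bits as a hex string."""
    return bool(int(flags_hex.strip(), 16) & IFF_PROMISC)


def live_check() -> List[str]:
    """Run the real command on this host (Linux with iproute2); returns [] if it is unavailable."""
    try:
        out = subprocess.run(["ip", "-o", "link", "show"],
                             capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return []
    return promiscuous_interfaces(out)


# Constructed sample in the format of `ip -o link show`; eth0 is the interface of interest here
SAMPLE_OUTPUT = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\\    link/ether 02:00:00:00:00:05 brd ff:ff:ff:ff:ff:ff
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default\\    link/ether 02:42:ac:11:00:01 brd ff:ff:ff:ff:ff:ff
4: veth1a2b@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default\\    link/ether 02:00:00:00:00:aa brd ff:ff:ff:ff:ff:ff link-netnsid 0
"""

if __name__ == "__main__":
    print("sample output:", promiscuous_interfaces(SAMPLE_OUTPUT))
    print("this host:    ", live_check())
```

Scheduling promiscuous_interfaces over a fleet and alerting on any interface that is not on an allow list (capture appliances, bridge members) gives an inexpensive host-side complement to the network-side detectors the paper refers to.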
While there are many other methods to protect an organization from a packet sniffer, it is important to note that the best protection from a packet sniffer is encrypting data. This is a policy that every organization should have in place in order to ensure data security.
Conclusions
Packet sniffing is a technology that can both harm and help organizations. Organizations should take security precautions to protect against packet sniffing. While encryption will not prevent packet sniffing from occurring, it will ensure that the confidentiality of the information is maintained. Packet sniffing will continue to affect businesses in the future as hackers become more sophisticated. It is important for an organization to protect against any security threat by integrating security training. The costs of protecting an organization against packet sniffing threats are far less than the cost of the data security incident that can result from not thoroughly protecting against them.