2.3 Packet Sniffing
One of the most important techniques covered in this book is how to sniff or capture network packets for closer analysis. tcpdump extracts packets traversing the network and either displays them in real-time—a term open to interpretation and highly dependent on network bandwidth speed—or else tcpdump logs the packets to the system for later analysis. This process is called packet sniffing.

Understanding a packet's basic composition can give a preliminary indication of whether a packet is good or bad—whether it is benign and should be logged or simply ignored, or flagged and the administrator alerted.
In normal network operations, a Network Interface Card (NIC) receives only traffic addressed to it. The card sees all the traffic on the wire; it just passes traffic destined for itself on to the operating system. In order to sniff packets on the network, the network device must first be able to see all packets passing through. To support packet analysis, most network interfaces provide a promiscuous mode. Promiscuous mode "tells" the NIC to pass all the packets it sees on the wire to the network driver, even if they are not directed to the local system. However, before you can start looking at the packets rushing by your NIC, you must think a bit about your network. If your network uses switches (or even dual-speed hubs), you still won't see all the traffic. A switch sends each node only the packets that are addressed to it. Promiscuous mode doesn't help, because your NIC never gets to see the packets. The solution is to enable port monitoring (called a SPAN port in the Cisco world) on the switch, or (as a temporary measure) replace the switch with a hub.
Promiscuous mode on a network interface card is not a bad thing unless it is enabled on a machine that is normally not permitted to sniff packets. Be wary of any machine that has promiscuous mode drivers enabled and is actively checking network packets. A tool such as SniffDet is useful for tracking down machines that are running in promiscuous mode or capturing and logging packets. Promiscuous machines may indicate that a cracker is already inside your network and looking for sensitive data or passwords within those packets. If you closely manage network security, no one should be sniffing packets without your approval.
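SniffDet probes other hosts over the network; the complementary local check is to ask a Linux host itself which of its interfaces are promiscuous. The following script is an added example, not code from the book or from SniffDet. It reads the interface flag word the kernel exposes in /sys/class/net/<iface>/flags and tests the IFF_PROMISC bit, and it replays the kernel's own "device ethX entered/left promiscuous mode" log messages to find interfaces whose last recorded state was promiscuous. The sample syslog lines are constructed for the example; the flag bit values come from <linux/if.h>.

```python
"""Find interfaces in promiscuous mode on a Linux host (added example)."""
import re
from pathlib import Path

# Interface flag bits as defined in <linux/if.h>
IFF_UP = 0x1
IFF_LOOPBACK = 0x8
IFF_PROMISC = 0x100


def decode_flags(flags_text):
    """Decode the hex flag word from sysfs (e.g. '0x1103') into named bits."""
    value = int(flags_text.strip(), 16)
    return {
        "up": bool(value & IFF_UP),
        "loopback": bool(value & IFF_LOOPBACK),
        "promisc": bool(value & IFF_PROMISC),
    }


def scan_sysfs(root="/sys/class/net"):
    """Return {iface: flags} for every interface under root.

    Returns an empty dict when root does not exist (non-Linux host or a
    container without sysfs), so 'nothing found' and 'cannot look' are
    distinguishable by the caller checking the path first if it cares.
    """
    found = {}
    root_path = Path(root)
    if not root_path.is_dir():
        return found
    for entry in sorted(root_path.iterdir()):
        flags_file = entry / "flags"
        if not flags_file.is_file():
            continue
        try:
            found[entry.name] = decode_flags(flags_file.read_text())
        except (OSError, ValueError):
            continue  # interface vanished or unreadable flags; skip it
    return found


def promiscuous_interfaces(root="/sys/class/net"):
    """Names of interfaces whose IFF_PROMISC bit is currently set."""
    return sorted(name for name, f in scan_sysfs(root).items() if f["promisc"])


# The kernel logs this message (net/core/dev.c) whenever the promiscuity
# count of a device goes from 0 to 1 or back to 0.
PROMISC_LOG = re.compile(r"device (\S+) (entered|left) promiscuous mode")


def promisc_events(log_lines):
    """Yield (iface, 'entered' | 'left') for each matching kernel log line."""
    for line in log_lines:
        m = PROMISC_LOG.search(line)
        if m:
            yield m.group(1), m.group(2)


def currently_promisc_from_log(log_lines):
    """Replay enter/leave events; return interfaces last seen 'entered'."""
    state = {}
    for iface, action in promisc_events(log_lines):
        state[iface] = (action == "entered")
    return sorted(iface for iface, promisc in state.items() if promisc)


# Constructed sample syslog excerpt (not real captured data).
SAMPLE_SYSLOG = """\
Mar  3 10:02:11 host kernel: [  512.331] device eth0 entered promiscuous mode
Mar  3 10:02:11 host kernel: [  512.332] device eth1 entered promiscuous mode
Mar  3 10:05:40 host kernel: [  721.004] device eth1 left promiscuous mode
Mar  3 10:06:00 host sshd[1234]: Accepted publickey for alice from 10.0.0.5
"""

if __name__ == "__main__":
    print("promiscuous now (sysfs):", promiscuous_interfaces())
    print("promiscuous per kernel log:",
          currently_promisc_from_log(SAMPLE_SYSLOG.splitlines()))
```

Run it as root or any user on the host under review; /sys/class/net is world-readable. A sniffer that was stopped leaves no IFF_PROMISC bit behind, which is why the log replay is worth keeping alongside the live check: the "entered promiscuous mode" line survives in the kernel ring buffer or syslog after the flag is gone. An interface that is promiscuous because of a legitimate reason (a bridge port, a sanctioned monitoring box on a SPAN port) will show up too, so the output is a list to reconcile against approved sniffing hosts, not an alarm by itself.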