CS529- Packet Sniffing

Dr. Modi Chirag N

cnmodi@nitgoa.ac.in
Packet Sniffing
Packet Sniffing is the act of capturing packets of data
flowing across a computer network
Packet sniffing is to computer networks what wire
tapping is to a telephone network.
Packet sniffing is also referred to as Packet Analysis or
Protocol Analysis.
The software or device used to do this is called a
Packet Sniffer or Packet Analyzer.

03/07/2025 Chirag N. Modi 2


Packet Sniffing
It is widely used by hackers and crackers
– to gather information illegally about networks they intend to
break into.
Using a packet sniffer it is possible to capture data like
– passwords, IP addresses, protocols being used on the network
It can see everything that crosses the wire unencrypted, i.e. when
these protocols are used without TLS or another encryption layer:
– SMTP, POP, IMAP traffic - allows the intruder to read the actual email.
– POP, IMAP, HTTP Basic, Telnet authentication - reads passwords
off the wire in clear text.
– SMB, NFS, FTP traffic - reads files off the wire.
– SQL database traffic - reads financial transactions and credit card
numbers.

Usage
Logging network traffic
Analyze network problems
Detect network intrusion attempts
Monitor network usage
Filter suspect content from network traffic
Spy on other network users and collect
sensitive information such as passwords
Debug client/server communications
Debug network protocol implementations
Packet Sniffing Methods
IP-based Sniffing
– puts the network card into promiscuous mode
– sniffs all packets matching an IP address filter
– works only on non-switched (shared-medium) networks, where
every frame reaches every port
MAC-based Sniffing
– puts the network card into promiscuous mode
– sniffs all packets matching a MAC address filter
– like IP-based sniffing, it only sees what the shared medium delivers
ARP-based Sniffing
– doesn't need promiscuous mode: the attacker redirects the victim's
traffic to its own MAC address, so the frames arrive addressed to it
– works on switched networks; this is a man-in-the-middle attack
– also known as ARP cache poisoning or ARP spoofing


Sniffing around the Hub
Sniffing on a network that has hubs
installed is very easy.
– The traffic sent through a hub is sent to
every port connected to that hub.
– To analyze a computer on a hub,
– plug in a packet sniffer to an empty port on the
hub
– see all communication to and from all
computers connected to that hub

Sniffing in a switched network
Switches provide an efficient means of transporting data via
– broadcast, unicast and multicast traffic
Switches allow full-duplex communication
– machines can send and receive data simultaneously through the switch
Unicast frames are only sent to the port they are destined for
– according to the destination MAC address, looked up in the
switch's MAC address table
– a promiscuous NIC on another port therefore does not see them
A sniffer plugged into a switch port can only see
– broadcast (and multicast) traffic, plus frames the switch floods to
all ports because it has not yet learned the destination MAC
– traffic transmitted and received by that machine itself

Sniffing in a switched network
There are three primary ways to capture traffic
from a target device on a switched network:
1. Port mirroring
2. Hubbing out
3. ARP cache poisoning

Port Mirroring
Port mirroring, also called port spanning (SPAN on Cisco switches), is
perhaps the easiest way to capture the traffic from a target device on a
switched network.
Must have
– access to the command-line (or management) interface of the switch
– a switch that supports port mirroring
– an empty port on the switch into which you can plug your analyzer
Log into the command-line interface of the switch
– enter a command that makes the switch copy all traffic on a
certain port (or VLAN) to the analyzer's port
Be aware of the throughput of the ports you are mirroring
– a full-duplex port carries traffic in both directions, so mirroring a
busy 1 Gbit/s port onto a single 1 Gbit/s analyzer port can
oversubscribe it, and the switch silently drops mirrored frames
– some switch manufacturers allow you to mirror multiple ports to
one individual port, which makes the oversubscription worse

Hubbing out
It is a technique in which you localize the
target device and your analyzer system on the
same network segment by plugging them
directly into a hub.
A good solution in situations
– where you can't perform port mirroring but still
have physical access to the switch the target
device is plugged into
In order to hub out
– unplug the target from its switch port, plug the target and the
analyzer into the hub, and uplink the hub to that switch port
– the target device and analyzer are now on the same shared
segment (collision domain), so the hub repeats every frame the
target sends or receives to the analyzer
– note that a hub forces half-duplex operation, usually at 10 or
100 Mbit/s, so the target's link will slow down noticeably
ARP Cache Poisoning
ARP cache poisoning, also referred to as ARP spoofing, is the
process of sending forged ARP messages onto the LAN so that
other hosts (typically the victim and its default gateway/router)
record the attacker's MAC (Layer 2) address for an IP address that
is not the attacker's, in order to intercept the traffic of another computer.
It works because ARP has no authentication: hosts accept replies
they never asked for and overwrite the existing cache entry.
Technique used to attack an Ethernet network which may allow
an attacker
– to sniff data frames on a LAN, modify the traffic, or stop the
traffic altogether (known as a denial of service attack)
– to forward the traffic to the actual default gateway
(passive sniffing) or modify the data before forwarding
it (man-in-the-middle attack)

What is a Packet Sniffer?
A packet sniffer is computer software or hardware that
can intercept and log traffic passing over a digital network or
part of a network.
Sniffers are used as engines for other programs
– An IDS uses a sniffer to match packets against a rule-set designed
to flag anything malicious or strange.
– Network utilization and monitoring programs
use sniffers to gather the data necessary for metrics and analysis
– Law enforcement agencies that need to monitor email during
investigations likely employ a sniffer designed to
capture very specific traffic.
– Examples: tcpdump, Wireshark, dsniff, Ettercap, Snort, etc.

How do Packet Sniffers work?
The process can be broken down into three steps
Collection
– The packet sniffer switches the selected network interface into
promiscuous mode and captures the raw binary data from the
wire
Conversion
– The captured binary data is converted into a readable form
(decoded according to the link-layer, network and transport headers)
Analysis
– Takes the captured network data and identifies its protocol based
on the information extracted (e.g. the EtherType and IP protocol fields)
– Analyzes the protocol's specific features by comparing multiple
packets as well as various other network elements

Evaluating a Packet Sniffer
Supported protocols
– Can interpret most common protocols such as DHCP, IP, etc.
User friendliness
– program layout, ease of installation, and general flow of standard
operations
Cost
– Open source or commercial product
Program support
– developer documentation, public forums, and mailing lists
Operating system support
– Not all packet sniffers support every operating system

Packet Sniffing with Wireshark
Gerald Combs, a computer science graduate of the
University of Missouri at Kansas City, originally
developed it out of necessity.
The very first version of Combs' application, called
Ethereal, was released in 1998 under the GNU General Public
License (GPL).
Combs and the rest of the development team
rebranded the project as Wireshark in mid-2006.

Packet Sniffing with Wireshark
Wireshark
– is used for network troubleshooting, analysis, software
and communications protocol development, and
education.
– compared with tcpdump it has a graphical front-end and
many more options for sorting and filtering information
– is open source, released as free software under the GPL.
Excels in the number of protocols (dissectors) that it supports
– new protocol support is added with each update
Supports all major modern operating systems,
– including Windows, Mac OS X, and Linux-based platforms
(it captures through libpcap, or Npcap/WinPcap on Windows)

Wireshark – Self Study
As It is covered in Computer Networks

Libpcap Library
Libpcap is the packet capture library used on Linux and other Unix-like
systems (Windows uses the compatible Npcap/WinPcap) which can be used
to sniff packets or network traffic over a network interface.
To start with the C program the simple steps would be
1. Find all available devices - pcap_findalldevs()
pcap_findalldevs() is the function which can be used to get a list of all
available network devices or interfaces present on the machine
which can be opened by pcap_open_live() for sniffing
purposes.
The prototype is as:
int pcap_findalldevs(pcap_if_t **alldevsp, char *errbuf)
where alldevsp receives a pointer to the head of a linked list of pcap_if_t
structures (each has a name, a description and a next pointer; release the
list with pcap_freealldevs() when done) and errbuf is a character buffer
of at least PCAP_ERRBUF_SIZE bytes that will contain any error
message that occurred during the function call. It returns 0 on success
and PCAP_ERROR (-1) on failure.
Libpcap Library
2. Select a device for sniffing data - pcap_open_live()
pcap_open_live() is the function to get a packet capture descriptor or
a handle to a device which has been opened up for sniffing.
The prototype is as:
pcap_t *pcap_open_live(const char *device, int snaplen, int promisc,
int to_ms, char *errbuf)
device - is the name of the device as obtained from the call to
pcap_findalldevs (e.g. "eth0").
snaplen - is the maximum number of bytes to capture per packet. 65536
is sufficient for any Ethernet frame. Whatever the value, the callback
must use header->caplen, not header->len, as the number of bytes
actually present in the buffer.
promisc - 0 or 1 to indicate whether to open the device in promiscuous
mode.
to_ms - the packet buffer timeout in milliseconds; a value of 0 is not
portable (on some platforms it means "wait forever"), so use a small
positive value such as 1000.
errbuf - buffer of at least PCAP_ERRBUF_SIZE bytes to contain any
error message. The function returns NULL on failure.
Opening a device (promiscuous or not) requires root or the CAP_NET_RAW
capability on Linux.
Libpcap Library
3. Start sniffing the device - pcap_loop()
The prototype is as:
int pcap_loop(pcap_t *p, int cnt, pcap_handler callback, u_char *user)
p - the handle returned by pcap_open_live
cnt - number of packets to process; -1 means keep going until an
error occurs or pcap_breakloop() is called
callback - the user-defined function invoked once per captured packet
user - an opaque pointer passed unchanged as the first argument of
the callback (use it instead of global variables)
4. Process the sniffed packet - user-defined callback method
The callback must have the pcap_handler signature:
void callback(u_char *user, const struct pcap_pkthdr *header, const u_char *packet)
header->caplen gives the number of bytes actually present in packet,
header->len the length on the wire and header->ts the capture timestamp.
When done, release the handle with pcap_close().


Sample Code
(slides 33-35 showed the full libpcap sample program, lsniffer.c, as
images that are not included here; its packet callback follows)

Process Packet Function
This is the callback registered with pcap_loop(). The slides' version used
header->len (the length on the wire) as the packet size, but the bytes
actually available in buffer are header->caplen, which is smaller whenever
the packet exceeded snaplen; reading up to header->len would run past the
end of the capture buffer. The version below uses caplen, checks that the
frame is IPv4 and long enough to hold an IP header before dereferencing it,
and passes the real size to the print_* helpers (defined elsewhere in
lsniffer.c, not shown on the slides).

    #include <stdio.h>
    #include <pcap.h>
    #include <arpa/inet.h>       /* ntohs() */
    #include <linux/if_ether.h>  /* struct ethhdr, ETH_P_IP */
    #include <netinet/ip.h>      /* struct iphdr */

    /* packet counters updated by the callback */
    static int tcp = 0, udp = 0, icmp = 0, igmp = 0, others = 0, total = 0;

    /* helpers defined elsewhere in lsniffer.c (not shown on the slides) */
    void print_icmp_packet(const u_char *buffer, int size);
    void print_tcp_packet(const u_char *buffer, int size);
    void print_udp_packet(const u_char *buffer, int size);

    void process_packet(u_char *args, const struct pcap_pkthdr *header, const u_char *buffer)
    {
        (void)args;                    /* the user argument from pcap_loop(); unused here */
        int size = header->caplen;     /* bytes actually present in buffer (<= header->len) */
        ++total;

        /* Only IPv4 frames carry the iphdr we are about to read */
        if (size < (int)(sizeof(struct ethhdr) + sizeof(struct iphdr))) { ++others; return; }
        const struct ethhdr *eth = (const struct ethhdr *)buffer;
        if (ntohs(eth->h_proto) != ETH_P_IP) { ++others; return; }   /* ARP, IPv6, ... */

        /* Get the IP header part of this packet, excluding the ethernet header */
        const struct iphdr *iph = (const struct iphdr *)(buffer + sizeof(struct ethhdr));
        switch (iph->protocol)   /* check the protocol and do accordingly... */
        {
        case 1:   /* ICMP */
            ++icmp;
            print_icmp_packet(buffer, size);
            break;
        case 2:   /* IGMP */
            ++igmp;
            break;
        case 6:   /* TCP */
            ++tcp;
            print_tcp_packet(buffer, size);
            break;
        case 17:  /* UDP */
            ++udp;
            print_udp_packet(buffer, size);
            break;
        default:  /* some other IP protocol */
            ++others;
            break;
        }
        printf("TCP : %d UDP : %d ICMP : %d IGMP : %d Others : %d Total : %d\r",
               tcp, udp, icmp, igmp, others, total);
        fflush(stdout);   /* "\r" keeps rewriting one line, so flush to see it */
    }

Compile and Run the Code
$ gcc lsniffer.c -lpcap
$ sudo ./a.out
(root, or the CAP_NET_RAW capability, is needed to open the interface)
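The analysis step of the procedure above, as an added example that is not code from the slides or from libpcap. It deliberately does not link libpcap so that it runs anywhere: struct cap_hdr stands in for struct pcap_pkthdr and run_demo() plays the role of pcap_loop(), feeding constructed frames to a callback with the pcap_handler shape. The callback bounds every read by caplen rather than len, rejects non-IPv4 frames before touching the IP header, and derives the per-packet facts the assignment's connection profile needs: protocol, whether a TCP segment opens a new connection (SYN without ACK), and the "land" condition (source address equal to destination). All MAC/IP addresses and ports are made up and checksums are left at zero; the parser does not verify them.

```c
/* Added example, not code from the slides or from libpcap.  struct cap_hdr mirrors
 * struct pcap_pkthdr; run_demo() and feed() stand in for pcap_loop().  Addresses
 * and ports are constructed; IP/TCP checksums are left at zero and not checked. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct cap_hdr { uint32_t ts_sec, ts_usec, caplen, len; };   /* mirrors pcap_pkthdr */

struct stats {
    int total, tcp, udp, icmp, others;
    int truncated;      /* frames too short (by caplen) to hold the headers we read */
    int connections;    /* TCP segments with SYN set and ACK clear: a new connection */
    int land;           /* IPv4 source address == destination address */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Callback with the pcap_handler shape: (user arg, header, packet bytes). */
void process_packet(uint8_t *user, const struct cap_hdr *h, const uint8_t *pkt)
{
    struct stats *s = (struct stats *)user;
    uint32_t avail = h->caplen;   /* bytes actually in pkt; h->len is the size on the wire */
    s->total++;
    if (avail < 14 || rd16(pkt + 12) != 0x0800) { s->others++; return; } /* ARP, IPv6, ... */
    if (avail < 14 + 20) { s->truncated++; return; }
    const uint8_t *ip = pkt + 14;
    uint32_t ihl = (ip[0] & 0x0f) * 4u;                     /* header length incl. options */
    if ((ip[0] >> 4) != 4 || ihl < 20 || avail < 14 + ihl) { s->truncated++; return; }
    if (memcmp(ip + 12, ip + 16, 4) == 0) s->land++;
    const uint8_t *l4 = ip + ihl;
    uint32_t l4len = avail - 14 - ihl;
    switch (ip[9]) {                                        /* IP protocol number */
    case 1:  s->icmp++; break;
    case 17: s->udp++;  break;
    case 6:
        s->tcp++;
        if (l4len < 20) { s->truncated++; break; }          /* TCP header not fully captured */
        if ((l4[13] & 0x12) == 0x02) s->connections++;      /* SYN=0x02 set, ACK=0x10 clear */
        break;
    default: s->others++; break;
    }
}

/* Build Ethernet+IPv4+{TCP,UDP} with constructed addresses; returns frame length. */
static uint32_t make_ipv4_frame(uint8_t *b, uint8_t proto, const uint8_t *src, const uint8_t *dst,
                                uint16_t sport, uint16_t dport, uint8_t tcp_flags)
{
    uint32_t l4 = (proto == 6) ? 20 : 8;
    memset(b, 0, 14 + 20 + l4);
    b[12] = 0x08; b[13] = 0x00;                  /* EtherType IPv4; MACs left zero */
    uint8_t *ip = b + 14;
    ip[0] = 0x45;                                /* version 4, IHL 5 (20 bytes) */
    ip[3] = (uint8_t)(20 + l4);                  /* total length (< 256 here) */
    ip[8] = 64; ip[9] = proto;                   /* TTL, protocol; checksum left 0 */
    memcpy(ip + 12, src, 4); memcpy(ip + 16, dst, 4);
    uint8_t *t = ip + 20;
    t[0] = (uint8_t)(sport >> 8); t[1] = (uint8_t)sport;
    t[2] = (uint8_t)(dport >> 8); t[3] = (uint8_t)dport;
    if (proto == 6) { t[12] = 0x50; t[13] = tcp_flags; }   /* data offset 5, flags */
    else            { t[5] = (uint8_t)l4; }                /* UDP length */
    return 14 + 20 + l4;
}

static void feed(struct stats *s, const uint8_t *f, uint32_t caplen, uint32_t len)
{
    struct cap_hdr h = { 0, 0, caplen, len };
    process_packet((uint8_t *)s, &h, f);         /* what pcap_loop() does per packet */
}

/* Drive the callback with a constructed stream: a handshake and close (one
 * connection), a land packet, a UDP datagram, a frame cut short by snaplen,
 * and an ARP frame. */
struct stats run_demo(void)
{
    struct stats s; memset(&s, 0, sizeof s);
    const uint8_t a[4] = {10,0,0,10}, b[4] = {10,0,0,20};
    uint8_t f[64]; uint32_t n;
    n = make_ipv4_frame(f, 6, a, b, 40000, 80, 0x02); feed(&s, f, n, n);   /* SYN */
    n = make_ipv4_frame(f, 6, b, a, 80, 40000, 0x12); feed(&s, f, n, n);   /* SYN-ACK */
    n = make_ipv4_frame(f, 6, a, b, 40000, 80, 0x10); feed(&s, f, n, n);   /* ACK */
    n = make_ipv4_frame(f, 6, a, b, 40000, 80, 0x11); feed(&s, f, n, n);   /* FIN-ACK */
    n = make_ipv4_frame(f, 6, a, a, 80, 80, 0x02);    feed(&s, f, n, n);   /* land: src == dst */
    n = make_ipv4_frame(f, 17, a, b, 5353, 53, 0);    feed(&s, f, n, n);   /* UDP */
    n = make_ipv4_frame(f, 6, a, b, 40000, 80, 0x18); feed(&s, f, 30, n);  /* caplen 30 < len */
    memset(f, 0, 42); f[12] = 0x08; f[13] = 0x06;     feed(&s, f, 42, 42); /* ARP frame */
    printf("TCP %d UDP %d ICMP %d Others %d Truncated %d Connections %d Land %d Total %d\n",
           s.tcp, s.udp, s.icmp, s.others, s.truncated, s.connections, s.land, s.total);
    return s;
}

int main(void) { run_demo(); return 0; }
```

To turn this into the real sniffer, replace run_demo() with pcap_findalldevs()/pcap_open_live()/pcap_loop(), pass a pointer to the stats structure as the user argument of pcap_loop(), and change the callback's second parameter to const struct pcap_pkthdr *; the parsing logic stays the same. The truncated frame in the demo is the case the slide code got wrong: with caplen of 30 bytes, reading a 20-byte IP header at offset 14 would already read past the buffer.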

Assignment 1-3 (3 Weeks Time) - 30 Marks
1. Using libpcap, write C code to capture the network packets
to/from your computer and count how many
connections are created at your computer (First Week) - 10
Marks
2. Per connection, create a profile with the following features and
save it in a file [10 Marks] - Duration, Protocol (e.g. TCP, UDP,
ICMP), Service (any), flag (S, R, P, F, error etc.), Source bytes,
Dest bytes, land (1 if source IP/port equal the destination IP/port)
3. Per connection, create a profile with the following features and
save it in a file [10 Marks] - Count (number of connections to
the same host as the current connection in the past two
seconds) and srv count (number of connections to the same
service as the current connection in the past two seconds)

Flowcharts: Network Traffic Profile Generation: TCP
(flowchart slide; image not included. Source: Intrusion Detection in Virtual
Network Layer of Cloud Computing)

Flowcharts: Network Traffic Profile Generation: UDP
(flowchart slide; image not included)

Flowcharts: Network Traffic Profile Generation: ICMP
(flowchart slide; image not included)
Detection of Packet Sniffer
In theory, it is impossible to detect sniffing programs because
– they are passive: they only collect packets, they don't
transmit anything
In practice it is sometimes possible to detect sniffers, because
promiscuous mode has side effects on the sniffing host
– If a network device is in promiscuous mode, the kernel will
receive all network traffic (i.e. CPU load will increase)
– The latency of network responses will also increase, which
can be detected by timing replies before and during a traffic flood
– In promiscuous mode,
• some software might send responses to packets even though they were
addressed to another machine: the NIC no longer filters on the
destination MAC, so a frame sent to a bogus MAC but carrying the
suspect's IP reaches its protocol stack and may be answered

Detection of Packet Sniffer
List of some of the detection methods
– Ping method
– ARP method
– DNS method
– Source route method
– The decoy method
– Latency method
– TDR(Time-Domain Reflectometers)
Tools to detect Sniffers
– PromiScan, AntiSniff, Sentinel, etc.
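The two ARP mechanisms on this page, the cache poisoning described under ARP Cache Poisoning and the "ARP method" of sniffer detection listed above, share one frame format, so this added example (not code from the slides, nor from PromiScan or any other tool named here) covers both on constructed frames. Nothing is sent on the network: two simulated hosts model what a NIC's hardware filter and then the kernel's Ethernet/ARP input path do with a frame, in the way the Linux receive path does (a unicast frame for some other MAC is marked "other host" and ARP ignores it; anything with the group bit set is treated as multicast/broadcast and processed). poisoning_succeeds() shows an unsolicited reply overwriting a victim's cache entry for its gateway; probe_answered() shows why a probe to ff:ff:ff:ff:ff:fe is answered only by a promiscuous host, and why a probe to an arbitrary unicast MAC is not. All MAC and IP addresses are made up.

```c
/* Added example (not from the slides): ARP cache poisoning and the "ARP method"
 * of sniffer detection, simulated on constructed Ethernet/ARP frames.  No packets
 * are sent; hosts, MAC and IP addresses are made up.  The hosts model the Linux
 * receive path: the NIC's hardware filter, then the kernel's software check. */
#include <stdint.h>
#include <string.h>

#define ARP_FRAME_LEN 42          /* 14-byte Ethernet header + 28-byte ARP body */
#define ARP_REQUEST   1
#define ARP_REPLY     2

const uint8_t MAC_BCAST[6] = {0xff,0xff,0xff,0xff,0xff,0xff};
const uint8_t MAC_FAKE[6]  = {0xff,0xff,0xff,0xff,0xff,0xfe};   /* PromiScan-style probe address */
const uint8_t MAC_BOGUS[6] = {0x00,0xde,0xad,0xbe,0xef,0x01};   /* unicast belonging to nobody */

struct host {
    uint8_t mac[6], ip[4];
    int promisc;                        /* 1 = NIC in promiscuous mode (a sniffer runs here) */
    uint8_t cache_ip[4], cache_mac[6];  /* one-entry ARP cache, enough for the demo */
    int cache_valid;
};

/* Write an Ethernet+ARP frame.  eth_dst is the Layer-2 destination; it need not
 * match the ARP target hardware address, which is exactly what the probe exploits. */
static void build_arp(uint8_t *f, const uint8_t *eth_dst, const uint8_t *eth_src, uint16_t op,
                      const uint8_t *sha, const uint8_t *spa, const uint8_t *tha, const uint8_t *tpa)
{
    memcpy(f, eth_dst, 6); memcpy(f + 6, eth_src, 6);
    f[12] = 0x08; f[13] = 0x06;                       /* EtherType 0x0806 = ARP */
    f[14] = 0x00; f[15] = 0x01;                       /* HTYPE: Ethernet */
    f[16] = 0x08; f[17] = 0x00;                       /* PTYPE: IPv4 */
    f[18] = 6;    f[19] = 4;                          /* HLEN, PLEN */
    f[20] = (uint8_t)(op >> 8); f[21] = (uint8_t)op;
    memcpy(f + 22, sha, 6); memcpy(f + 28, spa, 4);   /* sender hardware/protocol address */
    memcpy(f + 32, tha, 6); memcpy(f + 38, tpa, 4);   /* target hardware/protocol address */
}

/* Hardware filter of a NIC that is NOT promiscuous: own unicast address, broadcast,
 * and only the group addresses it subscribed to (none here).  In promiscuous mode
 * the filter is off and every frame on the wire is passed up. */
static int nic_accepts(const struct host *h, const uint8_t *dst)
{
    if (h->promisc) return 1;
    return memcmp(dst, h->mac, 6) == 0 || memcmp(dst, MAC_BCAST, 6) == 0;
}

/* Deliver one frame to a host; returns 1 and fills 'reply' if the host answers. */
static int host_receive(struct host *h, const uint8_t *f, uint8_t *reply)
{
    if (!nic_accepts(h, f)) return 0;
    /* Software check: a unicast frame for some other MAC is dropped ("other host"),
     * but anything with the group bit set is treated as multicast/broadcast and
     * processed, so ff:ff:ff:ff:ff:fe gets through while 00:de:ad:be:ef:01 does not. */
    if (!(f[0] & 0x01) && memcmp(f, h->mac, 6) != 0) return 0;
    if (f[12] != 0x08 || f[13] != 0x06) return 0;         /* not ARP */
    uint16_t op = (uint16_t)((f[20] << 8) | f[21]);
    if (op == ARP_REPLY) {
        /* ARP has no authentication: an unsolicited reply naming an IP is simply
         * recorded, overwriting whatever the cache held.  This is the poisoning. */
        memcpy(h->cache_ip, f + 28, 4); memcpy(h->cache_mac, f + 22, 6); h->cache_valid = 1;
        return 0;
    }
    if (op == ARP_REQUEST && memcmp(f + 38, h->ip, 4) == 0) {   /* "who has my IP?" */
        build_arp(reply, f + 6, h->mac, ARP_REPLY, h->mac, h->ip, f + 22, f + 28);
        return 1;
    }
    return 0;
}

/* Poisoning: after a legitimate reply from the gateway, the attacker sends the victim
 * an unsolicited reply claiming the gateway IP lives at the attacker's MAC.
 * Returns 1 if the victim now resolves the gateway to the attacker. */
int poisoning_succeeds(void)
{
    struct host victim = {{0x00,0x11,0x22,0x33,0x44,0x55}, {10,0,0,10}, 0, {0}, {0}, 0};
    const uint8_t gw_ip[4]   = {10,0,0,1};
    const uint8_t gw_mac[6]  = {0x00,0x11,0x22,0x33,0x44,0x01};
    const uint8_t atk_mac[6] = {0x00,0x11,0x22,0x33,0x44,0x66};
    uint8_t f[ARP_FRAME_LEN], r[ARP_FRAME_LEN];
    build_arp(f, victim.mac, gw_mac, ARP_REPLY, gw_mac, gw_ip, victim.mac, victim.ip);
    host_receive(&victim, f, r);                      /* genuine entry: gateway IP -> gw_mac */
    build_arp(f, victim.mac, atk_mac, ARP_REPLY, atk_mac, gw_ip, victim.mac, victim.ip);
    host_receive(&victim, f, r);                      /* forged entry: gateway IP -> atk_mac */
    return victim.cache_valid && memcmp(victim.cache_ip, gw_ip, 4) == 0 &&
           memcmp(victim.cache_mac, atk_mac, 6) == 0;
}

/* ARP-method detection: send an ARP request for the suspect's IP with the Ethernet
 * destination 'eth_dst'.  Returns 1 if a host with the given promisc setting answers. */
int probe_answered(int promisc, const uint8_t *eth_dst)
{
    struct host suspect = {{0x00,0x11,0x22,0x33,0x44,0x77}, {10,0,0,20}, promisc, {0}, {0}, 0};
    const uint8_t det_mac[6] = {0x00,0x11,0x22,0x33,0x44,0x99};
    const uint8_t det_ip[4]  = {10,0,0,99};
    const uint8_t zero[6]    = {0};
    uint8_t f[ARP_FRAME_LEN], r[ARP_FRAME_LEN];
    build_arp(f, eth_dst, det_mac, ARP_REQUEST, det_mac, det_ip, zero, suspect.ip);
    return host_receive(&suspect, f, r) && memcmp(r + 6, suspect.mac, 6) == 0;
}

/* Verdict: a host that answers the broadcast probe (it is up) AND the fake-MAC
 * probe (its NIC did not filter the frame) is running in promiscuous mode. */
int looks_promiscuous(int promisc)
{
    return probe_answered(promisc, MAC_BCAST) && probe_answered(promisc, MAC_FAKE);
}
```

The broadcast probe is the control: if it goes unanswered the host is down or filtering ARP, and the fake-MAC result means nothing. Real detectors vary the probe address because operating systems differ in how much of the destination MAC their software filter compares; the group-bit check modelled here is the Linux behaviour, so treat a negative result as inconclusive rather than as proof that no sniffer is present.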
Prevention of Packet Sniffing
The best way to secure yourself against sniffing is to
use encryption
– it ensures that what a sniffer reads is pure junk
– note that it protects the content, not the metadata: IP addresses,
ports, timing and traffic volumes remain visible on the wire
Some techniques for prevention are:
– PGP and S/MIME (email content)
– Secure Shell (SSH) instead of Telnet, rsh and FTP
– VPNs (Virtual Private Networks)
– Secure Sockets Layer (SSL)/Transport Layer
Security (TLS); SSL itself is obsolete, use current TLS versions
– IP Security (IPsec)
– One-time passwords (OTP), so that a sniffed password cannot be
replayed
