
Eavesdropping


Network-based eavesdropping is very much like its real-world namesake: one simply "overhears" conversations taking place on a network. Packet-switched networks by their nature share one communication medium among many peers. Dedicated-circuit networks also exist, and they too are susceptible to eavesdropping, but packet-switched networks are exceptionally so. Eavesdropping on a network conversation involves copying packets as they are sent over the shared medium. The captured packets can be decoded with the same methods the intended recipient uses, so the entire communication can be replayed for the eavesdropper. If it is a file transfer, the eavesdropper now has the file; if it is an e-mail, all of its text and attachments are now in the eavesdropper's possession. Similar techniques exist for tapping telephone lines to listen in on voice conversations, or even sitting at the next table in a restaurant while two network administrators chat about their network architecture. All of these are eavesdropping, and all of them gather valuable information for attackers.

Case Study: sniffing

Sniffing is the usual term for network-based eavesdropping. It is especially effective on shared-medium networks such as Ethernet. Sniffing usually involves placing an Ethernet network interface into "promiscuous mode." A "promiscuous" network card processes every packet seen on the Ethernet, as opposed to only those packets destined for the card's media access control (MAC) address. Since Ethernet uses carrier sense multiple access/collision detection (CSMA/CD) to transmit packets, all nodes in a collision domain use the same physical medium, relying on collision detection to avoid corrupting each other's packets. A card in promiscuous mode gathers all of the packets available in that collision domain, so the more nodes share the collision domain, the more traffic the sniffer can gather. In a switched network each switch port is its own collision domain, whereas an entire chain of hubs in a non-switched network forms a single collision domain.
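From the defender's side, the observable trace of a sniffer on a Linux host is the interface flag word itself. The following script is an added example, not code from the original page: it assumes the Linux convention that each interface's flags are exposed as a hex string in /sys/class/net/<iface>/flags, where IFF_PROMISC is bit 0x100 and IFF_UP is bit 0x1. The flag values in SAMPLE_FLAGS are constructed for illustration, and the sysfs reader simply returns an empty table when that directory is not present.

```python
"""Flag interfaces that are in promiscuous mode from their Linux flag word.

Added example (not from the original page). Assumes the Linux sysfs layout
/sys/class/net/<iface>/flags holding a hex flag word; IFF_PROMISC = 0x100.
"""
import os

IFF_UP = 0x1
IFF_PROMISC = 0x100


def is_promiscuous(flags_hex: str) -> bool:
    """True if the IFF_PROMISC bit is set in a hex flag word such as '0x1103'."""
    return bool(int(flags_hex.strip(), 16) & IFF_PROMISC)


def is_up(flags_hex: str) -> bool:
    """True if the IFF_UP bit is set."""
    return bool(int(flags_hex.strip(), 16) & IFF_UP)


def find_promiscuous(flag_table: dict) -> list:
    """Given {iface: flags_hex}, return the interface names in promiscuous mode, sorted."""
    return sorted(name for name, flags in flag_table.items() if is_promiscuous(flags))


def read_sysfs_flags(root: str = "/sys/class/net") -> dict:
    """Read live flag words from sysfs (Linux only); returns {} if the tree is absent."""
    table = {}
    if not os.path.isdir(root):
        return table
    for name in os.listdir(root):
        try:
            with open(os.path.join(root, name, "flags")) as fh:
                table[name] = fh.read()
        except OSError:
            continue  # virtual or vanished interface; skip it
    return table


# Constructed sample: 0x1003 = UP|BROADCAST|MULTICAST, 0x1103 adds PROMISC,
# 0x9 = UP|LOOPBACK (typical for lo).
SAMPLE_FLAGS = {"eth0": "0x1103", "eth1": "0x1003", "lo": "0x9"}

if __name__ == "__main__":
    table = read_sysfs_flags() or SAMPLE_FLAGS
    for name in find_promiscuous(table):
        state = "up" if is_up(table[name]) else "down"
        print(f"{name}: promiscuous mode set ({state})")
```

Run it periodically (or from a cron job) and alert on any interface that newly appears in the returned list; a capture tool setting promiscuous mode on a server that has no business sniffing is exactly the "stealthily installed sniffer" the case study describes.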

Obviously, proximity is an important factor when sniffing; however, traffic may be sniffed at any physical connection between the sender and receiver. For example, a client communicating with a server over the Internet may be sniffed at the cable modem segment leaving the client's neighborhood, on the networks of the ISPs connecting the cable provider to the server's ISP, on the T1 line entering the server's building, and finally on the local area network at the server's location.

The amount of information gleaned from a sniffing session depends on two factors. The first is how much data was gathered. The eavesdropper will have the entire communication if she captures every packet of the session; the drawback is the storage needed for all of those packets. A stealthily installed sniffer on a system along the communication path is no longer stealthy if its capture file grows to many megabytes and exhausts the server's disk space. The second factor is the eavesdropper's ability to decode the captured packets. Well-documented, well-known services have publicly available decoders. On the other hand, encrypted sessions are useless to an eavesdropper unless she can brute-force or steal the keys used to encrypt the session.

Tool: tcpdump

Tcpdump is a widely available tool used for basic packet capture and decoding on networks. Snoop is a similar tool often found on Sun Solaris systems. Tcpdump is a command-line, text-based sniffer. It uses the libpcap library for its actual packet capture. Basic filters may be set up on the command line to limit packet capture and to specify display and interface options. Output goes to the screen or to a file, with basic decoding to give human-readable time stamps, network addressing, and transport-level information. Despite its name, tcpdump is quite capable of capturing and decoding all types of traffic, from ICMP to UDP to, obviously, TCP.
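To make concrete what "basic decoding" of a capture file yields, and to illustrate the second factor from the case study above (a captured session is only as useful as the eavesdropper's ability to decode it), here is an added example that is not tcpdump's or libpcap's own code. It parses the classic libpcap file format (24-byte global header, 16-byte record headers, link type 1 for Ethernet), walks Ethernet, IPv4 and TCP/UDP headers with Python's standard library only, and emits tcpdump-style summary lines. The capture it works on is constructed inline: one cleartext HTTP request and one opaque, TLS-like record; IP and TCP checksums are left at zero because this decoder does not verify them. Function names (build_pcap, summarize, cleartext_payloads) are this example's own.

```python
"""Decode a classic pcap capture into tcpdump-style summary lines.

Added example, not tcpdump's or libpcap's code. Handles pcap link type 1
(Ethernet) and IPv4 over TCP/UDP; all capture bytes here are constructed.
"""
import datetime
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17
PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1
# tcpdump's flag letters, in the order tcpdump prints them
TCP_FLAG_NAMES = [(0x02, "S"), (0x08, "P"), (0x01, "F"), (0x04, "R"), (0x10, ".")]


def build_ipv4_tcp_frame(src, dst, sport, dport, flags, payload):
    """Construct an Ethernet/IPv4/TCP frame (checksums zero; sample data only)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, PROTO_TCP, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp


def build_pcap(frames, ts_sec=1000000000, ts_usec=123):
    """Construct a little-endian pcap buffer holding the frames one second apart."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", ts_sec + i, ts_usec, len(frame), len(frame)) + frame
    return out


def decode_frame(frame):
    """Return (src, sport, dst, dport, proto, tcp_flags, payload), or None if not IPv4 TCP/UDP."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4                 # IPv4 header length in bytes
    total_len = struct.unpack("!H", frame[16:18])[0]
    proto = frame[23]
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    l4 = frame[14 + ihl:14 + total_len]          # transport header + payload
    if proto == PROTO_TCP:
        sport, dport = struct.unpack("!HH", l4[:4])
        doff = (l4[12] >> 4) * 4                 # TCP data offset in bytes
        flags = "".join(name for bit, name in TCP_FLAG_NAMES if l4[13] & bit)
        return (src, sport, dst, dport, "tcp", flags, l4[doff:])
    if proto == PROTO_UDP:
        sport, dport, ulen = struct.unpack("!HHH", l4[:6])
        return (src, sport, dst, dport, "udp", "", l4[8:ulen])
    return None


def iter_records(data):
    """Yield (ts_sec, ts_usec, decoded) for each decodable record in a pcap buffer."""
    if data[:4] == struct.pack("<I", PCAP_MAGIC):
        order = "<"
    elif data[:4] == struct.pack(">I", PCAP_MAGIC):
        order = ">"                               # capture written on a big-endian host
    else:
        raise ValueError("not a classic pcap capture")
    if struct.unpack(order + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(order + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        decoded = decode_frame(frame)
        if decoded is not None:
            yield ts_sec, ts_usec, decoded


def summarize(data):
    """tcpdump-like lines: time stamp (UTC here; tcpdump uses local time), addresses, ports, flags, length."""
    lines = []
    for ts_sec, ts_usec, (src, sport, dst, dport, proto, flags, payload) in iter_records(data):
        stamp = datetime.datetime.fromtimestamp(ts_sec, datetime.timezone.utc).strftime("%H:%M:%S")
        flag_part = f" Flags [{flags}]," if proto == "tcp" else ""
        lines.append(f"{stamp}.{ts_usec:06d} IP {src}.{sport} > {dst}.{dport}:{flag_part} length {len(payload)}")
    return lines


def looks_like_cleartext(payload):
    """Heuristic: a non-empty payload made only of printable ASCII and whitespace."""
    return bool(payload) and all(32 <= b < 127 or b in b"\r\n\t" for b in payload)


def cleartext_payloads(data):
    """Payloads an eavesdropper can read directly; encrypted ones yield only their headers and sizes."""
    return [rec[2][6] for rec in iter_records(data) if looks_like_cleartext(rec[2][6])]


# Constructed capture: a cleartext HTTP request, then an opaque TLS-like record on port 443.
SAMPLE_PCAP = build_pcap([
    build_ipv4_tcp_frame("192.0.2.10", "198.51.100.5", 45000, 80, 0x18, b"GET / HTTP/1.0\r\n\r\n"),
    build_ipv4_tcp_frame("192.0.2.10", "198.51.100.5", 45001, 443, 0x18, bytes.fromhex("170303000711a09d4c21f6e3")),
])

if __name__ == "__main__":
    for line in summarize(SAMPLE_PCAP):
        print(line)
    print("readable payloads:", cleartext_payloads(SAMPLE_PCAP))
```

Both records decode to the same kind of summary line, which is the point worth noticing: encryption hides the HTTP request body but not who talked to whom, on which port, when, and how much; only the cleartext record's payload survives the `cleartext_payloads` filter.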

Tool: ethereal

Ethereal is an open-source graphical sniffer with extensive decoding capabilities. Packets are shown in a list format similar to tcpdump's, together with a more detailed tree view of each packet and a raw hex dump of its bytes. Ethereal supports a wide array of capture formats and sources, including tcpdump's files, those of commercial sniffers such as Network Associates' SnifferPro, and its own native interface to libpcap.


©2001-2003 by Itillious, Inc. All Rights Reserved.