Built-in sniffer. What is a sniffer. Description of the structure of the IP packet

Many computer users have heard the word "sniffer", but not everyone fully understands what it means, and only a fairly limited circle of users knows how and where such programs and hardware components are used. Let's try to sort it out.

What is a sniffer?

First, the definition of the term. The English word "sniffer" literally means "one who sniffs". In simpler terms, it is a program or a piece of equipment that, by analyzing traffic in the form of transmitted and received data, extracts the information of interest, for example encrypted passwords, external network IP addresses or confidential data. Sniffers themselves can be used both for harm and for good.

Sniffers: basic types

The main types of sniffers are not necessarily software installed on a computer or delivered as an online applet. Quite often today sniffers come as hardware devices or components that combine physical and software functions. The main classification of sniffers includes the following types:

- software;
- hardware;
- software and hardware;
- online components.

Alongside the main classification, sniffers can also be divided by the direction of analysis. The most common variety, for example, is the password sniffer, whose main task is to extract plaintext or encrypted access codes or other data from the captured packets. There are also sniffers that determine the IP address of a specific computer in order to reach that machine and the information stored on it.

How does it work? The technology of intercepting network traffic applies only to networks built on TCP/IP protocols and to connections made through Ethernet network cards. Wireless networks can also be analyzed, since such a system still has a wired segment somewhere (to the distributing desktop PC, laptop or router). Data is not transmitted over the network in a single block but is divided into standard segments and packets, which the receiving side reassembles into a whole. A sniffer can track the transmission path of each segment. When unprotected packets pass through connected devices such as switches, hubs, routers, computers or mobile devices, the information of interest, which may include passwords, is extracted. Cracking a password then becomes a matter of technique, especially if it is not properly encrypted. Even with modern password encryption technologies, the password may be transmitted together with the corresponding key: if the key is sent in the open, obtaining the password is very easy, and if the key is encrypted, an attacker can turn to some kind of decryption program. Either way, the result is a data breach.

Where can a network sniffer be used? Application area

The scope of use of sniffers is rather peculiar. Do not assume that a convenient sniffer with a Russian-language interface is only a tool for hackers trying to tamper with network traffic to obtain valuable information. Sniffers are also used by providers, who analyze their users' traffic on the basis of that data and thereby strengthen the security of their systems. Such equipment and applications are called anti-sniffers, but they are in fact ordinary sniffers working in the opposite direction. Of course, no one notifies users of such actions by the provider, and there is little point in doing so: an ordinary user is unlikely to be able to take any effective measures on their own. For a provider, traffic analysis is often a very important matter, since it can prevent outside attempts to interfere with the operation of the network. By analyzing access to the transmitted packets, unauthorized access to them can be tracked even down to the external IP addresses that are trying to intercept the transmitted segments. This is the most basic example; in reality the technology is much more complicated.

How to detect the presence of a sniffer?

Let's set aside the term "sniffer" for a moment; it is already fairly clear what it is. Let's now look at the signs by which you can independently detect "wiretapping" by a sniffer. If the computer system as a whole, the Internet connection and the network equipment all work without interruptions, the first sign of outside interference is a drop in the data transfer speed compared to the one declared by the provider. In Windows operating systems an ordinary user can hardly measure the speed with standard tools, even when the status window is opened by clicking on the connection icon: only the number of received and sent packets is shown there. The drop in speed may also be due to limitations of the resource being accessed itself. It is best to use dedicated analyzer utilities, which, it should be noted, work on the principle of a sniffer. The one thing to watch is that programs of this type can cause errors after installation because of conflicts with firewalls (third-party products or the built-in Windows firewall), so for the duration of the analysis it is advisable to disable the protective screens completely.

Conclusion

We have briefly reviewed the main questions around the concept of a "sniffer"; it should now be clear what it is, both as a protection tool and as a hacking tool. A few words remain to be said about online applets. They are mostly used by cybercriminals to obtain the victim's IP address and reach confidential information. Such an online sniffer performs its direct function while also changing the attacker's IP address, so these applets are somewhat reminiscent of anonymous proxy servers that hide the user's real IP address. For obvious reasons, no details of such Internet resources are given here, since interfering with other people's computer systems with the help of these seemingly officially hosted software products is a criminal offense.

Wireshark is a powerful network analyzer for examining the traffic passing through your computer's network interface. You may need it to detect and solve network problems or to debug your web applications, network programs or sites. Wireshark lets you view the full contents of a packet at every layer, so you can better understand how the network works at a low level.

All packets are captured in real time and presented in an easy-to-read format. The program has a very powerful filtering system, color highlighting and other features that help you find the packets you need. In this tutorial we'll look at how to use Wireshark to analyze traffic. The developers have recently moved to the second branch, Wireshark 2.0, which brought many changes and improvements, especially to the interface, and that is the version used in this article.

Before turning to the methods of traffic analysis, let's look in more detail at what the program can do, which protocols it works with and what it is used for. Here are its main features:

  • Capturing packets in real time from wired or any other type of network interface, as well as reading them from a file;
  • The following capture interfaces are supported: Ethernet, IEEE 802.11, PPP and local virtual interfaces;
  • Packets can be sifted by many parameters using filters;
  • All known protocols are highlighted in the list in different colors, for example TCP, HTTP, FTP, DNS, ICMP and so on;
  • Support for capturing VoIP call traffic;
  • Decryption of HTTPS traffic when the certificate is available;
  • Decryption of WEP and WPA traffic of wireless networks when the key and the handshake are available;
  • Display of network load statistics;
  • Viewing packet contents at all network layers;
  • Display of the time each packet was sent and received.

The program has many other features, but these are the main ones likely to interest you.

How to use Wireshark

I assume you already have the program installed; if not, you can install it from the official repositories. In Ubuntu, type the command:

sudo apt install wireshark

After installation, the program appears in the distribution's main menu. Wireshark must be run with superuser rights, otherwise it will not be able to capture network packets. This can be done from the main menu or from the terminal; the command for KDE is:

And for Gnome / Unity:

The program's main window is divided into three parts: the first column lists the network interfaces available for capture, the second offers options for opening files, and the third holds the help.

Network traffic analysis

To start the analysis, select a network interface, for example eth0, and click the Start button.

The next window then opens, already showing the stream of packets passing through the interface. This window is also divided into several parts:

  • Top part - the menus and toolbars with various buttons;
  • Packet list - the stream of network packets you will analyze;
  • Packet contents - just below, the contents of the selected packet, divided into sections by layer;
  • Raw representation - at the very bottom, the contents of the packet in raw form, as well as in HEX.

Click on any packet to analyze its contents:

Here we see a DNS request packet to obtain the site's IP address; the domain is sent in the request itself, and in the response packet we get our question back together with the answer.

For more convenient viewing, you can open the packet in a new window by double-clicking the entry:

Wireshark Filters

It is very inconvenient to go through packets manually to find the ones you need, especially with an active stream, so it is better to use filters for this task. There is a special line under the menu for entering filters. You can click Expression to open the filter constructor, but there are a great many fields, so we'll cover only the most basic ones:

  • ip.dst - destination IP address;
  • ip.src - sender's IP address;
  • ip.addr - IP address of the sender or recipient;
  • ip.proto - protocol;
  • tcp.dstport - destination port;
  • tcp.srcport - sender's port;
  • ip.ttl - filter by TTL, which indicates the network distance;
  • http.request_uri - the requested website address.

You can use the following operators to specify the relationship between a field and a value in a filter:

  • == - equal;
  • != - not equal;
  • < - less than;
  • > - greater than;
  • <= - less than or equal;
  • >= - greater than or equal;
  • matches - matches a regular expression;
  • contains - contains the given substring.

To combine multiple expressions, you can use:

  • && - both expressions must be true for the packet;
  • || - at least one of the expressions must be true.

Now let's take a closer look at several filters with examples and try to understand all the relationship signs.

First, let's filter out all packets sent to 194.67.215.. Type the line in the filter field and click Apply. For convenience, Wireshark filters can be saved using the Save button:

ip.dst == 194.67.215.125

To get not only the packets sent to this node but also those received from it in response, combine two conditions:

ip.dst == 194.67.215.125 || ip.src == 194.67.215.125

We can also select large files being transferred:

http.content_length > 5000

By filtering on the Content-Type we can select all the images that have been loaded; let's analyze the Wireshark traffic whose packets contain the word image:

http.content_type contains image
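As an added example (not code from the original article or from Wireshark itself), here is a small Python model of what these filters do: it parses the IPv4 and TCP headers of constructed packets into the field names listed above (ip.src, ip.dst, ip.proto, ip.ttl, tcp.srcport, tcp.dstport) and evaluates the filter expressions from this section against them. The grammar is a deliberate subset of Wireshark's (comparison operators, contains, && and ||; no parentheses or matches), and the sample packets and addresses are constructed for the demo.

```python
import ipaddress
import struct

# Added example, not Wireshark's code: parse IPv4/TCP headers into the field
# names used by the display filters above and evaluate a small filter subset.

OPS = {
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    "<": lambda a, b: a < b,
    ">": lambda a, b: a > b,
    "<=": lambda a, b: a <= b,
    ">=": lambda a, b: a >= b,
    "contains": lambda a, b: str(b) in str(a),
}


def parse_ipv4(packet: bytes) -> dict:
    """Wireshark-style fields from a raw IPv4 packet (no Ethernet header)."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes, options included
    fields = {
        "ip.src": str(ipaddress.IPv4Address(src)),
        "ip.dst": str(ipaddress.IPv4Address(dst)),
        "ip.proto": proto,
        "ip.ttl": ttl,
        "ip.len": total_len,
    }
    if proto == 6 and len(packet) >= ihl + 4:  # TCP: ports are its first 4 bytes
        fields["tcp.srcport"], fields["tcp.dstport"] = struct.unpack("!HH", packet[ihl:ihl + 4])
    return fields


def matches_filter(fields: dict, expression: str) -> bool:
    """Evaluate 'field op value' terms joined by && and ||; as in Wireshark,
    && binds tighter than ||, and a field absent from the packet never matches."""
    def term(text: str) -> bool:
        name, op, literal = text.split(None, 2)
        if name not in fields or op not in OPS:
            return False
        value = fields[name]
        # numeric fields compare as integers, string fields as unquoted text
        wanted = int(literal, 0) if isinstance(value, int) else literal.strip().strip('"')
        return OPS[op](value, wanted)
    return any(all(term(t) for t in conj.split("&&")) for conj in expression.split("||"))


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, ttl: int = 64) -> bytes:
    """Constructed IPv4+TCP SYN packet for the demo (checksums left as zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, ttl, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + tcp


# Constructed sample capture: a request to the node from the text, its reply,
# and an unrelated DNS packet that the ip.dst/ip.src filters must leave out.
SAMPLE_PACKETS = [
    build_ipv4_tcp("192.168.1.10", "194.67.215.125", 51000, 80, ttl=64),
    build_ipv4_tcp("194.67.215.125", "192.168.1.10", 80, 51000, ttl=52),
    build_ipv4_tcp("192.168.1.10", "8.8.8.8", 51001, 53, ttl=64),
]


def apply_filter(packets, expression: str) -> list:
    """Indices of the packets the filter keeps (what Wireshark's list would show)."""
    return [i for i, p in enumerate(packets) if matches_filter(parse_ipv4(p), expression)]


if __name__ == "__main__":
    for expr in ("ip.dst == 194.67.215.125",
                 "ip.dst == 194.67.215.125 || ip.src == 194.67.215.125",
                 "tcp.dstport == 53 && ip.ttl >= 64"):
        print(f"{expr:55} -> packets {apply_filter(SAMPLE_PACKETS, expr)}")
```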

To clear the filter, press the Clear button. You do not always know all the information needed for filtering and may simply want to study the network. You can add any packet field as a column and see its contents for every packet in the main window.

For example, I want to display the TTL (time to live) of a packet as a column. To do this, open the packet details, find this field in the IP section, then call the context menu and choose Apply As Column:

In the same way, you can create a filter based on any field you like. Select it, bring up the context menu, then press Apply as filter or Prepare as filter and choose Selected to display only the selected values, or Not selected to remove them:

The field and its value will be applied or, in the second case, substituted into the filter field:

In this way, any packet field or column can be added to the filter; this option is also in the context menu. You can also use simpler conditions to filter by protocol. For example, let's analyze Wireshark traffic for the HTTP and DNS protocols:

Another interesting feature is using Wireshark to follow a specific session between the user's computer and the server. To do this, open the context menu for the packet and select Follow TCP stream.

Then a window will open in which you will find all the data transferred between the server and the client:

Diagnosing Wireshark Issues

You might be wondering how to use Wireshark 2.0 to detect network problems. In the lower left corner of the window there is a round button; clicking it opens the Expert Tools window, in which Wireshark collects all error messages and network problems:

The window is divided into tabs: Errors, Warnings, Notices, Chats. The program can filter out and find many network problems, and here you can see them very quickly. Wireshark filters are supported here as well.

Wireshark traffic analysis

You can very easily see what exactly users downloaded and which files they viewed if the connection was not encrypted; the program does a very good job of extracting content.

To do this, first stop capturing traffic using the red square on the toolbar, then open the menu File -> Export Objects -> HTTP:

Many users do not even realize that when they fill in a login and password while registering or signing in to a closed Internet resource and press ENTER, this data can easily be intercepted: very often it is transmitted over the network unprotected. So if the site you are trying to log in to uses plain HTTP, it is very easy to capture this traffic, analyze it in Wireshark and then use special filters and programs to find and decode the password.

The best place to intercept passwords is the core of the network, where the traffic of all users to closed resources (for example, mail) passes, or in front of the router that provides Internet access, where registrations with external resources pass. We set up a mirror port and are ready to feel like a hacker.

Step 1. Install and run Wireshark to capture traffic

Sometimes it is enough to select the interface through which we plan to capture traffic and click the Start button. In our case, we capture over the wireless network.

Traffic capture has begun.

Step 2. Filtering captured POST traffic

We open a browser and try to log in to some resource with a username and password. Once authorization completes and the site opens, we stop the capture in Wireshark. Next we open the protocol analyzer and see a large number of packets. It is at this stage that most IT professionals give up because they do not know what to do next. But we do: we are interested in the specific packets that contain POST data, generated on our local machine when the form on the screen is filled in and sent to the remote server when the "Login" or "Authorization" button is clicked in the browser.

Enter a special filter in the captured-packets window: http.request.method == "POST"

And instead of a thousand packets we see only one, with the data we are looking for.

Step 3. Find the username and password

Right-click the packet and select Follow TCP Stream from the menu.

After that, text appears in a new window that restores the content of the page in code form. Let's find the fields "password" and "user", which correspond to the password and username. In some cases both fields will be easy to read and not even encoded, but if we are capturing traffic to very well-known resources such as Mail.ru, Facebook, Vkontakte and so on, the password will be encoded:

HTTP/1.1 302 Found
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: password=; expires=Thu, 07-Nov-2024 23:52:21 GMT; path=/
Location: loggedin.php
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

Thus, in our case:

Username: networkguru

Password:

Step 4. Determining the type of encoding to decrypt the password

We go, for example, to the site http://www.onlinehashcrack.com/hash-identification.php#res and enter our password in the identification window. I was given a list of possible encoding types in order of priority:

Step 5. Decrypting user password

At this stage we can use the hashcat utility:

~ # hashcat -m 0 -a 0 /root/wireshark-hash.lf /root/rockyou.txt

The output gives us the recovered password: simplepassword

Thus, with Wireshark we can not only troubleshoot applications and services but also try ourselves as a hacker, intercepting the passwords users enter in web forms. You can also find out the passwords to users' mailboxes using simple display filters:

  • For the POP protocol the filter looks like this: pop.request.command == "USER" || pop.request.command == "PASS"
  • For IMAP the filter is: imap.request contains "login"
  • For the SMTP protocol you will need to enter the following filter: smtp.req.command == "AUTH"

and more serious utilities for decoding the encoding scheme.

Step 6. What if the traffic is encrypted and using HTTPS?

There are several possible answers to this question.

Option 1. Break into the connection between the user and the server and capture the traffic at the moment the connection is established (the SSL handshake); at that moment the session key can be intercepted.

Option 2. HTTPS traffic can be decrypted using the session key log file written by Firefox or Chrome. For this, the browser must be configured to write its encryption keys to a log file (a Firefox-based example), and you need to obtain that file. Essentially, you have to steal the session key file from another user's hard drive (which is illegal). Then capture the traffic and use the obtained keys to decrypt it.

Clarification: this refers to the web browser of the person trying to steal a password. If we mean decrypting our own HTTPS traffic for practice, this strategy works. If you are trying to decrypt other users' HTTPS traffic without access to their computers, it will not work; that is what encryption and privacy are for.

After obtaining the keys by option 1 or 2, register them in Wireshark:

  1. Go to the menu Edit - Preferences - Protocols - SSL.
  2. Set the flag "Reassemble SSL records spanning multiple TCP segments".
  3. Find "RSA keys list" and click Edit.
  4. Fill in all the fields and enter the path to the key file.

Wireshark can decrypt packets that are encrypted using the RSA key exchange. If DHE/ECDHE, forward secrecy (FS) or ECC algorithms are used, the sniffer is no help to us.

Option 3. Gain access to the web server the user connects to and obtain the key from it. This is even harder. In corporate networks this option is implemented on a legal basis for the purposes of application debugging or content filtering, but not for intercepting user passwords.

BONUS

VIDEO: Wireshark Packet Sniffing Usernames, Passwords, and Web Pages

Sniffer (from English to sniff) - a network traffic analyzer: a program or a hardware/software device designed to intercept and then analyze, or only to analyze, network traffic destined for other nodes.

A sniffer can only analyze what passes through its network card. Within a single Ethernet segment all packets are delivered to all machines, which makes it possible to intercept other people's information. Using switches (switch, switch-hub) and configuring them competently already protects against eavesdropping, because between segments information is passed through switches. Packet switching is a form of transmission in which data, broken into individual packets, can be sent from source to destination by different routes, so if someone in another segment sends packets inside it, the switch will not forward that data to your segment.

Traffic interception can be carried out:

  • by ordinary "listening" on the network interface (the method is effective when hubs are used in the segment instead of switches; otherwise it is ineffective, since only individual frames reach the sniffer);
  • by connecting the sniffer into a break in the channel;
  • by branching the traffic (in software or hardware) and directing a copy of it to the sniffer;
  • by analyzing spurious electromagnetic emissions and reconstructing the eavesdropped traffic from them;
  • through an attack at the link or network layer that redirects the victim's traffic, or all the traffic of the segment, to the sniffer, which then returns the traffic to its proper destination.

In the early 1990s sniffers were widely used to capture user logins and passwords, which in a number of network protocols are transmitted unencrypted or weakly encrypted. Their widespread adoption made it possible to capture traffic effortlessly across large network segments with little or no risk of detection.

Sniffers are programs capable of intercepting and then analyzing network traffic. They are useful when you need to intercept passwords or diagnose a network. The program can be installed on one device to which there is access, and within a short time it receives all the data transmitted in the subnet.

How sniffers work

Traffic can be intercepted with a sniffer in the following ways:

  • By listening in the normal mode of the network interface; this method works only when hubs, not switches, are used in the given segment.
  • By connecting the sniffer into a break in the channel, the traffic can be intercepted.
  • An adapter or program changes the path of the traffic and sends a copy to the sniffer.
  • Spurious electromagnetic emissions are analyzed and the traffic is recovered from them for listening.
  • An attack at the link or network layer redirects the traffic to the sniffer to receive the data, after which the traffic is sent on along its previous route.

The traffic intercepted by the sniffer is analyzed to reveal:

Common sniffers analyze traffic very simply, using the most automated tools available, and can handle only very small volumes.

Examples of the most famous sniffers:

  • WinSniffer 1.3 - the best sniffer; it has many different configurable modes and can catch the passwords of various services;
  • CommView 5.0 - captures and analyzes Internet traffic as well as the local network. It collects data associated with the modem and network card and decodes them, which makes it possible to see the complete list of connections on the network and IP statistics. The intercepted information is saved to a separate file for further analysis; in addition, a convenient filtering system lets you ignore unnecessary packets and keep only those the attacker needs;
  • ZxSniffer 4.3 - a small sniffer of 333 kB; it fits on any modern storage medium and can be used by;
  • SpyNet - a well-known and popular sniffer. Its main functionality includes intercepting traffic and decoding data packets;
  • IRIS - has extensive filtering capabilities and can catch packets with specified restrictions.

Sniffers classification

Sniffers are divided by their manner of use into legal and illegal. The very concept of a sniffer is applied specifically to illegal use, while the legal ones are called "traffic analyzers".

Legal sniffers (traffic analyzers) are used to obtain complete information about the state of the network and to understand what employees are doing at their workplaces. Their help cannot be overestimated when it is necessary to "listen" to the ports of programs through which those programs may send confidential information to their masters. For programmers they help debug programs and their interaction. With traffic analyzers you can promptly detect unauthorized access to data or DoS attacks.

Illegal use means spying on network users: an attacker can learn which sites the user visits, what data they send and which programs they use for communication. The main purpose of "listening" to traffic is to obtain logins and passwords transmitted in unencrypted form.

Traffic analyzers differ in the following capabilities:

  • Support for data link protocols as well as physical interfaces.
  • The quality of protocol decoding.
  • User interface.
  • Access to statistics, real-time traffic viewing, etc.

Source of threat

Sniffers can work on:

  • On a router - all traffic passing through the device can be analyzed.
  • At a network endpoint - all data transmitted over the network reaches every network card, but in normal operation a card simply ignores data not intended for it. If the card is switched to promiscuous mode, however, it receives all the data transmitted in the network, and sniffers of course allow switching to this mode.

Risk analysis

Any organization can be at risk of sniffing, and there are several ways to protect it from data leaks. First, use encryption. Second, use anti-sniffers.

An anti-sniffer is a software or hardware tool that runs on the network and allows sniffers to be found.

Using encryption alone when transferring data does not hide the fact of the transfer, so encryption should be used together with an anti-sniffer.
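As an added example (not from the page or any anti-sniffer product), here is a minimal host-side anti-sniffer check for Linux that ties together the "Source of threat" point about promiscuous mode and the anti-sniffer idea above: it reads the interface flags the kernel exposes under /sys/class/net/<iface>/flags and reports every interface whose IFF_PROMISC bit is set. The sysfs root is a parameter so the check can be run against a constructed directory tree; the interface names and flag values in the demo are constructed.

```python
from pathlib import Path
import tempfile

# Added example, not from the page: report Linux interfaces whose IFF_PROMISC
# flag is set, i.e. cards accepting frames not addressed to them, the mode the
# text says a sniffer switches the network card into.

IFF_PROMISC = 0x100  # promiscuous-mode flag bit, from <linux/if.h>


def is_promisc(flags_text: str) -> bool:
    """flags_text is the raw content of a sysfs flags file, e.g. '0x1103\\n'."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def find_promisc_interfaces(sysfs_root: str = "/sys/class/net") -> list:
    """Names of interfaces in promiscuous mode under the given sysfs root."""
    root = Path(sysfs_root)
    if not root.is_dir():
        return []  # not Linux, or sysfs not mounted: nothing to inspect
    found = []
    for iface in sorted(root.iterdir()):
        flags_file = iface / "flags"
        if not flags_file.is_file():
            continue
        try:
            if is_promisc(flags_file.read_text()):
                found.append(iface.name)
        except (OSError, ValueError):
            continue  # interface vanished or unreadable: not a finding
    return found


def demo_on_constructed_tree() -> list:
    """Build a constructed sysfs-like tree (lo up, eth0 up, eth1 up and
    promiscuous) in a temporary directory and run the check against it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, flags in {"lo": "0x9", "eth0": "0x1003", "eth1": "0x1103"}.items():
            (Path(tmp) / name).mkdir()
            (Path(tmp) / name / "flags").write_text(flags + "\n")
        return find_promisc_interfaces(tmp)


if __name__ == "__main__":
    print("constructed tree:", demo_on_constructed_tree())  # ['eth1']
    print("this host:", find_promisc_interfaces())  # empty unless a capture is running
```

Wireshark and tcpdump set this bit only for the duration of a capture, and the check sees only the host it runs on, which is why the text pairs anti-sniffers with encryption rather than relying on either alone.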