Group items tagged

Packet sniffer's, are protocol analyzers meant to capture the packets that are seen by a machine's network interface. When a sniffer runs on a system, it grabs all the packets that come into and goes out of the Network Interface Card (NIC) of the machine on which the sniffer is installed. This means that, if the NIC is set to the promiscuous mode, then it will receive all the packets sent to the network if that network is connected by a hub. Unfortunately, in a switched network, since switches do not broadcast the packets, sniffers cannot see any packet that is not having the destination address of the machine on which it is installed. This is unfortunate for testing reasons, but fortunate for security reasons. It is fortunate because, if an attacker installs a sniffer in a trusted network, but if the trusted network uses a hub to broadcast the packets within that network, then the sniffer would be able to look at every single packet that is going across the network. Many network monitoring tools are based on passive packet capture. The principle is the following: the tool passively captures packets flowing on the network and analyzes them in order to compute traffic statistics and reports including network protocols being used, communication problems, network security and bandwidth usage. Many network tools that need to perform packet capture ([tcpdump], [ethereal], [snort]) are based on a popular programming library called libpcap [libpcap] that provides a high level interface to packet capture.