Sniffing is the monitoring and capturing of network packets, such as those belonging to email and HTTP traffic, network management traffic, chat sessions, etc. A sniffer tool normally puts the system's NIC into promiscuous mode so that it listens to all the data transmitted on its segment, even data that is not addressed to that NIC.

Sniffing can be either active or passive.

  • In passive sniffing, the traffic is listened to but not modified in any way. Hub devices send all traffic to all ports, so in a network that uses hubs to connect systems, all hosts on the network can see the traffic, and an adversary could easily capture all traffic going through. Hubs are now obsolete; modern networks are switched.
  • In active sniffing, traffic can also be modified. This involves injecting packets into a target network, for example to flood the switch's Content Addressable Memory (CAM) table, which keeps track of which host is connected to which port. Active sniffing is an important ingredient in many attacks, including DNS poisoning, ARP poisoning, DNS spoofing, and application-level session hijacking.
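
On the defensive side, the CAM table flooding mentioned above shows up as a single switch port sourcing an abnormal number of distinct MAC addresses in a short time, which is also what a per-port MAC limit enforces. The following is an added example, not part of the original page: a sliding-window check over (timestamp, port, source MAC) observations. The event format, port names, MAC addresses and thresholds are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

def flag_mac_floods(events, max_macs=5, window=10.0):
    """Flag ports that source more than max_macs distinct MACs within
    any `window` seconds. events: time-sorted (ts, port, src_mac) tuples.
    Returns {port: peak distinct-MAC count}. Thresholds are assumptions."""
    recent = defaultdict(deque)                    # port -> (ts, mac) in window
    live = defaultdict(lambda: defaultdict(int))   # port -> mac -> frame count
    flagged = {}
    for ts, port, mac in events:
        mac = mac.lower()
        recent[port].append((ts, mac))
        live[port][mac] += 1
        # Expire observations that have fallen out of the window.
        while ts - recent[port][0][0] > window:
            _, old = recent[port].popleft()
            live[port][old] -= 1
            if live[port][old] == 0:
                del live[port][old]
        distinct = len(live[port])
        if distinct > max_macs:
            flagged[port] = max(flagged.get(port, 0), distinct)
    return flagged

def sample_events():
    """Constructed observations; port names and MACs are made up."""
    ev = []
    for i in range(20):   # Gi0/1: two stable hosts (e.g. PC behind a phone)
        ev.append((i * 0.5, "Gi0/1", "00:11:22:33:44:%02x" % (i % 2)))
    for i in range(8):    # Gi0/3: eight MACs, but one every 11 s (slow churn)
        ev.append((i * 11.0, "Gi0/3", "00:aa:bb:cc:dd:%02x" % i))
    for i in range(40):   # Gi0/7: forty distinct MACs in two seconds
        ev.append((3.0 + i * 0.05, "Gi0/7", "02:00:00:00:00:%02x" % i))
    return sorted(ev)

if __name__ == "__main__":
    for port, peak in flag_mac_floods(sample_events()).items():
        print(f"ALERT {port}: {peak} distinct source MACs within the window")
```

Only the port with a burst of new source addresses is flagged; the port with slow MAC churn stays below the limit because old observations age out of the window.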

  • Last modified: 2019/11/03 09:41