Sniffing is the monitoring and capturing of network packets, such as those belonging to email and HTTP traffic, network management traffic, chat sessions, etc. A sniffer tool normally puts the system's NIC into promiscuous mode so that it listens to all data transmitted on its segment, even data that is not addressed to that NIC.

Sniffing can be either active or passive.

  • In passive sniffing, the traffic is listened to but it is not modified in any way. Hub devices send all traffic to all the ports. In a network using hubs to connect systems, all hosts on the network can see the traffic, and an adversary could easily capture all traffic going through. Hubs are now obsolete. Modern networks are switched.
  • In active sniffing, traffic can also be modified, depending on the attack. Active sniffing involves injecting packets into a target network to flood the switch's content addressable memory (CAM) table, which keeps track of which host is connected to which port.
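
From the defender's side, CAM table flooding shows up as one switch port suddenly sourcing many never-before-seen MAC addresses. The detector below is an added example, not code from the original page; the function names, the thresholds, and the `(timestamp, port, source MAC)` input format are assumptions, and the sample frames are constructed.

```python
from collections import defaultdict, deque

def flag_mac_floods(frames, window=5.0, max_new_macs=8):
    """Return {port: peak number of new source MACs seen within `window` seconds}
    for every port whose peak exceeds `max_new_macs`.

    frames: time-ordered iterable of (timestamp_seconds, switch_port, source_mac).
    """
    known = defaultdict(set)     # port -> MACs already learned on that port
    recent = defaultdict(deque)  # port -> timestamps of recently learned MACs
    peaks = {}
    for ts, port, mac in frames:
        mac = mac.lower()
        if mac in known[port]:
            continue             # an already-learned host adds no CAM entry
        known[port].add(mac)
        q = recent[port]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()          # drop learn events older than the window
        if len(q) > max_new_macs:
            peaks[port] = max(peaks.get(port, 0), len(q))
    return peaks

def sample_frames():
    """Constructed observations: port 1 behaves normally, port 7 does not."""
    frames = []
    # Port 1: four hosts appear over a minute, each sending repeat traffic.
    for i in range(4):
        mac = f"02:00:00:00:01:{i:02x}"
        frames.append((i * 15.0, 1, mac))
        frames.append((i * 15.0 + 1, 1, mac))
    # Port 7: 40 never-seen source MACs within two seconds.
    for i in range(40):
        frames.append((20.0 + i * 0.05, 7, f"02:00:00:00:07:{i:02x}"))
    return sorted(frames)

if __name__ == "__main__":
    for port, peak in flag_mac_floods(sample_frames()).items():
        print(f"port {port}: {peak} new source MACs within the window")
```

The same idea is what a per-port limit on learned MAC addresses enforces on the switch itself: a normal access port has no reason to source dozens of addresses.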

The most common attacks that use sniffing are: