Sniffers as Security Risks

Sniffers differ greatly from keystroke-capture programs. Here's how: Key-capture programs save, or capture, keystrokes entered at a terminal. Sniffers, on the other hand, capture actual network packets. Sniffers do this by placing the network interface—an Ethernet adapter, for example—into promiscuous mode. Sniffers also differ in one key aspect from other attack methods—sniffers are passive, only listening to the network traffic.

A sniffer always functions in a promiscuous mode. Normally, a system's network card will only grab packets destined for that system. In promiscuous mode, however, instead of ignoring all other packets, the system captures every packet that it sees on the network. To further understand how promiscuous mode works, you must first understand how local area networks are designed.

Local Area Networks and Data Traffic

Local area networks (LANs) are small networks connected (generally) via Ethernet. Data is transmitted from one machine to another via cable. There are different types of cable, which transmit data at different speeds. The five most common types of network cable follow:

· 10BASE-2. (10Mbps) Coaxial Ethernet (thinwire) that, by default, transports data distances of up to 600 feet.

· 10BASE-5. (10Mbps) Coaxial Ethernet (thickwire) that, by default, transports data distances of up to 1,500 feet.

· 10BASE-F. (10Mbps) Fiber optic Ethernet.

· 10BASE-T. (10Mbps) Twisted pair Ethernet that, by default, transports data distances of up to 300 feet.

· 100BASE-T. (100Mbps) Fast Ethernet that, by default, transports data distances of up to 300 feet.

Data travels along the cable in small units called frames. These frames are constructed in sections, and each section carries specialized information. (For example, the first 12 bytes of an Ethernet frame carry both the destination and source address. These values tell the network where the data came from and where it's going. Other portions of an Ethernet frame carry actual user data, TCP/IP headers, IPX headers, and so forth.)

Frames are packaged for transport by special software called a network driver. The frames are then passed from your machine to cable via your Ethernet card. From there, they travel to their destination. At that point, the process is executed in reverse: The recipient machine's Ethernet card picks up the frames, tells the operating system that frames have arrived, and passes those frames on for processing.

Sniffers pose a security risk because of the way frames are transported and delivered. Let's briefly look at that process.

Packet Transport and Delivery

Each workstation in a LAN has its own hardware address or Media Access Control (MAC) address. This address uniquely identifies that machine from all others on the network. (This is similar to the Internet address system.) When you send a message across the LAN, your packets are sent to all connected machines.

Under normal circumstances, all machines on the network can "hear" that traffic going by, but will only respond to data addressed specifically to them. (In other words, Workstation A will not capture data intended for Workstation B. Instead, Workstation A will simply ignore that data.)

If a workstation's network interface is in promiscuous mode, however, it can capture all packets and frames on the network. A workstation configured in this way (and the software on it) is a sniffer.