packets then get passed around by routers and eventually make their way
to the network segment that contains the destination computer.
As each packet travels around that destination segment, the network
card on each computer on the segment examines the address in the
header. If the destination address on the packet is the same as the IP
address of the computer, the network card grabs the packet and passes
it on to its host computer.
That's how I think it works, anyway. I'm sure there are many network
engineers out there who are champing at the bit to explain the many
subtle but important errors I've made, but frankly, that little model
seems to work for me.
Promiscuous Network Cards
Packet sniffers work slightly differently. Instead of just picking up
the packets that are addressed to them, they set their network cards to
what's known as "promiscuous mode" and grab a copy of every packet that
goes past. This lets the packet sniffers see all data traffic on the
network segment to which they're attached - if they're fast enough to
be able to process all that mass of data, that is. This network traffic
often contains very interesting information for an attacker, such as
user identification numbers and passwords, confidential data - anything
that isn't encrypted in some way.
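To make the model in the two paragraphs above concrete, here is a small Python script (an added example, not code from the column or from Sniffit) that builds a few IPv4 headers, checks them the way a receiving stack would, and then plays the part of the network card in both modes: normal mode hands up only the packets addressed to the host, promiscuous mode hands up everything on the segment. The addresses are taken from the 192.0.2.0/24 documentation range and the traffic is constructed; real cards filter on the link-layer MAC address rather than the IP address, but the author's IP-level picture is what is reproduced.

```python
import ipaddress
import struct

# Added example modelling the column's description of packet delivery.
# Constructed sample data only: 192.0.2.0/24 is a documentation range.
IPV4_HEADER_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header, no options


def ipv4_checksum(data: bytes) -> int:
    """Ones'-complement sum of 16-bit words, as used for the IPv4 header."""
    total = 0
    for i in range(0, len(data), 2):
        high = data[i]
        low = data[i + 1] if i + 1 < len(data) else 0
        total += (high << 8) | low
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int = 6) -> bytes:
    """Build a minimal IPv4 header (no payload) with a valid checksum."""
    ver_ihl = (4 << 4) | 5                   # version 4, IHL of 5 words
    hdr = struct.pack(IPV4_HEADER_FMT, ver_ihl, 0, 20, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    csum = struct.pack("!H", ipv4_checksum(hdr))
    return hdr[:10] + csum + hdr[12:]        # checksum sits at bytes 10-11


def parse_ipv4(packet: bytes) -> dict:
    """Parse an IPv4 header, rejecting truncated or corrupted ones."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack(IPV4_HEADER_FMT, packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        raise ValueError("bad IHL")
    if ipv4_checksum(packet[:ihl]) != 0:     # a valid header sums to zero
        raise ValueError("bad header checksum")
    return {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "proto": proto,
        "ttl": ttl,
        "total_len": total_len,
    }


def is_valid_ipv4(packet: bytes) -> bool:
    try:
        parse_ipv4(packet)
        return True
    except ValueError:
        return False


def deliver(packets, host_ip: str, promiscuous: bool = False) -> list:
    """Return the headers the host's network stack would receive.

    Normal mode keeps only packets whose destination is host_ip;
    promiscuous mode keeps every packet passing on the segment.
    """
    seen = []
    for pkt in packets:
        if not is_valid_ipv4(pkt):           # damaged packets are dropped
            continue
        hdr = parse_ipv4(pkt)
        if promiscuous or hdr["dst"] == host_ip:
            seen.append(hdr)
    return seen


# Constructed traffic on one segment: only the first packet is for .10
SAMPLE_PACKETS = [
    build_ipv4_header("192.0.2.20", "192.0.2.10"),
    build_ipv4_header("192.0.2.30", "192.0.2.20"),
    build_ipv4_header("192.0.2.10", "192.0.2.30"),
]

if __name__ == "__main__":
    for mode in (False, True):
        hdrs = deliver(SAMPLE_PACKETS, "192.0.2.10", promiscuous=mode)
        label = "promiscuous" if mode else "normal"
        print(f"{label}: {[h['src'] + '->' + h['dst'] for h in hdrs]}")
```

Run as a script it lists one packet for the normal card and all three for the promiscuous one, which is the whole difference the column is describing: the "swamped by data" problem is simply that the third list grows with every host on the segment.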
This data is also useful for other purposes - network engineers use
packet sniffers to diagnose network faults, for example, and we in
security use packet sniffers for our intrusion detection software. That
last one is a real case of turning the tables on the attackers: Hackers
use packet sniffers to check for confidential data; we use packet
sniffers to check for hacker activity. That has a certain elegant
simplicity to it.
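Turning the tables one step further: if a card on one of your own Linux machines has been put into promiscuous mode, the kernel says so. Each interface's flags are exposed as a hex number in /sys/class/net/<interface>/flags, and bit 0x100 is IFF_PROMISC (the value from the kernel's if.h). The script below is an added example, not from the column, that reads those files and reports any interface with the bit set; the sample listing it ships with is constructed so the logic can be checked without touching a live system.

```python
from pathlib import Path

# Added example: a host-level check for interfaces in promiscuous mode.
# IFF_PROMISC is the kernel's interface-flag bit; the sysfs path is the
# standard Linux location for per-interface flags.
IFF_PROMISC = 0x100


def parse_iface_flags(text: str) -> int:
    """Parse the hex flags value as written by sysfs, e.g. '0x1103\\n'."""
    return int(text.strip(), 16)


def is_promiscuous(flags: int) -> bool:
    return bool(flags & IFF_PROMISC)


def promiscuous_from_listing(listing: dict) -> list:
    """Pure logic: given interface name -> flags file text, return the
    names whose IFF_PROMISC bit is set (sorted for stable output)."""
    found = []
    for name, text in listing.items():
        try:
            flags = parse_iface_flags(text)
        except ValueError:
            continue                      # malformed entry, skip it
        if is_promiscuous(flags):
            found.append(name)
    return sorted(found)


def read_sysfs_listing(sysfs_root: str = "/sys/class/net") -> dict:
    """Collect the flags file text for every interface under sysfs."""
    root = Path(sysfs_root)
    listing = {}
    if not root.is_dir():
        return listing                    # not Linux, or no sysfs here
    for iface in root.iterdir():
        try:
            listing[iface.name] = (iface / "flags").read_text()
        except OSError:
            continue                      # virtual entries without flags
    return listing


def promiscuous_interfaces(sysfs_root: str = "/sys/class/net") -> list:
    return promiscuous_from_listing(read_sysfs_listing(sysfs_root))


# Constructed sample listing: eth0 is up/broadcast/multicast with PROMISC
# set (0x1103), eth1 the same without it (0x1003), lo is up/loopback (0x9),
# and bond0 is a deliberately malformed entry.
SAMPLE_LISTING = {
    "eth0": "0x1103\n",
    "eth1": "0x1003\n",
    "lo": "0x9\n",
    "bond0": "garbage\n",
}

if __name__ == "__main__":
    print("sample listing:", promiscuous_from_listing(SAMPLE_LISTING))
    print("this host:", promiscuous_interfaces())
```

Two caveats worth knowing. First, this is a check on the host you run it on; a sniffer sitting on another machine on the segment leaves no trace in your sysfs. Second, the sysfs file reflects the kernel's own device flags, which is why it catches a sniffer that entered promiscuous mode through a packet socket even where older ifconfig output does not; the kernel also writes a "device eth0 entered promiscuous mode" line to its log at the same moment, which is a second place to look.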
I've known of packet sniffers for years, and I've talked about the
dangers of attackers using packet sniffers in many a consulting
assignment, but like many consultants, I've never actually used one.
One of the reasons for that is simple fear - I'm not that technical at
the best of times, but networking is by far my weakest subject. So I've
avoided trying packet sniffers because I expected to get swamped by all
sorts of networking jargon and problems that would send me running to
our network support guys. I feel embarrassed enough that I can't get my
head around the concept of subnet masks, so I don't want to display my
greater ignorance if I can possibly avoid it.
The thing that worried me most about Sniffit was how easy it was to
install. It took about three commands and three minutes to get this
thing installed and running on my Linux machine.