When you connect to the internet, or any other network, what goes on behind the scenes is obscure — and it is meant to be. But if you want to dig deep and infiltrate the network world, you will see many interesting details, like chat conversations, browser requests, and email passwords, which often travel unencrypted.
This is done through protocol analysers — tools that show you real traffic with detailed filters applied so that you hit the target easily. With some basic networking knowledge, making use of protocol analysers is fairly easy. And even without that, some freely available analysers do a pretty decent job unmasking the protocol communication between your PC and the rest of the world.
This not only shows you what you cannot see otherwise, but at the same time increases your understanding of how protocols work and how different applications like mail clients and chat programs communicate with their servers. It also shows what commands they exchange and how low-level ICMP scanner requests haunt your PC as some remote PC tries to break in.
Before installing packet sniffers, get the latest version of WinPcap — one of the most widely used packet capture libraries under Windows. Many analysers require this to be installed first as they make use of its drivers.
Let’s get straight to the first protocol analyser: Smart Sniff, a 52KB free tool. Start Smart Sniff, go to File > Start Capture.
The Capture Options window is displayed, where you select Raw Sockets. Then select an adapter in the frame below. In case you are connected to the internet, select the adapter which shows your current IP (the second adapter in the case of Smart Sniff), since different analysers display different descriptive names for the same adapters. You will see your network card identified as Ethernet, but make sure that you do not select it unless you are on a LAN. For the internet, you should be selecting your modem’s name if no IP is displayed.
Once the adapter is selected, watch the packets appear one after another in the main interface as you continue to cruise through the internet in parallel windows. If you have a firewall installed, you will get an alert saying the sniffer application is requesting a connection to the internet. Check the settings and allow this.
As the list of packets increases, go to Options > Display Mode and select ASCII or Hex Dump to see what the packets are carrying. You can also limit the protocols and select a combination from TCP, UDP and ICMP from Options > Display > Protocols. Rule-based filtering is available through Options > Display Filter but is not very user friendly, since one has to manually enter include/exclude statements mentioning traffic direction, protocol and port. Nonetheless, the option can be useful to tap a particular segment of traffic, say, excluding all traffic but MSN Messenger’s.
Double-clicking a packet opens its information box. It basically divides the contents and shows protocol, local and remote address and ports (which helps you identify which application is connected to which remote machine), host names, service names and packet size, along with capture time.
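To see what a sniffer actually does between the capture driver and that information box, here is an added example (not code from the article or from Smart Sniff) that decodes a constructed Ethernet/IPv4/TCP frame into the same fields, applies a simple protocol-plus-port include rule, and renders the payload as a hex/ASCII dump; the addresses and HTTP request in it are made up for the demonstration.

```python
import struct
import socket

# Constructed sample frame (not a real capture): Ethernet II + IPv4 + TCP carrying an HTTP request.
def build_sample_frame() -> bytes:
    payload = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, 6, 0,
                     socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.7"))
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + ip + tcp + payload

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

def decode_frame(frame: bytes) -> dict:
    """Split an Ethernet II/IPv4 frame into the fields a sniffer's info box shows."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # header length in bytes (options included)
    total_len = struct.unpack("!H", ip[2:4])[0]   # IP packet size, what the sniffer reports
    proto = ip[9]
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    rec = {"protocol": PROTO_NAMES.get(proto, str(proto)), "src": src, "dst": dst, "size": total_len}
    l4 = ip[ihl:total_len]
    if proto in (6, 17):
        sport, dport = struct.unpack("!HH", l4[:4])
        off = (l4[12] >> 4) * 4 if proto == 6 else 8   # TCP data offset vs fixed 8-byte UDP header
        rec.update(sport=sport, dport=dport, payload=l4[off:])
    else:
        rec.update(sport=None, dport=None, payload=l4)   # e.g. ICMP: no ports, whole message is payload
    return rec

def matches(rec: dict, protocol: str, port: int) -> bool:
    """A minimal include rule: protocol name plus a port on either side of the connection."""
    return rec["protocol"] == protocol and port in (rec["sport"], rec["dport"])

def hex_dump(data: bytes, width: int = 16) -> str:
    """Hex + ASCII view, the same presentation a sniffer's Hex Dump mode gives."""
    lines = []
    for i in range(0, len(data), width):
        chunk = data[i:i + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3)
        asciipart = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{i:04x}  {hexpart} {asciipart}")
    return "\n".join(lines)
```

Running `hex_dump(decode_frame(build_sample_frame())["payload"])` prints the HTTP request in clear, which is exactly why plaintext protocols give away what they carry to anyone on the path.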
Options > Advanced Options brings up some UI tweaks, like how the Hex Dump is to be displayed, size limitations when showing packets, and protocol colouring. File > Export lets you export data as a TXT, HTML or raw DAT file. You can also save and load packet data using the File > Save/Load Packet Data menu. View > HTML Report gives a tabulated view of captured packets with properties at the top and contents below.
Some other sniffers like UltraNetSniffer (not free) provide application monitoring, so that you know what a particular EXE file is doing over the network, session information, a packet content search facility in HEX or ASCII, and drill the traffic down into many specific protocols apart from the basic ICMP, TCP and UDP. It also provides a range of filtering options and, above all, categorises each packet into header, body and compartment-wise details so that you do not have to remember byte positions.
There are analysers which analyse not only your PC but the whole LAN, like Ethereal, which is one of the favourites among network administrators, and specialised IM sneakers whose task is to capture chat conversations across the network. Another category is URL snoopers, which unmask the hidden URLs behind browser requests.
SnifMon, Awpta, TCPViewer, Sniphere (for Ethernet) are among the many sniffers available over the internet for free and otherwise. A word of caution — be ready for some PC hang-ups or restarts in case an analyser attempts some unruly instruction!