A sniffer is a device or program that can capture network packets. It is an eavesdropping tool: it sits quietly at the bottom of the network stack and records everything that passes, including users' secrets. Sniffers have a legitimate use in network traffic analysis, where they help identify potential problems on the network. For example, suppose the network has been performing poorly for some time and messages are being delivered slowly, but nobody knows what the problem is; a sniffer can then be used to pin the problem down precisely. Sniffers vary widely in function and design: some analyze only one protocol, while others can analyze hundreds. In general, most sniffers can analyze at least the following: standard Ethernet, TCP/IP, IPX, DECnet, FDDI, Token Ring, and microwave and wireless networks.
In practice, sniffers come in two kinds, software and hardware. The advantage of a software sniffer is that it is relatively cheap and easy to use; the drawback is that it often cannot capture every transmission on the network (fragments, for example), so it may not give a complete picture of the network's faults and operation. A hardware sniffer is usually called a protocol analyzer; it has exactly the advantages the software sniffer lacks, but it is expensive. The popular sniffer tools are mostly software.
FTP, POP and Telnet are inherently insecure because they transmit passwords and data in clear text, so a sniffer can easily intercept passwords and data on the network. Moreover, the authentication these services use is weak and vulnerable to the "intermediate server" (man-in-the-middle) attack. In an "intermediate server" attack, the intermediary poses as the real server to receive the data the user sends, and then poses as the user to forward that data to the real server. All data between the server and the user passes through the "intermediate server", where it can be tampered with, which is a very serious problem.
A sniffer differs from an ordinary keystroke-capture program. A keystroke logger captures the keys typed at a terminal; a sniffer captures the actual network packets. It does this by exposing the network interface to all traffic, for example by setting an Ethernet card to promiscuous mode. Data travels on the network in small units called frames. A frame has several parts, each with its own function. For example, the first 12 bytes hold the Ethernet source and destination addresses, which tell the network where the data came from and where it is going. The rest of the Ethernet frame carries the actual user data, the TCP/IP or IPX header, and so on. Frames are assembled by specific network software called a driver and then sent onto the wire through the network card. They travel over the cable to the destination machine, where the process runs in reverse: the receiving machine's Ethernet card captures the frames, tells the operating system that a frame has arrived, and stores it. Throughout this transmission and reception, every workstation on the LAN has a hardware address that uniquely identifies it on the network, much as Internet addresses do. When a user sends a message, it is delivered to every machine on the LAN. In general, every machine on the network can "hear" the traffic flowing past, but does not respond to messages that are not its own. In other words, workstation A does not capture data belonging to workstation B; it simply ignores it. If a workstation's network interface is in promiscuous mode, however, it can capture every packet and frame on the network. A workstation configured this way (together with its software) is a sniffer. This is also why sniffers are a security concern.
Sniffers in the Linux environment
Sniffers available for Linux include tcpdump, Nmap, linSniffer, LinuxSniffer, hunt, sniffit and the like. Here we introduce only the outstanding Linux sniffer, tcpdump.
Installing tcpdump under Linux is very simple; there are generally two installation methods: from an rpm package, or from source. Here we discuss installation from the rpm package, which is the easiest method. An rpm package is software that has already been compiled into binary form; it is installed directly with the rpm command, and nothing needs to be modified.
Log in as root and run the following command:
# rpm -ivh tcpdump-3_4a5.rpm
tcpdump is now installed on the Linux system.
tcpdump is a general-purpose network monitor: it captures packets and displays their contents. It can be used as a protocol analyzer between systems and network equipment, and is the best way to probe communication and/or connectivity problems. Most of the time, difficult network problems center on network configuration and hardware-related faults. However, users often face protocol-related issues and are forced to dig into the mechanics of a specific protocol to solve them. With tcpdump, packets are examined and their information displayed in long or short form (depending on the command-line options). tcpdump also has a very powerful filtering mechanism that can be used to find packets matching a specified string or rule.
tcpdump provides two main capture modes: non-promiscuous and promiscuous. In promiscuous mode, every packet transmitted on the network is captured, regardless of whether it is addressed to the system running tcpdump. This is, for example, the mode an RMON probe uses to monitor network traffic. A network probe listens to the traffic on the network and collects protocol information and statistics. Because LAN protocols such as Ethernet are broadcast-based, every frame transmitted can be picked up by any network interface connected to the LAN. Any device can read every transmitted frame, as long as it is configured to do so. When a device or interface reads every frame from the network, it is said to be in promiscuous mode. In practice, an interface must be explicitly configured to operate promiscuously, and this is done only on the special occasions when network diagnostics require it. For this reason, only root can enable promiscuous mode on an interface, which is the main reason tcpdump cannot be run by a non-root user. tcpdump provides a number of command-line options to select the capture mode, control the output, set filtering rules and specify other operating characteristics. These options are grouped by function into the following categories: operating mode, display options and packet filtering options.
Operating-mode options control how tcpdump captures network traffic and how it displays it. Each option means the following:
-c capture a specified number of packets;
-F use a file as the source of the filter expression;
-i use the specified network interface to capture packets;
-p do not put the interface into promiscuous mode;
-r read from a capture file instead of a network interface;
-w save the raw packets to a file.
1. tcpdump arp captures and displays all ARP packets, both requests and responses.
2. tcpdump host red and tcp captures and displays all TCP (Transmission Control Protocol) packets from (or to) the host red.
3. tcpdump host red1 and port 23 captures and displays all packets using port 23 that are sent to or from red1. This is used to examine Telnet traffic from another system to this one; port 23 is the service port on which all incoming Telnet packets arrive.
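Added example, not code from the original article: a small Python parser for the frame layout described earlier (12 address bytes, then the EtherType, then the IP and TCP headers) together with predicates that mimic the three tcpdump filter expressions above. Everything here is constructed: the frames are built by hand with zero checksums, and the addresses 10.0.0.5 and 10.0.0.6 stand in for the hosts red and red1, which tcpdump itself would resolve through DNS.

```python
"""Parse raw Ethernet frames and apply tcpdump-style filter predicates.

Added example; the frames and addresses below are constructed, not captured.
"""
import struct
from dataclasses import dataclass
from typing import Callable, List, Optional

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
IPPROTO_TCP = 6


@dataclass
class Frame:
    dst_mac: str
    src_mac: str
    ethertype: int
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    proto: Optional[int] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_frame(raw: bytes) -> Frame:
    """Decode the 14-byte Ethernet header, then IPv4/TCP if present."""
    # Bytes 0-5 destination MAC, 6-11 source MAC, 12-13 EtherType
    dst, src, etype = struct.unpack("!6s6sH", raw[:14])
    fr = Frame(mac_str(dst), mac_str(src), etype)
    if etype == ETHERTYPE_IPV4 and len(raw) >= 34:
        iph = raw[14:]
        ihl = (iph[0] & 0x0F) * 4            # IPv4 header length in bytes
        fr.proto = iph[9]
        fr.src_ip, fr.dst_ip = ip_str(iph[12:16]), ip_str(iph[16:20])
        if fr.proto == IPPROTO_TCP and len(iph) >= ihl + 4:
            fr.src_port, fr.dst_port = struct.unpack("!HH", iph[ihl:ihl + 4])
    return fr


Pred = Callable[[Frame], bool]


def arp() -> Pred:           # tcpdump "arp"
    return lambda fr: fr.ethertype == ETHERTYPE_ARP


def tcp() -> Pred:           # tcpdump "tcp"
    return lambda fr: fr.proto == IPPROTO_TCP


def host(addr: str) -> Pred:  # tcpdump "host X": either direction
    return lambda fr: addr in (fr.src_ip, fr.dst_ip)


def port(p: int) -> Pred:     # tcpdump "port N": either direction
    return lambda fr: p in (fr.src_port, fr.dst_port)


def both(*preds: Pred) -> Pred:  # tcpdump "and"
    return lambda fr: all(p(fr) for p in preds)


def apply_filter(frames: List[bytes], pred: Pred) -> List[int]:
    """Indices of the frames that the filter would have displayed."""
    return [i for i, raw in enumerate(frames) if pred(parse_frame(raw))]


# --- constructed sample traffic (checksums left zero; not real captures) ---
def mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def build_tcp(smac, dmac, sip, dip, sport, dport) -> bytes:
    eth = struct.pack("!6s6sH", mac_bytes(dmac), mac_bytes(smac), ETHERTYPE_IPV4)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, IPPROTO_TCP, 0,
                       ip_bytes(sip), ip_bytes(dip))
    tcph = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    return eth + ipv4 + tcph


def build_arp_request(smac, sip, tip) -> bytes:
    eth = struct.pack("!6s6sH", mac_bytes("ff:ff:ff:ff:ff:ff"), mac_bytes(smac), ETHERTYPE_ARP)
    body = struct.pack("!HHBBH6s4s6s4s", 1, ETHERTYPE_IPV4, 6, 4, 1,
                       mac_bytes(smac), ip_bytes(sip), b"\0" * 6, ip_bytes(tip))
    return eth + body


RED = "10.0.0.5"   # assumed address standing in for the host name "red"
RED1 = "10.0.0.6"  # assumed address standing in for "red1"

SAMPLE = [
    build_arp_request("02:00:00:00:00:05", RED, "10.0.0.1"),                             # 0: ARP who-has
    build_tcp("02:00:00:00:00:05", "02:00:00:00:00:09", RED, "10.0.0.9", 1025, 23),      # 1: red -> telnet
    build_tcp("02:00:00:00:00:07", "02:00:00:00:00:05", "10.0.0.7", RED, 40000, 80),     # 2: to red, port 80
    build_tcp("02:00:00:00:00:07", "02:00:00:00:00:06", "10.0.0.7", RED1, 5000, 23),     # 3: to red1, telnet
]


def demo() -> dict:
    """The article's three filter expressions run over the sample frames."""
    return {
        "arp": apply_filter(SAMPLE, arp()),
        "host red and tcp": apply_filter(SAMPLE, both(host(RED), tcp())),
        "host red1 and port 23": apply_filter(SAMPLE, both(host(RED1), port(23))),
    }


if __name__ == "__main__":
    for expr, hits in demo().items():
        print(f"tcpdump {expr!r}: frames {hits}")
```

Note that `host` and `port` match either direction, which is exactly why the third expression shows packets both to and from red1; to restrict to one direction tcpdump offers `src host` and `dst port`, which the predicates above could be split to mirror.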
A sniffer can help network administrators discover network vulnerabilities and measure network performance. But a sniffer is a double-edged sword: it can also do a great deal of harm.
The harm a sniffer can cause includes:
1. capturing passwords;
2. capturing private or confidential information;
3. being used to endanger the security of neighbouring networks, or to obtain a higher level of access;
4. analysing the network structure in preparation for network penetration.
Sniffer attacks are very common, especially on the Internet. A well-placed sniffer can capture thousands of passwords. In 1994 the largest sniffer attack to date was discovered. It is widely regarded as the worst on record: many hosts reachable by FTP, Telnet or remote login were compromised. In this incident (the attacker was at Rahul.net) the sniffer ran for only 18 hours, during which hundreds of hosts were compromised. The attack affected 268 sites, including machines at MIT, the Navy and Air Force, Sun Microsystems, IBM, NASA and CERFNet, and universities in Canada, Israel, the Netherlands and Belgium.
A sniffer can capture every packet on the network, but in practice an attacker must be selective. A sniffer attack is not as easy as it sounds; it requires the attacker to have some knowledge of networking. Simply setting up a sniffer and placing it anywhere at all achieves nothing, because even a network of only five stations carries many thousands of packets in an hour. In a very short time, the capture file in which the sniffer stores packets would therefore fill the entire hard disk (if every packet were recorded).
To solve this problem neatly, the attacker sniffs only the first 200-300 bytes of each packet. User names and passwords are contained in this portion, which is the only part any attacker really cares about. Of course, if you have enough storage space and enough capacity to process it, you can sniff all the packets on a given interface, and you will find some very frightening things.
Defending against sniffer attacks
Two kinds of method can be effective against sniffer attacks:
1. detecting and eliminating the sniffer;
2. hiding the data so that the sniffer cannot find it.
On the first method: to detect and eliminate a sniffer, a tool that detects network cards in promiscuous mode can be used.
Since a sniffer needs the network card of the compromised host to be in promiscuous mode in order to work, a tool that detects promiscuous-mode network cards is effective; AntiSniff is a good one. The software can be downloaded from http://www.securitysoftwatech.com/antisniff. But sniffers are very hard to detect because they are passive programs, and an experienced hacker can easily hide by destroying the log files, leaving no trail for others to verify.
On the second method: hiding the data so that the sniffer finds nothing of interest.
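Added example, not the AntiSniff tool mentioned above: two host-side checks for the promiscuous flag on a Linux machine, written in Python. The first reads the IFF_PROMISC bit (0x100 in linux/if.h) from /sys/class/net/<iface>/flags; the second replays kernel log lines of the form "device eth0 entered promiscuous mode". The sample log lines are constructed, and handling the newer "eth0: entered promiscuous mode" wording alongside the classic one is an assumption about kernel versions. Because an intruder who has destroyed the logs (as the paragraph warns) defeats the log check, the sysfs check is the more trustworthy of the two.

```python
"""Local checks for network interfaces in promiscuous mode (Linux).

Added example, not the article's AntiSniff tool. Two host-side signals:
  1. the IFF_PROMISC bit (0x100, linux/if.h) in /sys/class/net/<iface>/flags
  2. the kernel log line written when the flag changes ("entered"/"left")
"""
import os
import re
from typing import Dict, List

IFF_PROMISC = 0x100  # bit set in the interface flags while promiscuous


def promisc_from_flags(flags_text: str) -> bool:
    """flags_text is the content of /sys/class/net/<iface>/flags, e.g. '0x1103'."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def scan_sysfs(root: str = "/sys/class/net") -> Dict[str, bool]:
    """Map each interface name to True if its IFF_PROMISC bit is set."""
    result: Dict[str, bool] = {}
    if not os.path.isdir(root):           # not Linux, or sysfs unavailable
        return result
    for iface in sorted(os.listdir(root)):
        try:
            with open(os.path.join(root, iface, "flags")) as fh:
                result[iface] = promisc_from_flags(fh.read())
        except OSError:
            continue                      # interface without a readable flags file
    return result


# Matches both the classic "device eth0 entered promiscuous mode" and the
# newer "eth0: entered promiscuous mode" kernel wording (assumption: other
# kernels may phrase it differently).
PROMISC_RE = re.compile(r"(?:device )?([\w.-]+):? (entered|left) promiscuous mode")


def promisc_transitions(log_lines: List[str]) -> Dict[str, str]:
    """Replay kernel log lines in order; return each interface's last state."""
    state: Dict[str, str] = {}
    for line in log_lines:
        m = PROMISC_RE.search(line)
        if m:
            state[m.group(1)] = m.group(2)
    return state


def currently_promiscuous(log_lines: List[str]) -> List[str]:
    """Interfaces whose last logged transition was 'entered'."""
    return sorted(i for i, s in promisc_transitions(log_lines).items() if s == "entered")


# Constructed dmesg-style sample lines, not from a real host.
SAMPLE_DMESG = [
    "[   12.345678] e1000 0000:00:03.0 eth0: NIC Link is Up 1000 Mbps",
    "[ 1820.001122] device eth0 entered promiscuous mode",
    "[ 1821.500000] device eth1 entered promiscuous mode",
    "[ 1901.778899] device eth1 left promiscuous mode",
    "[ 2200.000000] eth2: entered promiscuous mode",
]

if __name__ == "__main__":
    print("sysfs:", scan_sysfs())
    print("log:  ", currently_promiscuous(SAMPLE_DMESG))
```

Run on a live host, `scan_sysfs()` needs no privileges, so it can be scheduled from a monitoring job and any interface reporting True that is not a known sensor or tcpdump session deserves investigation.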
There are two general methods of defense:
1. a secure topology;
2. session encryption.
A sniffer can capture only the data on its own network segment. This means that the more finely the network is segmented, the less information a sniffer can collect. But unless your company is an ISP, or has relatively unlimited resources, such a solution is costly: network segmentation requires expensive hardware. There are three kinds of network device a sniffer cannot cross: switches, routers and bridges.
These devices can be used flexibly to segment the network. Readers might use 20 stations per group, which is a reasonable figure, and then check each segment by hand every month (you can also use MD5 checks on a randomly chosen segment each month). Network segmentation is suitable only for small networks. If a network has 500 stations spread across more than 50 departments, full segmentation is unaffordable. Even in an organization whose budget allows for security, it is hard to convince management that 50 pieces of hardware are needed solely to prevent sniffer attacks. In that case session encryption is a good choice. Session encryption offers an alternative: rather than worrying about data being sniffed, find a way to make sure the sniffer cannot understand the data it sniffs. The advantage of this approach is obvious: even if an attacker sniffs the data, it is of no use to him. Its shortcomings are equally obvious, however. Encryption has two main problems: a technical one and a human one.
The technical question is whether the encryption is actually strong enough, or merely assumed to be. For example, 40-bit encryption may be insufficient, and not all applications integrate encryption support. Moreover, cross-platform encryption schemes are still relatively rare, usually found only in special applications. In addition, some users may resist using encryption because they find it too much trouble; they may agree to use it at first but seldom persist. In short, we must find a happy medium that is also reasonably user-friendly. The Secure Shell (SSH) has these characteristics. With SSH, all transmitted data can be encrypted, so the "intermediate server" attack cannot succeed, and DNS and IP spoofing can be prevented. An additional benefit is that transmitted data is compressed, which can speed up transmission. SSH has many functions: it can replace Telnet, and it can also provide a secure "channel" for FTP, POP and even PPP. SSH listens on port 22; the connection is negotiated using RSA encryption, and once authentication completes all subsequent traffic is encrypted with IDEA. The SSH (Secure Shell) program lets you log in to a remote host over the network and execute commands. The SSH encrypted tunnel protects only the transmission in between, so that ordinary sniffer software cannot obtain the content sent. It provides strong authentication and secure communication over an insecure network, and so is one way to guard against sniffers.
Using SSH
1. Download the package from www.ssh.com; get the latest SSH2 package. It is best to download the source package and compile it yourself.
2. Extract and install:
# tar -zxvf ssh2-2.4.0.tar.gz
# cd ssh2-2.4.0
The installation is then complete. This process actually installs the server and client packages together, so there is no need to install a client package separately.
Pre-compiled binary packages in rpm format are stored in the ftp://ftp.ssh.com/pub/ssh/rpm directory. The package for non-commercial users is named ssh-2.4.0-1.i386.rpm and includes X Window support; the package without X Window support is ssh-2.4.0-1nox.i386.rpm. Either can be installed directly after downloading. The SSH2 package installs into /usr/local/bin and /usr/local/sbin.
SSH's configuration files are in /etc/ssh2, including the sshd2 host public and private keys, hostkey and hostkey.pub. These two files are usually generated automatically when SSH is installed. You can regenerate them with the following commands:
# rm /etc/ssh2/hostkey*
# ssh-keygen2 -P /etc/ssh2/hostkey
The ssh2_config file generally does not need to be modified.
In a Unix/Linux environment the server program is placed in the /usr/local/sbin directory. Start it, then check that it is running:
# /usr/local/sbin/sshd
# ps x
You will see that sshd has started. If you do not want to start sshd by hand every time the system restarts, you can write your own script and place it in the init.d directory so that the sshd service starts automatically at boot, or simply add /usr/local/sbin/sshd to rc.local.
The client on a Unix/Linux system is ssh, stored in the /usr/local/bin directory together with ssh2, scp and the other client tools. Log in to the remote host with SSH as follows (substitute the name of your remote host):
# ssh2 remote_host
It is used like Telnet, except that the user is asked to enter a passphrase. If the passphrase passes authentication, the login succeeds; if not, the user is asked for the system password, and once password authentication succeeds the user is logged in. From the user's point of view it is no different from Telnet. And with the SSH client software you no longer need to open an FTP window and authenticate again to upload a file, as before: with scp, the tool that comes with the SSH client, you can upload files directly to the remote server. Usage is as follows:
# scp host1:dir/filename host2:/home/abc/filename
Sniffer technology is widely used in network maintenance and management. It works like passive sonar, quietly receiving all kinds of information from the network. By analyzing this data, network administrators can understand the current health of the network and identify its vulnerabilities. We do not want to deny the benefits of sniffers. Today, when network security receives ever more attention, we should not only use sniffers correctly but also take reasonable steps to prevent the harm they can do. Sniffers pose a significant security hazard mainly because they are not easily detected. By learning to use sniffers, and learning how hackers use them to attack, you can learn to resist sniffer attacks. We must recognize that the best defenses against sniffers are a secure topology and session encryption.