Packet Sniffing
Most computer networks consist of many personal computers or workstations
connected via a shared local area network (LAN and WLAN) segments.
Sharing, of course, means that computers
can receive information that was intended for other machines.
Capturing the information traversing the network is termed sniffing.
The most popular LAN topology,
Ethernet, works by transmitting addressed packets via a shared cable.
The Ethernet network interface card (NIC) in each computer on the segment
sees all packets, but only on seeing one carrying the NIC's own unique
48-bit address will the NIC copy the entire packet to the operating system
software for analysis and eventual delivery to application programs.
There are two main problems with Ethernet's approach:
- most Ethernet NICs can be placed in promiscuous mode,
  which results in all observed packets being sent to the operating system:

      root> ifconfig eth0 promisc
      root> ifconfig eth0
      eth0      Link encap:Ethernet  HWaddr 00:90:27:62:58:84
                inet addr:130.95.1.8  Bcast:130.95.1.255  Mask:255.255.0.0
                UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
      .....

  Many rootkits will replace the ifconfig program
  (an abbreviation for interface configuration)
  to avoid this simple detection of interfaces in promiscuous mode.

- and most Ethernet NICs permit their MAC address to be modified
  programmatically,
  so one Ethernet NIC could (accidentally or deliberately) be given the
  MAC address of another.
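One way to perform the promiscuous-mode check above without trusting the ifconfig binary, added here as an example (not code from the lecture): it reads each interface's flags straight from sysfs and decodes the IFF_PROMISC bit. It assumes Linux, where /sys/class/net/<iface>/flags exposes the flags in hex and IFF_PROMISC is 0x100 (from <linux/if.h>); neither detail is on the slide.

```sh
#!/bin/sh
# Added example: detect promiscuous interfaces from the kernel's own view
# (sysfs) instead of running ifconfig, whose binary a rootkit may replace.
# Assumes Linux; /sys/class/net/<iface>/flags holds the interface flags as
# a hex value and IFF_PROMISC is bit 0x100 (as defined in <linux/if.h>).

IFF_PROMISC=0x100

# is_promisc_flags FLAGS
#   exit 0 if the PROMISC bit is set in FLAGS (hex, e.g. 0x1103),
#   1 if it is not, 2 if FLAGS is not a hex/decimal number
is_promisc_flags() {
    case "$1" in
        ""|*[!0-9a-fA-Fx]*) return 2 ;;
    esac
    [ $(( $1 & $IFF_PROMISC )) -ne 0 ]
}

# flags_state FLAGS -> prints "PROMISC" or "normal"
flags_state() {
    if is_promisc_flags "$1"; then echo PROMISC; else echo normal; fi
}

# check_iface IFACE -> prints "IFACE PROMISC" or "IFACE normal",
#   reading the live flags from sysfs
check_iface() {
    f="/sys/class/net/$1/flags"
    if [ ! -r "$f" ]; then
        echo "$1: no readable sysfs entry" >&2
        return 2
    fi
    echo "$1 $(flags_state "$(cat "$f")")"
}

# scan_all -> one line per interface the kernel reports
scan_all() {
    for d in /sys/class/net/*; do
        [ -e "$d" ] || continue        # no interfaces, or not Linux
        check_iface "${d##*/}"
    done
}

scan_all
```

A rootkit resident in the kernel can still falsify what sysfs reports; this only removes the dependency on a replaceable user-space program.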
CITS3002 Computer Networks, Lecture 11, Security of TCP/IP, p3, 15th May 2024.