Just moozing


Packet sniffing


We are currently devising the questions for the oral exam for this semester. One of them is about packet sniffing. I find it appropriate that I at least try to formulate an answer that I like myself.

Packet sniffing of network traffic

  • Explain what packet sniffing is and what it can be used for
  • Explain the difference in sniffing on hubbed, switched and wireless networks
  • Explain the information that is shown in Wireshark and give example of how filtering works

Personally, I find packet sniffing to be a really useful tool to understand what is happening “on the wire” and the data that different applications send and receive. It is very useful for checking who sends what when developing a client/server application.

Basically, sniffing is about collecting frames from the wire or the air. These frames contain data and, depending on why one is collecting them, the frames must be put in an ordered context or glued together following a TCP stream. The first is relevant to show how ARP requests are performed before sending data through a gateway. The second is relevant for checking the actual data sent and received in HTTP connections.

OSI model (from wikipedia.org)

The generic 7 layer OSI model

In order to describe the difference in sniffing on hubbed and switched networks, we must first introduce the OSI model, especially the physical and the data link layer (i.e. layers 1 and 2). Briefly described, the OSI model is a generic model that may be used to describe any networked system.

The top layers are about networked applications. The transport layer is about multiplexing and demultiplexing data to and from the host. The network layer handles logical addressing (this is needed to connect different subnets). The lowest two layers are about electrical (or other) signals and the hardware address of a device.

On an IEEE 802.3 (Ethernet) based network a hub is a multiport device that regenerates the signal and repeats it on all ports. It has no processing capability or other logic to determine where to send the received frames. A switch is, like a hub, a device to connect multiple computers. It has an internal table of MAC addresses that it uses to determine which port a received frame should be sent to. Switches only send frames to one recipient.

From a sniffing point of view, hubs are better. It is very easy to connect a cable to a hub, and the hub will send you every single frame it receives. Switches only send the frames destined for you. They have a self-learning algorithm, but that is beyond the topic at hand.

Hubs are hard to get these days, since switches are very cheap, more secure and make better use of bandwidth. Switches are the new technology, and only people (like me) that are interested in sniffing frames like hubs.
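To make the hub/switch difference concrete from the sniffer's point of view, here is a toy model of the two devices described above. This is an added example, not code from the post: a hub repeats every frame on all other ports, while a switch forwards to the one port recorded in its MAC table. The learning step (note the source MAC on the ingress port, flood when the destination is still unknown or is broadcast) is standard switch behaviour that the post leaves out; it is included so the table can fill itself. Port numbers, MAC addresses and the traffic are all constructed.

```python
"""Hub versus switch forwarding, seen from a sniffer port (added example).

Models: a hub repeats every frame on all other ports; a switch keeps a
MAC -> port table, learns from source addresses, floods unknown/broadcast
destinations, and otherwise forwards to a single port.  All addresses,
ports and frames below are constructed for the example.
"""

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Hub:
    def __init__(self, ports):
        self.ports = set(ports)

    def forward(self, ingress, frame):
        # Regenerate the signal on every port except the one it arrived on
        return self.ports - {ingress}


class Switch:
    def __init__(self, ports):
        self.ports = set(ports)
        self.mac_table = {}          # MAC -> port, filled by observing source addresses

    def forward(self, ingress, frame):
        self.mac_table[frame["src"]] = ingress          # learn where the sender lives
        egress = self.mac_table.get(frame["dst"])
        if egress is None or frame["dst"] == BROADCAST:
            return self.ports - {ingress}                # unknown or broadcast: flood like a hub
        return {egress}                                  # known: one recipient only


def frames_seen_by(device, sniffer_port, traffic):
    """Replay (ingress_port, frame) pairs; return the payloads the sniffer port receives."""
    seen = []
    for ingress, frame in traffic:
        if sniffer_port in device.forward(ingress, frame):
            seen.append(frame["payload"])
    return seen


# Constructed traffic: host A on port 1 talks to host B on port 2; the sniffer is on port 3.
A, B = "02:00:00:00:00:0a", "02:00:00:00:00:0b"
TRAFFIC = [
    (1, {"src": A, "dst": B, "payload": "A->B #1"}),   # B unknown to the switch yet: flooded
    (2, {"src": B, "dst": A, "payload": "B->A #1"}),   # A already learned: unicast to port 1
    (1, {"src": A, "dst": B, "payload": "A->B #2"}),   # both learned: unicast to port 2
]


def compare():
    """Same traffic through both devices; returns what the sniffer on port 3 got."""
    return {
        "hub": frames_seen_by(Hub([1, 2, 3]), 3, TRAFFIC),
        "switch": frames_seen_by(Switch([1, 2, 3]), 3, TRAFFIC),
    }


if __name__ == "__main__":
    for device, payloads in compare().items():
        print(f"{device}: sniffer on port 3 saw {payloads}")
```

Running it shows the sniffer on the hub receiving all three frames, while on the switch it only receives the first one, flooded before the switch had learned where B was. That is the whole reason a hub is convenient for sniffing and a switch is considered the more secure choice.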

Wireless networks are different. Unencrypted networks are sniffable as per hubs, and when you have the password, encrypted wireless networks are the same. I usually compare wireless networks with shouting in a room. You just don’t handle secrets like that. Encryption helps.

When sniffing wireless traffic on an encrypted network, you have two options. You may collect a lot of encrypted packets for later processing, or, if you have the passphrase, listen in on the traffic between the AP and the different WiFi devices. Programs like Wireshark support saving data in pcap files. They are standardized and there are many libraries and programs that use pcap files (like the ones that find wireless passwords from encrypted frames).

Some images and code snippets are made available at the examination. For this specific question, this Wireshark screen dump is available.

The first, most obvious detail is the pattern in the packets. It is sets of “echo request” and “echo reply” as seen in packets 6/7, 10/11 and 16/17. This corresponds to a ping command, and that the host is google.com is seen in the DNS packets 4 and 5. The fact that there are DNS lookups after each reply indicates that this is a Linux PC. Windows 7 does not resend DNS queries to check for server aliases.

The above comments relate to the application layer. Moving to the transport layer, we know that DNS queries use UDP on port 53, but that is not visible since the selected packet is an ICMP packet. ICMP (Internet Control Message Protocol) is part of the IP suite and does not, in contrast to TCP and UDP, handle transport between applications. This places ICMP on the network layer.

Moving to the network layer, we see that the host has the IP address 192.168.1.171 and that the DNS server has the address 192.168.1.1. This is seen in packets 4 and 5, where the source IP is the IP of the host issuing the ping command (presumably the same host as the sniffing host). As seen in the first DNS reply (packet 5), google.com has multiple IP addresses, and the ping command has chosen to use the first address.

The selected packet (packet 6) shows information related to the data link layer. As all packets have source and destination hardware addresses, we may deduce the MAC addresses of the host and the gateway. The destination MAC address (00:1b:fc:45:2b:e7) is the MAC address of the gateway, not the MAC address of google.com. Wireshark also informs us that the gateway has an Asus network interface. The source MAC address is the one associated with 192.168.1.171.

On a side note, the system must have accessed the gateway earlier, since no ARP requests are seen. This is necessary to get the MAC address of a local machine, when only the IP address is known. Hosts often ask for the MAC address of the default gateway.

One last thing to note is that STP packets have been filtered out. Since 26 of 32 packets are shown, we may conclude that 6 STP packets are not shown. Wireshark may filter on almost any data it shows. Simple uses are to filter on “DNS”, “HTTP”, “ARP” or other protocols, to get a quick overview.

Other possibilities are to filter on IP addresses using “ip.src == 192.168.1.1” to get all data sent from 192.168.1.1. Filtering on IP addresses is relevant when sniffing on hubbed networks, WiFi (in promiscuous mode) or when broadcast traffic clouds the interesting information.
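The pcap files mentioned earlier, the per-layer reading of the screen dump (Ethernet addresses, IP addresses, ICMP versus UDP/DNS) and the display filters just described all come together in the following added example. It is not code from the post or from Wireshark: a standard-library-only reader for the classic libpcap file format that decodes the Ethernet, IPv4, ICMP and UDP headers and then applies a filter in the same style as “ip.src == 192.168.1.1”. The capture it reads is constructed inline to mirror the post's ping to google.com: the host IP 192.168.1.171, the DNS server 192.168.1.1 and the gateway MAC 00:1b:fc:45:2b:e7 are the values quoted above, while the host MAC and the 203.0.113.10 address standing in for google.com are placeholders. Checksums are left zero and not verified.

```python
"""Minimal pcap reader plus a Wireshark-style display filter (added example).

Parses the classic libpcap format with the standard library only, decodes
Ethernet / IPv4 / ICMP / UDP headers, and filters on a protocol name or a
"field == value" comparison.  All frames are constructed; only the host IP,
DNS server IP and gateway MAC come from the post, the rest are placeholders.
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4          # little-endian libpcap magic, microsecond timestamps
ETH_IPV4, ETH_ARP = 0x0800, 0x0806


def mac_bytes(text):
    return bytes(int(x, 16) for x in text.split(":"))


def fmt_mac(raw):
    return ":".join("%02x" % b for b in raw)


def ip_bytes(text):
    return bytes(int(x) for x in text.split("."))


def fmt_ip(raw):
    return ".".join(str(b) for b in raw)


# --- building a capture so the example runs offline ---------------------------

def build_ipv4_frame(src_mac, dst_mac, src_ip, dst_ip, proto, payload):
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_IPV4)
    # version/IHL, TOS, total length, id, flags/fragment, TTL, protocol,
    # header checksum (left 0; the reader does not verify it), src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64,
                     proto, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    return eth + ip + payload


def icmp_echo(kind):
    # kind 8 = echo request, 0 = echo reply; checksum 0, identifier 0x1234, sequence 1
    return struct.pack("!BBHHH", kind, 0, 0, 0x1234, 1) + b"ping"


def udp_datagram(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def write_pcap(frames):
    # global header: magic, major 2, minor 4, tz 0, sigfigs 0, snaplen, linktype 1 = Ethernet
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        # record header: ts_sec, ts_usec, captured length, original length (constructed timestamps)
        out += struct.pack("<IIII", 1276498800 + i, 0, len(frame), len(frame)) + frame
    return out


# --- reading a capture --------------------------------------------------------

def decode_frame(frame, number):
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    pkt = {"no": number, "eth.dst": fmt_mac(dst), "eth.src": fmt_mac(src), "layers": ["eth"]}
    if ethertype == ETH_ARP:
        pkt["layers"].append("arp")
    elif ethertype == ETH_IPV4:
        ihl = (frame[14] & 0x0F) * 4                         # IPv4 header length in bytes
        proto, src_ip, dst_ip = struct.unpack("!B2x4s4s", frame[23:34])
        pkt.update({"ip.src": fmt_ip(src_ip), "ip.dst": fmt_ip(dst_ip)})
        pkt["layers"].append("ip")
        body = frame[14 + ihl:]
        if proto == 1:                                        # ICMP rides directly on IP
            pkt["layers"].append("icmp")
            pkt["icmp.type"] = body[0]
        elif proto == 17:                                     # UDP; port 53 marks DNS
            sport, dport = struct.unpack("!HH", body[:4])
            pkt.update({"udp.srcport": sport, "udp.dstport": dport})
            pkt["layers"].append("udp")
            if 53 in (sport, dport):
                pkt["layers"].append("dns")
    return pkt


def read_pcap(blob):
    if struct.unpack("<I", blob[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian libpcap file")
    pos, packets = 24, []
    while pos + 16 <= len(blob):
        _sec, _usec, incl_len, _orig_len = struct.unpack("<IIII", blob[pos:pos + 16])
        pos += 16
        packets.append(decode_frame(blob[pos:pos + incl_len], len(packets) + 1))
        pos += incl_len
    return packets


def display_filter(packets, expression):
    """A bare protocol name ("dns", "icmp", "udp") or a "field == value" comparison."""
    expr = expression.strip()
    if "==" not in expr:
        return [p for p in packets if expr.lower() in p["layers"]]
    field, value = (s.strip() for s in expr.split("==", 1))
    return [p for p in packets if str(p.get(field)) == value]


# --- constructed sample capture: DNS lookup, then one echo request/reply ------

HOST_MAC, GW_MAC = "08:00:27:aa:bb:cc", "00:1b:fc:45:2b:e7"      # host MAC is a placeholder
HOST_IP, DNS_IP, TARGET_IP = "192.168.1.171", "192.168.1.1", "203.0.113.10"

SAMPLE_PCAP = write_pcap([
    build_ipv4_frame(HOST_MAC, GW_MAC, HOST_IP, DNS_IP, 17, udp_datagram(40000, 53, b"google.com?")),
    build_ipv4_frame(GW_MAC, HOST_MAC, DNS_IP, HOST_IP, 17, udp_datagram(53, 40000, b"answer")),
    build_ipv4_frame(HOST_MAC, GW_MAC, HOST_IP, TARGET_IP, 1, icmp_echo(8)),
    build_ipv4_frame(GW_MAC, HOST_MAC, TARGET_IP, HOST_IP, 1, icmp_echo(0)),
])

if __name__ == "__main__":
    packets = read_pcap(SAMPLE_PCAP)
    for p in packets:
        print(p["no"], "/".join(p["layers"]), p.get("ip.src"), "->", p.get("ip.dst"), "via", p["eth.dst"])
    print("ip.src == 192.168.1.1:", [p["no"] for p in display_filter(packets, "ip.src == 192.168.1.1")])
```

Note how the echo request to 203.0.113.10 still carries the gateway's MAC as its Ethernet destination: the hardware address belongs to the next hop on the local segment, which is exactly the observation made about packet 6 above. The filter works on the decoded fields, so `dns` matches only the port-53 datagrams, `udp` matches the same two packets one layer down, and `ip.src == 192.168.1.1` selects the single frame sent by the DNS server.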

We have an utter lack of references in the above text…


Written by moozing

June 14, 2010 at 09:00

Posted in Tech

