Sniffing network traffic
- [Instructor] Sniffing the network, or packet analysis, is a valuable skill for the ethical hacker, and should be part of every network administrator's skill set. Instead of scanning an individual system, we now look at traffic that is flowing across the network. Devices such as intrusion detection and intrusion prevention systems monitor the network for threats and allowable protocols. However, network administrators should spend a few minutes every day and monitor the traffic. This will give us a great deal of information on the status of the network. Sniffing traffic can gather network statistics, monitor protocol use (for example, are there any protocols that should not be on your network, such as BitTorrent or unauthorized instant messaging?), and detect network misuse. Packet analysis can run in real time, or you can capture traffic for later analysis, such as baselining traffic at various points in the network. Although there are many packet analysis tools available, the tool I prefer is Wireshark, an open-source tool with a rich graphical user interface and many built-in features. For this demonstration, I'll use the latest version of Wireshark. Head out to wireshark.org and then scroll down and select the appropriate version for your system. Go to download. And here we can see all the choices. As you can see, you can install Wireshark on a variety of platforms. When you install Wireshark for the first time on a Windows machine, you'll be prompted to install a capture engine that allows you to capture traffic as it passes through your network interface card. If you're using a recent version of Windows, you'll most likely be prompted to install Npcap. Wireshark documentation suggests using Npcap if you're using Windows 10. Now, Npcap comes from the Nmap project and is a packet sniffing library for Windows that has improved features for enhanced ability to capture traffic.
Npcap provides enhanced security in that Npcap can be set to restrict access to administrators only. Npcap also has the ability to capture raw 802.11 packets, and this is easily achieved by selecting the various options during the installation of Npcap. The phases of packet analysis are gather, decode, display, and analyze. Now, after you choose an interface to listen on and place it in promiscuous mode, the interface scoops up network traffic. Keep in mind that traffic enters the network interface card in binary form, one frame at a time. Packet analysis software converts the bits into readable form for analysis. Now we'll take a look at the heart of this. And this is where the decoding takes place. Wireshark was Ethereal before 2006, but the main core is still the same. In this illustration we see the Ethereal packet analyzer, or EPAN. This is the packet analyzing engine for Wireshark. For display in Wireshark, and many other packet analysis tools, there are many options to enhance your graphical experience. For analysis, we can do analysis in real time, or use a pre-captured file. When we look at it, we're asking ourselves, is this normal traffic? Do we see any unusual TCP flags or excessive duplicate acknowledgements? Examine for malware signatures, or traffic in clear text, or router advertisements. In general, we have a lot to cover, but we can see how sniffing and analyzing traffic on a network will reveal a great deal of information for the ethical hacker.
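The four phases the instructor names (gather, decode, display, analyze) can be made concrete in a few dozen lines. The following is an added example, not code from the course or from the Wireshark project: a standard-library Python decoder for Ethernet II / IPv4 / TCP frames, a one-line "packet list" display, and a handful of "is this normal?" heuristics matching the questions above (unusual TCP flag combinations, bursts of duplicate ACKs, and payload sent to clear-text protocol ports). The frames, addresses, ports and the `CLEARTEXT_PORTS` table are all constructed for the example, so it runs offline with no capture interface.

```python
"""Gather / decode / display / analyze on constructed frames (added example, not course code)."""
import struct
from collections import Counter

TCP_FLAG_NAMES = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH",
                  0x10: "ACK", 0x20: "URG", 0x40: "ECE", 0x80: "CWR"}
# Assumed list of ports whose protocols carry data (often credentials) in clear text.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 110: "pop3"}


def build_frame(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b""):
    """Construct an Ethernet/IPv4/TCP frame for the sample capture (checksums left zero)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    eth = bytes.fromhex("020000000002") + bytes.fromhex("020000000001") + b"\x08\x00"  # constructed MACs
    return eth + ip + tcp


def decode_frame(frame: bytes) -> dict:
    """Decode phase: turn raw frame bytes into named fields, one layer at a time."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    pkt = {"eth_src": src.hex(":"), "eth_dst": dst.hex(":"), "ethertype": ethertype}
    if ethertype != 0x0800:               # only IPv4 is decoded here
        pkt["proto"] = "non-ipv4"
        return pkt
    ip = frame[14:]
    ver_ihl, _tos, _len, _id, _frag, ttl, proto, _csum, s, d = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    pkt.update({"ip_src": ".".join(map(str, s)), "ip_dst": ".".join(map(str, d)), "ttl": ttl})
    if proto != 6:                        # only TCP is decoded here
        pkt["proto"] = "non-tcp"
        return pkt
    tcp = ip[(ver_ihl & 0x0F) * 4:]
    sport, dport, seq, ack, off_flags, _win, _tcsum, _urg = struct.unpack("!HHIIHHHH", tcp[:20])
    pkt.update({"proto": "tcp", "sport": sport, "dport": dport, "seq": seq, "ack": ack,
                "flags": [n for bit, n in TCP_FLAG_NAMES.items() if off_flags & bit],
                "payload": tcp[(off_flags >> 12) * 4:]})
    return pkt


def summary_line(p: dict) -> str:
    """Display phase: one packet-list style line, like a GUI sniffer's summary pane."""
    if p.get("proto") != "tcp":
        return f"{p['eth_src']} -> {p['eth_dst']} ethertype=0x{p['ethertype']:04x} {p['proto']}"
    return (f"{p['ip_src']}:{p['sport']} -> {p['ip_dst']}:{p['dport']} "
            f"[{','.join(p['flags']) or 'NULL'}] seq={p['seq']} ack={p['ack']} len={len(p['payload'])}")


def analyze(packets: list) -> list:
    """Analyze phase: flag unusual flag combinations, duplicate-ACK bursts and clear-text data."""
    findings, acks = [], Counter()
    for p in packets:
        if p.get("proto") != "tcp":
            continue
        fl = set(p["flags"])
        flow = f"{p['ip_src']}:{p['sport']} -> {p['ip_dst']}:{p['dport']}"
        if {"SYN", "FIN"} <= fl or not fl or {"FIN", "PSH", "URG"} <= fl:
            findings.append(f"unusual TCP flags {sorted(fl) or 'NULL'} on {flow}")
        if fl == {"ACK"} and not p["payload"]:      # pure ACK: candidate for duplicate counting
            acks[(flow, p["ack"])] += 1
        if p["dport"] in CLEARTEXT_PORTS and p["payload"]:
            findings.append(f"clear-text {CLEARTEXT_PORTS[p['dport']]} data on {flow}")
    for (flow, ack), n in acks.items():
        if n - 1 >= 3:                  # three duplicates of one ACK is the classic fast-retransmit trigger
            findings.append(f"{n - 1} duplicate ACKs for ack={ack} on {flow}")
    return findings


def sample_capture() -> list:
    """Gather phase stand-in: constructed frames instead of a promiscuous-mode interface."""
    c, s = "10.0.0.5", "10.0.0.9"     # constructed client and server addresses
    frames = [
        build_frame(c, s, 40000, 80, 1000, 0, 0x02),                # ordinary SYN to a web server
        build_frame(c, s, 40001, 23, 2000, 1, 0x18, b"admin\r\n"),  # telnet data sent in clear text
        build_frame(c, s, 40000, 80, 1001, 5001, 0x10),             # first ACK for ack=5001
        build_frame(c, s, 40000, 80, 1001, 5001, 0x10),             # duplicate ACK 1
        build_frame(c, s, 40000, 80, 1001, 5001, 0x10),             # duplicate ACK 2
        build_frame(c, s, 40000, 80, 1001, 5001, 0x10),             # duplicate ACK 3
        build_frame(c, s, 40002, 443, 3000, 0, 0x03),               # SYN+FIN together: never normal
        build_frame(c, s, 40003, 443, 3001, 0, 0x00),               # no flags at all (NULL)
    ]
    return [decode_frame(f) for f in frames]


if __name__ == "__main__":
    pkts = sample_capture()
    for p in pkts:
        print(summary_line(p))
    for finding in analyze(pkts):
        print("FINDING:", finding)
```

Run it and the display lines are the "packet list" view; the findings are the answers to the instructor's questions for this constructed capture. Real captures add IP options, TCP options, fragmentation and non-TCP traffic, which is exactly the work the EPAN dissectors do for you in Wireshark; the point here is only to see what each phase consumes and produces.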
Note: The topics in this course will prepare you for key objectives on the Certified Ethical Hacker exam. Find an overview of the certification and the exam handbook at https://www.eccouncil.org/programs/certified-ethical-hacker-ceh/.