HowTo – Use Packet Sniffers

Packet Capture
In this article we cover the basic working of a sniffer and how to capture packets for traffic analysis. An analyst who lacks working skill with a packet sniffer will find it hard to defend against intrusions. This article prepares the analyst for basic packet collection and basic analysis; it does not cover everything about sniffers. An in-depth article on using sniffers for packet crafting and packet capture will follow. In this document we use Wireshark Version 0.99.5 (SVN Rev 20677).

What you will learn…

  • Introduction to Sniffer
  • Capturing Traffic
  • Wireshark basics: The different panes

Packet sniffers are protocol analyzers that capture the packets seen by a machine’s network interface. When a sniffer runs on a system, it grabs every packet that enters or leaves the Network Interface Card (NIC) of the machine on which it is installed. If the NIC is set to promiscuous mode, it will also receive all packets sent on the network, provided that network is connected by a hub. In a switched network, however, switches do not broadcast packets, so a sniffer cannot see any packet that is not addressed to the machine on which it is installed. This is unfortunate for testing, but fortunate for security: if an attacker installs a sniffer on a trusted network and that network uses a hub to broadcast packets, the sniffer can look at every single packet crossing the network. Now that we have seen the logic of a packet sniffer, let us look at the details and working of the sniffer. One of the most common packet sniffers is Ethereal, now known as Wireshark; the old functionality is still maintained and new features are added from time to time.

Figure 1 shows the opening page of Wireshark (formerly Ethereal). Depending on how you want to capture packets, there are several ways to perform the task. To start, open the “Capture” menu and see what it offers. As the name implies, the “Capture” menu lets users perform packet capture, and it provides several options to suit the situations and conditions the analyst has in mind while capturing. Analysts can also set filters to avoid capturing unwanted traffic. This article covers effective packet capture for signature generation, by setting the values required to optimize the outcome.
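The two points above (what a NIC hands to a sniffer with and without promiscuous mode, and a capture filter that drops unwanted traffic) can be seen in a few dozen lines of code. The following is an added example, not code from the article or from Wireshark: it builds a small libpcap-format capture from constructed Ethernet/IPv4/TCP frames (all MAC and IP addresses are made up), parses it the way a sniffer dissects frames, models the NIC's promiscuous/non-promiscuous delivery, and applies a simple `host`/`port` filter in the spirit of a Wireshark capture filter. The `frames_delivered` and `capture_filter` function names are this example's own.

```python
"""Added example (not from the original article): a minimal libpcap reader,
a model of NIC delivery in promiscuous vs. non-promiscuous mode, and a
simple host/port capture filter. All sample frames are constructed inline."""
import struct
from ipaddress import IPv4Address

PCAP_MAGIC = 0xA1B2C3D4        # little-endian libpcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def _mac(s):
    return bytes(int(b, 16) for b in s.split(":"))


def _ipv4_checksum(header):
    # One's-complement sum over 16-bit words (RFC 791); returns 0 for a valid header.
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload=b""):
    """Ethernet II + IPv4 + TCP frame (TCP checksum left zero; not validated here)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    ip = ip[:10] + struct.pack("!H", _ipv4_checksum(ip)) + ip[12:]   # fill in header checksum
    return _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp


def build_pcap(frames):
    """Wrap raw frames in a libpcap global header plus one record header per frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Return one dict per captured frame with the Ethernet/IPv4/TCP fields a sniffer shows."""
    magic, = struct.unpack("<I", data[:4])
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic %#x" % magic)
    linktype, = struct.unpack("<I", data[20:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    records, off = [], 24
    while off < len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack("<IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        rec = {"ts": ts_sec + ts_usec / 1e6,
               "dst_mac": ":".join("%02x" % b for b in frame[0:6]),
               "src_mac": ":".join("%02x" % b for b in frame[6:12]),
               "ethertype": struct.unpack("!H", frame[12:14])[0]}
        if rec["ethertype"] == ETHERTYPE_IPV4:
            ihl = (frame[14] & 0x0F) * 4
            rec["ip_checksum_ok"] = _ipv4_checksum(frame[14:14 + ihl]) == 0
            rec["proto"] = frame[23]
            rec["src_ip"] = str(IPv4Address(frame[26:30]))
            rec["dst_ip"] = str(IPv4Address(frame[30:34]))
            if rec["proto"] == 6:
                l4 = 14 + ihl
                rec["sport"], rec["dport"] = struct.unpack("!HH", frame[l4:l4 + 4])
        records.append(rec)
    return records


def frames_delivered(records, nic_mac, promiscuous):
    """Model the NIC: without promiscuous mode only frames addressed to this NIC
    (or broadcast) are passed up; with it, everything on the hub segment is."""
    if promiscuous:
        return list(records)
    return [r for r in records if r["dst_mac"] in (nic_mac, BROADCAST_MAC)]


def capture_filter(records, host=None, port=None):
    """Keep frames matching 'host X' and/or 'port N', like a simple capture filter."""
    keep = []
    for r in records:
        if host and host not in (r.get("src_ip"), r.get("dst_ip")):
            continue
        if port and port not in (r.get("sport"), r.get("dport")):
            continue
        keep.append(r)
    return keep


# Constructed sample: three frames on a hub segment; the sniffer's NIC is 00:11:22:33:44:01.
SNIFFER_MAC = "00:11:22:33:44:01"
SAMPLE_PCAP = build_pcap([
    build_tcp_frame("00:11:22:33:44:02", SNIFFER_MAC, "192.0.2.20", "192.0.2.10", 40001, 80, b"GET / "),
    build_tcp_frame("00:11:22:33:44:02", "00:11:22:33:44:03", "192.0.2.20", "192.0.2.30", 40002, 22, b"SSH-"),
    build_tcp_frame("00:11:22:33:44:03", BROADCAST_MAC, "192.0.2.30", "192.0.2.255", 5000, 5000, b"hello"),
])

if __name__ == "__main__":
    recs = parse_pcap(SAMPLE_PCAP)
    print(len(frames_delivered(recs, SNIFFER_MAC, promiscuous=False)), "frames without promiscuous mode")
    print(len(frames_delivered(recs, SNIFFER_MAC, promiscuous=True)), "frames with promiscuous mode")
    for r in capture_filter(recs, port=80):
        print("port 80:", r["src_ip"], r["sport"], "->", r["dst_ip"], r["dport"])
```

Run as a script it reports two frames delivered without promiscuous mode (the one addressed to the sniffer's NIC and the broadcast) against three with it, which is exactly the hub-versus-switch distinction made above. The `parse_pcap` output can also be written with `build_pcap` to a file and opened in Wireshark, which is a handy way to check that a hand-built frame dissects the way you expect.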
