it care where the data ends up. Hubs have long been inexpensive because they lack the “intelligence” of a switch, which requires more circuitry and programming; the trade-off is that they are often slower and can produce overload conditions when three or more hubs are connected together, because all data is passed to the entire network. Although this can cause bottlenecks and network saturation, a hubbed network is the best type of network in which to place a sniffer. Since hubs do not restrict data in any way, a sniffer will have access to ALL the data flowing across the wires and through the hub.
A switch, on the other hand, is an active device. It records the MAC address of each network card to which it is connected and creates an internal table of MAC-to-IP address rules to help control traffic flow. In other words, a switch will examine each packet header for a matching IP address. Once a match is found, the switch will pass the data to the port with the corresponding MAC address. Note that it will pass data only to the port that matches the IP/MAC table, which means a sniffer connected to any other port on the switch will NOT have access to that data; at least, not without some network manipulation.
In the case of a wireless network, you could be dealing with several networking environments at once. This is because the wireless part of the network behaves like a hub: data is sent out over the airwaves, and there is no method to control who or what has access to it.
2.3 ARP Spoofing
As we have previously discussed, the existence of a switch in a network is a serious
obstacle to a sniffer. Due to a MAC/IP table, traffic from one NIC will only be passed to
the NIC to which it is addressed. However, it is possible to manipulate the network to
successfully gain access to traffic passing on other ports. This is accomplished using a
method known as ARP spoofing.
The Address Resolution Protocol (ARP) is used by network devices to establish a relationship between MAC addresses and IP addresses. This reduces the complexity of maintaining a network by providing a method of addressing that is easier to use and can be automated. To speed up this conversion, many network devices keep an ARP table that temporarily stores recently received IP addresses and their corresponding MAC addresses. Once an ARP entry exists for a pair of devices, further data transmissions between them do not need to perform another ARP request to determine the MAC address of the target device.
While the use of an ARP table speeds up the data transmission process, it also creates a huge hole that can be exploited by a sniffer. In short, an ARP table can be manipulated by sending spoofed ARP replies to communicating network devices. In this network trick, the hacker places his or her computer in the middle of an existing data path by creating false ARP entries on both the target’s computer and the gateway device (or whatever computer the target is communicating with). Once the hacker is established in the middle, he can easily capture, record, or even change the data passing between the two network devices.
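The poisoning described above leaves a footprint that a monitoring host on the same segment can see: an ARP reply that rebinds a known IP address to a new MAC, and one MAC answering for several IP addresses (the target and its gateway). The following detector is an added example, not code from the original text; it parses raw Ethernet/ARP frames and flags both patterns. The addresses and frames are constructed test data, and the first binding seen for each IP is assumed to be trustworthy (in practice the table would be seeded from a known-good source).

```python
import struct

ARP_REPLY = 2

def parse_arp(frame):
    """Parse an Ethernet II frame carrying ARP (EtherType 0x0806).
    Returns (opcode, sender_mac, sender_ip, target_mac, target_ip) or None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):  # Ethernet / IPv4 only
        return None
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    return op, sha.hex(":"), fmt_ip(spa), tha.hex(":"), fmt_ip(tpa)

class ArpWatcher:
    """Tracks IP->MAC bindings announced in ARP replies. Alerts when a reply rebinds
    a known IP to a different MAC, or when one MAC has claimed more than one IP.
    Assumption: the first binding seen per IP is trusted (seed from a known-good table)."""
    def __init__(self, trusted=None):
        self.bindings = dict(trusted or {})  # ip -> mac
        self.claims = {}                     # mac -> set of ips it answered for
        self.alerts = []

    def feed(self, frame):
        pkt = parse_arp(frame)
        if pkt is None or pkt[0] != ARP_REPLY:
            return []
        _, mac, ip, _, _ = pkt
        found = []
        known = self.bindings.get(ip)
        if known is not None and known != mac:
            found.append(f"{ip} rebound from {known} to {mac}")
        self.claims.setdefault(mac, set()).add(ip)
        if len(self.claims[mac]) > 1:
            found.append(f"{mac} claims {sorted(self.claims[mac])}")
        self.bindings.setdefault(ip, mac)  # keep the trusted binding on conflict
        self.alerts.extend(found)
        return found

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Constructed test frame (not captured traffic): an ARP reply sender -> target."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    return (mac(target_mac) + mac(sender_mac) + b"\x08\x06" + hdr
            + mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip))

# Constructed scenario: gateway (.1) and host (.10) exchange normal replies, then a
# third station (…:99) answers for both of their IP addresses.
SAMPLE = [
    build_arp_reply("00:11:22:33:44:01", "192.168.1.1", "00:11:22:33:44:10", "192.168.1.10"),
    build_arp_reply("00:11:22:33:44:10", "192.168.1.10", "00:11:22:33:44:01", "192.168.1.1"),
    build_arp_reply("00:11:22:33:44:99", "192.168.1.1", "00:11:22:33:44:10", "192.168.1.10"),
    build_arp_reply("00:11:22:33:44:99", "192.168.1.10", "00:11:22:33:44:01", "192.168.1.1"),
]

def run(frames=SAMPLE):
    """Feed frames through a fresh watcher and return every alert raised."""
    w = ArpWatcher()
    for f in frames:
        w.feed(f)
    return w.alerts
```

On a real segment the frames would come from a promiscuous capture on the monitoring host; a lone rebind alert can also be a legitimate NIC replacement or DHCP reassignment, so the two-IP pattern is the stronger signal.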