Outline
- Packet sniffing
  - Sniffing in Hub
  - Sniffing in Switch
- ARP (Address Resolution Protocol)
  - ARP Spoofing
- Conclusion
Packet Sniffing Overview
- Process of monitoring a network to gather information that may be useful
- Used by both “good guys” and “bad guys”
Sniffing in Hub
- A sends a packet to D
- All stations will receive the packet, including the Sniffer station

[Figure: stations A, B, C, D and the Sniffer connected to a Hub]
Sniffing in Switch
- A sends a packet to D
- Switch looks up its table and only sends the packet to D
- Sniffer station will not receive the packet
- Can a switch be used to prevent sniffing?

[Figure: stations A, B, C, D and the Sniffer connected to a Switch]
Address Resolution Protocol (ARP)
- A MAC address is needed for data communication
- ARP helps to provide a dynamic mapping of a 32-bit IP address to a 48-bit MAC address
- The source station checks its ARP cache, and if the MAC address of the destination station is not there, it sends out an ARP broadcast message to find the destination station
- The destination station will respond to the ARP request with its MAC address
ARP (cont’d)
[Figure: Host broadcasts for another host's MAC address. Four hosts (A, B, C, D) with addresses 192.168.1.1 through 192.168.1.4 are attached to a Switch. One host broadcasts "I need the MAC address of 192.168.1.4"; the reply is "IP: 192.168.1.4 MAC: 00:11:00:02:33:d0".]
ARP Spoofing
- ARP Poisoning
- Introducing a fake IP-MAC address mapping in another host’s ARP cache
  - e.g. ARP Unsolicited Responses
ARP Unsolicited Responses
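[Figure: Hosts A (192.168.1.1), B, C and D (192.168.1.4, MAC 00:11:00:02:33:d0) and the Attacker (IP: 192.168.1.103) are attached to a Switch. The Attacker sends ARP replies saying "I have 192.168.1.4. My MAC is 00:11:00:02:33:aa". The resulting cache entry is 192.168.1.4 -> 00:11:00:02:33:aa.]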
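
Seen from the defender's side, the unsolicited reply above has two detectable properties: it answers no outstanding request, and it changes an IP-MAC binding that was already learned. The following is an added example, not part of the original slides, that parses raw ARP payloads and flags both. The MAC for host A, the frame sequence, and the names `ArpMonitor`, `build_arp` and `parse_arp` are constructed for illustration, and the monitor is assumed to see host A's ARP traffic (running on A or on a mirror port).

```python
import socket
import struct

ARP_FMT = "!HHBBH6s4s6s4s"      # RFC 826 layout for Ethernet/IPv4 (28 bytes)
A_MAC = "00:11:00:02:33:a1"     # constructed; the slides give no MAC for A
D_MAC = "00:11:00:02:33:d0"     # D's real MAC from the slides
FAKE_MAC = "00:11:00:02:33:aa"  # MAC claimed in the spoofed reply on the slides

def build_arp(op, sha, spa, tha, tpa):
    """Pack a constructed ARP payload (op 1 = request, 2 = reply)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, mac(sha),
                       socket.inet_aton(spa), mac(tha), socket.inet_aton(tpa))

def parse_arp(payload):
    """Return (op, sender_mac, sender_ip, target_ip) from a raw ARP payload."""
    _, _, _, _, op, sha, spa, _, tpa = struct.unpack(ARP_FMT, payload[:28])
    return op, sha.hex(":"), socket.inet_ntoa(spa), socket.inet_ntoa(tpa)

class ArpMonitor:
    def __init__(self):
        self.bindings = {}    # IP -> MAC first seen for that IP
        self.pending = set()  # (requester_ip, requested_ip) awaiting a reply

    def observe(self, payload):
        """Update state from one ARP payload and return a list of alerts."""
        op, mac, ip, target_ip = parse_arp(payload)
        alerts = []
        if op == 1:
            self.pending.add((ip, target_ip))
        elif op == 2 and (target_ip, ip) not in self.pending:
            alerts.append(f"unsolicited reply for {ip} sent to {target_ip}")
        else:
            self.pending.discard((target_ip, ip))
        known = self.bindings.setdefault(ip, mac)
        if known != mac:
            alerts.append(f"{ip} moved from {known} to {mac}")
        return alerts

def demo():
    """Replay a constructed sequence: request, genuine reply, spoofed reply."""
    mon = ArpMonitor()
    frames = [
        build_arp(1, A_MAC, "192.168.1.1", "00:00:00:00:00:00", "192.168.1.4"),
        build_arp(2, D_MAC, "192.168.1.4", A_MAC, "192.168.1.1"),
        build_arp(2, FAKE_MAC, "192.168.1.4", A_MAC, "192.168.1.1"),
    ]
    return [mon.observe(f) for f in frames]
```

Legitimate gratuitous ARP (for example after a failover or an address change) raises the same alerts, so each one is a lead to confirm against the known inventory.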
Sniffing in switch using ARP Spoofing
1) Turn on IP forwarding to forward traffic
2) Run packet analyzer
3) Send the spoofed ARP packet from Attacker with an arpredirect
Attacker IP: 192.168.1.103
4) Now all traffic from A