Sniffers Sniffers are programs that can intercept and subsequently analyze network traffic. Sniffers are useful in cases where you need to intercept passwords or conduct network diagnostics. The program can be installed on one device to which you have access and within a short time receive all transmitted data from the subnet.
How sniffers work
You can intercept traffic through a sniffer in the following ways:
- By listening in the normal mode of the network interface, this method is effective only when hubs and not switches are used in a certain field.
- If you connect a sniffer to the place where the channel breaks, you can intercept the traffic.
- The adapter or program changes the path of the traffic and sends a copy to the sniffer.
- Side effects electromagnetic radiation analyze and restore listening traffic.
- The link and network layer are attacked, which redirects traffic to the sniffer to obtain data, after which the traffic is redirected along the previous route.
Traffic intercepted by the sniffer is analyzed, which allows us to identify:
Conventional sniffers analyze traffic very simply, using the most available automated tools and are able to analyze only very small volumes.
Examples of the most famous sniffers:
- WinSniffer 1.3 is the best sniffer, has many different customizable modes, and is capable of catching passwords for various services;
- CommViev 5.0 catches and analyzes Internet traffic, as well as local network. Collects information data associated with the modem and network card and decodes it. This makes it possible to see full list network connections, IP statistics. The intercepted information is stored in separate file, for subsequent analysis, in addition, convenient system filtering allows you to ignore unnecessary packets and leaves only those that the attacker needs;
- ZxSniffer 4.3 is a small-sized sniffer with a volume of 333 kb, it fits on any modern storage medium and can be used by;
- SpyNet is a fairly well-known and popular sniffer. The main functionality includes intercepting traffic and decoding data packets;
- IRIS has extensive filtering capabilities. Capable of catching packets with specified restrictions.
Classification of sniffers
Sniffers are divided according to the method of use into legal and illegal. At the same time, the very concept of sniffers is applied specifically in relation to illegal use, while legal ones are called “Traffic Analyzer”.
In order to receive full information about the state of the network and understand what employees are doing at their workplaces; they use legal sniffers (traffic analyzers). The help of sniffers cannot be overestimated when it is necessary to “listen” to program ports through which they can send confidential information to their owners. For programmers, they help debug and interact with programs. Using traffic analyzers, you can promptly detect unauthorized access to data or a DoS attack.
Illegal use involves spying on network users; the attacker will be able to obtain information about which sites the user uses, sends data, and learns about the programs used for communication. The main purpose of “listening” to traffic is to obtain logins and passwords transmitted in unencrypted form.
Traffic analyzers differ in the following capabilities:
- Support for link layer protocols as well as physical interfaces.
- Quality of protocol decoding.
- User interface.
- Provide access to statistics, viewing traffic in real time, etc.
Source of threat
Sniffers can work on:
- Router – all traffic passing through the device can be analyzed.
- At the end node of the network, all data transmitted over the network is available to all network cards, but in standard operation mode, network cards for which the data is not intended simply do not notice it. Moreover, if we translate network card into promiscuous mode, it will be possible to receive all data transmitted on the network. And of course, sniffers allow you to switch to this mode.
Risk analysis
Any organization may be at risk of sniffing. At the same time, there are several options on how to protect an organization from data leaks. First, you need to use encryption. Secondly, you can use antisniffers.
Antisniffer – software or hardware working on the network and allowing you to find sniffers.
Using only encryption when transmitting data, it will not be possible to hide the fact of transmission. Therefore, you can use encryption in conjunction with an antisniffer.
In this article we will look at creating a simple sniffer for Windows OS.
Anyone interested, welcome to cat.
Introduction
Target: write a program that will capture network traffic (Ethernet, WiFi) transmitted over the IP protocol.Facilities: Visual Studio 2005 or higher.
The approach that is described here does not belong to the author personally and is successfully used in many commercial, as well as categorically free programs(hello, GPL).
This work is intended primarily for beginners in network programming, who, however, have at least basic knowledge in the field of sockets in general, and Windows sockets in particular. Here I will often write well-known things, because the subject area is specific, if I miss something, my head will be a mess.
I hope you find it interesting.
Theory (reading is not required, but recommended)
IN this moment The vast majority of modern information networks are based on the foundation of the TCP/IP protocol stack. TCP/IP protocol stack (Transmission Control Protocol/Internet Protocol) is a collective name for network protocols different levels, used in networks. In this article, we will be mainly interested in the IP protocol - a routed network protocol used for the non-guaranteed delivery of data divided into so-called packets (a more correct term is a datagram) from one network node to another.Of particular interest to us are IP packets designed to transmit information. This is enough high level network OSI data model, when you can isolate yourself from the device and data transmission medium, operating only with a logical representation.
It is completely logical that sooner or later tools for intercepting, monitoring, recording and analyzing network traffic should have appeared. Such tools are usually called traffic analyzers, packet analyzers or sniffers (from English to sniff - sniff). This is a network traffic analyzer, a program or hardware-software device designed to intercept and subsequently analyze, or only analyze, network traffic intended for other nodes.
Practice (substantive conversation)
At the moment, quite a lot has been created software to listen to traffic. The most famous of them: Wireshark. Naturally, the goal is not to reap his laurels - we are interested in the task of intercepting traffic by simply “listening” to a network interface. It is important to understand that we are not going to hack and intercept stranger traffic. We just need to view and analyze the traffic that passes through our host.Why this may be needed:
- View the current traffic flow through the network connection (incoming/outgoing/total).
- Redirect traffic for subsequent analysis to another host.
- Theoretically, you can try to use it to hack a WiFi network (we're not going to do that, are we?).
How so? Very simple.
A key step in making simple network application in the network analyzer is to switch the network interface to promiscuous mode, which will allow it to receive packets addressed to other interfaces on the network. This mode is forced network card accept all frames, regardless of who they are addressed to on the network.
Starting with Windows 2000 (NT 5.0), it became very easy to create a program to listen to a network segment, because her network driver allows you to switch the socket to the mode of receiving all packets.
Enabling Promiscuous Mode
long flag = 1; SOCKET socket; #define SIO_RCVALL 0x98000001 ioctlsocket(socket, SIO_RCVALL, &RS_Flag);Our program operates on IP packets and uses the Windows Sockets library version 2.2 and raw sockets. In order to gain direct access to an IP packet, the socket must be created as follows:
Creating a raw socket
s = socket(AF_INET, SOCK_RAW, IPPROTO_IP);Here instead of a constant SOCK_STREAM(TCP protocol) or SOCK_DGRAM(UDP protocol), we use the value SOCK_RAW. Generally speaking, working with raw sockets is interesting not only from the point of view of traffic capture. In fact, we get complete control over the formation of the package. Or rather, we form it manually, which allows, for example, to send a specific ICMP packet...
Go ahead. It is known that an IP packet consists of a header, service information and, in fact, data. I advise you to look here to refresh your knowledge. Let's describe the IP header in the form of a structure (thanks to the excellent article on RSDN):
Description of the IP packet structure
typedef struct _IPHeader ( unsigned char ver_len; // header version and length unsigned char tos; // service type unsigned short length; // length of the entire packet unsigned short id; // Id unsigned short flgs_offset; // flags and offset unsigned char ttl ; // lifetime unsigned char protocol; // protocol unsigned short xsum; // checksum unsigned long src; // sender IP address unsigned long dest; // destination IP address unsigned short *params; // parameters (up to 320 bits) unsigned char *data; // data (up to 65535 octets) )IPHeader;The main function of the listening algorithm will look like this:
Single packet capture function
IPHeader* RS_Sniff() ( IPHeader *hdr; int count = 0; count = recv(RS_SSocket, (char*)&RS_Buffer, sizeof(RS_Buffer), 0); if (count >= sizeof(IPHeader)) ( hdr = (LPIPHeader )malloc(MAX_PACKET_SIZE); memcpy(hdr, RS_Buffer, MAX_PACKET_SIZE); RS_UpdateNetStat(count, hdr); return hdr; ) else return 0; )Everything is simple here: we receive a piece of data using the standard socket function recv, and then copy them into a structure like IPHeader.
And finally, we start an endless packet capture loop:
Let's capture all packets that reach our network interface
while (true) ( IPHeader* hdr = RS_Sniff(); // processing the IP packet if (hdr) ( // print the header in the console ) )A bit offtopic
Here and below, the author made the RS_ (from Raw Sockets) prefix for some important functions and variables. I did the project 3-4 years ago, and I had a crazy idea to write a full-fledged library for working with raw sockets. As often happens, after obtaining some significant (for the author) results, the enthusiasm faded, and the matter did not go further than a training example.In principle, you can go further and describe the headers of all subsequent protocols located above. To do this, you need to analyze the field protocol in the structure IPHeader. Look at the example code (yes, there should be a switch, damn it!), where the header is colored depending on what protocol the packet has encapsulated in IP:
/* * Highlighting a package with color */ void ColorPacket(const IPHeader *h, const u_long haddr, const u_long whost = 0) ( if (h->xsum) SetConsoleTextColor(0x17); // if the package is not empty else SetConsoleTextColor(0x07) ; // empty package if (haddr == h->src) ( SetConsoleTextColor(BACKGROUND_BLUE | /*BACKGROUND_INTENSITY |*/ FOREGROUND_RED | FOREGROUND_INTENSITY); // "native" package for return ) else if (haddr == h->dest ) ( SetConsoleTextColor(BACKGROUND_BLUE | /*BACKGROUND_INTENSITY |*/ FOREGROUND_GREEN | FOREGROUND_INTENSITY); // "native" receive packet ) if (h->protocol == PROT_ICMP || h->protocol == PROT_IGMP) ( SetConsoleTextColor(0x70) ; // ICMP packet ) else if(h->protocol == PROT_IP || h->protocol == 115) ( SetConsoleTextColor(0x4F); // IP-in-IP packet, L2TP ) else if(h- >protocol == 53 || h->protocol == 56) ( SetConsoleTextColor(0x4C); // TLS, IP with Encryption ) if(whost == h->dest || whost == h->src) ( SetConsoleTextColor (0x0A); ) )
However, this is significantly beyond the scope of this article. For our training example, it will be enough to look at the IP addresses of the hosts from which and to which traffic is coming, and calculate its amount per unit of time (the finished program is in the archive at the end of the article).
In order to display IP header data, you must implement a function to convert the header (but not the data) of the datagram to a string. As an example of implementation, we can offer the following option:
Converting an IP header to a string
inline char* iph2str(IPHeader *iph) ( const int BUF_SIZE = 1024; char *r = (char*)malloc(BUF_SIZE); memset((void*)r, 0, BUF_SIZE); sprintf(r, "ver=% d hlen=%d tos=%d len=%d id=%d flags=0x%X offset=%d ttl=%dms prot=%d crc=0x%X src=%s dest=%s", BYTE_H (iph->ver_len), BYTE_L(iph->ver_len)*4, iph->tos, ntohs(iph->length), ntohs(iph->id), IP_FLAGS(ntohs(iph->flgs_offset)), IP_OFFSET (ntohs(iph->flgs_offset)), iph->ttl, iph->protocol, ntohs(iph->xsum), nethost2str(iph->src), nethost2str(iph->dest)); return r; )Based on the basic information given above, we get this small program (creepy name ss, short for simple sniffer), which implements local listening to IP traffic. Its interface is shown below in the figure.
I provide the source and binary code as is, as it was several years ago. Now I'm scared to look at it, and yet, it's quite readable (of course, you can't be so self-confident). Even Visual Studio Express 2005 will be sufficient for compilation.
What we ended up with:
- The sniffer operates in user mode, but requires administrator privileges.
- Packets are not filtered and are displayed as is (you can add custom filters - I suggest looking at this topic in detail in the next article if you are interested).
- WiFi traffic is also captured (it all depends on specific model chip, it may not work for you, like it did for me several years ago), although there is AirPcap, which can do this wonderfully, but costs money.
- The entire datagram stream is logged to a file (see the archive attached at the end of the article).
- The program runs as a server on port 2000. You can connect using telnet utilities to the host and monitor traffic flows. The number of connections is limited to twenty (the code is not mine, I found it on the Internet and used it for experiments; I didn’t delete it - it’s a pity)
Here is a good sniffer (network traffic analyzer, you can use it to intercept information), which will allow you to receive fairly complete information in a visual video about all packets passing through the protocol of your choice; in the full news you can easily download IP Sniffer. The developers have tried and made a more powerful program out of a regular sniffer, since it is now possible to filter the processed data and completely decode the entire contents of the packets.
IP Sniffer has a number of additional utilities, including quite good traffic monitoring, you can view in diagrams the IP addresses that are most often used, the same can be said about protocols. If you wish, you can work with the Address Determination Protocol, or better known as ARM - view it, delete various records, send responses. There is a function that helps you get a Netbios name for a given IP address. I would like to note the Netstat tool in IP Sniffer - it will display various types of network connections and you will have the option to force terminate the connections you select, which is quite convenient.
If you need to get complete information on the network adapter you are using, the program will help here too. Among other things, there is support for Spoofing various protocols, including ARP, which means support for intercepting traffic between different hosts. IP Sniffer can search for DHCP servers, there is a built-in service for issuing information on the IP addresses you need, you can convert IP to Hostname and, accordingly, vice versa, of course it is also possible to ping hosts and networks.
IP Sniffer does not require installation, can be launched from media, does not have Russian support, and has simple interface without support for changing snowflakes. In general, this is a development in front of you, I think for certain purposes it will be quite useful. Don’t forget to leave your opinions about this program, if anyone finds a use for it, share your impressions, and don’t forget that it is completely free.
Issue name: IP.Sniffer.1.99.3.6
Developer:
License: FreeWare
Language: English
Size: 7.16 MB
OS:Windows
Download:
- 7.16 MB
SmartSniff allows you to intercept network traffic and display its contents in ASCII. The program captures packets passing through network adapter and displays the contents of packets in text form (protocols http, pop3, smtp, ftp) and in the form of a hexadecimal dump. To capture TCP/IP packets, SmartSniff uses the following techniques: raw sockets - RAW Sockets, WinCap Capture Driver and Microsoft Network Monitor Driver. The program supports the Russian language and is easy to use.
Sniffer program for capturing packets
 |
SmartSniff displays the following information: protocol name, local and remote address, local and remote port, local node, service name, data volume, total size, capture time and last packet time, duration, local and remote MAC address, countries and data packet contents . The program has flexible settings, it implements the function of a capture filter, unpacking http responses, converting IP addresses, the utility is minimized to the system tray. SmartSniff generates a report on packet flows in the form HTML pages. The program can export TCP/IP streams.
A sniffer is not always malicious. In fact, this type The software is often used to analyze network traffic to detect and correct anomalies and ensure smooth operation. However, the sniffer can be used with malicious intent. Sniffers analyze everything that passes through them, including unencrypted passwords and credentials, so hackers with access to the sniffer can obtain users' personal information. In addition, the sniffer can be installed on any computer connected to the local network, without the need to install it on the device itself - in other words, it cannot be detected during the entire connection time.
Where do sniffers come from?
Hackers use sniffers to steal valuable data by monitoring network activity and collecting personal information about users. Typically, attackers are most interested in user passwords and credentials to gain access to online banking and online store accounts. Most often, hackers install sniffers in places where unprotected software is distributed. Wi-Fi connections eg in cafes, hotels and airports. Sniffers can masquerade as a network-connected device in a so-called spoofing attack to steal valuable data.
How to recognize a sniffer?
Unauthorized sniffers are extremely difficult to recognize virtually, as they can be installed almost anywhere, posing a very serious threat network security. Regular users often have no chance of recognizing that a sniffer is tracking their network traffic. It is theoretically possible to install your own sniffer that would monitor all DNS traffic for the presence of other sniffers, however, for the average user it is much easier to install anti-sniffing software or an anti-virus solution that includes protection of network activity in order to stop any unauthorized intrusion or hide their network activities.
How to remove a sniffer
You can use a highly effective antivirus to detect and remove all types of malware installed on your computer for sniffing purposes. However for complete removal sniffer, you must delete absolutely all folders and files related to it from your computer. It is also strongly recommended to use an antivirus with a network scanner, which will thoroughly check the local network for vulnerabilities and instruct on further actions if they are found.
How to avoid becoming a victim of a sniffer
- Encrypt all information you send and receive
- Scan your local network for vulnerabilities
- Use only verified and secure Wi-Fi networks
Protect yourself from sniffers
The first thing a user can do to protect themselves from sniffers is to use a high-quality antivirus like free antivirus Avast, which is capable of thoroughly scanning the entire network for security problems. An additional and highly effective way to protect information from sniffing is to encrypt all data sent and received online, including emails. mail. Avast SecureLine allows you to securely encrypt all data exchanges and perform online actions in 100% anonymity.