Use a network analyser to sniff the network

Like a microscope for a lab scientist, a network analyser is a must-have tool for any security professional. This excerpt from Kevin Beaver's "Hacking for Dummies, 2nd edition" describes using such an analyser to sniff the network.

This excerpt is from Chapter 9 - Network Infrastructure in "Hacking for Dummies, 2nd edition" written by Kevin Beaver and published by Wiley Publishing.

A network analyser is a tool that allows you to look into a network and analyse data going across the wire for network optimisation, security and/or troubleshooting purposes. Like a microscope for a lab scientist, a network analyser is a must-have tool for any security professional.

Network analysers are often generically referred to as sniffers, though that's actually the name and trademark of a specific product from Network Associates, Sniffer (the original commercial network analysis tool).

A network analyser is handy for sniffing packets off the wire. Watch for the following network traffic behaviour when using a network analyser:

  • What do packet replies look like? Are they coming from the host you're testing or from an intermediary device?

  • Do packets appear to traverse a network host or security device, such as a router, a firewall or a proxy server?

When assessing security and responding to security incidents, a network analyser can help you:

  • View anomalous network traffic and even track down an intruder.
  • Develop a baseline of network activity and performance, such as protocols in use, usage trends and MAC addresses, before a security incident occurs.

When your network behaves erratically, a network analyser can help you:

  • Track and isolate malicious network usage.
  • Detect malicious Trojan-horse applications.
  • Monitor and track down DoS attacks.

Network analyser programs

You can use one of the following programs for network analysis:

  • WildPackets EtherPeek is my favourite network analyser. It does everything I need and more, and it is very simple to use. EtherPeek is available for the Windows operating systems.

    If you're going to be doing a lot of network analysis on both wired and wireless networks that may require the decoding of Gigabit Ethernet, WAN protocols, voice over IP (VoIP) and other advanced systems, you should check out WildPackets' OmniPeek product line. OmniPeek offers an all-in-one solution that helps keep your network analysis costs down, plus you get the benefit of being able to use one tool for everything.

  • TamoSoft's CommView and Sunbelt Software's LanHound are low-cost, Windows-based alternatives.

  • Cain and Abel is a free alternative for performing network analysis, ARP poisoning, Voice over IP capture/replay, password cracking and more.

  • Ethereal is a free alternative. I download and use this tool if I need a quick fix and don't have my laptop nearby. It's not as user-friendly as most of the commercial products, but it is very powerful if you're willing to learn its ins and outs. Ethereal is available for both Windows and UNIX-based operating systems.

  • ettercap is another powerful (and free) utility for performing network analysis and much more on both Windows and UNIX-based operating systems.

A network analyser is simply software running on a computer with a network card. It works by placing the network card in promiscuous mode, which enables the card to see all the traffic on the network, even traffic not destined for the network analyser's host. The network analyser performs the following functions:

  • Captures all network traffic
  • Interprets or decodes what is found into a human-readable format
  • Displays it all in chronological order
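
To make those three functions concrete, here is an added example (not from the book or from any of the products named above) of a minimal analyser core in Python: it decodes raw Ethernet/IPv4/TCP frames into readable records, orders them chronologically, and builds the protocol and MAC-address baseline recommended earlier. It assumes the frames have already been captured (for instance from a card in promiscuous mode) and runs on a constructed two-frame sample.

```python
import struct
from collections import Counter

ETH_IPV4 = 0x0800
IP_PROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}
TCP_FLAGS = [(0x02, "SYN"), (0x10, "ACK"), (0x01, "FIN"), (0x04, "RST")]

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def decode_frame(frame):
    """Decode one raw Ethernet II frame into a human-readable summary dict."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    rec = {"src_mac": mac_str(src), "dst_mac": mac_str(dst), "proto": "non-IP"}
    if ethertype != ETH_IPV4 or len(frame) < 34:
        return rec  # ARP, IPv6 etc. are reported by MAC addresses only
    ver_ihl, _, _, _, _, ttl, proto, _, sip, dip = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    ihl = (ver_ihl & 0x0F) * 4  # IPv4 header length in bytes (options included)
    rec.update(proto=IP_PROTO.get(proto, str(proto)), ttl=ttl,
               src_ip=".".join(map(str, sip)), dst_ip=".".join(map(str, dip)))
    if proto == 6 and len(frame) >= 14 + ihl + 14:
        sport, dport, _, _, _, flags = struct.unpack("!HHLLBB", frame[14 + ihl:14 + ihl + 14])
        rec.update(sport=sport, dport=dport, flags="/".join(n for b, n in TCP_FLAGS if flags & b))
    return rec

def analyse(capture):
    """capture: list of (timestamp, raw frame). Returns the decoded records in chronological
    order plus a baseline (protocol mix and source MACs) of the kind the text recommends."""
    records = [dict(ts=ts, **decode_frame(f)) for ts, f in sorted(capture, key=lambda c: c[0])]
    baseline = {"protocols": Counter(r["proto"] for r in records),
                "src_macs": Counter(r["src_mac"] for r in records)}
    return records, baseline

def build_tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags, ttl=64):
    """Construct a minimal Ethernet/IPv4/TCP frame for the sample capture (checksums left zero)."""
    tcp = struct.pack("!HHLLBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, ttl, 6, 0, bytes(src_ip), bytes(dst_ip))
    return bytes(dst_mac) + bytes(src_mac) + struct.pack("!H", ETH_IPV4) + ip + tcp

# Constructed sample capture (not real traffic): a client's SYN to a web server and the
# SYN/ACK reply, deliberately listed out of order to show the chronological display step.
CLIENT_MAC, SERVER_MAC = b"\x00\x11\x22\x33\x44\x55", b"\x00\xaa\xbb\xcc\xdd\xee"
SAMPLE_CAPTURE = [
    (2.0, build_tcp_frame(SERVER_MAC, CLIENT_MAC, [10, 0, 0, 80], [10, 0, 0, 5], 80, 40001, 0x12, ttl=63)),
    (1.0, build_tcp_frame(CLIENT_MAC, SERVER_MAC, [10, 0, 0, 5], [10, 0, 0, 80], 40001, 80, 0x02)),
]

if __name__ == "__main__":
    for rec in analyse(SAMPLE_CAPTURE)[0]:
        print(rec)
```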

Here are a few caveats for using a network analyser:

  • To capture all traffic, you must connect the analyser to one of the following:
    • A hub on the network.
    • A monitor/span/mirror port on a switch.
    • A switch that you've performed an ARP poisoning attack on.
  • You should connect the network analyser to a hub on the outside of the firewall, as shown in Figure 9-13, as part of your testing so you can see traffic similar to what a network-based IDS sees:
    • What's entering your network before the firewall filters eliminate the junk traffic.
    • What's leaving your network after the traffic goes past the firewall.

Figure 9-13: the network analyser connected to a hub on the outside of the firewall.
