SMT 2-6 Sniffing
Summary
TLDR: This script introduces the concept of packet sniffing, a technique used by network administrators and attackers to monitor data traffic. It explains how enabling promiscuous mode allows devices to capture all packets regardless of their destination. The video highlights the use of Wireshark, a popular packet analysis tool, for real-time network traffic analysis and emphasizes its various features, including filtering options, protocol hierarchy, and stream functionality, which are essential for security professionals and network administrators to troubleshoot and analyze network issues.
Takeaways
- 🕵️♂️ Sniffing is the act of monitoring all data packets through a specified network, akin to 'sneaking a peek' at data traffic.
- 🛠️ Network administrators use sniffing to monitor and troubleshoot network traffic, while attackers use it to steal sensitive information.
- 🔒 Sniffing compromises the confidentiality aspect of the CIA Triad, which stands for Confidentiality, Integrity, and Availability.
- 🌐 Promiscuous mode is a network setting that allows a device to accept all packets, regardless of whether they are intended for it.
- 🔄 In a hub network environment, sniffing is passive since all packets are broadcast to every device. In contrast, switches require active measures to sniff packets.
- 🔄 Enabling promiscuous mode changes a device's default behavior to process all packets, which is necessary for sniffing.
- 📈 Wireshark is a popular packet analysis tool used by security professionals and network administrators for real-time traffic analysis.
- 📊 Wireshark offers various analysis features, including protocol status, traffic analysis, and stream functions, which are valuable for diagnosing network issues.
- 🔍 Wireshark allows users to filter packet data using criteria such as IP addresses, MAC addresses, and TCP ports to focus on specific traffic.
- 📊 Protocol Hierarchy in Wireshark provides an overview of data traffic usage per protocol, helping identify active communication protocols.
- 🗣️ Conversations feature in Wireshark shows traffic records between communicating nodes, offering insights into traffic volume between specific nodes.
- 🔄 Follow stream feature in Wireshark is essential for analyzing the entire flow of a particular packet, supporting protocols like TCP, UDP, and HTTP.
Q & A
What is the definition of sniffing in the context of network security?
-Sniffing refers to the act of monitoring all data packets that pass through a specified network, akin to sneaking a peek at data coming into and going out of the network.
Why might network administrators attempt to sniff data?
-Network administrators may attempt to sniff data to monitor and troubleshoot network traffic, ensuring its proper functioning and identifying potential issues.
What is the impact of sniffing on the CIA Triad?
-Sniffing compromises the confidentiality aspect of the CIA Triad by potentially exposing sensitive information such as personal data.
What is promiscuous mode, and how does it relate to sniffing?
-Promiscuous mode is a setting on network devices that allows them to accept all packets, regardless of whether they are meant for the device. It is essential for sniffing as it enables the device to process packets not addressed to it.
How does the network environment affect how sniffing works?
-In a hub environment, packets are broadcast to everyone, so sniffing is straightforward once promiscuous mode is enabled. In a switched environment, packets are forwarded point-to-point, so sniffing requires additional actions such as attacking the ARP protocol.
What is the difference between a passive attack in a hub environment and an active attack in a switch environment?
-In a hub environment, sniffing is a passive attack as it does not require interaction with the network. In contrast, a switch environment requires active attacks, such as manipulating protocols, to facilitate sniffing.
What is the purpose of enabling promiscuous mode on all interfaces on a network?
-Enabling promiscuous mode on an interface makes it accept all traffic it receives regardless of the destination address. This is necessary for sniffing in a hub environment, where every packet reaches the device but would otherwise be discarded unless addressed to it.
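The promiscuous-mode check described above has a defender's counterpart: spotting interfaces that were switched into promiscuous mode without authorisation. The following Python script is an added example (not from the video) that replays the kernel messages Linux logs on every flag change and cross-checks the IFF_PROMISC bit in /sys/class/net/<iface>/flags; the log lines and flag values are constructed, and the allow list is an assumption for a host where one monitor port is expected.

```python
import re
from typing import Dict, List, Set

# Constructed sample of the kernel messages Linux logs whenever an
# interface's promiscuous flag changes (visible via dmesg / journalctl -k).
KERNEL_LOG = """\
[  120.481] device eth0 entered promiscuous mode
[  120.990] device eth1 entered promiscuous mode
[  301.117] device eth1 left promiscuous mode
[ 1500.004] device docker0 entered promiscuous mode
"""

PROMISC_RE = re.compile(r"device (?P<iface>\S+) (?P<state>entered|left) promiscuous mode")

# IFF_PROMISC from <linux/if.h>; /sys/class/net/<iface>/flags holds this bitmask.
IFF_PROMISC = 0x100


def promisc_state_from_log(log: str) -> Dict[str, bool]:
    """Replay enter/leave events in order; True means the interface is still promiscuous."""
    state: Dict[str, bool] = {}
    for line in log.splitlines():
        m = PROMISC_RE.search(line)
        if m:
            state[m.group("iface")] = m.group("state") == "entered"
    return state


def is_promisc_flags(flags_hex: str) -> bool:
    """Interpret the contents of /sys/class/net/<iface>/flags, e.g. '0x1103'."""
    return bool(int(flags_hex.strip(), 16) & IFF_PROMISC)


def unexpected_promiscuous(log: str, sys_flags: Dict[str, str], allowed: Set[str]) -> List[str]:
    """Interfaces promiscuous by either evidence source, minus the ones we expect
    (e.g. a dedicated monitor port or bridge members)."""
    found = {i for i, on in promisc_state_from_log(log).items() if on}
    found |= {i for i, f in sys_flags.items() if is_promisc_flags(f)}
    return sorted(found - allowed)


if __name__ == "__main__":
    # On a live host sys_flags would be read from /sys/class/net/*/flags; constructed here.
    flags = {"eth0": "0x1103", "eth1": "0x1003", "eth2": "0x1103"}
    print(unexpected_promiscuous(KERNEL_LOG, flags, allowed={"docker0"}))
```

The two sources complement each other: the log shows when the change happened, while the sysfs flag shows the current state even if the log has rotated.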
What is Wireshark, and how is it used in network analysis?
-Wireshark is a renowned packet analysis program and network traffic analysis tool. It is used by security professionals and network administrators to analyze traffic in real-time and troubleshoot network issues.
What are some of the features of Wireshark that make it a useful tool for network analysis?
-Wireshark offers features such as traffic analysis, protocol status analysis, various stream functions, and the ability to follow the entire flow of a particular packet, making it a comprehensive tool for network analysis.
How can one filter packet data in Wireshark to analyze specific information?
-In Wireshark, one can filter packet data using fields such as IP addresses (ip.addr, or ip.src / ip.dst for one direction only), MAC addresses (eth.addr, or eth.src / eth.dst), and TCP ports (tcp.port, or tcp.srcport / tcp.dstport), and use the Protocol Hierarchy view to focus on specific communication data.
What is the 'follow stream' feature in Wireshark, and why is it useful?
-The 'follow stream' feature in Wireshark allows users to view the entire flow of a particular packet, supporting stream functionality for protocols like TCP, UDP, and HTTP. It is useful for analyzing packet flows when a single packet analysis is not sufficient.
What is the 'export objects' feature in Wireshark, and how does it assist in network analysis?
-The 'export objects' feature in Wireshark enables users to easily export files contained within packets. This assists in network analysis by allowing for further examination of file contents outside the tool.
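To make the filter distinctions in the answers above concrete (ip.addr versus ip.src, tcp.port versus tcp.dstport) and to show what the Conversations and Protocol Hierarchy views compute, here is an added Python example that is not part of the video. It evaluates single-field "==" filters over a constructed set of packet records whose keys mirror Wireshark's field names; the records are constructed, not a real capture.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Constructed packet records standing in for a small capture (not a real pcap).
# Keys follow Wireshark's display-filter field names.
PACKETS = [
    {"no": 1, "eth.src": "aa:aa:aa:00:00:01", "eth.dst": "bb:bb:bb:00:00:02", "ip.src": "10.0.0.5", "ip.dst": "10.0.0.9", "proto": "tcp", "tcp.srcport": 51000, "tcp.dstport": 80, "len": 74},
    {"no": 2, "eth.src": "bb:bb:bb:00:00:02", "eth.dst": "aa:aa:aa:00:00:01", "ip.src": "10.0.0.9", "ip.dst": "10.0.0.5", "proto": "tcp", "tcp.srcport": 80, "tcp.dstport": 51000, "len": 74},
    {"no": 3, "eth.src": "aa:aa:aa:00:00:01", "eth.dst": "bb:bb:bb:00:00:02", "ip.src": "10.0.0.5", "ip.dst": "10.0.0.9", "proto": "tcp", "tcp.srcport": 51000, "tcp.dstport": 80, "len": 1514},
    {"no": 4, "eth.src": "cc:cc:cc:00:00:03", "eth.dst": "dd:dd:dd:00:00:04", "ip.src": "10.0.0.7", "ip.dst": "10.0.0.53", "proto": "udp", "udp.srcport": 40000, "udp.dstport": 53, "len": 60},
    {"no": 5, "eth.src": "dd:dd:dd:00:00:04", "eth.dst": "cc:cc:cc:00:00:03", "ip.src": "10.0.0.53", "ip.dst": "10.0.0.7", "proto": "udp", "udp.srcport": 53, "udp.dstport": 40000, "len": 120},
]

# "Either direction" filters expand to both directional fields; the directional
# ones test a single field. That is why ip.addr matches more packets than ip.src.
FILTER_FIELDS = {
    "ip.addr": ("ip.src", "ip.dst"), "ip.src": ("ip.src",), "ip.dst": ("ip.dst",),
    "eth.addr": ("eth.src", "eth.dst"), "eth.src": ("eth.src",), "eth.dst": ("eth.dst",),
    "tcp.port": ("tcp.srcport", "tcp.dstport"), "tcp.srcport": ("tcp.srcport",), "tcp.dstport": ("tcp.dstport",),
}


def apply_filter(packets: List[dict], expr: str) -> List[int]:
    """Evaluate one 'field == value' filter; packets lacking the field (e.g. UDP for tcp.*) never match."""
    field, value = (s.strip() for s in expr.split("=="))
    fields = FILTER_FIELDS[field]  # KeyError for an unsupported field, like Wireshark's red filter bar
    return [p["no"] for p in packets if any(f in p and str(p[f]) == value for f in fields)]


def conversations(packets: List[dict]) -> Dict[Tuple[str, str], Tuple[int, int]]:
    """IPv4 conversations: (endpoint A, endpoint B) -> (packets, bytes), both directions merged."""
    stats: Dict[Tuple[str, str], List[int]] = {}
    for p in packets:
        a, b = sorted((p["ip.src"], p["ip.dst"]))  # direction-independent key
        entry = stats.setdefault((a, b), [0, 0])
        entry[0] += 1
        entry[1] += p["len"]
    return {k: (v[0], v[1]) for k, v in stats.items()}


def protocol_hierarchy(packets: List[dict]) -> Dict[str, int]:
    """Packet count per transport protocol, a flat version of Wireshark's Protocol Hierarchy."""
    return dict(Counter(p["proto"] for p in packets))
```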
Outlines
🕵️♂️ Understanding Network Sniffing and Wireshark
This paragraph introduces the concept of network sniffing, where data packets are monitored as they pass through a network. It highlights the dual use of sniffing by network administrators for monitoring and troubleshooting, and by attackers to compromise confidentiality by capturing sensitive information. The technical aspect of enabling promiscuous mode on devices to accept all packets is explained, contrasting the ease of sniffing in hub environments with the additional steps required in switched environments, such as attacking the ARP protocol. The paragraph also touches on the use of Wireshark, a renowned packet analysis tool, which is freely available for real-time traffic analysis and offers features like filtering options and protocol analysis to security professionals and network administrators.
📚 Advanced Wireshark Features and Exporting Data
The second paragraph delves into advanced features of Wireshark, emphasizing its capability to export objects found within packets, which is a valuable feature for further analysis or documentation. While the paragraph is brief, it suggests that Wireshark offers comprehensive tools for network analysis, including the ability to extract and utilize data from captured packets, thereby providing a more in-depth examination of network traffic and potential issues.
Keywords
💡Sniffing
💡Wireshark
💡Promiscuous Mode
💡Confidentiality
💡Hub Environment
💡Switch Environment
💡Packet
💡Filtering
💡Protocol Hierarchy
💡Conversations
💡Follow Stream
💡Export Objects
Highlights
Sniffing is monitoring all data packets through a specified network, akin to sneaking a peek at data traffic.
Network administrators use sniffing to monitor and troubleshoot network traffic.
Attackers use sniffing to steal sensitive information, compromising the CIA Triad's confidentiality.
Sniffing begins by enabling promiscuous mode, which alters the default network device behavior.
In promiscuous mode, devices accept all packets regardless of whether they are intended for them.
Hub environments allow easy sniffing because packets are broadcast to everyone; enabling promiscuous mode suffices.
Switch environments require additional actions for sniffing due to point-to-point packet forwarding.
Sniffing in a hub is a passive attack, whereas in a switch environment, active attacks like ARP poisoning are needed.
Promiscuous mode is essential for a device to receive all packets in a hub environment.
After enabling promiscuous mode, running the 'ifconfig' command again shows the PROMISC option added to the interface.
Wireshark is recommended for packet analysis, being a staple for many security professionals and network administrators.
Wireshark is a free tool that allows real-time network traffic analysis and generates additional insights.
Wireshark offers various features including traffic analysis, protocol status analysis, and stream functions.
Filters in Wireshark allow for the analysis of specific data among the packet data.
Basic filtering in Wireshark can be done using IP addresses and MAC addresses with specific syntax.
TCP port filtering in Wireshark helps distinguish between source and destination ports in TCP communication.
Protocol Hierarchy in Wireshark provides a detailed view of data traffic usage per protocol.
Conversations feature in Wireshark shows traffic records between two communicating nodes.
Follow stream in Wireshark is crucial for viewing the entire flow of a specific packet.
Export Objects feature in Wireshark allows for easy extraction of files contained within packets.
Transcripts
Next, let's take a look at the concept of sniffing and Wireshark. Sniffing is the act of monitoring all data packets through a specified network. You can simply think of it as sneaking a peek at data coming and going from the network. Network administrators also attempt to sniff the data to monitor and troubleshoot network traffic. Attackers attempt to sniff out key information such as personal information. It's an attack on the CIA Triad that compromises confidentiality.

Sniffing starts with turning on promiscuous mode. By default, most devices are designed to accept packets coming toward them and not process the packets at a lower layer unless the packets are meant for the said devices. You can use promiscuous mode to change these settings. If you enable this mode, you can accept all packets even if they are not for you.

How sniffing works depends on your network environment. In a hub environment, packets are forwarded to everyone, so simply enabling promiscuous mode enables sniffing on the same network. Recently, however, switch environments have been used in many network configurations, and packets have been forwarded point-to-point, requiring additional action for sniffing. If sniffing in a hub environment is a passive attack, the switch environment should use methods such as attacking the ARP protocol to carry out an active attack.

As I briefly explained earlier, promiscuous mode is a mode that accepts all packets. All interfaces on the network can accept all traffic received regardless of destination; however, because it is an unnecessary source, it is usually configured not to accept it all. To sniff on a network in a hub environment, it must be able to receive all packets even if they are not directed to the device. Therefore you must enable promiscuous mode to accept all packets. When enabled, all packets are received when they reach the device, regardless of the destination.

The following image shows you the activation of the promiscuous mode. The above image shows the information on the network interface using the ifconfig command. If you use the command in the subtitle here, promiscuous mode is enabled on the interface named e0. If you check again with the ifconfig command as shown in the image below, you can see that the promiscuous option has been added.

If you are ready to sniff the packet, you will need a program to view the packets. I recommend you use Wireshark. This is the most famous packet analysis program and network traffic analysis tool. It has become an essential tool for many security professionals and network administrators. It's free, so anyone can use it and analyze traffic in real time. It is convenient for analysts because it generates additional information primarily through various analyses. In addition, there are many other functions within the Wireshark program, including traffic analysis, protocol status analysis and various stream functions. Because of these advantages, it is recognized as a useful tool to solve problems that arise in the network.

To analyze packets using Wireshark, it is important to filter out the data you want to analyze among the various packet data. There are various filtering options in Wireshark, but let's find out how to filter with basic information. If you want to know more about the filter options, please refer to the link below. You can use ip.addr to filter IP addresses. If you want to filter the source or destination of the IP addresses correctly, you can use ip.src or ip.dst. You can also use eth.addr to filter MAC addresses. Similarly, if you want to filter the source or destination of the MAC addresses correctly, you can use eth.src or eth.dst. You can use tcp.port to filter ports in TCP communication criteria, or tcp.srcport or tcp.dstport to distinguish ports by their source or destination.

Next is the protocol hierarchy. This feature provides detailed data traffic usage per protocol. Using this feature, you can see at a glance the protocols where communication occurred, and you can find out which of the protocols were active.

Next is conversations. This feature allows you to see traffic records between two nodes that have communication. This allows you to see the nodes where the communication occurred and to see at a glance how much traffic has occurred between them.

Next is the follow stream. This feature is close to mandatory. You can use it to view the entire flow of a particular packet. It supports stream functionality for many protocols such as TCP, UDP and HTTP. When it's hard to analyze just one packet, it's useful to see the flow.

Next is export objects. This is also a feature: if you have a file in the packet, you can easily export it.