[NBLUG/talk] "Sniffing the Internet"

ME dugan at passwall.com
Tue Jul 29 13:16:01 PDT 2003


Todd Cary said:
> I am not that knowledgeable about the intricacies of Internet protocols
> and security.

> Has the NBLUG discussed the topic of how people are able
> to "sniff" what goes in and out of someone's computer?

> How the "bad
> guys" do their bad deeds?

This has been touched upon briefly in a number of meetings.

On the first question, you can only "sniff" a network segment where you
have an effective presence. The best examples of sniffing (IMHO) can be
demonstrated with two or more computers on a "Hub" or simple repeater. In
such a case, every packet sent to the hub is repeated to every computer on
the network. It is up to the computers (hardware), and their configured OS
to determine if the packet should be passed up through the layers to an
application. Imagine a room filled with a bunch of people talking and you
are in this room. You can hear everyone speaking and can choose to
eavesdrop on any other person in the room who is speaking. Your ears and
brain can separate one voice and conversation from another. Use of extra
technology (parabolic microphone) can further aid you to distinguish one
conversation from another.

A layer 2 "etherswitch" increases the bar a bit to make eavesdropping like
this a little more difficult. A layer 2 switch is different from a hub in
that hosts on ports can have conversations without having their packets
flooded to all other ports all of the time -- their packets primarily flow
only between the two people talking. This is kind of like having a hotel
with guests who all wish to talk to different guests. A hotel operator
decides what paths should be created by connecting one room to converse
with another room. However, if you know something about the operator or
the controls for "connecting" rooms for conversations, you can convince
the operator or the system used by the operator to pass conversations to
you as well. Active work is required to sniff a switch.

At layer 3, you have some switches (I'll ignore) and routers. You can't
sniff beyond a router unless you have a presence in the network beyond
the router to be sniffed. That presence can be willing or unwilling, but a
presence must exist for sniffing to work beyond a router. (Yes, this
includes source routed packets where your proxy may be either end.)

When Cable-modems first came out, they used an effective "hub" or
repeater-based system. (Repeater is a better word since we are talking a
bus-based network using coax here and hub is usually star-topology.) This
permitted early users of CableModems to (when in windows) "browse their
network neighborhood" or (when in MacOS) "browse with the AppleShare
chooser for appletalk zones" or (when in *nix) "browse either of these and
others." You could see other machines sharing your network segment (in
this case "collision domain") and watch their traffic.

After complaints about lack of privacy were made, cable companies shifted
to use a system that was more like a Layer 2 switch to make sniffing more
difficult, and now, I think many are using VPN or other layers to make
sniffing less interesting.

You can only sniff a network when you:
1) Have a presence on that network (Including remote sniffer/relay proxy)
2) That presence can see packets that were not meant for it (by passive or
active means.)

On the second question: "How the "bad guys" do their bad deeds?"

Computer Security is a topic that is probably wider than it is deep, and
it is a very wide topic. If you have an inclination for it, there is going
to be a computer Security Conference in Las Vegas, NV this weekend. They
discuss several of the issues that are part of computer security. (
http://www.defcon.org/ ) and have several tracks depending upon your skill
level.

Simple answer to "How the "bad guys" do their bad deeds?"

They do their "bad deeds" when you or other people make mistakes in what
you choose to trust. Much of computer security has to do with establishing
trusts, and alternate used leveraging your assumptions of trust against
you.

> It would be a topic that would interest me - especially in light of the
> attention these days to security.
>
> Curious.....

It would be better to limit the focus to one or two things in computer
security. We have had talks from Augie on GPG which is meant to aid a kind
of security (privacy and/or authenticity.) We have had talks from Devin
and Frank on Firewalls (limiting access) and another talk from Frank on
steps to improve local host security, and introduction to kernel
modification (Solar Designer's Kernel Security Enhancements patch to a
kernel.)

A single discussion on tcpdump or ethereal and/or wardriving could take
more than one meeting to discuss. What specific topics would be of
interest to you? The next question would be, "can we find someone willing
to speak on that topic?" I have bugged Error about speaking in November on
WarDriving (a special kind of wireless sniffing where people look for open
wireless access points that can be used to gain access to a network and
resources.) However, Error is busy with travel plans, and has not
committed to this. If you know anyone who has free time to discuss this,
have them contact us so we can schedule a presentation. :-)

-ME
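The hub-versus-switch distinction in the reply above (every frame repeated to every port, versus frames flowing only between the two hosts talking) is easy to see in a small simulation. The following is an added example, not code from the original post or from NBLUG: it models a repeater hub and a MAC-learning layer 2 switch, pushes a few constructed frames between three hosts, and reports which frames a passive listener on each port could have observed. Host MAC addresses, port numbers and frame contents are all constructed for the example.

```python
"""Hub vs. learning switch: how much traffic reaches a passive listener.

Added example (not from the original post). A hub repeats every frame to
every other port. A learning switch records which port each source MAC
was seen on and forwards a frame only to the port holding its destination,
flooding only while the destination is still unknown (or for broadcast).
"""
from collections import defaultdict
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed topology: three hosts, one per port.
PORTS = {1: "02:00:00:00:00:0a",   # host A
         2: "02:00:00:00:00:0b",   # host B
         3: "02:00:00:00:00:0c"}   # host C (the listener)

@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    payload: str

# Constructed traffic: A and B talk; C never sends anything.
FRAMES = [
    Frame(PORTS[1], PORTS[2], "hello"),
    Frame(PORTS[2], PORTS[1], "reply"),
    Frame(PORTS[1], PORTS[2], "secret"),
]

class Hub:
    """Repeater: a frame arriving on one port goes out every other port."""
    def __init__(self, ports):
        self.ports = dict(ports)

    def forward(self, in_port, frame):
        return sorted(p for p in self.ports if p != in_port)

class LearningSwitch:
    """Layer 2 switch with a MAC-to-port table (the 'CAM' table)."""
    def __init__(self, ports):
        self.ports = dict(ports)
        self.cam = {}  # source MAC -> port it was last seen on

    def forward(self, in_port, frame):
        self.cam[frame.src] = in_port            # learn on every frame
        if frame.dst != BROADCAST and frame.dst in self.cam:
            out = self.cam[frame.dst]
            return [] if out == in_port else [out]   # unicast to one port
        return sorted(p for p in self.ports if p != in_port)  # flood

def exposure(device, ports=PORTS, frames=FRAMES):
    """Return {host MAC: [payloads a listener on that host's port could see]}."""
    mac_to_port = {mac: port for port, mac in ports.items()}
    seen = defaultdict(list)
    for frame in frames:
        for out_port in device.forward(mac_to_port[frame.src], frame):
            seen[ports[out_port]].append(frame.payload)
    return dict(seen)

def hub_exposure():
    return exposure(Hub(PORTS))

def switch_exposure():
    return exposure(LearningSwitch(PORTS))

if __name__ == "__main__":
    for name, result in (("hub", hub_exposure()), ("switch", switch_exposure())):
        print(name)
        for port, mac in PORTS.items():
            print(f"  port {port} ({mac}): {result.get(mac, [])}")
```

On the hub, host C's port receives all three payloads although none were addressed to it. On the switch, C sees only the first frame, which was flooded because B's MAC had not yet been learned; once the table is populated the A/B conversation no longer reaches C's port at all, which is the "raised bar" the post describes.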
