Network Sniffer Limitations

2008-12-30 Initial Post

Data travelling in clear text is vulnerable to network sniffers, but technologies such as network switches and VLANs make it difficult to actually sniff all packets. Switches and VLANs confine broadcast traffic to their own segment, so a sniffer only sees what reaches its own port. That means the sniffer must be on a segment that is able to receive traffic sent to all segments. In practice this is not easy to do, especially in large networks.

To sniff all Internet traffic to/from a particular organization, the sniffer must be on the same segment as the organization's Internet router. This way it could sniff all packets sent to the MAC address of the router. But in practice this can be difficult, since the Internet router would most likely be in a locked area with physical security.

These limitations also make man-in-the-middle attacks more difficult. Unless all nodes are on one hub, sniffing and MITM attacks are difficult to set up.

##### From http://www.wireshark.org/faq.html#q7.1 on 2008-12-30:

On a switched network, unicast traffic between two ports will not necessarily appear on other ports - only broadcast and multicast traffic will be sent to all ports.

Some switches have the ability to replicate all traffic on all ports to a single port so that you can plug your analyzer into that single port to sniff all traffic. [This is called port mirroring or port monitoring.]

Note also that many firewall/NAT boxes have a switch built into them; this includes many of the "cable/DSL router" boxes. If you have a box of that sort, that has a switch with some number of Ethernet ports into which you plug machines on your network, and another Ethernet port used to connect to a cable or DSL modem, you can, at least, sniff traffic between the machines on your network and the Internet by plugging the Ethernet port on the router going to the modem, the Ethernet port on the modem, and the machine on which you're running Wireshark into a hub (make sure it's not a switching hub, and that, if it's a dual-speed hub, all three of those ports are running at the same speed). #####
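As an added example, not from the original post or the Wireshark FAQ quoted above, here is a small Python check for the point both make: on a switched port a host sees only broadcast, multicast and its own unicast, so counting unicast frames addressed to other hosts tells you whether your capture point is a mirror port, hub or tap, or just an ordinary switched port. The frame builder, the sample frames and the sniffer's MAC address are constructed for the demo.

```python
# Added example: classify captured Ethernet frames by destination MAC to judge
# what a sniffer on a switched network can actually see. The frames and the
# sniffer's own MAC below are constructed sample data, not a real capture.
import struct
from collections import Counter

BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def frame(dst: str, src: str, ethertype: int = 0x0800, payload: bytes = b"") -> bytes:
    """Build a minimal Ethernet II frame (constructed test data)."""
    to_bytes = lambda m: bytes(int(x, 16) for x in m.split(":"))
    return to_bytes(dst) + to_bytes(src) + struct.pack("!H", ethertype) + payload

def classify(raw: bytes, my_mac: str) -> str:
    """Bucket a frame by who it was addressed to, as a switch would forward it."""
    if len(raw) < 14:
        return "runt"
    dst = mac_str(raw[0:6])
    if dst == BROADCAST:
        return "broadcast"
    if int(dst[:2], 16) & 0x01:        # group bit set => multicast
        return "multicast"
    if dst == my_mac:
        return "unicast-to-me"
    return "unicast-to-others"

def visibility(frames, my_mac: str):
    """Return (counts, verdict): does this capture point see other hosts' unicast?"""
    counts = Counter(classify(f, my_mac) for f in frames)
    # On a plain switched port a host sees only broadcast, multicast and its own
    # unicast. Unicast addressed to other hosts means a mirror port, hub or tap.
    if counts["unicast-to-others"] > 0:
        verdict = "sees other hosts' unicast: mirrored port, hub, or tap"
    else:
        verdict = "only own unicast + broadcast/multicast: ordinary switched port"
    return counts, verdict

if __name__ == "__main__":
    me = "00:11:22:33:44:55"                               # constructed sniffer MAC
    sample = [
        frame(BROADCAST, "00:aa:bb:cc:dd:01", 0x0806),      # ARP request
        frame("01:00:5e:00:00:fb", "00:aa:bb:cc:dd:02"),   # mDNS multicast
        frame(me, "00:aa:bb:cc:dd:03"),                    # addressed to us
        frame("00:aa:bb:cc:dd:04", "00:aa:bb:cc:dd:05"),   # two other hosts
    ]
    counts, verdict = visibility(sample, me)
    print(dict(counts), verdict)
```

To run it against a real capture, feed `visibility()` the raw frame bytes from a pcap reader and your interface's MAC instead of the constructed list.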
