
Difference between Spoofing and Packet Sniffing

Using somebody else's IP address to create TCP/IP packets is called spoofing. Packet sniffing is an example of spoofing in which a sniffing program is on a segment between two communicating end points.
The intruder can therefore pretend to be one end of the connection to the victim and eavesdrop on data passed between the two end points.
Please use your own words to describe the sequence of library calls that are essential when using sniffer programs.
This is meant to be a summary, not a detailed explanation like the one in the tutorial.
  1. Setting up the device: Start by setting up the device and deciding from which interface, for example X11 or eth0, to start capturing. The interface can be defined using a string in the sniffer's code, or the sniffer can decide the interface itself by picking an active interface automatically.
  2. Initialize sniffing: After setting up a device for sniffing, the sniffer initializes PCAP and tells it to sniff on a particular device, creating an environment for sniffing called a session. Sniffing on multiple devices or interfaces, or even multiple sniffing sessions on a single device, is possible; these are managed as sniffing sessions, one for each device.
  3. Traffic filtering: For every sniffing session you create you have to define the rule that decides which packets are to be sniffed and analyzed. For example, if you want to sniff HTTP traffic on a specific interface of your computer, you will sniff TCP port 80 traffic on that interface (since HTTP traffic uses port 80): you write your requirement in a filter string and then compile it to apply the rule. This is called filtering. It is possible to use a blank filter, but in that case the sniffer will capture all packets and analyze all fields.
  4. Execution / actual sniffing: Finally comes the execution part, where the sniffer is run. There are two main techniques to capture a packet: in the first, a packet is sniffed and then analyzed immediately; in the second, we enter a loop that waits for n packets to be sniffed before moving on to the analysis. Here the sniffer used the second technique, in which PCAP waited to receive any number of packets and, upon receiving them, applied the rules defined in the previous step. It also stores the results as asked by the user, either displaying the packets immediately or saving them to a file for future record.
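The four steps above, as an added example that is not part of the original page: a Python sniffer skeleton with no libpcap dependency that runs the same device/session/filter/loop sequence over a constructed in-memory pcap capture instead of a live interface, since live capture needs root and a real device. The pcap layout, the hand-written equivalent of the `tcp port 80` filter, and the sample frames (one HTTP, one HTTPS, one IPv6) are assumptions written for this example.

```python
import struct
from typing import Callable, Iterator

PCAP_MAGIC_LE = b"\xd4\xc3\xb2\xa1"     # little-endian pcap file magic
LINKTYPE_ETHERNET = 1
def build_packet(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes = b"") -> bytes:
    """Constructed Ethernet/IPv4/TCP frame; checksums are left zero (fine for a sample)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split(".")))) + tcp
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip   # dst MAC, src MAC, IPv4 ethertype
def build_pcap(frames: list) -> bytes:
    """Constructed pcap file: 24-byte global header, then a 16-byte record header per frame."""
    out = PCAP_MAGIC_LE + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out
def open_session(capture: bytes) -> Iterator[bytes]:
    """Steps 1-2: the 'device' is an in-memory capture; the session yields its raw frames."""
    if capture[:4] != PCAP_MAGIC_LE:
        raise ValueError("unsupported pcap magic")
    off = 24
    while off + 16 <= len(capture):
        incl_len = struct.unpack_from("<I", capture, off + 8)[0]   # captured length field
        yield capture[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
def compile_filter(proto: int, port: int) -> Callable[[bytes], bool]:
    """Step 3: hand-written equivalent of compiling the BPF string 'tcp port 80'."""
    def matches(frame: bytes) -> bool:
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            return False                             # not IPv4
        ihl = (frame[14] & 0x0F) * 4                 # IP header length in bytes
        if frame[23] != proto or len(frame) < 14 + ihl + 4:
            return False                             # wrong protocol or truncated header
        sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
        return port in (sport, dport)
    return matches
def run_sniffer(capture: bytes, bpf: Callable[[bytes], bool], handler: Callable[[bytes], None]) -> int:
    """Step 4: loop over the session (like pcap_loop) and hand matching frames to the callback."""
    matched = 0
    for frame in open_session(capture):
        if bpf(frame):
            handler(frame)
            matched += 1
    return matched

# Constructed sample capture: an HTTP flow, an HTTPS flow and one non-IPv4 (IPv6) frame.
SAMPLE = build_pcap([build_packet("10.0.0.5", "192.0.2.10", 51000, 80, b"GET / HTTP/1.1\r\n"),
                     build_packet("10.0.0.5", "192.0.2.10", 51001, 443),
                     b"\xaa" * 12 + b"\x86\xdd" + b"\x00" * 40])
```

Calling `run_sniffer(SAMPLE, compile_filter(6, 80), print)` prints only the HTTP frame; swapping the filter for `compile_filter(6, 443)` selects the HTTPS one, and an always-true filter reproduces the blank-filter case from step 3.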

Network Security Monitoring

Packet sniffing

A Windows workstation is vulnerable to having its network traffic intercepted and read by another workstation on the same LAN segment. At one time, this threat was restricted to when the two workstations were on the same hub. Now, tools such as ettercap are available to attackers that will allow them to read the traffic in a switched environment. In a hub environment, the traffic can be read passively without the Windows user being affected. In the switched environment, the tools set up a man-in-the-middle attack, in which the traffic is intercepted, copied, and then sent on to the intended destination. Using packet sniffing, an attacker can read all the user's Internet traffic, including e-mail, instant messages, and Web traffic. With regard to Web traffic, the attacker sees every screen just as the user does.
The best Windows protection against packet sniffing is to use encryption whenever possible. The attacker can still intercept the traffic, but it will be encrypted and of no use.
IP spoofing is used by an intruder to convince a system that it is communicating with a known, trusted entity to provide the intruder with access to the system. IP spoofing involves an alteration of a packet at the TCP level, which is used to attack Internet-connected systems that provide various TCP/IP services. In this exploit, the attacker sends a packet with an IP source address of a known, trusted host instead of its own IP source address to a target host. The target host may accept the packet and act upon it.