Kismet display of wireless network monitoring.

Network Monitoring and Packet Sniffing Tools

How to Monitor Traffic on the Network

Gregory Evans simply copied and pasted this entire page of mine to make up a large section of Chapter Two of his book How To Become The World's Number 1 Hacker. He included a couple of misspellings or wording errors that I hadn't happened to notice (now fixed here), and, most clumsily, the sentence "Also see the COMSEC section of another page of mine for details on how GSM encryption can be broken."

Evans' book contains a lot of plagarized text in addition to untrue claims about the background and experience of its "author". See the detailed analysis of his plagarism here and here, and an investigation of his background here. Meanwhile, you can enjoy my original version with its corrections and updates for free!

This page has been clumsily copied and pasted into this book.

Network monitoring or packet sniffing tools are like many other infosec tools. They can be used for good or evil, it all depends on the intent of the user!

I cannot imagine how you could claim to do LAN troubleshooting without capturing packets at times. At the same time, protocols that move sensitive data as cleartext are commonly used (POP and IMAP with the user's account name and password, and FTP and even TELNET are still used a surprising amount), and the bad guy could easily capture user authentication information (login and password) or other sensitive data (complete contents of shared files, copies of every print job submitted, and so on).

So, you have to use these to maintain your networks, and you need to realize that the bad guys could use these against you.

There are various categories of network monitoring tools:

Packetstorm has a wonderful archive of network monitoring tools.

LAN Monitoring Tools

UNIX / Linux / BSD / Mac OS X LAN Monitoring Tools

DOS/Windows LAN Monitoring Tools

Wireless LAN/WAN Monitoring and Attacks on WEP and WPA

Wikipedia has a very useful introduction to wireless networking and the security issues.

Kismet sniffing packets and detecting wireless activity.  Running in a BSD xterm window.

Kismet running in an OpenBSD xterm window, sniffing packets and observing wireless network activity at the Greyhouse coffeeshop in West Lafayette, Indiana. And yes, they really want you to use their WLAN, so you'll hang out there and buy more coffee.

Note that wireless monitoring tools can be extremely dependent on chipset. Make sure that your planned software and WLAN card will get along!

The Trifinite Group has information on wireless security, including RFIDiot and other RFID security tools and information at trifinite.org.

Also see the COMSEC section of another page of mine for details on how GSM encryption can be broken. Really. It can. GSM salesmen don't want you to know this, but it's true.

D-Link TM-G5240 WLAN wireless router, Cisco EZXS88W switch, MFJ-1278 multi-mode data controller.

D-Link TM-G5240 802.11g wireless router, Cisco EZXS88W 8-port Ethernet switch, and MFJ-1278 multi-mode data controller.

Free wireless sniffers for Linux and BSD

Kismet is great for WLAN surveillance. It displays all wireless access points (WAPs) and WLAN nodes it detects, showing channel, use of encryption, signel strength and more. Get it from freecode.com and kismetwireless.net.
AirSnort captures wireless LAN packets and then recovers the encryption keys. Get it from freecode.com and airsnort.shmoo.com.
BSD-Airtools is a BSD-specific 802.11 auditing toolkit.
Aircrack-ng Aircrack (old) WaveStumbler Wellenreiter

Free wireless sniffers for Android

Fing — Network Tools Shark for Root — tshark for Android Shark Reader WiEye — WiFi Scanner WiFi Tracker Wigle WiFi Wardriving Network Signal Info Meraki WiFi Stumbler SDR Touch — 50-2200 MHz receiver

Free wireless sniffers for Mac OS X

KisMAC looks to be the most powerful utility, with all the features of the other MacOS ones and even more.
MacStumbler iStumbler

Free wireless sniffers for Windows

Net Stumbler Aircrack-ng Aircrack (old)

Commercial tools — divided into categories:

WLAN attack tools:

Antennas, access point modification, building your own WLAN hardware, etc.

WPA2 / 802.11i

Here's my page on setting up WPA2 / 802.11i wireless security.

Beware a false sense of security based on switches

Tapping Optical Fiber

Optical fiber can be tapped without splicing. You can read the data by removing some of the sheath and gently bending the fiber in a bend coupler. You can supposedly buy them for a few hundred US$, search for optical+fiber+tap at eBay.

There are claims that optical taps have been found on police networks in the Netherlands and Germany, and the FBI investigated one discovered on Verizon's network in the US.

For more see:

Eavesdropping Via Light, Audio, and Other Unusual Means

Interactive keyboard use can be "eavesdropped" by means you might not expect.

Consider the relative difficulty or ease of touch-typing different character sequences on a standard QWERTY keyboard: F-J would be very fast (home key on left hand then home key on right hand, easy and fast) while 2-X would be very slow (extreme reaches for the same finger, awkward and slow).

So, a good typist may have a high aggregate rate of characters per minute, but the inter-character spacings are going to vary. A given two-character or longer sequence is not always going to be exactly the same, but over time the distribution is going to be fairly distinctive.

Measure the inter-character times and you have the data needed for bigram analysis. You won't recover 100% of the cleartext, but with adequate data and quality typing of large blocks of text, you will recover some.

So how can you measure the inter-character times?

Vladimir Putin in mirrored sunglasses.

Never send a human to do a machine's job. But watch those reflections, Vladimir Vladimir'ich.

Like so much of information theory, this isn't entirely new. A Morse code operator might be recognized by a distinctive "fist" or slight imperfection in their keying cadence.

There there are more "movie-style" threats. Jan-Michael Frahm of the University of North Carolina at Chapel Hill is the head of the 3D Computer Vision Group there. His group has developed their iSpy system, which can identify text typed on touchscreens from video footage of the screen itself or of its reflection in windows or even in sunglasses. Their paper is available here. Their system was described in New Scientist, 29 October 2011, pp 22-23.

They say that they can use video from an ordinary mobile phone up to 3 meters away, but a digital SLR camera shooting HD video could read screens up to 60 meters away. Their approach takes advantage of the fact that the targeted platforms magnify the virtual keys. It isn't perfect, but they get over 90% copy of what is typed on these ever more prevalent interfaces.

Other Side-Channel Attacks

The paper RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis explains how the authors extracted full 4096-bit RSA decryption keys from laptop computers running the GnuPG implementation of RSA by listening to the high-pitched sounds generated by vibration of components within the processor. An ordinary smart phone could be used to collect the audio. Similar attacks can use the electrical potential of the computer chassis, possibly using the ground wires at the remote end of VGA, USB or Ethernet cables. Non-technical overviews are available here and here.

The significant attacks on virtualization security use side-channel attacks. See this page for the details.

Detecting Packet Sniffing Attacks

For suggestions on spotting sniffer attacks, see the discussion in an older CERT advisory. One method would be to send out an Ethernet frame to MAC destination address that is not in use on your network. Inside of that is an IP datagram to which a typical host would reply. The NIC would normally have filtered out (that is, ignored or dropped) that frame because it was sent to some other unicast MAC address. But since its chipset is in promiscuous mode, the filtering is turned off and the IP datagram is passed to the operating system. The operating system then replies, and now you know that host has its interface in promiscuous mode. The sniffer detection relies on tricking the host with a promiscuous interface into reporting itself.

To detect network interfaces in promiscuous mode: