Understand Evidence Gathering via Sniffing

In this article we look at how evidence is gathered via sniffing. A computer connected to a LAN has two addresses. One is the MAC address, which uniquely identifies each node within the network and is stored on the network card itself. The Ethernet protocol uses the MAC address when building "frames" to exchange information among the systems. The other is the IP address, which is used by the applications. The data-link layer uses an Ethernet header with the MAC address of the destination machine rather than the IP address. The network layer is responsible for mapping IP network addresses to the MAC address, as needed by the data-link protocol. It first looks for the MAC address of the destination machine in a table, usually called the ARP cache. When no entry for the IP address can be found, an ARP broadcast request packet goes out to all machines on the local sub-network. The machine that has that particular address responds to the source machine with its MAC address, and that MAC address is added to the source machine's ARP cache. The source machine then uses this MAC address in all its communications with the destination machine.

There are two basic types of Ethernet environments, and sniffers work slightly differently in each of them. The two types of Ethernet environments are shared Ethernet and switched Ethernet.

Sniffing Tool: Wireshark (Cont’d)

Wireshark is a GUI network protocol analyzer. It lets the user interactively browse packet data from a live network or from a previously saved capture file. Wireshark's native capture file format is the libpcap format, which is also the format used by tcpdump and various other tools. In addition, Wireshark can read capture files from snoop and atmsnoop, Shomiti/Finisar Surveyor, Novell LANalyzer, Network General/Network Associates DOS-based Sniffer (compressed or uncompressed), Microsoft Network Monitor, and so on.

Wireshark does not require the user to identify the type of file being read; it determines the file type by itself. Wireshark is also capable of reading any of these file formats when the file has been compressed with gzip. Wireshark recognizes this directly from the file contents; the .gz extension is not required. Like other protocol analyzers, Wireshark's main window shows three views of a packet. It shows a summary line, briefly describing what the packet is. It shows a protocol tree, allowing the user to drill down to the exact protocol or field that he or she is interested in. Finally, a hex dump shows the user exactly what the packet looks like when it goes over the wire.

In addition, Wireshark has other features. It can assemble all the packets in a TCP conversation and show the user the ASCII (or EBCDIC, or hex) data in that conversation. Display filters in Wireshark are very powerful. Packet capturing itself is performed by the pcap library, and the capture filter syntax follows the rules of the pcap library. This syntax is different from the display filter syntax.

Compressed file support uses the zlib library. If the zlib library is not present, Wireshark will compile, but it will be unable to read compressed files. The -r option can be used to specify the path name of a capture file to read, or the path name can be given as a plain command-line argument.

Features include the following:

  • Allows browsing of captured network data
  • Reads files compressed with gzip and decompresses them on the fly
  • Coloring rules can be applied to the packet list for quick, intuitive analysis
  • Enables exporting output to XML, PostScript, CSV or plaintext
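As an added example (not code from this page or from the Wireshark project), the following Python writes a classic libpcap file of the kind tcpdump -w produces and reads it back, detecting gzip compression from the leading bytes rather than from a .gz extension, as described above. The two Ethernet frames and the file names are constructed.

```python
import gzip
import os
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4        # libpcap magic number, microsecond timestamps
GZIP_MAGIC = b"\x1f\x8b"       # first two bytes of any gzip stream
DLT_EN10MB = 1                 # link type 1 = Ethernet


def write_pcap(path, packets, linktype=DLT_EN10MB):
    """Write (timestamp_seconds, frame_bytes) pairs as a little-endian libpcap file."""
    with open(path, "wb") as f:
        # global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype))
        for ts, data in packets:
            sec = int(ts)
            usec = int(round((ts - sec) * 1_000_000))
            # per-packet record header: ts_sec, ts_usec, captured length, original length
            f.write(struct.pack("<IIII", sec, usec, len(data), len(data)))
            f.write(data)


def read_pcap(path):
    """Read a libpcap file, transparently decompressing gzip input.
    Like Wireshark, the format is detected from the bytes, not the file name.
    Returns (linktype, [(timestamp_seconds, frame_bytes), ...])."""
    with open(path, "rb") as f:
        raw = f.read()
    if raw[:2] == GZIP_MAGIC:
        raw = gzip.decompress(raw)
    # The writer's byte order is inferred from how the magic number reads.
    if raw[:4] == struct.pack("<I", PCAP_MAGIC):
        endian = "<"
    elif raw[:4] == struct.pack(">I", PCAP_MAGIC):
        endian = ">"
    else:
        raise ValueError("not a libpcap capture file")
    _, _, _, _, _, _, linktype = struct.unpack(endian + "IHHiIII", raw[:24])
    packets, off = [], 24
    while off + 16 <= len(raw):
        sec, usec, caplen, _ = struct.unpack(endian + "IIII", raw[off:off + 16])
        off += 16
        data = raw[off:off + caplen]
        if len(data) < caplen:
            raise ValueError("truncated packet record")
        off += caplen
        packets.append((sec + usec / 1_000_000, data))
    return linktype, packets


def demo():
    """Constructed sample: an ARP request frame and an IPv4 frame written plain
    and gzip-compressed (without a .gz suffix), then read back both ways."""
    frames = [
        (1.0, bytes.fromhex("ffffffffffff0011223344550806") + b"\x00" * 28),
        (1.5, bytes.fromhex("0011223344556677889900aa0800") + b"\x45" + b"\x00" * 19),
    ]
    with tempfile.TemporaryDirectory() as d:
        plain = os.path.join(d, "sample.pcap")
        write_pcap(plain, frames)
        packed = os.path.join(d, "sample.bin")     # deliberately no .gz extension
        with open(plain, "rb") as src, open(packed, "wb") as dst:
            dst.write(gzip.compress(src.read()))
        return read_pcap(plain), read_pcap(packed)


if __name__ == "__main__":
    (linktype, packets), _ = demo()
    print("linktype", linktype, "frames", len(packets))
```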

Follow TCP Stream in Wireshark

While working with TCP-based protocols, it can be helpful to see the data from a TCP stream the way the application layer sees it, for example if the investigator is looking for passwords in a Telnet stream or trying to make sense of a data stream. Perhaps a display filter is needed to show only the packets of that TCP stream. If so, Wireshark's ability to follow a TCP stream will be useful.

The user simply selects a TCP packet in the packet list of the stream/connection of interest and then selects the Follow TCP Stream menu item from the Wireshark Tools menu. Wireshark will set an appropriate display filter and pop up a dialog box with all the data from the TCP stream laid out in order, as shown in the figure below.

The stream content is displayed in the same sequence as it appeared on the network. Traffic from A to B is marked in red, while traffic from B to A is marked in blue. The colors can be changed on the "Colors" page of the "Preferences" dialog.

Non-printable characters are replaced by dots.

The stream content is not updated during a live capture. To get the latest content, the user must reopen the dialog.


You can choose from the following actions:

  1. Save As: Save the stream data in the currently selected format.
  2. Print: Print the stream data in the currently selected format.
  3. Direction: Choose the stream direction to be displayed ("Entire conversation", "data from A to B only" or "data from B to A only").
  4. Filter out this stream: Apply a display filter removing the current TCP stream data from the display.
  5. Close: Close this panel, leaving the current display filter in effect.

You can choose to view the data in one of the following formats:

  • ASCII: In this view you see the data from each direction in ASCII. Obviously best for ASCII-based protocols, e.g. HTTP.
  • EBCDIC: For the big-iron freaks out there.
  • Hex Dump: This allows you to see all the data. It requires a lot of screen space and is best used with binary protocols.
  • C Arrays: This allows you to import the stream data into your own C program.
  • Raw: This allows you to load the unaltered stream data into a different program for further examination. The display looks the same as the ASCII setting, but "Save As" will result in a binary file.
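To show what Follow TCP Stream does underneath, here is an added Python example (not Wireshark's code) that reassembles both directions of a constructed HTTP exchange from out-of-order and retransmitted segments, marks gaps instead of silently closing them, renders non-printable bytes as dots, and lets the caller pick a direction. Endpoints, sequence numbers and payloads are made up.

```python
def reassemble(segments):
    """Stitch TCP payloads back into one byte stream per direction.
    segments: iterable of (src, dst, seq, payload) in capture order.
    Segments are ordered by sequence number, retransmitted duplicates are
    dropped, partial overlaps keep only the new bytes, and a hole in the
    sequence space is marked rather than hidden."""
    by_direction = {}
    for src, dst, seq, payload in segments:
        by_direction.setdefault((src, dst), []).append((seq, payload))
    streams = {}
    for direction, segs in by_direction.items():
        segs.sort(key=lambda s: s[0])
        buf, expected = bytearray(), segs[0][0]
        for seq, payload in segs:
            if seq + len(payload) <= expected:
                continue                          # full duplicate (retransmission)
            if seq < expected:                    # partial overlap with data we have
                payload, seq = payload[expected - seq:], expected
            if seq > expected:                    # bytes never captured
                buf += b"[%d bytes missing]" % (seq - expected)
            buf += payload
            expected = seq + len(payload)
        streams[direction] = bytes(buf)
    return streams


def render_ascii(data):
    """ASCII view: printable bytes and CR/LF pass through, everything else is a dot."""
    return "".join(chr(b) if 0x20 <= b < 0x7F or b in (0x0A, 0x0D) else "." for b in data)


def follow_stream(segments, a, b, direction="both"):
    """direction is 'both', 'a->b' or 'b->a'. Returns [(label, rendered_text), ...]."""
    streams = reassemble(segments)
    views = []
    if direction in ("both", "a->b"):
        views.append(("A->B", render_ascii(streams.get((a, b), b""))))
    if direction in ("both", "b->a"):
        views.append(("B->A", render_ascii(streams.get((b, a), b""))))
    return views


# Constructed sample: an HTTP request whose segments arrived out of order,
# one retransmission, and a response that ends in a binary body.
CLIENT, SERVER = "10.0.0.4:51000", "10.0.1.50:80"
SAMPLE_SEGMENTS = [
    (CLIENT, SERVER, 1021, b"Host: example.test\r\n\r\n"),      # arrived before the request line
    (CLIENT, SERVER, 1000, b"GET /login HTTP/1.1\r\n"),
    (SERVER, CLIENT, 5000, b"HTTP/1.1 200 OK\r\n"),
    (CLIENT, SERVER, 1000, b"GET /login HTTP/1.1\r\n"),         # retransmission
    (SERVER, CLIENT, 5017, b"Content-Type: application/octet-stream\r\n\r\n"),
    (SERVER, CLIENT, 5059, b"\x00\x01\x02binary\xff"),
]

if __name__ == "__main__":
    for label, text in follow_stream(SAMPLE_SEGMENTS, CLIENT, SERVER):
        print(label, repr(text))
```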

Display Filters in Wireshark

Wireshark has a huge array of display filters. They allow drilling down to the exact traffic needed and are the basis of many Wireshark features.

Display filtering by protocol:

Type the protocol name in the Filter box, for example: arp, http, tcp, udp, dns

Monitoring specific ports (optionally on a specific machine):

tcp.port == 23
ip.addr == 192.168.1.100
ip.addr == 192.168.1.100 && tcp.port == 23

Filtering by multiple IP addresses:

ip.addr == 10.0.0.4 or ip.addr == 10.0.0.5

Filtering by IP address:

ip.addr == 10.0.0.4

Other filters:

ip.dst == 10.0.1.50 && frame.pkt_len > 400
ip.addr == 10.0.1.12 && icmp && frame.number > 15 && frame.number < 30
ip.src == 205.153.63.30 or ip.dst == 205.153.63.30
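The following added Python example (not Wireshark's filter engine) evaluates display filters of the kind shown above over a constructed packet list. It reproduces the point that trips up many investigators: ip.addr and tcp.port carry both endpoints, so a comparison on them matches when either value fits. It accepts bare protocol names, comparisons, both spellings of and/or/not, and parentheses; the packet records and addresses are constructed.

```python
import re


def fields_of(pkt):
    """Map a constructed packet record to Wireshark-style field names.
    ip.addr and tcp.port hold BOTH endpoints; a comparison on such a field
    is true when any of its values satisfies it."""
    f = {"frame.number": [pkt["number"]], "frame.pkt_len": [pkt["len"]]}
    if "ip" in pkt["protocols"]:
        f["ip.src"], f["ip.dst"] = [pkt["src"]], [pkt["dst"]]
        f["ip.addr"] = [pkt["src"], pkt["dst"]]
    if "tcp" in pkt["protocols"]:
        f["tcp.srcport"], f["tcp.dstport"] = [pkt["sport"]], [pkt["dport"]]
        f["tcp.port"] = [pkt["sport"], pkt["dport"]]
    return f


TOKEN = re.compile(r"\s*(\(|\)|&&|\|\||==|>=|<=|>|<|!|[A-Za-z_][\w.]*|\d[\w.]*)")
OPS = {"==": lambda a, b: a == b, ">": lambda a, b: a > b, "<": lambda a, b: a < b,
       ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b}


def tokenize(expr):
    expr, pos, toks = expr.strip(), 0, []
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError("cannot parse filter near: " + expr[pos:])
        pos = m.end()
        toks.append(m.group(1))
    return toks


def matches(expr, pkt):
    """Recursive-descent evaluation: not binds tightest, then and, then or."""
    toks, fields, i = tokenize(expr), fields_of(pkt), 0

    def peek():
        return toks[i] if i < len(toks) else None

    def take():
        nonlocal i
        if i >= len(toks):
            raise ValueError("unexpected end of filter")
        i += 1
        return toks[i - 1]

    def parse_or():
        v = parse_and()
        while peek() in ("or", "||"):
            take()
            w = parse_and()
            v = v or w
        return v

    def parse_and():
        v = parse_not()
        while peek() in ("and", "&&"):
            take()
            w = parse_not()
            v = v and w
        return v

    def parse_not():
        if peek() in ("not", "!"):
            take()
            return not parse_not()
        if peek() == "(":
            take()
            v = parse_or()
            if take() != ")":
                raise ValueError("missing ')'")
            return v
        name = take()
        if peek() in OPS:                       # field comparison: field op value
            op, value = take(), take()
            if name not in fields:              # field absent from this packet
                return False
            value = int(value) if value.isdigit() else value
            return any(OPS[op](x, value) for x in fields[name])
        return name in pkt["protocols"]         # bare protocol name, e.g. "arp"

    result = parse_or()
    if i != len(toks):
        raise ValueError("unexpected token: " + toks[i])
    return result


# Constructed sample capture (not real traffic).
SAMPLE_PACKETS = [
    {"number": 1, "len": 74, "protocols": {"eth", "ip", "tcp"}, "src": "10.0.0.4", "dst": "10.0.1.50", "sport": 51000, "dport": 23},
    {"number": 16, "len": 98, "protocols": {"eth", "ip", "icmp"}, "src": "10.0.1.12", "dst": "10.0.0.4"},
    {"number": 20, "len": 1514, "protocols": {"eth", "ip", "tcp"}, "src": "205.153.63.30", "dst": "10.0.0.9", "sport": 80, "dport": 40000},
    {"number": 21, "len": 42, "protocols": {"eth", "arp"}},
    {"number": 22, "len": 1514, "protocols": {"eth", "ip", "tcp"}, "src": "10.0.0.5", "dst": "10.0.1.50", "sport": 40001, "dport": 443},
]


def select(expr, packets=SAMPLE_PACKETS):
    """Frame numbers the display filter keeps, in capture order."""
    return [p["number"] for p in packets if matches(expr, p)]
```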

Sniffing Tool: Steel Central Packet Analyzer

SteelCentral Packet Analyzer is a packet analysis and reporting solution with an intuitive graphical interface. The tool can be used with locally-presented trace files, with remote SteelCentral NetShark devices, or with SteelHead/SteelFusion appliances running NetShark. SteelCentral Packet Analyzer identifies and troubleshoots network and application performance issues down to the bit level through its full integration with Wireshark.

Features:

  • High-speed packet analysis to rapidly detect problems
  • Analyze multi-terabyte files quickly
  • Professional reporting that everybody can understand
  • No charge for multi-segment analysis
  • Seamless integration with Wireshark

Sniffing Tool: TCPdump/Windump

1. Tcpdump

Tcpdump prints out a description of the contents of packets on a network interface that match the Boolean expression. It can run with the -w flag, which causes it to save the packet data to a file for later analysis, and/or with the -r flag, which causes it to read from a saved packet file rather than reading packets from a network interface. In all cases, tcpdump processes only packets that match the expression.

Tcpdump will, if not run with the -c flag, continue capturing packets until it is interrupted by a SIGINT signal (generated, for example, by typing your interrupt character, typically Control-C) or a SIGTERM signal (typically generated with the kill(1) command); if run with the -c flag, it will capture packets until it is interrupted by a SIGINT or SIGTERM signal or until the specified number of packets has been processed.

When tcpdump finishes capturing packets, it reports counts of:

  • Packets "captured": the number of packets that tcpdump has received and processed.
  • Packets "received by filter": the meaning of this depends on the OS running tcpdump, and possibly on the way the OS was configured. If a filter was specified on the command line:
    On some OSes, it counts packets regardless of whether the filter expression matched them and, even if they were matched by the filter expression, regardless of whether tcpdump has read and processed them yet.
    On some OSes, it counts only packets matched by the filter expression, regardless of whether tcpdump has read and processed them yet.
    On some OSes, it counts only packets matched by the filter expression and already processed by tcpdump.
  • Packets "dropped by kernel": the number of packets that were dropped, because of a lack of buffer space, by the packet capture mechanism in the OS running tcpdump, if the OS reports that information to applications; if the information is not reported, it is reported as 0.
  • On platforms that support the SIGINFO signal, such as most BSDs (including Mac OS X) and Digital/Tru64 UNIX, tcpdump reports those counts when it receives a SIGINFO signal (generated, for example, by typing the "status" character, typically Control-T, although on some platforms, such as Mac OS X, the "status" character is not set by default, so the user must set it with stty(1) in order to use it) and then continues capturing packets.

2. WinDump

WinDump is the Windows version of tcpdump, the command-line network analyzer for UNIX. WinDump is fully compatible with tcpdump and is used to watch, diagnose, and save to disk network traffic according to various complex rules. It can run under Windows 95, 98, ME, NT, 2000, XP, 2003, and Vista.

Packet Sniffing Tool: Capsa Network Analyzer

Capsa is a portable network analyzer for both LAN and WLAN that performs packet capturing, network monitoring, advanced protocol analysis, in-depth packet decoding, and automatic expert diagnosis. It provides visibility into the whole network, and helps network administrators or network engineers pinpoint and resolve various application problems.

Features:

  • Identify and analyze more than 300 network protocols, as well as network applications based on those protocols.
  • Monitor network bandwidth and usage by capturing data packets transmitted over the network and providing summary and decoding information about these packets.
  • View network statistics, allowing capture and interpretation of network utilization data.
  • Monitor Internet, email, and instant messaging traffic, helping keep employee productivity to a maximum.
  • Diagnose and pinpoint network problems by detecting and locating suspicious hosts. Map out the details, including traffic, IP address, and MAC address of each host on the network, allowing for easy identification of each host and the traffic that passes through it.
  • Visualize the entire network in an ellipse that shows the connections and traffic between each host.

Network Packet Analyzer : OmniPeek Network Analyzer

OmniPeek gives network engineers real-time visibility and expert analysis into every part of the network from a single interface, including Ethernet, Gigabit, 10 Gigabit, 802.11a/b/g/n wireless, VoIP, and video, out to remote offices. By using OmniPeek's intuitive user interface and its "top-down" approach to visualizing network conditions, network engineers can analyze, drill down and fix performance bottlenecks across multiple network segments, maximizing uptime and user satisfaction.

Features:

  • Network performance management and monitoring of networks, including network segments at remote offices
  • Monitoring of key network statistics in real time, aggregating multiple files, and instantly drilling down to packets using the “Compass” interactive dashboard
  • Seamless management of all OmniEngine software probes, and Omnipliance and TimeLine network recorders in the network
  • Integrated support for Ethernet, Gigabit, 10 Gigabit, 802.11a/b/g/n wireless (including 3-stream), VoIP, video, MPLS, and VLAN
  • Intuitive drill-down to understand which nodes are communicating, which protocols and sub-protocols are being transmitted, and which traffic characteristics are affecting network performance
  • Complete voice and video over IP real-time monitoring, including high-level multimedia dashboard, call data record (CDR) and comprehensive signaling and media analyses

Network Packet Analyzer: Observer

Observer is software used for troubleshooting a network. It has features such as expert analysis, VoIP tools, in-depth application analysis, connection dynamics, stream reconstruction, and more, in addition to offering support for SNMP and RMON device management.

Users can generate and share reports via the web, add custom decode modules for use in proprietary environments, and extract data from external sources using SOAP.

TCP/IP Packet Crafter: Colasoft Packet Builder

Colasoft Packet Builder enables creating custom network packets; users can use this tool to check the network's protection against attacks and intruders. The tool includes an editing feature. Besides allowing common hex editing of raw data, it features a decoding editor that allows editing specific protocol field values.

Users can edit decoding information in two editors: the Decode Editor and the Hex Editor. The tool allows users to select one of the provided templates (Ethernet Packet, ARP Packet, IP Packet, TCP Packet, and UDP Packet) and change the parameters in the decode editor, hexadecimal editor, or ASCII editor to create a packet.

Network Packet Analyzer: RSA NetWitness Investigator

NetWitness Investigator captures live traffic and processes packet files from virtually any existing network collection device for analysis. The tool can locally process packet files and record in real time from a network tap or span port with immediate insight into network traffic. The tool is the primary interactive application of the NetWitness App Suite.

Additional Sniffing Tools

1. Ace Password Sniffer

Ace Password Sniffer is a password recovery utility that captures forgotten passwords. It is used to monitor web activities and to monitor password abuse. The tool supports and captures passwords sent over HTTP, FTP, SMTP, POP3, and Telnet, including some web mail passwords. Ace Password Sniffer works passively and does not generate any network traffic; therefore, it is very hard for others to detect it. The tool does not require any additional software on the target PCs or workstations; if the network is connected through a switch, the user can run the sniffer on the gateway or proxy server, which carries all network traffic.

It also acts as a stealth-monitoring utility and is useful for recovering network passwords, for parents to recover their children's network passwords, and for server administrators to monitor password abuse.

2. IPgrab

IPgrab is a verbose packet sniffer for UNIX hosts.

3. Big Mother

Big Mother is a zero-configuration switch sniffer used as an Internet activity monitoring tool. Big Mother is an eavesdropping program that uses a switch sniffer to capture and analyze communication traffic over a network. The tool not only logs URL visits, email, chats, games, FTP, and data flows in real time, but also takes webpage snapshots, duplicates email and FTP copies, records MSN Messenger content, and gives statistical reports. It can restrict online activities by time schedule and according to customized Internet filtering rules.

The program will set up itself and perform content monitoring and access control to keep family members or employees accountable for their actions.

4. EtherDetect Packet Sniffer

EtherDetect Packet Sniffer is a sniffing tool that can capture full packets organized by TCP connections or UDP threads and passively monitor the network, without any program installation on target PCs. The tool enables packet viewing in hex format and in a syntax-highlighting viewer.

Features:
  • Organizes captured packets in a connection-oriented view
  • Captures IP packets on the LAN with nearly no packet loss.
  • Functions as a real-time analyzer, enabling on-the-fly content viewing while capturing and analyzing.
  • Parses and decodes a variety of network protocols.
  • Supports saving captured packets for reopening afterward.
  • Allows syntax highlighting for application data in the format of HTML, HTTP, and XML.

5. dsniff

dsniff is a tool for network auditing and penetration testing. Dsniff passively monitors a network for data, passwords, e-mail, files, etc. Further, arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker. Moreover, sshmitm and webmitm implement active monkey-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI.

6. EffeTech HTTP Sniffer

EffeTech HTTP Sniffer is an HTTP packet sniffer, protocol analyzer, and file reassembly tool for the Windows platform. Unlike most other sniffers, this sniffer dedicates itself to capturing IP packets carrying the HTTP protocol, rebuilding the HTTP sessions, and reassembling files sent over HTTP. Its smart real-time analyzer enables on-the-fly content viewing and captures, analyzes, parses, and decodes the HTTP protocol.

By delivering an easy-to-use and award-winning HTTP monitoring utility, the EffeTech HTTP Sniffer has become the preferred choice of managers, network administrators, and developers worldwide. Information about HTTP traffic can be received from every host on the LAN.

7. Ntopng

Ntopng is a network traffic probe that shows network usage, similar to what the popular top Unix command does. Ntopng is based on libpcap, and it runs on every Unix platform, on Mac OS X and on Windows. Ntopng users use a web browser to navigate through the traffic information served by ntopng (which acts as a web server) and get a dump of the network status. In the latter case, ntopng acts as a simple RMON-like agent with an embedded web interface.

Features:
  • Sorts network traffic according to many criteria, including IP address, port, L7 protocol, throughput, AS.
  • Shows network traffic and IPv4/v6 active hosts.
  • Produces reports about various network metrics such as throughput, application protocols
  • Stores on disk persistent traffic statistics in RRD format
  • Geo-locates hosts and displays reports according to host location
  • Characterizes HTTP traffic by leveraging on characterization services provided by Google and HTTP Blacklist.
  • Shows IP traffic distribution among the various protocols
  • Analyses IP traffic and sorts it according to the source/destination.
  • Produces HTML5/AJAX network traffic statistics.

8. Ettercap

Ettercap is a comprehensive suite for man-in-the-middle attacks. The tool features sniffing of live connections, content filtering on the fly, and many other interesting tricks. Ettercap supports active and passive dissection of many protocols and includes many features for network and host analysis.

9. SmartSniff

SmartSniff is a network monitoring utility that captures TCP/IP packets that pass through the network adapter and displays the captured data as a sequence of conversations between clients and servers. The tool allows viewing the TCP/IP conversations in ASCII or as a hex dump.

10. EtherApe

EtherApe is a graphical network monitor for UNIX modeled after etherman. The tool features link layer, IP and TCP modes, and graphically displays network activity. Hosts and links change in size with traffic, and protocols are displayed color-coded. EtherApe supports Ethernet, FDDI, Token Ring, ISDN, PPP, SLIP and WLAN devices, plus several encapsulation formats. It can filter traffic and can read packets from a file as well as live from the network. It can also export node statistics.

11. Network Probe

Network Probe is a network monitor and protocol analyzer for monitoring network traffic. It can find the sources of any network slow-downs. The tool displays the protocols used on your network, which hosts are sending and receiving data, where the traffic is coming from, and when all this happens. Network Probe can be configured to notify you if anything out of the ordinary happens, so that the problem can be fixed proactively before it grows into a serious one.

12. WebSiteSniffer

WebSiteSniffer is a packet sniffer tool that captures all Web site files downloaded by the Web browser while browsing the Internet and stores them on your hard drive under a base folder that you choose. WebSiteSniffer allows users to capture any required type of Web site file: HTML files, text files, XML files, CSS files, video/audio files, images, scripts, and Flash (.swf) files. While capturing the Web site files, the main window of WebSiteSniffer displays general statistics about the downloaded files for every Web site/host name, including the total size of all files (compressed and uncompressed) and the total number of files for every file type.

13. ICQ Sniffer

ICQ Sniffer is a network utility that can capture and log ICQ chat from computers within the same LAN. It supports messaging through the ICQ server in plain text, RTF, or HTML format. It provides a report system to export captured ICQ conversations as HTML files for later analysis and reference.

15. MaaTec Network Analyzer

The MaaTec Network Analyzer is a tool that allows capturing, saving, and analyzing network traffic on a LAN or a DSL internet connection. We can use this tool for network troubleshooting, to analyze the existing network infrastructure, or for long-term network monitoring.

Features:
  • Unique new packet information display in split window
  • Supports multiple network cards in one or multiple windows
  • Reports with charts and multiple data tables
  • Provides support for files that are larger than 2 GB
  • Enables online view of incoming packets


16. Alchemy Network Monitor

Alchemy Eye monitors network server availability and performance. It supports over 50 monitoring types, including, but not limited to, ICMP ping, NT Event Log monitoring, HTTPS/FTP URL checking, free disk space monitoring, etc. Alchemy Eye notifies the network administrator about server malfunction events. It logs application events to a log file. Different log file detail levels (none/normal/full) and log file formats (text, HTML, CSV, SQL database) can be configured in the application.

17. CommView

CommView is a network monitor and analyzer designed for LAN administrators, security professionals, network programmers, home users, and anyone who wants a full picture of the traffic flowing through a PC or LAN segment. The application captures every packet on the wire to display important information such as a list of packets and network connections, vital statistics, and protocol distribution charts.

CommView allows the users to examine, save, filter, import, and export captured packets, view protocol decodes down to the lowest layer with full analysis of supported protocols. With the information, CommView can help the users pinpoint network problems and troubleshoot software and hardware.

18. NetResident

NetResident is a network content analysis application designed to monitor, store, and reconstruct network events and activities, such as e-mail messages, web pages, downloaded files, instant messages, and VoIP conversations. NetResident saves the data to a database, reconstructs it, and displays the content in a simple format.

Features
  • In-depth, real-time view of network traffic and storage of data in a database
  • Deep packet inspection: state-of-the-art technology for searching, identifying, and reconstructing many protocols and data types: HTTP, POP3, SMTP, FTP, News, VoIP (SIP, H.323), IM (MSN, Yahoo, ICQ, etc.), Web Mail (Gmail, Hotmail, etc.), Telnet
  • Customizable alerts: pop-ups, e-mail notifications, SNMP traps, to name a few
  • Log file import in popular formats for post-capture forensic analysis: PCAP, CommView, etc.

19. Kismet

Kismet is a wireless network detector, sniffer, and intrusion detection system. Kismet works predominantly with Wi-Fi networks; however, it can be extended via plug-ins to handle other network types.

Features include:
  • Standard PCAP logging and multiple capture source support
  • Plug-in architecture to expand core features
  • Live export of packets to other tools via tun/tap virtual interfaces
  • XML output for integration with other tools

20. AIM Sniffer

AIM Sniffer is a network utility to capture and log AIM (AOL Instant Messenger) chat from computers within the same LAN. The tool supports messaging through the AIM server and direct-connection messaging. All intercepted messages are organized by AIM user and buddy and shown instantly in the main window. It provides a report feature to export captured AIM conversations as HTML files for later analysis and reference.

21. NetworkMiner

NetworkMiner is a Network Forensic Analysis Tool for Windows/Linux/Mac OS X/FreeBSD used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports, etc., without placing any traffic strain on the network. NetworkMiner can also parse PCAP files for off-line analysis and regenerate/reassemble transmitted files and certificates from PCAP files.

Questions related to this topic

  1. What is sniffing and spoofing?
  2. What is sniffing network communication?
  3. What is sniffing in cyber security?
  4. What protocols are most vulnerable to sniffing?

This Blog Article is posted by

Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092
