This blog was originally published on October 17th, 2007. It was published on TypePad and can be found here.

---

I am a little surprised by the up swell of my students interest in network sniffing. I covered a WireShark lesson in a previous post. WireShark is an excellent packet sniffer, but what do you do if you are in a switched environment?

The main difference between a switch and a hub, is that a hub broadcasts its traffic to all computers connected to that hub. A switch does not. A hub emulates a shared medium, such as the old 10-Base5 "thicknet" ethernet. In the old days, before cat 5 cabling , a single strand of coaxial cablle (cable TV cable) was run throughout a building or a floor and provided connectivity via "vampire clips" or "alligator clips". The clips would literally bite through the shielding on the coax, touch the center copper cable and sense and transmit MAC frames. Ethernet was a "shared medium". Which is a nice way to say that all computers had to play nicely or the wire would become jammed. The mechanism to prevent this is called Carrier Sense Multiple Access/Collision Detection (CSMA/CD).

Hubs were implemented to mimic the shared nature of the one coaxial wire. A hub re-broadcasts all traffic to all ports. A packet sniffer such as WireShark running on a hub will have access to all traffic sent to or from the hub. When WireShark is attached to a switch, it only has access to the broadcast and possibly multicast traffic. This is the significant benefit of a switched environment. Your data has a straight path to the computer you are sending it to. But, it is a detriment if you are trying to do network analysis or learn about networking protocols through packet sniffing.

Most modern day enterprise switches allow an administer to enable a port to repeat all switched traffic to that port. This would allow an administrator to run a packet sniffer on a computer attached to that port, and observe all the network traffic coming or going from that switch. This is all well and good, but it requires an enterprise switch. My home network is a pretty sophisticated fast gigabit network. All my machines are switched via Netgear GS108 switches. They are pretty sophisticated, but they are not enterprise grade. I cannot enable a port to act as a repeater on these switches. That would require a much more expensive switch.

Well what can you do? There are essentially two techniques. You can flood the switch with MAC addresses till it fails, and "fails open". Or you can broadcast your computer running the sniffer as the router for the network, and then intercept (perpetrate a man in the middle attack) packets and then transfer them on behalf of the sending computer. Software tools to implement both techniques are available from the Unix utility package dsniff. Both techniques can be used for nefarious and or positive purposes.

Network sniffing in my life has always been a tool to explore how computers communicate and how individual protocols work. I firmly believe that deconstructing an IP packet in WireShark is a far better learning experience than reading a packet diagram in a book. With that said, NEVER...NEVER EVER sniff at work. Network sniffing can be easily discovered by network administrators. Tools such as anti-sniff can be run on a network and will report any computers in "promiscuous mode". A computer network card that is sniffing is said to be in promiscuous mode, and a network card in promiscuous mode will take longer to reply than a normal network card. Based upon this, the network administrator would then be alerted to the sniffing, and you could face firing (if at work), expulsion(if at school), and even criminal charges. Only sniff the Internet's glue when at home...or somewhere you won't get caught.