
Network Hubs, Switches and Ethernet sniffers

Ethernet sniffers are one of the most powerful tools in your network security arsenal. In the wrong hands, however, they are also one of the biggest threats to the security of your network. Whether the attacker is an insider or an outside intruder, once a system has been compromised they will most likely begin sniffing the local network. This reconnaissance helps these “spies” find their next target, or simply collect juicy bits of information (such as usernames and passwords, email, or other sensitive data).

Not too long ago, it was commonly thought that only shared-medium Ethernet networks were vulnerable to being sniffed. These networks employed a central hub, which would rebroadcast every transmitted packet to each port on the hub. In this type of setup, every frame sent by any network node is received by every other node on the local network segment. Each node’s network interface then performs a quick check to see if it is the node that the frame is destined for. If it is not, the frame is discarded. If it is, the frame is passed up through the operating system’s protocol stack and is eventually processed by an application. Because of this, sniffing other systems’ traffic on the network was trivial. After all, since all the traffic was reaching each system, one only needed to disable the check that the network interface performs, and the system would have access to the traffic meant for others. This is usually referred to as putting the network interface into promiscuous mode, which usually can be done only by a privileged user.

Eventually, switched Ethernet networks became prevalent and the shared-medium aspect no longer applied, so the main facilitator of sniffing was removed. Unlike hubs, Ethernet switches send traffic only to the device it is destined for. To do this, a switch learns which MAC address is reachable through which of its ports by watching the source addresses of the frames that pass through it. When the switch sees an Ethernet frame with a given destination MAC address, it looks up the port associated with that address and forwards the frame to that port alone. In doing so, the switch effectively creates a virtual dedicated connection from the sending station to the receiving station every time an Ethernet frame is transmitted. Thus, only the machine the frame was intended for is able to see it. This would be fine, but certain aspects of the Ethernet specification and the TCP/IP protocol suite can undermine it.

One problem is that switches can memorize only a limited number of MAC addresses. The maximum is often several orders of magnitude higher than the number of ports the switch has, which allows switches to be connected to each other hierarchically. To do this efficiently, each switch must memorize the MAC addresses reachable through the switches to which it is connected. For example, suppose you have a 24-port switch (switch A) with 23 machines plugged into it, and the 24th port occupied by another switch. This other switch (switch B) has 48 ports, with the other 47 occupied by machines. In this situation, switch A will learn the MAC addresses of the 47 systems on switch B and associate them with its 24th port, and switch B will learn the MAC addresses of the 23 systems connected directly to switch A and associate them with its own 48th port. Even though the average switch can memorize upwards of several thousand MAC addresses, it is still possible to overflow the switch’s MAC address table by generating large amounts of traffic with fake MAC addresses. This tactic is desirable for a malicious user because many switches will revert to behaving like a hub once their MAC address tables have been filled. Once this happens, the network is no different from a shared-medium segment using a hub, and a malicious user can sniff it simply by putting her network interface into promiscuous mode.
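The following toy model is an added example and not code from the original article. It models the three behaviours described above in a few dozen lines: a hub that repeats every frame out of every other port, a learning switch that forwards known destinations to a single port and floods unknown ones, and the failure mode in which a switch with a full MAC table can no longer learn new hosts, so frames to those hosts are flooded to every port (including one an eavesdropper sits on). It also includes the defender-side check a switch administrator would reach for: counting distinct source MACs per port and flagging ports that exceed a limit, which is the idea behind switch "port security" features. The port numbers, MAC addresses and the table capacity of 4 are all constructed for illustration; real switches hold thousands of entries, as the text says.

```python
"""Hub vs. learning switch, bounded MAC table, and a per-port source-MAC
limit check. Added example; all addresses, ports and capacities are
constructed for illustration, not taken from any real network."""
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Hub:
    """Shared-medium hub: every frame is repeated out of every other port."""

    def __init__(self, ports):
        self.ports = ports

    def forward(self, in_port, src, dst):
        return sorted(p for p in range(self.ports) if p != in_port)


class Switch:
    """Learning switch with a bounded MAC (CAM) table.

    Once the table is full, new source addresses cannot be learned, so
    frames destined to those hosts are flooded out of every other port,
    which is the hub-like behaviour the article describes."""

    def __init__(self, ports, capacity):
        self.ports = ports
        self.capacity = capacity
        self.table = {}  # MAC address -> port it was last seen on

    def forward(self, in_port, src, dst):
        # Learn (or refresh) the source MAC -> ingress port mapping,
        # but only if the table still has room for a new entry.
        if src in self.table or len(self.table) < self.capacity:
            self.table[src] = in_port
        # Unicast to a known destination; otherwise flood.
        if dst != BROADCAST and dst in self.table:
            return [self.table[dst]]
        return sorted(p for p in range(self.ports) if p != in_port)


def detect_source_mac_excess(frames, threshold):
    """Defender check: count distinct source MACs per ingress port and
    return {port: count} for ports above the threshold. A normal access
    port carries one or a handful of MACs; a port showing hundreds is
    either an uplink or a host fabricating addresses."""
    seen = defaultdict(set)
    for in_port, src, _dst in frames:
        seen[in_port].add(src)
    return {p: len(macs) for p, macs in seen.items() if len(macs) > threshold}


def fake_mac(i):
    """Constructed locally-administered MAC address (02:... prefix)."""
    return "02:ff:ff:ff:%02x:%02x" % (i >> 8, i & 0xff)


def run_demo(capacity=4, n_fake=10):
    """Walk through the scenario and return the forwarding decisions so
    the effect of table exhaustion can be checked programmatically."""
    sw = Switch(ports=4, capacity=capacity)
    a, b, c = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"
    # Normal operation: A (port 0) and B (port 1) talk; after both are
    # learned, their frames reach only each other's port.
    normal = [(0, a, b), (1, b, a), (0, a, b)]
    before = [sw.forward(*f) for f in normal]
    # Burst of frames with fabricated source MACs arriving on port 3,
    # enough to fill the (deliberately tiny) table.
    burst = [(3, fake_mac(i), b) for i in range(n_fake)]
    for f in burst:
        sw.forward(*f)
    # Host C on port 2 appears only now: it cannot be learned, so A's reply
    # to C is flooded, and port 3 sees traffic that is not addressed to it.
    late = [(2, c, a), (0, a, c)]
    after = [sw.forward(*f) for f in late]
    alerts = detect_source_mac_excess(normal + burst + late, threshold=2)
    return {"before": before, "after": after,
            "table_size": len(sw.table), "alerts": alerts}


if __name__ == "__main__":
    print(Hub(4).forward(0, "02:00:00:00:00:01", "02:00:00:00:00:02"))
    print(run_demo())
```

In `run_demo()` the reply from A to C is flooded to ports 1, 2 and 3 even though C sits on port 2 alone, and the per-port check singles out port 3, where ten different source addresses appeared. On real hardware the equivalent mitigations are a per-port limit on learned MACs with a violation action (shutdown or drop) and monitoring of MAC-table utilisation and "MAC move" events.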
