Packet Sniffing

Sniffing, spoofing and hijacking are considered advanced hacking activities in most networks. With the right tools, a good position and an understanding of the protocols involved, they can be accomplished and are extremely powerful. The checks and balances between security, usability, design requirements and company policy are so many that there is almost always an opening somewhere if the attacker can find it.

Administrators can no longer simply run a sniffer for troubleshooting, as too much sensitive data is on the network. With network infrastructure changes, for example Layer 2 switching, sniffing has become more and more difficult.

However, sniffing is still a crucial part of research and of understanding what attacks do. It is important to be able to stage attacks in an environment that allows the researcher to analyze the traffic various tools generate, even when sniffing is not part of the attack itself. Many attack tools incorporate an encryption layer to avoid this analysis and any IDS tools. This is why, from a defensive viewpoint, it is important not only to mandate encryption for some things but also to forbid its use in others.

Countermeasures may not discourage attackers from sniffing. Spoofing, Man in the Middle and session hijacking are all possible workarounds when sniffing is not possible.

How Sniffing Works

Passive Sniffing

Sniffers are also known as protocol analyzers; which label applies depends on how the tool is used. Some only collect or display packets, while others calculate statistical details and produce reports. Reconstruction of captured traffic is another common activity: the data can be viewed as a complete Layer 7 file rather than as a network conversation.

Sniffers themselves do not interact with the packets they capture; they just display the packets or collect them into files, known as trace files, for later analysis. The reasons for capturing traffic vary. Some examples are Trojan horse malware, troubleshooting tools and network forensics.

Passive sniffing tools are able to capture packets sent from or received by the network interface of the host it is running on. This usually doesn't require elevated permissions. Sniffing all traffic contained within a network segment however is more complex.

If the sniffer is running in promiscuous mode, however, it must have sufficient privileges and the NIC must be able to see all of the network traffic.

In promiscuous mode, the driver tells the NIC to ignore the first 48 bits of the Layer 2 frame header; this is the destination hardware address field that the NIC would normally compare against its own address.

On wired network NICs, the promiscuous mode driver comes in two types: WinPcap for Windows and libpcap for Linux. Each is installed with sniffing software such as Wireshark but can also be downloaded and installed separately. Wireless networks have an equivalent concept called Monitor Mode. Most wireless NICs either have the monitor mode capability disabled in the firmware or require specific drivers for that particular wireless device.

All network packets will be visible if the NIC on the host reaches the network through a hub-like device at the physical layer (Layer 1). However, most of today's networks use Layer 2 switching to reduce collision segments and manage traffic more efficiently. If this is the case, active sniffing techniques will be required. Wireless networks are basically physical hubs, and signal leakage means the attacker does not even have to be plugged into the device. This is the primary reason manufacturers make it hard to access the monitor mode capabilities of their wireless devices.

Active Sniffing

When the host attempting to capture traffic cannot see all of the packets, active sniffing must be used. Attackers use several techniques to capture packets under these circumstances. Because these techniques are active, they create noise, and attackers will be most successful if they know who their targets are in advance rather than trying to sniff everything. There are three techniques commonly used:

  • ARP Poisoning
  • MAC Flooding
  • MAC Duplicating (Spoofing)

ARP Poisoning - In this attack the attacker sends forged ARP request and reply packets to alter the target computer's ARP cache on an Ethernet LAN, so that the Media Access Control (MAC) address recorded for the intended destination is replaced with the attacker's own MAC address, with the intent of monitoring the traffic. Because the ARP replies are forged, the target unintentionally sends its frames to the attacker's computer first instead of to the original destination. The result is that both the user's data and privacy are compromised. An effective ARP poisoning attempt is undetectable to the user.

MAC Flooding - Most switches learn which NICs are connected to which interfaces and store this information in a Content Addressable Memory (CAM) table. There is a limited amount of space for this information; if an attacker floods the switch with enough ARP traffic to fill the CAM table, the switch goes into a fail-safe mode, or "hub mode", and passes all traffic out every port. This is the result of the switch being unable to learn new hardware addresses while still not wanting to bring the network down.

There is a countermeasure for MAC Flooding: configure port security on the switch. This can be done by limiting the number of addresses it can learn on each interface or by limiting how much memory each interface is allowed to use.

MAC Duplicating (Spoofing) - To spoof an address, an attacker configures their NIC with the same address as another NIC on the network. It is possible to have two hosts with the same MAC address on a local network; the layers above Layer 2 do not notice, and the switch may forward frames out every interface on which that MAC address has been seen.

Some hardware, such as Wireless Access Points (WAPs), is configured with an Access Control List (ACL) that allows only hosts with certain MAC addresses to connect. An attacker can sniff these MAC addresses from clear text management frames, learn which addresses are allowed, and spoof one of them to gain access to the network.
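As an added example (not part of the original text), the two switch-level attacks above can be spotted from the defender's side with a simple ARP watcher: an IP whose MAC mapping changes is the signature of a forged ARP reply, and a port sourcing far more distinct MACs than port security would allow is the signature of a CAM table flood. The observations, port names and MAC addresses below are constructed for the example.

```python
from collections import defaultdict

# Constructed observations of ARP replies seen by a switch (not real traffic):
# (switch port, sender MAC, sender IP). Port Gi0/3 later claims the gateway's IP,
# and Gi0/4 sources a burst of distinct MACs, the two patterns described above.
OBSERVATIONS = [
    ("Gi0/1", "00:11:22:33:44:01", "10.0.0.1"),   # the real gateway
    ("Gi0/2", "00:11:22:33:44:02", "10.0.0.2"),
    ("Gi0/3", "00:11:22:33:44:03", "10.0.0.3"),
    ("Gi0/2", "00:11:22:33:44:02", "10.0.0.2"),   # normal repeat, same mapping
    ("Gi0/3", "00:11:22:33:44:03", "10.0.0.1"),   # gateway IP now answered by another MAC
] + [
    ("Gi0/4", "de:ad:be:ef:%02x:%02x" % (i // 256, i % 256), "10.0.1.%d" % (i + 1))
    for i in range(40)
]

def detect_arp_poisoning(observations):
    """Flag IP addresses whose MAC differs from the one first learned, the way an
    ARP watcher catches a forged reply rewriting the IP-to-MAC mapping.
    Returns (ip, original_mac, new_mac, port) tuples."""
    learned = {}
    alerts = []
    for port, mac, ip in observations:
        if ip not in learned:
            learned[ip] = mac
        elif learned[ip] != mac:
            alerts.append((ip, learned[ip], mac, port))
    return alerts

def detect_mac_flooding(observations, max_per_port=8):
    """Model the port security address limit: count distinct source MACs per port
    and report the ports that exceed the number of addresses they may learn.
    Returns {port: distinct_mac_count} for offending ports only."""
    macs = defaultdict(set)
    for port, mac, _ip in observations:
        macs[port].add(mac)
    return {p: len(m) for p, m in macs.items() if len(m) > max_per_port}

if __name__ == "__main__":
    for alert in detect_arp_poisoning(OBSERVATIONS):
        print("ARP change: %s was %s, now %s on %s" % alert)
    for port, n in detect_mac_flooding(OBSERVATIONS).items():
        print("Port %s learned %d MACs, over the port security limit" % (port, n))
```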

Packet Capturing Tools

There are four common tools used to capture packets. These are:

  • Command Line Tools
  • Capture Filters
  • Graphic Tools
  • Display Filters

Command Line Tools

There are a few primary command line tools used for packet capturing: tcpdump (ported to Windows as WinDump) and tshark, the command line counterpart of Wireshark. There are also special purpose sniffers in the dsniff suite, such as mailsnarf and urlsnarf, which look only for specific data.

The packets obtained can be dumped into files and opened later by tools that provide a graphic interface. Another reason to use command line sniffers is that they have less overhead, which can mean a more accurate packet capture.

Capture Filters

Capture filters are a good choice when you want to be specific about what you detect and capture, as they tell the sniffer what to pick up and what to ignore. The benefit here is that you won't be getting data you are not supposed to have, data that might be harmful, or data that is simply not interesting. There is a downside though: if your filter is not quite right, you could miss some important data.

Capture filters use tcpdump syntax. Most capture rules can be read like an English sentence, which makes them easy to understand.

There are three elements that make up capture rules. They are the Operator, the Keywords and the Variable Data.


Operator   Symbol   Meaning
is         ==       when equal to
and        &        all of these things
or         |        any of these things
not        !        other than this
gt         >        greater than
lt         <        less than


Keyword    Meaning
host       the target object
net        the network ID
src        source
dst        destination
port       port
tcp        Transmission Control Protocol
ether      Ethernet
ip         Internet Protocol
broadcast  traffic sent to all

Variable Data (examples)

Variable Data   Meaning
IP address      a host
network ID      a network (net)
0x42            the value 42 in hex
0x56524659      the hex equivalent of the string VRFY
[0:2]           byte offset: start at byte 0 and read 2 bytes
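The following is an added example (not from the original text) showing how the proto[offset:length] expressions in the tables above are evaluated against a frame, and how the 0x56524659 value is used to single out SMTP VRFY probes, a common user enumeration attempt worth alerting on. The frames are constructed inline; the filter it models is "dst port 25 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x56524659".

```python
import struct

def build_frame(payload, dport=25):
    """Constructed Ethernet + IPv4 + TCP frame (not captured traffic) so the example
    runs offline. Checksums are left at zero; a capture filter never checks them."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1]))
    # TCP: sport, dport, seq, ack, data offset (5 words) in the high nibble, PSH|ACK, window
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1000, 2000, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload

def proto_bytes(frame, proto, offset, length):
    """Evaluate proto[offset:length], the Variable Data form from the tables above:
    `length` bytes starting at `offset` inside the named header, read as one
    big-endian integer so it can be compared with a hex constant such as 0x56524659."""
    starts = {"ether": 0, "ip": 14}
    starts["tcp"] = 14 + (frame[14] & 0x0F) * 4   # ip[0] & 0x0f is the IP header length in words
    base = starts[proto] + offset
    return int.from_bytes(frame[base:base + length], "big")

def matches_vrfy_probe(frame):
    """Equivalent of:  dst port 25 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x56524659
    tcp[12] holds the TCP data offset; masking the high nibble and shifting right by 2
    converts it from 32-bit words to the byte offset where the payload begins."""
    payload_off = (proto_bytes(frame, "tcp", 12, 1) & 0xF0) >> 2
    return (proto_bytes(frame, "tcp", 2, 2) == 25
            and proto_bytes(frame, "tcp", payload_off, 4) == 0x56524659)

if __name__ == "__main__":
    for text in (b"VRFY postmaster\r\n", b"EHLO mail.example\r\n"):
        print(text.strip(), "->", matches_vrfy_probe(build_frame(text)))
```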

Graphic Tools used for Packet Analysis

There are many packet analysis tools on the market, but Wireshark is the premier protocol analyzer that is free of cost. Wireshark runs the same way on Windows and Linux.

With Wireshark you can draw graphs and diagrams, and it assists in creating reports that display statistical analyses of network bandwidth. Wireshark also allows you to right-click on a TCP packet and choose "Follow TCP Stream", which rebuilds the entire Layer 7 protocol session.
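As an added example (not from the original text or from Wireshark), this is the core of what "Follow TCP Stream" has to do to turn a trace file back into a Layer 7 conversation: order each direction's segments by sequence number modulo 2^32, discard bytes that arrive twice (retransmissions), and mark holes where segments were lost or not captured. The HTTP exchange, sequence numbers and cookie value are constructed for the example.

```python
MASK = 0xFFFFFFFF

def reassemble(segments, isn):
    """Rebuild one direction of a TCP conversation from (seq, payload) pairs.
    Returns (stream_bytes, gaps); gaps is a list of (expected_seq, missing_length)."""
    base = (isn + 1) & MASK            # the first data byte follows the SYN
    expected = base
    stream = bytearray()
    gaps = []
    for seq, payload in sorted(segments, key=lambda s: (s[0] - base) & MASK):
        rel = (seq - expected) & MASK  # distance from the byte we want next, mod 2^32
        if rel >= 0x80000000:          # "negative": segment starts before expected
            overlap = (expected - seq) & MASK
            data = payload[overlap:]   # keep only bytes not already in the stream
        else:
            if rel:                    # hole: bytes were lost or never captured
                gaps.append((expected, rel))
                stream += b"[%d bytes missing]" % rel
                expected = seq
            data = payload
        stream += data
        expected = (expected + len(data)) & MASK
    return bytes(stream), gaps

# Constructed segments in arrival order (not captured traffic). The client's request
# arrives out of order with one retransmission; the server's ISN sits just below 2^32
# so its sequence numbers wrap, and a 4-byte piece of its reply is missing.
CLIENT_ISN, SERVER_ISN = 1000, 0xFFFFFFF0
CLIENT_SEGMENTS = [
    (1022, b"Host: example.test\r\n\r\n"),
    (1001, b"GET /login HTTP/1.1\r\n"),
    (1001, b"GET /login HTTP/1.1\r\n"),       # retransmission of the same segment
]
SERVER_SEGMENTS = [
    (0xFFFFFFF1, b"HTTP/1.1 200 OK\r\n"),
    (32, b"ok"),                               # the 4 bytes before this were lost
    (2, b"Set-Cookie: sid=abc123\r\n\r\n"),   # seq wrapped past 2^32
]

def follow_stream():
    """Both directions, the Layer 7 view a protocol analyzer would present."""
    return {"client": reassemble(CLIENT_SEGMENTS, CLIENT_ISN),
            "server": reassemble(SERVER_SEGMENTS, SERVER_ISN)}

if __name__ == "__main__":
    for side, (data, gaps) in follow_stream().items():
        print(side, gaps, data)
```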

Exploiting Vulnerable Protocols

Protocols Vulnerable to Sniffing

There are many protocols that send critical information across the network in clear text. Some of these protocols that send credentials in plain text include:

  • HTTP
  • SNMP (Community String)
  • NNTP
  • POP
  • FTP
  • IMAP

Many of these protocols have now been replaced or updated with more secure options. If administrators require the use of older versions, they might set up encrypted tunnels such as Secure Shell (SSH) to protect them.

To avoid detection, it is best to use a "receive only" cable to connect the sniffing host to the network. This solves the Layer 1 problem by removing the physical ability for the sniffer to reply to scans. Here is an example.

  • Sniffer
  • IP:

A scanner sends traffic to the sniffer's IP address but spoofs the destination MAC address as something random like A4:FE:65:D5:1F:6D. The NIC should ignore the frame because the destination MAC is wrong; in promiscuous mode, however, this check is skipped and the packet is passed up to Layer 3. Since the logical (IP) address matches, even though the physical (MAC) address does not, the network software in the OS protocol stack accepts the packet and processes it. If a higher layer has a way to respond, there will be a response and the sniffer is detected.

How Session Hijacking Works

Session Hijacking

Session hijacking takes place when the trust between two hosts, services or accounts is compromised by an attacker, who is known as the Man-In-The-Middle (MiTM).

Session hijacking can happen in multiple ways. There are web-based hijacks, wireless AP hijacks (also known as an evil twin attack) and TCP session based hijacks. The principle is the same in all of these attacks: attack a lower layer of the OSI model than the one the actual session is occurring on. As an example, in a TCP attack the idea is to let Layers 5 to 7 establish trust and then take over the Layer 4 socket.

The Difference Between Spoofing, MiTM and Hijacking

Spoofing is a technique that is useful in social engineering; it is the basic art of pretending to be something else. There is a problem with spoofing, however: the receiving host will reply to the party that appears to have sent the data. So the masquerading party has to become that party or be able to eavesdrop on the conversation. Although there are uses for spoofing, it is more often a component of an attack than the only technique used.

Man in the Middle

Man-In-The-Middle (MiTM) attacks also involve social engineering. The goal of the attacker is to be transparent while still being able to send and accept traffic to and from the true endpoints of the communication. This is similar to using a courier to deliver a package for you; it is basically the same principle, except that the attacker must do this without the target knowing about it.

True session hijacking is the ultimate example of a combination of techniques that can completely take over an established session after the authentication phase has completed.

Using a TCP session hijack as the illustration, the sequence of events is as follows.

Tracking the Connection - The attacker's targets must be identified and the characteristics of their connections observed. The attacker must predict the sequence numbers and window sizes, which allows packets to be constructed in advance of the attack and injected at the right time.

Desynchronizing the Connection - Assuming the attacker wants to impersonate the target, and the target is communicating with the server, the target needs to be knocked offline. If this step is not accomplished, the server will see echoes, that is, traffic from both the target and the attacker. This will "confuse" the server, causing it to drop the connection.

The target needs to be convinced that it is no longer connected to the server, while the server is still expecting data. This can be done by different means.

  • Sending NULL data to the server with the target's IP address spoofed as the source will cause the server to expect traffic the real client is not prepared to send.
  • Using the SYN/ACK and FIN flags will make the server think it is at a different place in the conversation, a place that the server knows about but the target doesn't.

The target is kept in a Denial of Service state so that it cannot try to recover. The attacker then sniffs the traffic coming from the server, since the attacker is not really the destination of that traffic, while spoofing the target's IP address.

Injecting the Attacker's Packets - At this point packets can be injected, either as disruptive data that will be trusted or as commands that cause the conversation to continue.

Session Hijacking Types

There are four basic types of Session Hijacking. These types include:

  • TCP Hijacking
  • UDP Hijacking
  • RST Hijacking
  • Session Tokens

TCP Hijacking is an attack that requires an accurate understanding of the current state of synchronization between two hosts. The handshake is observed, and the sequence number in the injected packets must be set so that they are accepted inside the current window.

After this form of attack was discovered, Request For Comment (RFC) 1948 was created to suggest that Initial Sequence Numbers (ISN) not be incremented every four microseconds, as previously suggested in RFC 972, but instead involve a Pseudo Random Number Generator (PRNG). This would impact the ability to predict the number.

RST Hijacking is a form of DoS attack in which packets are injected into an established TCP stream to convince one side that the other is confused and wants to terminate the conversation. The simplicity lies in setting the RST flag, setting the ACK number so that it falls in the window, and spoofing one side of the conversation.

UDP Hijacking does not involve any of the complexity of TCP. There are no flags or SEQ/ACK numbers to keep track of, and since UDP does not require the receiving host to respond at all, let alone acknowledge that there is a source port to respond to, MiTM and DoS attacks are much easier.

A session token or other authentication is required whether an application uses TCP or UDP. It may be possible for the attacker to capture the session token from the network or via a MiTM attack and then replay the token to the server.

HTTP is stateless, and session hijacking there is based on the HTTP session token. The Cross-Site Request Forgery (CSRF) attack is an example of a session hijack. The application tries to create a sense of "state" using unique strings that are bounced back and forth. Once trust is established, the abuse can begin by replaying a challenge or issuing commands that are trusted. The attacker can capture the needed information via a proxy server or by stealing cookies.

Session Hijacking Countermeasures

Since the arrival of session hijacking, the TCP protocol specification has been modified to make sequence number prediction extremely difficult. TCP has a 32 bit field, giving about 4.3 million possible values from which the Initial Sequence Number (ISN) can be chosen. An attacker would have to sniff enough connections from a host to predict what a future ISN would be. Even with the use of a Pseudo-Random Number Generator (PRNG), this task would be extremely challenging.
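As an added example (not from the original text), the difference between the old 4 microsecond counter and the RFC 1948 approach mentioned earlier can be audited in a few lines: with a plain counter, one observed ISN plus the elapsed time gives the next ISN exactly, while a per-connection offset derived from a secret leaves the observer with no usable prediction. RFC 1948 keys the offset on the four address and port values and a secret; the RFC suggests MD5, and SHA-256, the secret value, the addresses and the timings here are this example's own choices.

```python
import hashlib
import socket
import struct

MASK = 0xFFFFFFFF
# Constructed per-boot secret for the example; a real stack draws it from a CSPRNG at boot.
SECRET = b"example-boot-secret-not-for-real-use"

def legacy_isn(clock_us):
    """Pre-RFC 1948 generator: a 32-bit counter advancing once every 4 microseconds."""
    return (clock_us // 4) & MASK

def rfc1948_isn(clock_us, local, remote, secret=SECRET):
    """RFC 1948 style: ISN = M + F(localhost, localport, remotehost, remoteport, secret).
    M is the same 4 us clock; F is a keyed hash, so every connection gets its own offset
    that cannot be computed without the secret."""
    (lip, lport), (rip, rport) = local, remote
    material = (socket.inet_aton(lip) + struct.pack("!H", lport)
                + socket.inet_aton(rip) + struct.pack("!H", rport) + secret)
    f = int.from_bytes(hashlib.sha256(material).digest()[:4], "big")
    return (legacy_isn(clock_us) + f) & MASK

def legacy_generator(clock_us, local, remote):
    """Same call shape as rfc1948_isn so both can be audited by prediction_error."""
    return legacy_isn(clock_us)

def prediction_error(generator, observed_conn, target_conn, t_observe_us, t_target_us):
    """Audit a generator the way the text frames the attacker's task: observe the ISN
    given to one connection, add the 4 us ticks that elapse, and compare with the ISN
    the server actually hands a different connection. 0 means fully predictable."""
    seen = generator(t_observe_us, *observed_conn)
    guess = (seen + (t_target_us - t_observe_us) // 4) & MASK
    actual = generator(t_target_us, *target_conn)
    return (actual - guess) & MASK

SERVER = ("10.0.0.1", 23)
OBSERVED = (SERVER, ("10.0.0.99", 40000))   # a connection whose ISN the observer can see
TARGET = (SERVER, ("10.0.0.2", 40001))      # the connection being protected

def audit():
    """Returns (legacy_error, rfc1948_error) for the same 400 us observation gap."""
    return (prediction_error(legacy_generator, OBSERVED, TARGET, 1_000_000, 1_000_400),
            prediction_error(rfc1948_isn, OBSERVED, TARGET, 1_000_000, 1_000_400))

if __name__ == "__main__":
    print("prediction error, legacy vs RFC 1948:", audit())
```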

Taking this a step further, circuit level gateway firewalls translate the ISN at the same time as the network address and ports are translated when a host initiates an outbound connection. This in effect makes the firewall a Layer 4 proxy server. The circuit level gateway behaves like a man-in-the-middle but does not interfere with Layer 7 data.

Internet Protocol Security (IPSec) uses an integrity check that rejects forged packets. Between these countermeasures, session hijacking threats are well mitigated, but understanding the idea remains important, both from an academic standpoint and to illustrate the importance of maintaining such countermeasures.

Other forms of session hijacking are more difficult to prevent. Session hijacks based on HTTP session IDs are prevented by ensuring the IDs cannot be sniffed, guessed or predicted, which involves the use of SSL and random number generation for the token. Wireless evil-twin attacks are prevented with the use of WPA-Enterprise or plain physical situational awareness.