What is a Packet Sniffer
Sniffing, in everyday language, means sensing something, and the term carries the same meaning here. Data flows through network links much as oxygen flows through the air; pulling individual data packets out of that flow is called packet sniffing. The captured data may contain usernames or passwords, sent and received emails, or any other data that travels across the network.
The sniffer program tells a computer, specifically its Network Interface Card (NIC), to stop ignoring traffic addressed to other computers and pay attention to it instead. It does this by placing the NIC in a state known as promiscuous mode. Once a NIC is promiscuous, a state that requires administrative or root privileges to enable, the machine can see all the data transmitted on its network segment. The program then continuously reads every frame that enters the PC through the network card.
Data travelling along the network comes as frames, or packets: bursts of bits formatted according to specific protocols.
Because of this strict formatting, a sniffer can peel away the layers of encapsulation and decode the relevant information stored within: source computer, destination computer, targeted port number, payload, in short – every piece of information exchanged between two computers.
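To make the decoding step above concrete, here is an added example (not code from the original article) that peels the Ethernet, IPv4 and TCP or UDP headers off one raw frame and returns the fields a sniffer displays: source and destination addresses, port numbers and payload. The frame it parses is constructed inline and labelled as such, not a real capture; the TCP sample carries a plaintext HTTP request so the exposed username is visible in the decoded payload.

```python
import socket
import struct

ETHERTYPE_IPV4 = 0x0800


def mac_str(raw: bytes) -> str:
    """Render a 6-byte MAC address as colon-separated hex."""
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> dict:
    """Peel Ethernet -> IPv4 -> TCP/UDP headers off one raw frame and return the decoded fields."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    result = {"src_mac": mac_str(src_mac), "dst_mac": mac_str(dst_mac), "ethertype": ethertype}
    if ethertype != ETHERTYPE_IPV4:
        return result  # non-IPv4 frames are reported but not decoded further
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("truncated or non-IPv4 header")
    ihl = (ip[0] & 0x0F) * 4            # header length in bytes (IP options included)
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    result.update(src_ip=socket.inet_ntoa(ip[12:16]), dst_ip=socket.inet_ntoa(ip[16:20]), proto=proto)
    l4 = ip[ihl:total_len]              # transport header + payload, Ethernet padding excluded
    if proto == 6 and len(l4) >= 20:    # TCP: data offset lives in the top 4 bits of word 6
        sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", l4[:14])
        data_off = (off_flags >> 12) * 4
        result.update(transport="TCP", sport=sport, dport=dport, payload=l4[data_off:])
    elif proto == 17 and len(l4) >= 8:  # UDP: fixed 8-byte header, length field covers payload
        sport, dport, ulen, _cksum = struct.unpack("!HHHH", l4[:8])
        result.update(transport="UDP", sport=sport, dport=dport, payload=l4[8:ulen])
    else:
        result.update(transport="other", payload=l4)
    return result


def build_sample_frame() -> bytes:
    """Constructed sample (not a real capture): a TCP segment to port 80 carrying a plaintext HTTP request."""
    payload = b"GET /login?user=alice HTTP/1.1\r\n"
    # TCP header: sport, dport, seq, ack, data offset 5 words + PSH|ACK, window, checksum, urgent pointer
    tcp = struct.pack("!HHIIHHHH", 40512, 80, 1, 0, (5 << 12) | 0x18, 65535, 0, 0) + payload
    # IPv4 header: version 4 / IHL 5, TOS, total length, id, flags/frag, TTL, proto 6, checksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton("192.0.2.10"), socket.inet_aton("192.0.2.80"))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp
```

Calling `parse_frame(build_sample_frame())` returns the decoded addresses, ports and the full plaintext request, which is exactly what a sniffer on the same segment would see.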
A packet sniffer can only capture packets on the subnet it is attached to. An attacker therefore cannot place a packet sniffer on their home ISP network and capture traffic from inside a corporate network; to do that, the sniffer must be running on a computer that is itself inside the corporate network.
If one machine on the internal network is compromised, through a Trojan or another security breach or vulnerability, the intruder can run a packet sniffer from that machine and use the captured usernames and passwords to compromise other machines on the network. Detecting such sniffers is not easy, because a sniffer simply captures packets that are already travelling through the network segment it monitors. Since capturing is passive, the sniffer leaves no signature of faulty activity and so goes undetected. There are, however, ways to identify network interfaces that are running in promiscuous mode, and these can be used to locate dishonest packet sniffers and stop them promptly.