Sniffing
Welcome to the Sniffing module. This note will guide you through all the methodologies that I used while preparing for the CEH (Practical) exam.
Packet sniffing is the practice of gathering, collecting, and logging some or all packets that pass through a computer network, regardless of how each packet is addressed. In this way, every packet, or a defined subset of packets, can be captured for further analysis. As a network administrator, you can use the collected data for a wide variety of purposes, such as monitoring bandwidth and traffic.
A packet sniffer, sometimes called a packet analyzer, is composed of two main parts. First, a network adapter that connects the sniffer to the existing network. Second, software that provides a way to log, see, or analyze the data collected by the device.
Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Originally named "Ethereal," the project was renamed "Wireshark" in May 2006 due to trademark issues.
I can't stress enough how much you need to learn Wireshark, since it is very important from an exam point of view. So, please learn it. You can find plenty of material online; there are tons of video tutorials for Wireshark.
Best for incident response teams and for law enforcement.
NetworkMiner is a Network Forensic Analysis Tool by Netresec. It supports Windows, Mac, Linux, and FreeBSD. It has functionality for passive network sniffing and packet capturing, and it can detect operating systems, sessions, hostnames, open ports, etc. It can also parse PCAP files for offline analysis and regenerate the files and certificates that were transmitted over the network.
Features:
By parsing a PCAP file or sniffing the traffic directly from the network, NetworkMiner can extract files, emails, and certificates transferred over the network.
NetworkMiner doesn’t put any traffic on the network while capturing packets or doing passive network sniffing.
With the Professional edition, you will get the features of DNS Whitelisting, Web browser tracing, online ad & tracker detection, etc.
Verdict: NetworkMiner is popular among organizations around the world. It has an intuitive user interface that presents the extracted artifacts and makes it easier to perform advanced network traffic analysis. Presenting the data in an intuitive UI helps the analyst or forensic investigator with the analysis.
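To make the "second part" of a sniffer concrete (the software that logs and analyzes captured packets) and to show the kind of offline PCAP analysis described for NetworkMiner, here is a small added example, not code from this note or from Netresec. It builds a libpcap capture file in memory from constructed Ethernet/IPv4/TCP frames (hypothetical hosts 10.0.0.5 and 10.0.0.9 with made-up MAC addresses), parses it back, and derives two of the artifacts a forensic tool reports: the sessions present and which server ports actually answered with SYN/ACK.

```python
"""Minimal offline PCAP parser (added example, not from the note or NetworkMiner).

Decodes Ethernet II / IPv4 / TCP headers from a libpcap file and summarises
the sessions seen and the server ports that replied with SYN/ACK. The sample
capture is constructed inline; all hosts and MACs are hypothetical.
"""
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4      # libpcap magic (microsecond timestamps)
LINKTYPE_ETHERNET = 1
CLIENT_MAC = "02:00:00:00:00:05"   # constructed
SERVER_MAC = "02:00:00:00:00:09"   # constructed


def build_pcap(frames):
    """Constructed helper: wrap raw Ethernet frames in a libpcap v2.4 file."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    body = b""
    for ts, frame in enumerate(frames):           # one second per frame
        body += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return hdr + body


def build_tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Constructed helper: Ethernet II + IPv4 + TCP frame (checksums left as 0)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    return eth + ip + tcp


def parse_pcap(data):
    """Yield (timestamp, frame) records from a libpcap file of either byte order."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:                     # file written big-endian
        endian = ">"
    else:
        raise ValueError("not a libpcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:                 # truncated final record
            break
        off += incl_len
        yield ts_sec + ts_usec / 1e6, frame


def decode_frame(frame):
    """Return the IPv4/TCP fields of a frame, or None if it is something else."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4                  # IPv4 header length in bytes
    if frame[23] != 6 or len(frame) < 14 + ihl + 20:   # protocol 6 = TCP
        return None
    tcp = frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    flags = tcp[13]
    return {"src": ".".join(map(str, frame[26:30])), "dst": ".".join(map(str, frame[30:34])),
            "sport": sport, "dport": dport,
            "syn": bool(flags & 0x02), "ack": bool(flags & 0x10)}


def summarise(data):
    """Return (sessions, open_ports): endpoint pairs seen, and ports that sent SYN/ACK."""
    sessions = set()
    open_ports = Counter()
    for _, frame in parse_pcap(data):
        pkt = decode_frame(frame)
        if pkt is None:
            continue
        a, b = (pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])
        sessions.add(tuple(sorted([a, b])))       # direction-independent key
        if pkt["syn"] and pkt["ack"]:             # SYN/ACK: the sender's port is open
            open_ports[(pkt["src"], pkt["sport"])] += 1
    return sessions, open_ports


# Constructed sample: a completed handshake to port 80, and a connection
# attempt to port 23 that is refused (RST/ACK), so only 80 counts as open.
SAMPLE = build_pcap([
    build_tcp_frame(CLIENT_MAC, SERVER_MAC, "10.0.0.5", "10.0.0.9", 40001, 80, 0x02),
    build_tcp_frame(SERVER_MAC, CLIENT_MAC, "10.0.0.9", "10.0.0.5", 80, 40001, 0x12),
    build_tcp_frame(CLIENT_MAC, SERVER_MAC, "10.0.0.5", "10.0.0.9", 40001, 80, 0x10),
    build_tcp_frame(CLIENT_MAC, SERVER_MAC, "10.0.0.5", "10.0.0.9", 40002, 23, 0x02),
    build_tcp_frame(SERVER_MAC, CLIENT_MAC, "10.0.0.9", "10.0.0.5", 23, 40002, 0x14),
])

if __name__ == "__main__":
    sessions, open_ports = summarise(SAMPLE)
    for s in sorted(sessions):
        print("session:", s)
    for (host, port), n in open_ports.items():
        print(f"open port: {host}:{port} (SYN/ACK seen {n}x)")
```

The same `parse_pcap`/`decode_frame` pair works on a real capture saved by Wireshark or tcpdump in the classic libpcap format (`open(path, "rb").read()`); pcapng files and non-Ethernet link types are rejected rather than misparsed. Note that an open-port inference based only on SYN/ACK is deliberately conservative: a port that never receives a SYN in the capture window is simply not observed, which is the same limitation any passive analysis tool has.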
Ettercap supports active and passive dissection of many protocols (even encrypted ones) and includes many features for network and host analysis.
Data injection in an established connection and filtering (substitute or drop a packet) on the fly is also possible, keeping the connection synchronized.
Many sniffing modes are implemented, for a powerful and complete sniffing suite. It is possible to sniff in four modes: IP Based, MAC Based, ARP Based (full-duplex) and PublicARP Based (half-duplex).
Ettercap also has the ability to detect a switched LAN, and to use OS fingerprints (active or passive) to find the geometry of the LAN.
This package (ettercap-common) contains the common support files, configuration files, plugins, and documentation. You must also install either ettercap-graphical or ettercap-text-only for the actual GUI-enabled or text-only ettercap executable, respectively.
The ettercap-graphical package contains the GUI-enabled ettercap executable.