Internet Security Professional Reference:IP Spoofing and Sniffing


Shared-media networks deliver every frame to every station on the segment, and that affects performance and reliability so much that networking professionals use a network analyzer, or “sniffer,” to troubleshoot problems. A sniffer puts a network interface into promiscuous mode so that it receives every frame on the segment rather than only those addressed to it. In the hands of an experienced system administrator, a sniffer is an invaluable aid in determining why a network is behaving (or misbehaving) the way it is. With an analyzer, you can determine how much of the traffic is due to which network protocols, which hosts are the source and destination of most of the traffic, the elapsed or absolute time at which a packet was sent, and the time between packets. You can also examine the data traveling between a particular pair of hosts, categorize it by protocol, and store it for later analysis offline; with a sufficiently powerful CPU, you can do the analysis in real time. Some analyzers have a graphic, real-time display of performance, network utilization, and errors.

Network analyzers range in price from free to thousands of dollars. At the high end of the commercial market there are sophisticated hand-held devices (not to be confused with mere cable testers) and specialized hardware that finds errors ordinary network interfaces are not designed to detect. You will also pay more for time-saving features such as full packet decoding for proprietary protocols. When you examine the analyzers in the mid-range of the commercial market, you notice that some are nothing more than portable computers with Ethernet cards and special software; the only item that differentiates these analyzers from an ordinary computer is the software. Indeed, at least one major networking vendor has withdrawn from the hardware network analyzer market in order to focus on making better analyzer software that works with any Windows PC and a broad range of commodity Ethernet cards.

It is also easy to download shareware and freeware sniffing software from the Internet or from bulletin board systems. The ease of access to sniffing software is good for network administrators because it helps them become better network troubleshooters. However, the availability of this software also means that malicious computer users with access to a network can capture all the data flowing through it. A sniffer can capture all the data for a short period of time, or selected portions of the data for a fairly long period of time; eventually the malicious user runs out of space to store it. For example, the Ethernet LAN in my building at work often carries 10,000 packets per second. Without judicious use of address and protocol filters, the packet traces consume all the system’s memory in a few minutes.


Note:  Esniff.c is a simple 500-line C program that works on SunOS 4.x. When run by the root user on a Sun workstation, Esniff captures the first 300 bytes of each TCP/IP connection on the local network. It is quite effective at capturing all usernames and passwords entered by users for Telnet, rlogin, and FTP. The source code is included in the alt.2600 FAQ available at ftp://rtfm.mit.edu/pub/usenet-by-group/alt.2600.
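The following Python script is an added example for this chapter; it is not the source of Esniff, TCPDump, or any other tool named here. It shows the core of what such a sniffer does once it has raw frames in hand: dissect the Ethernet, IPv4, and TCP headers, discard at once anything not bound for a port that carries clear-text logins (the address and protocol filtering that keeps a trace from exhausting memory on a busy segment), keep at most the first 300 bytes of each client-to-server stream as Esniff does, and then pull FTP USER/PASS pairs out of what was captured. The frames, addresses, and logins are constructed inline by a small builder so the script runs offline without root or a promiscuous-mode interface; on a live system the same feed() logic would sit behind a capture library such as libpcap.

```python
import struct
from collections import defaultdict

CAPTURE_LIMIT = 300            # bytes kept per connection, the same cut-off Esniff uses
WATCHED_PORTS = {21, 23, 513}  # FTP, Telnet, rlogin: their logins cross the wire in clear text


def ip_checksum(header: bytes) -> int:
    """One's-complement sum over the IPv4 header (checksum field zeroed)."""
    total = sum(struct.unpack('!%dH' % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_frame(src: str, sport: int, dst: str, dport: int, payload: bytes) -> bytes:
    """Constructed Ethernet II / IPv4 / TCP frame for the demo: made-up MAC addresses,
    no TCP options, TCP checksum left zero because the parser does not verify it."""
    tcp = struct.pack('!HHIIBBHHH', sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes(int(o) for o in src.split('.')), bytes(int(o) for o in dst.split('.')))
    ip = ip[:10] + struct.pack('!H', ip_checksum(ip)) + ip[12:]
    eth = bytes.fromhex('001122334455') + bytes.fromhex('66778899aabb') + b'\x08\x00'
    return eth + ip + tcp


def parse_frame(frame: bytes):
    """Dissect Ethernet II / IPv4 / TCP. Returns (src, sport, dst, dport, payload),
    or None for anything that is not TCP over IPv4 (ARP, UDP, runt frames)."""
    if len(frame) < 54 or frame[12:14] != b'\x08\x00':
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack('!H', ip[2:4])[0]
    if ip[9] != 6 or ihl < 20 or total_len < ihl + 20 or len(ip) < total_len:
        return None
    src = '.'.join(str(b) for b in ip[12:16])
    dst = '.'.join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack('!HH', tcp[:4])
    data_offset = (tcp[12] >> 4) * 4
    return src, sport, dst, dport, tcp[data_offset:]


class Sniffer:
    """Keeps the first `limit` bytes of every client-to-server stream bound for a watched port."""

    def __init__(self, ports=WATCHED_PORTS, limit=CAPTURE_LIMIT):
        self.ports, self.limit = ports, limit
        self.streams = defaultdict(bytearray)   # (src, sport, dst, dport) -> captured bytes
        self.seen = self.dropped = 0

    def feed(self, frame: bytes) -> None:
        self.seen += 1
        pkt = parse_frame(frame)
        # Protocol filter: frames not headed for a watched port are discarded immediately,
        # so the trace grows only with the logins, not with the bulk of the segment's traffic.
        if pkt is None or pkt[3] not in self.ports:
            self.dropped += 1
            return
        src, sport, dst, dport, payload = pkt
        buf = self.streams[(src, sport, dst, dport)]
        room = self.limit - len(buf)         # stop storing once 300 bytes of the stream are kept
        if room > 0:
            buf += payload[:room]

    def credentials(self):
        """FTP logins (POP3 uses the same USER/PASS form): both lines are sent in clear text."""
        found = []
        for (src, sport, dst, dport), buf in self.streams.items():
            user = password = None
            for line in buf.split(b'\r\n'):
                if line[:5].upper() == b'USER ':
                    user = line[5:].decode('ascii', 'replace')
                elif line[:5].upper() == b'PASS ':
                    password = line[5:].decode('ascii', 'replace')
            if user is not None and password is not None:
                found.append((src, dst, dport, user, password))
        return found


def demo() -> Sniffer:
    """Constructed traffic: one HTTP request (filtered out), an FTP login, then a long
    FTP command that runs past the 300-byte limit and is truncated."""
    s = Sniffer()
    for f in [
        build_frame('10.0.0.5', 40000, '10.0.0.9', 80, b'GET / HTTP/1.0\r\n\r\n'),
        build_frame('10.0.0.5', 40001, '10.0.0.7', 21, b'USER alice\r\n'),
        build_frame('10.0.0.5', 40001, '10.0.0.7', 21, b'PASS s3cret\r\n'),
        build_frame('10.0.0.5', 40001, '10.0.0.7', 21, b'RETR ' + b'A' * 400 + b'\r\n'),
    ]:
        s.feed(f)
    return s


if __name__ == '__main__':
    s = demo()
    print('frames seen:', s.seen, 'dropped by filter:', s.dropped)
    for src, dst, port, user, password in s.credentials():
        print(f'{src} -> {dst}:{port}  user={user!r} password={password!r}')
```

Telnet is deliberately left out of credentials(): it sends the login one keystroke per segment, interleaved with option negotiation, so reconstructing it needs sequence-number reassembly that this example does not attempt. The 300-byte cut-off is what makes the approach practical on a busy segment: the login exchange of almost every clear-text protocol fits in it, and everything after it is discarded.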

TCPDump is a common, more sophisticated, and more portable Unix sniffing program written by Van Jacobson and his colleagues at Lawrence Berkeley Laboratory; Jacobson is a well-known developer of high-quality TCP/IP software. It uses the libpcap library to interface portably with promiscuous-mode network interfaces. The most recent version is available at ftp://ftp.ee.lbl.gov/tcpdump.tar.Z. It requires libpcap: ftp://ftp.ee.lbl.gov/libpcap.tar.Z.

NetMan contains a more sophisticated, portable Unix sniffer in several programs in its network management suite. The latest version of NetMan is available at ftp://ftp.cs.curtin.edu.au/pub/netman.

EthDump and EthLoad are sniffers that run under DOS and can be obtained from ftp://ftp.germany.eu.net/pub/networking/inet/ethernet/.



Warning:  On some Unix systems, TCPDump comes bundled with the vendor OS. When run by an ordinary, unprivileged user it cannot put the network interface into promiscuous mode, so that user sees only traffic addressed to the local host; but that still includes every other user’s Telnet, rlogin, and FTP sessions with that host, not merely traffic for processes the user owns. Systems administrators concerned about sniffing should remove the execute permission for ordinary users from this program.
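The following shell script is an added example of the hardening the warning recommends; it is not from the book or from any vendor. It checks whether a capture program is executable by ordinary users or carries the setuid bit, and removes both. The demo operates on a constructed stand-in file created with mktemp rather than on /usr/sbin/tcpdump, so it can be run without harm; point restrict_sniffer at the real binary (whose path varies by vendor) to apply it.

```sh
#!/bin/sh
# Added example (not the book's code): audit a packet-capture binary and
# remove the permissions an ordinary user would need to run it.
set -eu

# Exit 0 when "other" (any user) may execute the file.
world_executable() {
    [ -n "$(find "$1" -prune -perm -001 2>/dev/null)" ]
}

# Exit 0 when the setuid bit is set. A setuid sniffer hands every user the
# owner's ability to open the interface, promiscuous mode included.
is_setuid() {
    [ -n "$(find "$1" -prune -perm -4000 2>/dev/null)" ]
}

# Drop setuid and world read/execute, leaving the program usable by root
# and by the owning group (an administrative group, if the site uses one).
restrict_sniffer() {
    if is_setuid "$1"; then chmod u-s "$1"; fi
    if world_executable "$1"; then chmod o-rx "$1"; fi
}

# Constructed stand-in for a vendor-installed tcpdump binary.
demo() {
    tmp=$(mktemp)
    printf '#!/bin/sh\necho pretend-sniffer\n' > "$tmp"
    chmod 4755 "$tmp" 2>/dev/null || chmod 755 "$tmp"   # the bad case: setuid and world-executable
    restrict_sniffer "$tmp"
    if world_executable "$tmp" || is_setuid "$tmp"; then
        echo "$tmp: still runnable by ordinary users"
    else
        echo "$tmp: restricted ($(ls -l "$tmp" | cut -c1-10))"
    fi
    rm -f "$tmp"
}

demo
```

Mode bits are only half the story: on systems where the capture device (/dev/bpf*, /dev/nit) is itself world-readable, any user can write a sniffer of their own, so the device permissions deserve the same audit.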

Sniffing: How It Threatens Security

Sniffing data from the network leads to leakage of several kinds of information that should be kept secret for a computer network to be secure. These kinds of information include the following:

  Passwords
  Financial account numbers
  Confidential or sensitive data
  Low-level protocol information

The following subsections give an example of each.

Sniffing Passwords

A prevalent computer security problem today is poor password management. Typical users type a password at least once a day to gain access to confidential or sensitive data. Users must be trained to guard their password carefully: not to share it with anyone and not to write it down anywhere, for example on a sticky note on their monitor. Users also need guidance in selecting good passwords and in deciding when to change them. Training should also cover “shoulder surfers,” who watch your fingers as you type your password, and “social engineers,” who can smoothly persuade you to disclose passwords or other sensitive information. Good security awareness is certainly important, but any such policies and training are severely undermined by the legacy systems and protocols that transmit passwords in the clear over the Internet. Passwords authenticate users not only for access to the files in their private accounts; other passwords are often employed within database systems. When the user types any of these passwords, the system does not echo them to the screen, to ensure that no onlooker will see them. Yet after the user has jealously guarded these passwords, and after the computer system has reinforced the notion that they are private, that same system sends each character of the password across the network, where any Ethernet sniffer on the segment can read it. End users do not realize just how easily these passwords can be found by someone using a simple and common piece of software.

