Sniffing Packets on a Network


Traffic sent from your computer to another is broken up into small chunks (typically around 1,500 bytes each) called packets; when the packets reach their destination, they are reassembled back into a whole. Each packet consists of headers and data. The data is the information being sent, while the headers help get the packet from its source to its destination.

To understand packets sent over the Internet, think of an onion. Start with the data at the center. Wrapped around the data is the Ethernet header, which contains the MAC addresses of the source and destination. Wrapped around that is the Internet Protocol (IP) information, which consists of a lot of data, but most importantly the IP addresses of the source and destination.

Wrapped around the IP layer is the Transmission Control Protocol (TCP) information, which carries the source and destination ports and the sequence numbers of the packets. That may be the outside of the onion, unless an application of some sort, such as a Web browser or an email program or an IM app, is involved. In those instances, the TCP layer is wrapped in an application layer — such as HTTP, POP3, or AIM — which performs services needed by those applications. And that, usually, is the final layer of the onion.
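As an added example (not from the book), here is a small Python decoder that peels those layers off a constructed Ethernet/IPv4/TCP frame, reading them in the order the bytes actually sit on the wire: the Ethernet header first, then the IP header it carries, then TCP, then the application data at the centre. The MAC addresses, the client port 51234 and the HTTP payload are made up and the checksums are left at zero; the two IP addresses are the ones the chapter's own screenshot shows.

```python
import struct

def build_sample_frame(payload: bytes) -> bytes:
    """Assemble a constructed Ethernet + IPv4 + TCP frame around `payload`.

    Test data only, not a real capture: the MACs and client port are invented,
    checksums are left at zero, and the IP addresses match the chapter's figure.
    """
    eth = (bytes.fromhex("001122334455")    # destination MAC (made up)
           + bytes.fromhex("66778899aabb")  # source MAC (made up)
           + b"\x08\x00")                   # EtherType 0x0800 = IPv4
    # TCP: src port, dst port, seq, ack, data offset (5 words) << 4, flags PSH|ACK, window, csum, urgent
    tcp = struct.pack("!HHIIBBHHH", 51234, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_length = 20 + len(tcp) + len(payload)
    # IPv4: version/IHL, TOS, total length, id, flags/frag (DF), TTL, protocol 6 = TCP, csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0x1234, 0x4000, 64, 6, 0,
                     bytes([192, 168, 2, 11]), bytes([64, 233, 179, 106]))
    return eth + ip + tcp + payload

def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def _ipv4(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)

def decode_frame(frame: bytes) -> dict:
    """Peel the headers from the outside in: Ethernet, then IPv4, then TCP, then application data.

    Each layer is validated before the next one is read, so a truncated or
    malformed frame raises ValueError instead of yielding garbage fields.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    layers = {"eth": {"dst": _mac(dst), "src": _mac(src), "type": ethertype}}
    if ethertype != 0x0800:
        return layers                        # not IPv4 (ARP, IPv6, ...): stop here

    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_length, ident, _flags_frag, ttl, proto,
     _csum, src_ip, dst_ip) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_length < ihl or len(ip) < total_length:
        raise ValueError("malformed IPv4 header")
    layers["ip"] = {"src": _ipv4(src_ip), "dst": _ipv4(dst_ip), "ttl": ttl, "id": ident, "proto": proto}
    if proto != 6:
        return layers                        # UDP, ICMP, ...: stop here

    tcp = ip[ihl:total_length]               # honour the IP length; ignore any Ethernet padding
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_res, flags, window, _csum, _urg = struct.unpack("!HHIIBBHHH", tcp[:20])
    data_offset = (off_res >> 4) * 4
    if data_offset < 20 or len(tcp) < data_offset:
        raise ValueError("malformed TCP header")
    layers["tcp"] = {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
                     "flags": flags, "window": window}
    layers["data"] = tcp[data_offset:]       # the innermost layer: what the application sent
    return layers

if __name__ == "__main__":
    frame = build_sample_frame(b"GET / HTTP/1.1\r\nHost: mail.google.com\r\n\r\n")
    for name, fields in decode_frame(frame).items():
        print(name, fields)
```

The decoder trusts the length fields only after checking them against the bytes actually present; that is the difference between a dissector that reports "malformed packet" and one that can be tripped up by a short or padded frame.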

What do sniffing programs do? Basically, they enable you to see all the traffic on your network, whether it is intended for your machine or not (there is a caveat to that statement, coming up soon). All the packets rushing by and all the various layers that make up those packets — network protocol analyzers such as Ethereal show it all.

Why would you want to do that? Why in the world would you want to know the details of all the traffic going across the network to which you're currently attached? Well, there's the bad guy reason — to grab non-encrypted passwords and data — and the good guy reasons:

  • To learn more about network protocols

  • To figure out just what the heck is wrong with that %#$&! Samba connection (or NFS, or email, or what have you)

  • To audit an organization's network to expose security holes (such as really bad, unencrypted passwords, or folks who aren't using encryption when they're supposed to)

Whatever your reason, you'll find plenty of uses for Ethereal, not least that it's really fun.

Note 

For more on packet sniffing, start with Robert Graham's extensive Sniffing FAQ, available at http://linuxsecurity.net/resource_files/intrusion_detection/sniffing-faq.html.

Analyzing Network Traffic with Ethereal

Ethereal has been available for general use since 1998, and in the few years it's been out, it has become one of the premier open-source security tools. It is both powerful and easy to use for basic needs, so including it on Knoppix was a no-brainer. It's also a program that rewards careful study: The more you learn, the more you can do, and the more you will learn — about your network, about networking, and about security.

To get the most from Ethereal, you need to run it as root. Unfortunately, if you try to open Ethereal as root in Knoppix, you are prompted for a root password that doesn't exist. There are two ways around this issue (actually, there are a lot more than that, but these two should do it for you):

  • Set the root password. Just open your command line by going to the K menu and selecting System → Konsole. When it opens, enter sudo passwd, type in the new root password twice, and press Enter. That's it. The password for root is now changed. When you run Ethereal, you are prompted to enter root's password, which you just created.

  • Right-click the K menu and select Menu Editor to open the KDE Menu Editor. Click the + next to Internet to expand it, and then select Ethereal (as root) with a single click. You should now be able to edit the data about this item on the right side of the KDE Menu Editor. Next to the Command field, edit the command to read like the following:

     sudo gksu -u root /usr/bin/ethereal 

    Further down, uncheck Run as a Different User. Close the KDE Menu Editor. Save your changes and wait while they are made permanent. Now you can run Ethereal as root without having to create a root password.

Open Ethereal by going to the K menu and selecting Internet → Ethereal (as root). The program opens with a screen similar to the one shown in Figure 6-6.

Figure 6-6: Ethereal doesn't do much when it first opens but just wait.

Setting Capture Options

When you first open Ethereal, it seems like you have a lot of options — and you do! — yet getting started isn't that difficult. To begin the process of capturing packets, choose Capture → Start, which opens Ethereal's Capture Options window (see Figure 6-7).

Figure 6-7: Choose what you want to capture with Ethereal.

This is a very important window because it determines which packets Ethereal is going to gather. The Interface box should contain the NIC that is connected to the network. If you have only one, it's chosen; if you're using two NICs, select the one you want Ethereal to use.

To grab every packet on the network, even those not bound for your machine, leave Capture Packets in Promiscuous Mode checked. To see only information entering and leaving your specific machine, uncheck this box.

Note 

If you're on a switched network, you will only capture packets meant for your machine, in addition to the occasional broadcast packet. (Yes, there are ways around that, but that's another book. If you really want to know how to grab other machines' packets on a switched network, use your favorite search engine.)

Because this is your first time using Ethereal and because this isn't a life-or-death situation, check Update List of Packets in Real Time, and, once that's enabled, check Automatic Scrolling in Live Capture. With those two options on, Ethereal shows you the packets it is snarfing as it snarfs them. It's too much information to be useful while it's going on, but it sure looks cool, and it gives you an idea about just how busy your network really is.

Note 

There are plenty of other options on the Capture Options screen, but they're not applicable to you right now. Nonetheless, you may want to use one of them sometime, so check out the Ethereal User's Guide for the Capture Options dialog box, at http://ethereal.com/docs/user-guide-sp/#ChCapCaptureOptions.

Understanding the Capture

Now that you've told Ethereal what to capture, click OK. The main Ethereal window fills up with data, and a smaller window titled something like "Capture from eth0" (see Figure 6-8) shows you the aggregate of Ethereal's progress, broken down by protocol.

Figure 6-8: Ethereal at work

Not surprisingly, TCP is responsible for the lion's share of traffic because most folks cruise around to Web pages and open their email programs. After a couple of minutes, click Stop so that you can examine what's been traveling about the network. The capture window closes, leaving you with the main Ethereal window, now chock-a-block with data, as Figure 6-9 shows.

Figure 6-9: Ethereal has captured plenty of data for analysis.

The three panes of data, from the top down, are as follows:

  • Packet List pane: Contains a list of every packet captured and key data about it. When you select a packet in this pane, information about it is displayed in the middle and bottom panes.

  • Packet Details pane: Breaks the packet you selected in the Packet List pane into its component parts, including headers and data. Each item can be expanded to show further detail by clicking the small triangle to the left of each field. When you select a component in this pane, the corresponding information is highlighted in the bottom pane.

  • Packet Bytes pane: Displays the actual information sent in the packet. If an item in the middle pane is chosen, the specific information in the bottom pane is highlighted to make it easy to find and read. Conversely, choosing a snippet of data in the bottom pane highlights the specific protocol in the middle pane.

The packet selected in Figure 6-9 shows what happened when I loaded Gmail. You can see that the browser (at 192.168.2.11 in the Source column) sent an HTTP GET request to Google's server (at 64.233.179.106 in the Destination column) in the Packet List pane.

The Packet Details pane shows that the packet consisted of an Ethernet header, an IP header, a TCP header, and HTTP data.

Finally, the Packet Bytes pane reveals the entire packet in a (mostly) comprehensible format. The first column of the Packet Bytes pane shows the offset in the data, the second column shows the data in hexadecimal format, while the third column shows the data in human-readable ASCII format (just because it's human-readable doesn't mean that you'll understand it, though!).
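To make the three columns of the Packet Bytes pane concrete, here is an added Python example (mine, not the book's) that renders a byte string in that same offset / hex / ASCII layout and, going the other way, recovers the bytes from such a dump. The sample payload is a constructed HTTP request; the point of the inverse function is that only the hex column is lossless, because every non-printable byte in the ASCII column has been replaced by a dot.

```python
def hexdump(data: bytes, width: int = 16) -> list[str]:
    """Render bytes the way the Packet Bytes pane does: offset, hex column, ASCII column.

    Non-printable bytes become '.', which is why the ASCII column is readable
    but not always meaningful.
    """
    lines = []
    for offset in range(0, len(data), width):
        chunk = data[offset:offset + width]
        hex_col = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        ascii_col = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{offset:04x}  {hex_col}  {ascii_col}")
    return lines

def parse_hexdump(lines: list[str], width: int = 16) -> bytes:
    """Recover the original bytes from a dump produced by hexdump().

    Only the hex column is trusted; the ASCII column is lossy (every
    non-printable byte was replaced by '.'), so it is ignored here.
    """
    out = bytearray()
    for line in lines:
        hex_col = line[6:6 + width * 3 - 1]        # fixed-width column after "XXXX  "
        out += bytes.fromhex(hex_col.replace(" ", ""))
    return bytes(out)

if __name__ == "__main__":
    sample = b"GET / HTTP/1.1\r\nHost: mail.google.com\r\n\r\n"   # constructed payload
    for line in hexdump(sample):
        print(line)
```

When someone pastes a dump like this into a ticket, parse_hexdump() is what lets you get the exact bytes back for re-analysis rather than guessing from the ASCII column.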

Filtering the Capture

Things get really interesting when you start filtering the mass of data that Ethereal captures. For instance, suppose you want to determine whether anyone on your network is trying to log in to his email using a username and password sent in the clear (Bad user! Bad!). To find out, you want to create a display filter that limits in some way the packets that Ethereal shows you (these are not the same as capture filters, which control the packets that Ethereal gathers in the first place). Click the Expression button in the filter toolbar near the top of the window; Ethereal's Filter Expression window (see Figure 6-10) opens.

Figure 6-10: Create a display filter for Ethereal.

Among the enormous list of possible protocols on the left side of the window, select the one in which you're interested: IMAP. For Relation, choose "contains," and in the Value (protocol) text box (which is active for every Relation except "is present") enter LOGIN — that's what IMAP servers expect when a user is trying to authenticate to the server. Now that your filter exists, click OK to go back to the main Ethereal window, where only the filtered results are displayed, as shown in Figure 6-11.

Figure 6-11: Clear-text email login and password (blacked out in this figure) are available to nearly everyone. Oops.

Ethereal displays the filter you created in its own syntax: imap contains LOGIN (filters are case insensitive). Below that are three packets out of hundreds, and one of those three is dynamite. The third packet — the one that's highlighted — contains the user's name and password, in clear text and easy to read (blacked out here to protect the bad user). Yes, it's that easy.

And it gets easier. When you find a packet that looks interesting, right-click it and select Follow TCP Stream. Ethereal gathers all the packets that are part of that email message, or login sequence, or whatever; joins them together; and then shows you the ASCII text. Try it with one of your own email messages, and prepare to be amazed.

Note 

When you choose Follow TCP Stream, Ethereal automatically turns that request into a display filter.

Here are some other display filters you can use. Just remove the current filter, enter one of the following, and click Apply:

  • aim && !(aim.channel == 0x5): Look for AOL Instant Messenger traffic, but without the annoying Keep Alive packets that appear constantly.

  • (http contains "hotmail") && (http contains "Reply-To"): Find emails sent using Hotmail.

  • (tcp.port eq 110 and tcp.port eq 3457) && (tcp contains PASS): Find out usernames and passwords sent when folks try to log in to get their POP3 email.
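The following added Python example (not part of the book) ties together the Follow TCP Stream feature described above and the POP3/IMAP display filters just listed, from an auditor's point of view: it splices constructed TCP segments back into streams in sequence-number order, then applies the "imap contains LOGIN" and "tcp.port eq 110 and tcp contains PASS" rules to the reassembled data and reports which clients logged in unencrypted, without repeating the credential. The sample also shows why reassembly matters: one IMAP LOGIN command is split across two out-of-order segments, so a packet-at-a-time filter misses it. The hosts 10.0.0.5, 192.168.2.20 and 192.168.2.30, the ports and the user names and passwords are all invented; 192.168.2.11 is the client from the chapter's figure.

```python
from dataclasses import dataclass

@dataclass
class Segment:
    """One captured TCP segment, already decoded down to its payload (constructed test data)."""
    client: str
    client_port: int
    server: str
    server_port: int
    seq: int
    payload: bytes

# The chapter's display-filter rules, keyed by server port:
# (protocol name, command verb, position of the verb in the client's command line)
#   POP3: "PASS <password>"          -> tcp.port eq 110 and tcp contains PASS
#   IMAP: "<tag> LOGIN <user> <pw>"  -> imap contains LOGIN
CLEARTEXT_AUTH = {110: ("POP3", b"PASS", 0), 143: ("IMAP", b"LOGIN", 1)}

def per_packet_matches(segments):
    """The chapter's filters applied one packet at a time, as the Packet List pane does."""
    return [s for s in segments
            if s.server_port in CLEARTEXT_AUTH
            and CLEARTEXT_AUTH[s.server_port][1] in s.payload.upper()]

def follow_tcp_streams(segments):
    """Splice each client->server stream back together in sequence order, like Follow TCP Stream.

    Segments are grouped by (client, client port, server, server port), sorted by
    sequence number, and overlapping retransmissions are trimmed. Gaps are not
    filled: a stream with missing segments simply reads as truncated.
    """
    grouped = {}
    for s in segments:
        grouped.setdefault((s.client, s.client_port, s.server, s.server_port), []).append(s)
    streams = {}
    for key, segs in grouped.items():
        buf, expected = bytearray(), None
        for s in sorted(segs, key=lambda seg: seg.seq):
            payload = s.payload
            if expected is not None and s.seq < expected:
                payload = payload[expected - s.seq:]   # bytes already seen: retransmission overlap
            buf += payload
            end = s.seq + len(s.payload)
            expected = end if expected is None else max(expected, end)
        streams[key] = bytes(buf)
    return streams

def find_cleartext_logins(streams):
    """Report every client that authenticated in the clear, without echoing the credential."""
    findings = []
    for (client, _cport, server, sport), data in streams.items():
        if sport not in CLEARTEXT_AUTH:
            continue
        proto, verb, verb_index = CLEARTEXT_AUTH[sport]
        for line in data.split(b"\r\n"):
            words = line.split()
            if len(words) > verb_index and words[verb_index].upper() == verb:
                findings.append({"client": client, "server": server, "protocol": proto,
                                 "port": sport, "fix": f"switch {proto} to SSL/TLS"})
                break
    return findings

SAMPLE_SEGMENTS = [
    # IMAP login whose LOGIN command is split across two segments captured out of order
    Segment("192.168.2.11", 40001, "10.0.0.5", 143, seq=1006, payload=b"IN alice hunter2\r\n"),
    Segment("192.168.2.11", 40001, "10.0.0.5", 143, seq=1000, payload=b"a1 LOG"),
    # POP3 login from another client, plus a retransmission of its first segment
    Segment("192.168.2.20", 40002, "10.0.0.5", 110, seq=1, payload=b"USER bob\r\n"),
    Segment("192.168.2.20", 40002, "10.0.0.5", 110, seq=1, payload=b"USER bob\r\n"),
    Segment("192.168.2.20", 40002, "10.0.0.5", 110, seq=11, payload=b"PASS swordfish\r\n"),
    # IMAP over SSL on port 993: opaque TLS record bytes, nothing to flag
    Segment("192.168.2.30", 40003, "10.0.0.5", 993, seq=1, payload=b"\x16\x03\x01\x00\x05hello"),
]

if __name__ == "__main__":
    print(len(per_packet_matches(SAMPLE_SEGMENTS)), "packet-level hit(s)")
    for finding in find_cleartext_logins(follow_tcp_streams(SAMPLE_SEGMENTS)):
        print(finding)
```

Run as a script it prints one packet-level hit (the POP3 PASS segment) but two stream-level findings, because the IMAP LOGIN only becomes visible after the two segments are joined. The findings name the client and the fix, not the password, which is all an audit report needs.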

Protecting with Encryption

How do you protect against Ethereal? It's pretty simple, really. Use encryption. That means SSL whenever you log in to any website that requires a username and password, and SSL for any email client. For the contents of email, use GPG (discussed earlier in this chapter).

Want to scare a friend or family member straight and show her the value of good security? Use Ethereal for a while when she's using the Net to surf and read emails, and then show her what you learned. I have the feeling she'll be a lot more receptive to a simple discussion about the benefits of SSL and encrypted POP3 or IMAP. In that way alone, you can use Ethereal to make everyone safer.

Note 

Ethereal is an awesome program that offers hundreds of features and tweaks, and I've barely touched on a fraction of its capabilities. To learn more, start with the excellent Ethereal User's Guide, available in HTML or PDF formats at http://ethereal.com/docs/.



Hacking Knoppix (ExtremeTech)
ISBN: 0764597841
Year: 2007
Pages: 118
