think of packet sniffing as a wiretap on your computer: a sniffer captures every frame that flows across a network segment and presents the results in a readable, understandable format. here we will learn how to (not) mind our own business. there are a few things you need to know, however, to make sense of the results.
the first concept that needs to be understood when it comes to packet sniffing is that you can only read packets on the immediate network; that is, the machines sharing your segment (your broadcast domain), such as everything plugged into the same hub. sniffers do not work when trying to read packets across the internet; if there is a firewall, router, or anything else routing between you and the far-end host you are trying to read data from, forget about it, because a router forwards packets toward their destination without copying them to you. one caveat for newer networks: on a shared hub every frame reaches every port, but a switch only forwards a frame to the port that owns the destination mac address, so a plain sniffer plugged into a switch sees little more than broadcasts and its own traffic unless it is attached to a mirror (span) port.
so what actually happens during this process? when you start a capture, your sniffing software puts your nic (network interface card) into what is called "promiscuous" mode. the term, by itself, lets you know what is happening: normally the card silently drops any frame whose destination mac is not its own (or one of the broadcast/multicast addresses it has been told to listen for); in promiscuous mode it hands every frame on the wire up to the operating system. what this basically boils down to is that your computer is in everyone else's business, even if everyone else doesn't intend for it to be. once your network connection is reading everything coming and going, the sniffer software collects and stores this information, frame by frame. after collection is stopped, by you (yes, you have to do something!), the analyzing process begins, although most sniffers will happily decode packets while the capture is still running.
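to make the promiscuous-mode step concrete, here is an added example (not code from the original page) that does on linux what the sniffer software does behind the scenes: it binds a raw AF_PACKET socket to an interface, asks the kernel for promiscuous delivery, and reads frames. it also shows which frames the card would have passed up anyway, so you can see exactly what promiscuous mode buys you. running the capture needs root (or CAP_NET_RAW); the interface name "eth0" and the mac addresses are assumptions made for the example.

```python
"""added example, not code from the original page: put a linux nic into
promiscuous mode and read raw frames with an AF_PACKET socket.  needs
root (or CAP_NET_RAW) and a real interface; the default interface name
"eth0" and the sample mac addresses are assumptions for the example."""
import socket
import struct
import sys

# constants from linux/socket.h and linux/if_packet.h
ETH_P_ALL = 0x0003              # ask for every ethertype, not just ip
SOL_PACKET = 263
PACKET_ADD_MEMBERSHIP = 1
PACKET_MR_PROMISC = 1


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def promisc_membership(ifindex: int) -> bytes:
    """build struct packet_mreq {int mr_ifindex; u16 mr_type; u16 mr_alen;
    u8 mr_address[8]} asking the kernel for promiscuous delivery."""
    return struct.pack("iHH8s", ifindex, PACKET_MR_PROMISC, 0, b"\x00" * 8)


def seen_without_promisc(frame: bytes, my_mac: str) -> bool:
    """would a nic in normal mode have passed this frame up at all?
    only frames to our own unicast mac, or to a group (multicast/broadcast)
    address, which has the low bit of the first octet set."""
    dst = frame[:6]
    return mac_str(dst) == my_mac.lower() or bool(dst[0] & 0x01)


def open_promiscuous(ifname: str) -> socket.socket:
    """bind a raw socket to ifname and switch the interface to promiscuous
    mode for as long as the socket stays open (linux only)."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    s.bind((ifname, 0))
    s.setsockopt(SOL_PACKET, PACKET_ADD_MEMBERSHIP,
                 promisc_membership(socket.if_nametoindex(ifname)))
    return s


def sniff(ifname: str, count: int):
    """yield (dst, src, ethertype, payload) for the next `count` frames."""
    with open_promiscuous(ifname) as s:
        for _ in range(count):
            frame = s.recv(65535)
            dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
            yield mac_str(dst), mac_str(src), ethertype, frame[14:]


if __name__ == "__main__":
    iface = sys.argv[1] if len(sys.argv) > 1 else "eth0"
    for dst, src, etype, _ in sniff(iface, 20):
        tag = "" if seen_without_promisc(b"" + bytes.fromhex(dst.replace(":", "")), "") else "  (promisc only)"
        print(f"{src} -> {dst}  type 0x{etype:04x}{tag}")
```

the membership stays in effect only while the socket is open, which is also why the interface drops back out of promiscuous mode when a sniffer exits; `ip link show` (or `ifconfig`) reports the PROMISC flag while it is on.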
for this example, packet analyzing will be done using some third-party software called "ethereal," as windows does not have a built-in sniffer. ethereal is quickly becoming the most popular sniffer freeware. ah, the magic word, free. (ethereal was renamed wireshark in 2006, so current versions go by that name.) ethereal will break each packet down into the protocol layers it carries: the ethernet frame, the ip packet inside it, the tcp or udp segment inside that, and finally the application data. these map roughly onto the osi (open systems interconnection) layers. the osi model makes it so different computers and technologies can speak the same language to each other on a layered scope. the 7 layers are physical, data link, network, transport, session, presentation, and application. if you aren't familiar with the 7 osi layers, now might be a good time to check them out (on the net). you will definitely further your understanding of packet sniffing, and will increase your "1337-ness" across the board if you do so. for the scope of this book, we won't go into how to set up ethereal, but it is very straightforward and self explanatory. you can grab the program here: http://www.ethereal.com/
the capture above was run during a telnet session from address 192.168.1.101 to 192.168.1.20. the sniffer data first shows an arp (address resolution protocol) broadcast from the source computer to the rest of the network, asking, "who has 192.168.1.20?" and also, "tell 192.168.1.101." the source computer then gets an arp reply stating that 192.168.1.20 is at the mac (media access control) address 08:00:20:9f:8d:52. think of a mac address as similar to an ip address, except that it is a 48-bit layer 2 address assigned to your network adapter at the time of manufacturing (it can also be referred to as a hardware or physical address), and it only means something on the local segment. now that the source knows which adapter to send to, it opens a tcp connection to port 23 (the three-way handshake) and the telnet packets follow, as shown above. the top window lists one summary line per packet, the middle window breaks the selected packet down layer by layer into a readable format, and the bottom window is a hex dump of the raw bytes.
sniffer data is used by information technology professionals and the hacking community alike because it is a great tool for determining what exactly is happening in a target network's environment. network administrators may use this data to find a machine on their network that is flooding packets into the subnet, which is perhaps causing some latency. hackers may use the same tool to sniff passwords sent in the clear (telnet, shown above, is one such protocol) and other data of a sensitive nature, which may be leveraged as a foothold or kept simply for the knowledge gained.
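to tie the telnet capture and the cleartext-password point together, here is an added example (not code from the original page) of a minimal dissector that splits frames into the same layers ethereal shows in its middle window (ethernet > arp, and ethernet > ipv4 > tcp > telnet data) and then follows the client side of the telnet stream to recover what was typed. 192.168.1.101, 192.168.1.20 and 08:00:20:9f:8d:52 come from the text; the client mac 00:0c:29:aa:bb:cc, client port 1037, the sequence numbers and the typed login are constructed for the example.

```python
"""added example, not code from the original page: a minimal dissector that
breaks frames down into the layers ethereal shows for the telnet session in
the text, then follows the client side of the telnet stream.  the addresses
192.168.1.101, 192.168.1.20 and 08:00:20:9f:8d:52 come from the text; the
client mac 00:0c:29:aa:bb:cc, client port 1037, the sequence numbers and the
typed login are constructed for the example."""
import ipaddress
import struct


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def ip_bytes(s: str) -> bytes:
    return ipaddress.IPv4Address(s).packed


def inet_checksum(data: bytes) -> int:
    """rfc 1071 one's-complement sum; returns 0 when run over a header whose
    checksum field is already filled in correctly."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def arp_frame(op, sha, spa, tha, tpa, dst_mac):
    """ethernet + arp (op 1 = request, 2 = reply)."""
    eth = mac_bytes(dst_mac) + mac_bytes(sha) + b"\x08\x06"
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))
    return eth + arp


def tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, seq, payload):
    """ethernet + ipv4 + tcp (PSH,ACK) carrying payload.  the ip checksum is
    real; the tcp checksum is left at zero since the dissector does not check it."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8760, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00" + ip + tcp


def dissect(frame: bytes) -> dict:
    """one dict per layer, keyed by layer name, like ethereal's middle pane."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers = {"Ethernet": {"dst": mac_str(dst), "src": mac_str(src), "type": ethertype}}
    body = frame[14:]
    if ethertype == 0x0806:
        op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", body[:28])[4:]
        spa, tpa = str(ipaddress.IPv4Address(spa)), str(ipaddress.IPv4Address(tpa))
        info = f"Who has {tpa}? Tell {spa}" if op == 1 else f"{spa} is at {mac_str(sha)}"
        layers["ARP"] = {"op": op, "sender": (mac_str(sha), spa),
                         "target": (mac_str(tha), tpa), "info": info}
    elif ethertype == 0x0800:
        vihl, _, tlen, _, _, ttl, proto, _, s, d = struct.unpack("!BBHHHBBH4s4s", body[:20])
        ihl = (vihl & 0x0F) * 4
        layers["IPv4"] = {"src": str(ipaddress.IPv4Address(s)), "dst": str(ipaddress.IPv4Address(d)),
                          "ttl": ttl, "proto": proto,
                          "checksum_ok": inet_checksum(body[:ihl]) == 0}
        if proto == 6:
            sport, dport, seq, _, off, flags = struct.unpack("!HHIIBB", body[ihl:ihl + 14])
            data = body[ihl + (off >> 4) * 4:tlen]
            layers["TCP"] = {"sport": sport, "dport": dport, "seq": seq,
                             "flags": flags, "payload": data}
            if 23 in (sport, dport):      # telnet: whatever was typed, in the clear
                layers["Telnet"] = {"data": data.decode("ascii", "replace")}
    return layers


def telnet_keystrokes(frames, server_ip: str) -> str:
    """reassemble the client->server side of a telnet session in sequence
    order (telnet usually sends one keystroke per segment)."""
    segs = []
    for frame in frames:
        layers = dissect(frame)
        if "Telnet" in layers and layers["IPv4"]["dst"] == server_ip and layers["TCP"]["dport"] == 23:
            segs.append((layers["TCP"]["seq"], layers["TCP"]["payload"]))
    return b"".join(p for _, p in sorted(segs)).decode("ascii", "replace")


# constructed capture: arp resolution followed by the typed login, one byte per segment
CLIENT_IP, SERVER_IP = "192.168.1.101", "192.168.1.20"
CLIENT_MAC, SERVER_MAC = "00:0c:29:aa:bb:cc", "08:00:20:9f:8d:52"
CAPTURE = [
    arp_frame(1, CLIENT_MAC, CLIENT_IP, "00:00:00:00:00:00", SERVER_IP, "ff:ff:ff:ff:ff:ff"),
    arp_frame(2, SERVER_MAC, SERVER_IP, CLIENT_MAC, CLIENT_IP, CLIENT_MAC),
]
for i, ch in enumerate(b"root\r\nletmein\r\n"):
    CAPTURE.append(tcp_frame(CLIENT_MAC, SERVER_MAC, CLIENT_IP, SERVER_IP, 1037, 23, 1000 + i, bytes([ch])))

if __name__ == "__main__":
    for frame in CAPTURE:
        for name, fields in dissect(frame).items():
            print(f"{name}: {fields}")
    print("typed:", repr(telnet_keystrokes(CAPTURE, SERVER_IP)))
```

the reassembly step is the part worth noticing: a single telnet segment only ever shows one character, so the password is invisible in any one packet and only appears once you sort the client's segments by sequence number, which is exactly what ethereal's "follow tcp stream" does for you.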
the limitation of a sniffer only seeing its local segment can be overcome with distributed sniffer software. this software lets network personnel analyze data remotely by connecting to the host machine that is gathering it. one major implementation of this is the carnivore program, which the fbi used to monitor e-mail traffic inside an internet service provider's network, but there are certainly a few commercial implementations available as well. again, a malicious user may set up the same kind of mechanism by installing a trojan horse (or worm) on one of the target network's connected machines, and later retrieve and analyze the data.
so what is next? sniffers are commonly used on college networks. the best setting to experiment with sniffer software in a safe environment would, by far, have to be a lan party, where you have a lot of your 1337 buddies present and hooked into a common network. of course, this means you can't play the chosen multi-player game while you are doing this, and it would probably be a good idea to slack off on the cheesy poofs too, but one must make certain sacrifices in the name of elitism. something fun to try would be to run your sniffer software during a group game, irc session, or even while one of your friends is talking to his girlfriend on an instant messenger program, only to find out later that it's really his mom asking if he has taken his decongestant. you will definitely coo (yes, coo) in amazement over the power that the sniffer software has.