Packet sniffing is the practice of gathering, collecting, and logging some or all packets that pass through a computer network, regardless of how each packet is addressed. In this way, every packet, or a defined subset of packets, can be gathered for further analysis. As a network administrator, you can use the collected data for a wide variety of purposes, such as monitoring bandwidth and traffic.
A packet sniffer, sometimes called a packet analyzer, is composed of two main parts. First, a network adapter that connects the sniffer to the existing network. Second, software that provides a way to log, see, or analyze the data collected by the device.
A network is a collection of nodes, such as personal computers, servers, and networking hardware that are connected. The network connection allows data to be transferred between these devices. The connections can be physical with cables, or wireless with radio signals. Networks can also be a combination of both types.
As nodes send data across the network, each transmission is broken down into smaller pieces called packets. Their defined length and structure allow the packets to be checked for completeness and usability. Because a network's infrastructure is shared by many nodes, packets destined for different nodes pass through numerous other nodes on the way to their destination. To ensure data is not mixed up, each packet carries an address that identifies its intended destination.
A packet’s address is examined by each network adapter and connected device to determine what node the packet is destined for. Under normal operating conditions, if a node sees a packet that is not addressed to it, the node ignores that packet and its data.
Packet sniffing ignores this standard practice and collects all, or some, of the packets regardless of how they are addressed.
There are two main types of packet sniffers:
- Hardware Packet Sniffers
A hardware packet sniffer is designed to be plugged into a network and to examine it. A hardware packet sniffer is particularly useful when attempting to see traffic of a specific network segment. By plugging directly into the physical network at the appropriate location, a hardware packet sniffer can ensure that no packets are lost due to filtering, routing, or other deliberate or inadvertent causes. A hardware packet sniffer either stores the collected packets or forwards them on to a collector that logs the data collected by the hardware packet sniffer for further analysis.
- Software Packet Sniffers
Most packet sniffers these days are of the software variety. While any network interface attached to a network can receive every bit of network traffic that flows by, most are configured not to do so. A software packet sniffer changes this configuration so that the network interface passes all network traffic up the stack. This configuration is known as promiscuous mode for most network adapters. Once in promiscuous mode, the functionality of a packet sniffer becomes a matter of separating, reassembling, and logging all packets that pass the interface, regardless of their destination addresses. Software packet sniffers collect all the traffic that flows through the physical network interface. That traffic is then logged and used according to the requirements of the sniffing software.
Capturing data on an entire network may take multiple packet sniffers. Because each collector can only collect the network traffic that is received by the network adapter, it may not be able to see traffic that exists on the other side of routers or switches. On wireless networks, most adapters are capable of connecting to only one channel at a time. In order to capture data on multiple network segments, or multiple wireless channels, a packet sniffer is needed on each segment of the network. Most network monitoring solutions provide packet sniffing as one of the functions of their monitoring agents.
Packet Sniffing allows you to monitor your network traffic and gives you valuable insights about your infrastructure and performance.
Packet sniffing collects the entire packet of each network transmission. Packets that are not encrypted can be reassembled and read in their entirety. For example, intercepted packets from a user accessing a website would include the HTML and CSS of the web pages. Most notoriously, users logging in to network resources across unencrypted transmissions expose their username and password as plain text that can be seen in captured packets.
Packet sniffing has many practical uses. Typically, packet sniffing is used for network troubleshooting. Packets detected on a network segment where they are not supposed to be might suggest improper routing or switching. Packets addressed to ports that do not match their protocol might also suggest a misconfiguration of one or more nodes. You can also analyze traffic and the responses received for requests. Does the node query the correct DHCP server? Does the DNS request get routed to the correct location? Is traffic encrypted with SSL or HTTPS when it should be, or are unencrypted responses being sent? Is the routing path taken by the packet the most efficient route to its final destination?
Packets can also be analyzed to see if a specific application is using too much bandwidth or if authentication requires numerous back-and-forth calls. Based on the data provided, you might upgrade communications or troubleshoot applications to enhance software performance.
You may use packet sniffing to monitor consumption trends on a network. Analysis of collected packets may show that a large amount of traffic is being used by a certain in-house application, or video transmissions. Also, a decline in traffic may suggest that specific resources are being used less.
Packet sniffing may be useful in increasing network security. By monitoring traffic for clear-text usernames and passwords, for example, you can notice possible security issues before an attacker does. In addition, monitoring remote traffic can help ensure that all traffic is properly encrypted and is not being sent out onto the open internet without encryption.
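As an added example (not code from this page or from PRTG), the following Python decodes one constructed Ethernet/IPv4/TCP frame the way a sniffer separates the layers, then applies three defender-side checks drawn from this section: whether the frame was addressed to another host (so it is only visible in promiscuous mode), whether it carries clear-text HTTP credentials, and whether the destination port matches the protocol. The frame, its MAC and IP addresses, and the credential are constructed; `OUR_MAC` is a hypothetical address for the capturing host.

```python
import struct

OUR_MAC = "0a:1b:2c:3d:4e:aa"  # hypothetical MAC of the capturing host

def build_sample_frame() -> bytes:
    """Constructed Ethernet/IPv4/TCP frame: an HTTP request with a Basic Authorization
    header. Addresses and the credential are made up for the example."""
    payload = (b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
               b"Authorization: Basic dXNlcjpwYXNz\r\n\r\n")
    # TCP: sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 51234, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    # IPv4: ver/ihl, tos, total length, id, flags/frag, ttl, proto=TCP, csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0,
                     0x4000, 64, 6, 0, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 20]))
    # Ethernet: dst MAC (a different host), src MAC, EtherType IPv4
    eth = bytes.fromhex("0a1b2c3d4e5f") + bytes.fromhex("0a1b2c3d4e01") + b"\x08\x00"
    return eth + ip + tcp + payload

def parse_frame(frame: bytes) -> dict:
    """Separate the layers the way a sniffer does: Ethernet -> IPv4 -> TCP -> payload."""
    dst_mac, ethertype = frame[:6], struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("only IPv4 is handled in this example")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                 # IP header length in bytes (options included)
    if ip[9] != 6:
        raise ValueError("only TCP is handled in this example")
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4            # TCP header length in bytes
    return {"dst_mac": dst_mac.hex(":"),
            "src_ip": ".".join(map(str, ip[12:16])), "dst_ip": ".".join(map(str, ip[16:20])),
            "sport": sport, "dport": dport, "payload": tcp[data_off:]}

def findings(pkt: dict, our_mac: str = OUR_MAC) -> list:
    """Defender-side checks from the text; credentials are flagged, never decoded or logged."""
    out = []
    if pkt["dst_mac"] != our_mac:
        out.append("not addressed to this host: visible only in promiscuous mode")
    p = pkt["payload"]
    looks_http = p.startswith((b"GET ", b"POST ", b"HTTP/"))
    if looks_http and b"\r\nAuthorization: " in p:
        out.append(f"cleartext credentials {pkt['src_ip']}:{pkt['sport']} -> "
                   f"{pkt['dst_ip']}:{pkt['dport']}")
    if looks_http and pkt["dport"] == 443:
        out.append("plaintext HTTP on port 443: port does not match protocol")
    return out
```

Running `findings(parse_frame(build_sample_frame()))` on the constructed frame yields two findings: the frame is not addressed to the capturing host, and it carries clear-text credentials from 10.0.0.5 to 10.0.0.20:80.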
Messages within MQTT are published to topics. Topics are structured in a hierarchy using the slash (/) character as delimiter. This structure resembles that of a directory tree on a computer file system. A structure such as sensors/OilandGas/Pressure/ allows a subscriber to specify that it should only be sent data from clients that publish to the Pressure topic or, for a broader view, perhaps all data from clients that publish to any sensors/OilandGas topic. Topics are not explicitly created in MQTT. If a broker receives data published to a topic that does not currently exist, the topic is simply created, and clients may subscribe to the new topic.
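To show how a broker decides which subscribers receive a publish on a topic that may not have existed before, here is an added Python example (not code from this page or from any MQTT implementation). The narrow-versus-broad subscriptions the paragraph describes are expressed with the `+` and `#` wildcards defined in the MQTT 3.1.1/5.0 specifications, which the page itself does not spell out; the subscription table is constructed.

```python
def topic_matches(topic_filter: str, topic: str) -> bool:
    """Return True if an MQTT topic filter matches a published topic name.

    Wildcard rules come from the MQTT 3.1.1/5.0 specifications (the page only
    describes the slash-separated hierarchy): '+' matches exactly one level,
    '#' matches the remaining levels (including none) and must be the last level,
    and a filter starting with a wildcard never matches '$'-prefixed system topics.
    """
    f_levels, t_levels = topic_filter.split("/"), topic.split("/")
    if "#" in f_levels[:-1]:
        raise ValueError("'#' may only appear as the last level of a filter")
    if topic.startswith("$") and f_levels[0] in ("+", "#"):
        return False
    for i, level in enumerate(f_levels):
        if level == "#":
            return True                      # matches the parent and everything below it
        if i >= len(t_levels) or (level != "+" and level != t_levels[i]):
            return False
    return len(f_levels) == len(t_levels)    # a trailing '/' is its own (empty) level

def deliver_to(subscriptions: dict, topic: str) -> list:
    """Given {client_id: filter}, return the clients a broker would forward a publish to.
    The topic need not pre-exist: the broker simply matches it against live subscriptions."""
    return sorted(c for c, f in subscriptions.items() if topic_matches(f, topic))

# Constructed subscription table for the example.
SUBSCRIPTIONS = {
    "dashboard": "sensors/OilandGas/#",      # everything under the OilandGas branch
    "pressure-alarm": "sensors/+/Pressure",  # Pressure readings from any single site
    "hvac": "building/+/Temperature",
}
```

Note that `sensors/OilandGas/Pressure/` (with the trailing slash used in the text) and `sensors/OilandGas/Pressure` are different topics, because the empty string after the last slash counts as a level.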