Packet Sniffing

Packet sniffing is the process of capturing, analyzing, and inspecting network packets to monitor data transmission. It is commonly used in cybersecurity to observe network behavior, discover vulnerabilities, and in some cases, extract sensitive information.

How does packet sniffing work?

Normally, a network interface card (NIC) only receives packets intended for it. In sniffing, we put the NIC into "promiscuous mode" to capture all packets flowing through the network segment, regardless of destination.

Popular tools for sniffing:

• Wireshark – A powerful GUI-based packet analyzer.
• tcpdump – A command-line tool for real-time packet capture.
• Scapy – A Python library to manipulate and sniff packets.
• Bettercap – A modern, MITM-capable network sniffer and attacker tool.

Useful tcpdump commands:

sudo tcpdump -i eth0

sudo tcpdump -i wlan0 port 80

sudo tcpdump -A -i eth0 'tcp and port 443'

Sniffing with Wireshark:

• Select the correct interface.
• Click "Start Capture".
• Apply filters like http, tcp.port == 21, or ip.addr == 192.168.1.5.

Sniffing in MITM attacks:

After performing ARP spoofing, the attacker can act as a bridge and sniff all traffic passing between the victim and the router.

sudo bettercap -iface wlan0

net.probe on

net.sniff on

Dangers of packet sniffing:

• Interception of passwords and login data.
• Session hijacking.
• Exposure of personal or financial information.

How to protect against sniffing:

• Always use encrypted protocols (HTTPS, SSH).
• Use strong wireless encryption (WPA3).
• Implement VPNs to secure communication.
• Use network monitoring tools to detect unusual sniffing behavior.

Summary:

Packet sniffing is a double-edged sword. For attackers, it's a powerful reconnaissance tool. For defenders, it's essential for monitoring, troubleshooting, and detecting anomalies. Mastering sniffing techniques helps in both offense and defense in cybersecurity.