How many ports does redis start by default?
Let me answer. What a sniffer is usually used to capture can be divided into the following categories:

1. Passwords. I think this is the reason most illegal sniffers are used. A sniffer can record user IDs and passwords transmitted in clear text. Even if the data is encrypted during network transmission, the data recorded by the sniffer may let an intruder sit at home and try to crack your algorithm at leisure.

2. Financial accounts. Many users feel comfortable using their credit cards or cash accounts online. However, a sniffer can easily intercept the user's name, password, credit card number, expiration date, account number and PIN code.

3. By intercepting data packets, intruders can easily record sensitive information transmitted between others, or simply intercept an entire e-mail conversation.

4. Spying on low-level protocol information. This is a terrible thing, I think: by recording low-level protocol information, such as the network interface addresses of two hosts, the remote network interface IP address, IP routing information and the byte sequence numbers of TCP connections, an illegal intruder who obtains this information can do great harm to network security. Usually, someone uses a sniffer to collect this information for only one reason: he is committing spoofing (IP address spoofing usually requires you to insert the byte sequence number of the TCP connection accurately, which will be pointed out in a later article). If someone cares about this problem, the sniffer is just a prelude for him, and the problems will be much bigger later. For advanced hackers, I think this is the only reason to use a sniffer.

Sniffer's working environment
A sniffer is a device that can capture network packets. The proper use of a sniffer is to analyze network traffic in order to find potential problems in the network. For example, a certain network is not running well and packets are sent slowly.
We don't know what the problem is, so we can use a sniffer to make an accurate judgment at this time. Sniffers differ a lot in function and design. Some can only analyze one protocol, and some may analyze hundreds of protocols. Generally speaking, most sniffers can analyze at least the following protocols: 1. standard Ethernet 2. TCP/IP 3. IPX 4. DECNet.

A sniffer is usually a combination of software and hardware. Dedicated sniffers are very expensive. On the other hand, free sniffers don't cost much, but they don't get much support. A sniffer is different from a keyboard capture program: a keyboard capture program captures the key values entered on the terminal, while a sniffer captures real network packets. The sniffer does this by putting the network card, i.e. the network interface, into a special mode; for example, setting the Ethernet card to promiscuous mode. To understand promiscuous mode, first let me explain how a LAN works. Data is transmitted on the network in small units called frames. A frame consists of several parts, and different parts perform different functions. (For example, the first 12 bytes of an Ethernet frame store the source address and destination address, which tell the source and destination of the network data. Other parts of the Ethernet frame store the actual user data, TCP/IP headers or IPX headers, etc.) The frame is built by special software called the network driver and then sent onto the network cable through the network card. It reaches the destination machine through the cable, and at the destination machine the opposite process is performed. The Ethernet card of the receiving machine captures these frames, tells the operating system of their arrival, and then stores them. It is in this process of transmission and reception that the sniffer causes security problems. Each workstation on the LAN has its own hardware address.
These addresses uniquely identify the machines on the network (similar to the Internet address system). When a user sends a packet, it is sent to all available machines on the LAN. Under normal circumstances, all machines on the network can "hear" the passing traffic, but will not respond to packets that do not belong to them (in other words, workstation A will not capture data belonging to workstation B, but simply ignores it). If the network interface of a workstation is in promiscuous mode, it can capture all packets and frames on the network. If a workstation is configured this way, it (including its software) is a sniffer.

Possible harm caused by a sniffer:
1. A sniffer can capture passwords.
2. It can capture private or confidential information.
3. It can be used to endanger the security of network neighbours or to gain a higher level of access rights.
In fact, if there is an unauthorized sniffer on your network, you should consider your system exposed to others. (You can try the sniffing function of Skywalker 2.)

Generally, we only sniff the first 200 to 300 bytes of each packet. The user name and password are included in this part, which is what we really care about. One can also sniff all packets on a given interface; with enough storage and processing capacity, one will find something very interesting... Simply putting a sniffer anywhere will not do anything. Put the sniffer near the attacked machine or network, and it will capture many passwords. A better way is to put it on the gateway; then we can capture the authentication process between this network and other networks. This multiplies the range we can attack.

2. Who can use a sniffer?
Everyone may know who can use a sniffer, but not everyone who uses a sniffer is a network expert, because many sniffers have become foolproof now, and the OICQ sniffer was the one most used some time ago.
I think those friends who like to check their friends' IPs should remember it. Hehe, I used it, but of course I don't need it now! Of course, system administrators use sniffers to analyze network traffic and find out where the problem lies in the network. A security administrator can use multiple sniffers at the same time, spread all over the network, to form an intrusion alarm system. A sniffer is a very good tool for system administrators, but it is also a tool often used by hackers. Hackers install sniffers to get user names and accounts, credit card numbers, personal information and other information. If things develop in a bad direction, it will do great harm to you or your company. When they get this information, hackers will use the passwords to attack other sites and even resell credit card numbers.

3. How is a sniffer implemented on the network?
Before talking about this problem, we should also talk about Ethernet communication. Generally speaking, all network interfaces in the same network segment can access all data transmitted on the medium, and each network interface has a hardware address that is different from the hardware addresses of all other network interfaces on the network. At the same time, each network has at least one broadcast address. Under normal circumstances, a legitimate network interface responds to only two kinds of data frames:
1. Frames whose destination field carries a hardware address matching the local network interface.
2. Frames whose destination field carries the "broadcast address".
When a packet of one of the above two kinds is received, the network card generates a hardware interrupt through the CPU. The interrupt draws the attention of the operating system, which then passes the data contained in the frame to the system for further processing. A sniffer is software that can set the state of the local network card to promiscuous mode.
When the network card is in promiscuous mode, the card behaves as if it had a "broadcast address": it generates a hardware interrupt for every frame it encounters to remind the operating system to process each packet. (Most network cards can be set to promiscuous mode.) It can be seen that the sniffer works at the bottom of the network environment and intercepts all the data being transmitted on the network. Through the corresponding software processing, the content of this data can be analyzed in real time, and then the network state and overall layout can be analyzed. It is worth noting that a sniffer is extremely quiet; it is a passive security attack.

4. Where can I get a sniffer?
The sniffers we are talking about are mainly used under UNIX systems. OICQ sniffers and the like are beyond our discussion. The sniffer is one of the most commonly used intrusion methods for hackers. You can run a sniffer on an approved network to learn how it can effectively compromise the security of local machines. A sniffer can be hardware or software. At present, software sniffers are the most diverse and widely used, and most hackers also use them. The following sniffer tools are also widely used to debug network faults:

(1) Commercial sniffers
1. Network General. Network General has developed a variety of products. The most important is Expert Sniffer, which can not only sniff but also send/receive data packets through a high-performance dedicated system to help diagnose faults. Another enhanced product, "Distributed Sniffer System", can use UNIX workstations as sniffer consoles and distribute sniffer agents to remote hosts.
2. Microsoft's Network Monitor. Some commercial sites may need to run multiple protocols at the same time: NetBEUI, IPX/SPX, TCP/IP, 802.3 and SNA. At this time it is difficult to find a sniffer to help solve network problems, because many sniffers treat some correct protocol packets as error packets.
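Since the text's whole point is that a sniffer works by putting the network card into promiscuous mode, the check an administrator wants is whether any local interface is currently in that mode. The following is an added example, not code from the original post; it assumes Linux, where /sys/class/net/NAME/flags exposes the kernel's interface flag word as hex and the IFF_PROMISC bit is 0x100 (from linux/if.h).

```python
"""Added example: report Linux interfaces whose network card is in
promiscuous mode, the state a sniffer puts the card into.

Assumption: Linux sysfs exposes /sys/class/net/<name>/flags as a hex
number and IFF_PROMISC is bit 0x100 (linux/if.h)."""
import os

IFF_UP = 0x1
IFF_PROMISC = 0x100        # set by the kernel while the promiscuity count > 0
SYSFS_NET = "/sys/class/net"

# Constructed sample flag words (not read from a real machine): lo is up,
# eth0 is up and promiscuous, eth1 is up but in normal mode.
SAMPLE_FLAGS = {"lo": 0x9, "eth0": 0x1103, "eth1": 0x1003}

def parse_flags(text):
    """Parse the contents of a sysfs 'flags' file, e.g. '0x1103\\n', into an int."""
    return int(text.strip(), 16)

def is_promiscuous(flags):
    """True when IFF_PROMISC is set in the interface flag word."""
    return bool(flags & IFF_PROMISC)

def describe(flags):
    """Short human-readable state used in the report."""
    state = "UP" if flags & IFF_UP else "DOWN"
    return state + (" PROMISC" if is_promiscuous(flags) else "")

def scan_interfaces(sysfs=SYSFS_NET):
    """Return {name: flags} for every interface with a readable flags file."""
    found = {}
    if not os.path.isdir(sysfs):          # not Linux, or sysfs not mounted
        return found
    for name in sorted(os.listdir(sysfs)):
        try:
            with open(os.path.join(sysfs, name, "flags")) as fh:
                found[name] = parse_flags(fh.read())
        except (OSError, ValueError):
            continue                      # entries without a usable flags file
    return found

def promiscuous_interfaces(flags_by_name):
    """Names of the interfaces whose flag word carries IFF_PROMISC."""
    return [name for name, flags in flags_by_name.items() if is_promiscuous(flags)]

if __name__ == "__main__":
    live = scan_interfaces() or SAMPLE_FLAGS   # fall back to the sample off-Linux
    for name, flags in live.items():
        print(f"{name}: 0x{flags:x} {describe(flags)}")
    suspects = promiscuous_interfaces(live)
    print("promiscuous:", ", ".join(suspects) if suspects else "none")
```

The flag is only an indicator: cross-check a hit with `ip -d link show`, which also prints the interface's promiscuity count, and remember that a capture tool that was stopped uncleanly can leave the bit set.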
Microsoft's Network Monitor (formerly called Bloodhound) can solve this problem. It can correctly distinguish NetWare control packets, NT NetBIOS name service broadcasts and other unique packets. (etherfind will only recognize these packets as broadcast packets of type 0000.) This tool runs on the MS Windows platform. It can even monitor network statistics and session information by MAC address (or host name). Just click a session to get output in the tcpdump standard format. Filter setting is also the simplest: just click the host to be monitored in a dialog box.

(2) Free sniffers
1. Sniffit was developed by Lawrence Berkeley Lab and runs on Solaris, SGI and Linux platforms. You can choose the source address and destination address or address set, and you can also choose the listening port, protocol and network interface. By default, this sniffer only accepts the first 400 bytes of a packet, which is just right for a login session.
2. SNORT: This sniffer has many options for you to use and is portable. It can record some connection information to track some network activities.
3. TCPDUMP: This sniffer is very famous. Linux and FreeBSD ship it with the system. It is considered a professional network management tool by many UNIX experts. I remember Tsutomu Shimomura recorded Kevin Mitnick's attack on his system with his modified version of TCPDUMP. Later he cooperated with the FBI and caught Kevin Mitnick. Later he wrote an article describing the attack using these logs: "How Mitnick Hacked Tsutomu Shimomura with an IP Sequence Attack".

(4) Sniffer tools under Linux
For a sniffer tool under Linux, I recommend tcpdump.

[1] Installation of tcpdump under Linux
The installation of tcpdump under Linux is very simple, and there are generally two installation methods. One is installing from an rpm package. The other is installing from the source program.
1. The rpm package is the simplest installation method.
The rpm package is the binary format produced after compiling the software, which can be installed directly with the rpm command without modifying anything. Log in as superuser and use the following command:
# rpm -ivh tcpdump-3_4a5.rpm
so that tcpdump is installed in your Linux system. How's that? It's simple.

2. Installation from the source program
Since the rpm package installation is so simple, why use the more complicated source installation? In fact, one of the biggest attractions of Linux is that a lot of software on it comes with source, and people can modify the source programs to meet their special needs. Therefore, I especially recommend friends to adopt the source installation method.

The first step is to get the source program. For the source installation method, we must first obtain the source distribution of tcpdump. This distribution comes in two forms, a tar archive (tcpdump-3_4a5.tar.Z) and a source rpm package (tcpdump-3_4a5.src.rpm). The content of the two forms is the same; the only difference is the way of packaging. The tar archive can be unpacked with the following command:
# tar xvfz tcpdump-3_4a5.tar.Z
The source rpm package can be installed with the following command:
# rpm -ivh tcpdump-3_4a5.src.rpm
which extracts the source code of tcpdump into the /usr/src/redhat/SOURCES directory.

The second step is to prepare for compiling the source program. Before compiling, it is best to make sure that the libpcap library has been installed; this library is required by tcpdump. Likewise, you should have a standard C compiler; under Linux the standard C compiler is generally gcc. In the source directory of tcpdump there is a file Makefile.in, and the configure command automatically generates Makefile from the Makefile.in file.
In the Makefile.in file, you can modify the macro definitions BINDEST and MANDEST according to the system configuration. The default values are:
BINDEST = @sbindir@
MANDEST = @mandir@
The first macro is the path where the tcpdump binary is installed, and the second is the path of the tcpdump man page. You can modify them to meet the needs of the system.

The third step is to compile the source program. Use the configure script in the source directory, which reads the required attributes from the system and automatically generates Makefile from the Makefile.in file for compilation. Use the make command to compile the tcpdump source program according to the rules in Makefile. Use the make install command to install the compiled tcpdump binary. To sum up:
# tar xvfz tcpdump-3_4a5.tar.Z
# vi Makefile.in
# ./configure
# make
# make install

[2] Usage of tcpdump
tcpdump is used from the command line. The command format is:
tcpdump [ -adeflnNOpqStvx ] [ -c count ] [ -F file ] [ -i interface ] [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ] [ expression ]

1. Options
-a translate network and broadcast addresses into names;
-d dump the compiled packet-matching code in a human-readable assembler-like form;
-dd dump the packet-matching code as a C program fragment;
-ddd dump the packet-matching code in decimal form;
-e print the data link layer header on each output line;
-f print "foreign" Internet addresses numerically;
-l make standard output line buffered;
-n do not convert network addresses into names;
-t do not print a timestamp on each output line;
-v output slightly more detailed information, such as the TTL and type-of-service information that can be included in an IP packet;
-vv output detailed packet information;
-c stop after receiving the specified number of packets;
-F read the expression from the specified file and ignore other expressions;
-i specify the network interface to listen on;
-r read packets from the specified file (these files are generally created with the -w option);
-w write the packets directly to a file without analyzing and printing them;
-T directly interpret the intercepted packets as the specified type of packet; common types are rpc (Remote Procedure Call) and snmp (Simple Network Management Protocol);

2. Expressions
The expression of tcpdump is a regular expression which tcpdump uses as the condition for filtering packets. If a packet meets the condition of the expression, it is captured. If no condition is given, all packets on the network are intercepted. There are usually the following kinds of keywords in an expression.
The first kind are type keywords, mainly host, net and port, e.g. host 210.27.48.2 means that 210.27.48.2 is a host, and net 202.0.0.0 means that 202.0.0.0 is a network address. If no type is specified, the default type is host.
The second kind are keywords that determine the direction of transmission, mainly src, dst, dst or src and dst and src.
For example, src 210.27.48.2 means that the source address in the IP packet is 210.27.48.2, and dst net 202.0.0.0 means that the destination network address is 202.0.0.0. If no direction keyword is specified, the default is src or dst.
The third kind are protocol keywords, mainly fddi, ip, arp, rarp, tcp, udp and other types. fddi indicates a specific network protocol on FDDI (Fiber Distributed Data Interface), but it is actually an alias for "ether"; fddi and ether have similar source and destination addresses, so FDDI protocol packets can be processed and analyzed as ether packets. The other keywords indicate the protocol of the monitored packets. If no protocol is specified, tcpdump listens for packets of all protocols.
In addition to these three kinds of keywords, other important keywords are gateway, broadcast, less and greater, and there are three logical operations: negation is 'not' or '!', and is 'and' or '&&', or is 'or' or '||'. These keywords can be combined into a powerful compound condition to meet people's needs. Here are a few examples.
(1) To intercept all packets received and sent by host 210.27.48.1:
# tcpdump host 210.27.48.1
(2) To intercept the communication between host 210.27.47.48 and host 210.27.48.2 or 210.27.48.3:
# tcpdump host 210.27.47.48 and \( 210.27.48.2 or 210.27.48.3 \)
(3) If you want to obtain host 210.27.48.1 ...

We will introduce the output of several typical tcpdump commands.
(1) Data link layer header information. Command used:
# tcpdump -e host ICE
ICE is a host running Linux; her MAC address is 0:90:27:58:AF:1A. H219 is a SUN workstation running SOLARIS, and its MAC address is 8:0:20:79:5B:46. The output of the above command is as follows:
21:50:12.847509 eth0 8:0:20:79:5b:46 0:90:27:58:af:1a ip 60: h219.3357 > ice.telnet 0:0(0) ack 22535 win 8760 (DF)
Analysis: 21:50:12 is the display time, 847509 is the ID number, eth0 is the network interface device that sent the packet, 8:0:20:79:5b:46 is the MAC address of host H219, indicating that the packet was sent from source address H219; 0:90:27:58:af:1a is the MAC address of host ICE, meaning that the destination address of the packet is ICE; ip means that the packet is an IP packet; 60 is the length of the packet; h219.3357 > ice.telnet(23) means that the packet is transferred from port 3357 of host H219 to the TELNET (23) port of host ICE; ack 22535 indicates that the packet with sequence number 22535 has been acknowledged; win 8760 indicates that the size of the send window is 8760.

(2) Output for ARP packets. Command used:
# tcpdump arp
The output is:
22:32:42.802902 eth0 arp who-has route tell ice (0:90:27:58:af:1a)
22:32:42.802902 is the time, eth0 indicates the interface the packet was sent from, arp indicates that it is an ARP request packet, who-has route tell ice indicates that host ice is requesting the MAC address of host route, and 0:90:27:58:af:1a is the MAC address of host ice.

(3) Output for TCP packets. The general output for a TCP packet captured by tcpdump is:
src > dst: flags data-seqno ack window urgent options
src > dst: from the source address to the destination address; flags is the flag information in the TCP packet: S is the SYN flag, F is FIN, P is PUSH, R is RST and "." means no flag is set; data-seqno is the sequence number of the data in the packet; ack is the next expected sequence number; window is the size of the receive buffer; urgent indicates whether there is an urgent pointer in the packet; options are the options.

(4) Output for UDP packets. The general output for a UDP packet captured by tcpdump is:
route.port1 > ice.port2: udp lenth
UDP is very simple. The output line above shows that a UDP packet sent from port1 of host route is sent to port2 of host ice; the type of the packet is UDP, and the length of the packet is lenth.

I have introduced the installation and use of tcpdump in detail, hoping it helps everyone. If you want to use the sniffer tool tcpdump skillfully in a Linux environment, you need to accumulate experience in practice and give full play to its power.

(Sniffers on the Windows platform) I recommend NetXRay and Sniffer Pro. I think everyone has used them. Here is a brief introduction.
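The output formats described above (the -e link-layer line, the ARP who-has/tell line, and the src.port > dst.port TCP and UDP lines) are what an administrator reads when reviewing a capture. The following is an added example, not code from the original post: a small parser for those classic tcpdump 3.x line layouts plus a helper that flags sessions to services that send logins in clear text, the traffic the text says a sniffer is after. The sample lines are constructed to match the layouts in the text, not real captures.

```python
"""Added example: parse classic tcpdump output lines (the -e link-layer line,
the ARP who-has/tell line and 'src.port > dst.port' TCP/UDP lines) and flag
sessions to clear-text login services. Assumes the tcpdump 3.x layout shown
in the text; SAMPLE_LINES are constructed, not real captures."""
import re

MAC = r"[0-9a-f]{1,2}(?::[0-9a-f]{1,2}){5}"
TS_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+")
LINK_RE = re.compile(rf"^(?P<ifc>\S+)\s+(?P<smac>{MAC})\s+(?P<dmac>{MAC})\s+"
                     r"(?P<etype>\S+)\s+(?P<len>\d+):\s+")          # -e header
ARP_RE = re.compile(rf"^(?:(?P<ifc>\S+)\s+)?arp who-has (?P<target>\S+) tell "
                    rf"(?P<sender>\S+)(?:\s+\((?P<smac>{MAC})\))?")
ENDPOINTS_RE = re.compile(r"^(?P<src>\S+?)\.(?P<sport>\S+) > (?P<dst>\S+?)\."
                          r"(?P<dport>[^:\s]+):?\s*")
UDP_RE = re.compile(r"^udp (?P<len>\d+)")
TCP_RE = re.compile(r"^(?:(?P<flags>[SFPR.]+)\s+)?"           # S F P R or "."
                    r"(?:(?P<seq>\d+:\d+)\((?P<bytes>\d+)\)\s*)?"
                    r"(?:ack (?P<ack>\d+)\s*)?(?:win (?P<win>\d+))?")

SAMPLE_LINES = [   # constructed, in the layouts discussed in the text
    "21:50:12.847509 eth0 8:0:20:79:5b:46 0:90:27:58:af:1a ip 60: "
    "h219.3357 > ice.telnet 0:0(0) ack 22535 win 8760 (DF)",
    "22:32:42.802902 eth0 arp who-has route tell ice (0:90:27:58:af:1a)",
    "route.1024 > ice.domain: udp 28",
]
CLEARTEXT_LOGIN_PORTS = {"telnet", "ftp", "pop3", "imap", "23", "21", "110", "143"}

def parse_line(line):
    """Split one tcpdump line into a dict of the fields the text describes."""
    rec, rest = {}, line.strip()
    m = TS_RE.match(rest)                       # hh:mm:ss.micro timestamp
    if m:
        rec["time"], rest = m.group("ts"), rest[m.end():]
    m = LINK_RE.match(rest)                     # iface smac dmac type len:
    if m:
        rec.update(interface=m.group("ifc"), src_mac=m.group("smac"),
                   dst_mac=m.group("dmac"), frame_len=int(m.group("len")))
        rest = rest[m.end():]
    m = ARP_RE.match(rest)                      # arp who-has X tell Y (mac)
    if m:
        rec.update(proto="arp", arp_target=m.group("target"), arp_sender=m.group("sender"))
        if m.group("ifc"):
            rec["interface"] = m.group("ifc")
        return rec
    m = ENDPOINTS_RE.match(rest)                # src.port > dst.port
    if not m:
        raise ValueError(f"unrecognised tcpdump line: {line!r}")
    rec.update(src=m.group("src"), sport=m.group("sport"), dst=m.group("dst"), dport=m.group("dport"))
    rest = rest[m.end():]
    m = UDP_RE.match(rest)                      # udp <length>
    if m:
        rec.update(proto="udp", udp_len=int(m.group("len")))
        return rec
    m = TCP_RE.match(rest)                      # flags seq(bytes) ack N win N
    rec.update(proto="tcp", flags=m.group("flags") or ".")
    if m.group("seq"):
        rec["seq"], rec["bytes"] = m.group("seq"), int(m.group("bytes"))
    if m.group("ack"):
        rec["ack"] = int(m.group("ack"))
    if m.group("win"):
        rec["win"] = int(m.group("win"))
    return rec

def cleartext_login_sessions(lines):
    """(src, dst, service) for TCP packets to services that send logins in clear text."""
    hits = []
    for rec in map(parse_line, lines):
        if rec.get("proto") == "tcp" and rec["dport"] in CLEARTEXT_LOGIN_PORTS:
            hits.append((rec["src"], rec["dst"], rec["dport"]))
    return hits
```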