CEH

(Jeff_L) #1

Understanding Sniffers 211


When on a switched network, your traffic capture is limited to the segment you are connected to regardless of the mode of your interface card. We'll discuss this in more detail later. For now, just remember that for your sniffer to be effective your interface card must be in promiscuous mode.

Most sniffer utilities have basic options that are fairly consistent across the gamut of versions. This consistency holds true regardless of whether it's a Linux-based utility or a Windows version. We'll dig more into types and specifics later, but first let's look at the commonalities. On most sniffers a main pane displays the incoming packets and highlights or lists them accordingly. It is usually linear in its listing unless you specify otherwise via filters or other options. Additionally, there is commonly a subpanel that allows an in-depth view of the packet selected. It's important to be familiar with your sniffer of choice, as it will save you a lot of time and frustration in the long run. Also, having a good grasp of a sniffer's basic functions will allow you to use many different sniffers without too many problems. Finally, a sniffer usually has an interface selection or activation option that begins the capture phase.


Pop quiz: What happens when the capture button is activated? You got it!
The NIC switches to promiscuous mode!

Once you choose the capture button, you should see packets populating your capture
pane; if not, check your network interface selection. All sniffers give you the ability to
select from all available interfaces on your computer. You can easily choose a disconnected
interface and sit there irritated because your sniffer isn’t working. Just double-check and
you’ll be happily rewarded with real-time traffic!
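The promiscuous-mode switch the pop quiz refers to is visible from the host side, which is what a defender looks for when hunting for an unauthorized sniffer. The following is an added example (not from the book or this post) that checks it two ways on Linux: by reading the interface flags the kernel exposes under /sys/class/net/<iface>/flags (bit 0x100 is IFF_PROMISC), and by scanning kernel log lines for the "device <iface> entered/left promiscuous mode" message the kernel prints on each transition. The dmesg lines in SAMPLE_DMESG are constructed for the demo, not captured from a real host.

```python
import os
import re

# IFF_PROMISC bit from the Linux <linux/if.h> net_device flags
IFF_PROMISC = 0x100


def is_promiscuous(flags_hex: str) -> bool:
    """Interpret the contents of /sys/class/net/<iface>/flags (a hex string such
    as '0x1103') and report whether the PROMISC bit is set."""
    return bool(int(flags_hex.strip(), 16) & IFF_PROMISC)


def promiscuous_interfaces(sysfs_root: str = "/sys/class/net") -> list:
    """Return the names of local interfaces currently in promiscuous mode by
    reading each interface's flags file from sysfs (Linux only)."""
    found = []
    try:
        names = sorted(os.listdir(sysfs_root))
    except OSError:
        return found  # not Linux, or sysfs unavailable
    for name in names:
        try:
            with open(os.path.join(sysfs_root, name, "flags")) as fh:
                if is_promiscuous(fh.read()):
                    found.append(name)
        except OSError:
            continue  # interface vanished or flags not readable
    return found


# The kernel logs "device <iface> entered/left promiscuous mode" on each
# transition; this pattern matches that message in dmesg or journal output.
PROMISC_LOG = re.compile(r"device (\S+) (entered|left) promiscuous mode")


def promisc_events(log_lines):
    """Extract (interface, 'entered'|'left') transitions from kernel log lines, in order."""
    events = []
    for line in log_lines:
        match = PROMISC_LOG.search(line)
        if match:
            events.append((match.group(1), match.group(2)))
    return events


def still_promiscuous(events) -> set:
    """Replay the transitions and return the interfaces whose last event was 'entered'."""
    state = {}
    for iface, action in events:
        state[iface] = action == "entered"
    return {iface for iface, on in state.items() if on}


# Constructed sample kernel log lines (not captured from a real host).
SAMPLE_DMESG = [
    "[  120.431] device eth0 entered promiscuous mode",
    "[  120.432] eth0: link up, 1000Mbps",
    "[  980.115] device eth0 left promiscuous mode",
    "[ 1204.770] device eth1 entered promiscuous mode",
]

if __name__ == "__main__":
    print("promiscuous now (sysfs):", promiscuous_interfaces())
    events = promisc_events(SAMPLE_DMESG)
    print("transitions in sample log:", events)
    print("left in promiscuous mode:", still_promiscuous(events))
```

The sysfs check answers "is any interface sniffing right now?", while the log replay answers "was one sniffing earlier, and on which interface?"; a capture that was started and stopped between two sysfs polls only shows up in the second view, which is why both are worth running.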


Use that save capture function! Real-time capture and analysis is impressive and flashy, but it's also an immense pain in the butt! Also keep in mind that the exam offers you four hours to mull over those 150 questions, and there are no live streaming feeds to anxiously digest. Take one packet at a time and make sure you understand all its pieces and parts.

Remember that a sniffer is not just a dumb utility that allows you to view only streaming traffic. A sniffer is a robust set of tools that can give you an extremely in-depth and granular view of what your (or their) network is doing from the inside out. That being said, if you really want to extrapolate all the juicy tidbits and clues of each packet, save the capture and review it when time allows. I prefer to review my 20,000 packets of captured data at my local coffee shop with a hot vanilla latte and a blueberry scone. Make it easy on yourself; your target is not going anywhere soon.
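Reviewing a saved capture "one packet at a time" is easier when you know what the file actually contains. The following is an added example (not from the book or this post) that builds a small capture in the classic libpcap file format, reads it back, decodes the Ethernet/IPv4/TCP-UDP fields an analyst scans first, and applies the kind of protocol and port filter a sniffer's filter bar provides. The three frames, MAC addresses and IP addresses are constructed for the demo; checksums are left at zero because the bytes are only parsed, never sent.

```python
import socket
import struct

# Classic libpcap file constants; link type 1 = Ethernet
PCAP_MAGIC_BE = b"\xa1\xb2\xc3\xd4"
PCAP_MAGIC_LE = b"\xd4\xc3\xb2\xa1"
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


def build_ipv4_frame(src_ip, dst_ip, proto, sport, dport, payload=b""):
    """Build a synthetic Ethernet/IPv4/{TCP,UDP} frame for the demo capture."""
    if proto == PROTO_UDP:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    elif proto == PROTO_TCP:
        # 20-byte TCP header: seq/ack 0, data offset 5 (0x50), SYN flag, window 65535
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 65535, 0, 0) + payload
    else:
        raise ValueError("demo supports TCP and UDP only")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + l4


def write_pcap(frames, first_ts=1_700_000_000):
    """Serialise frames as a big-endian pcap image: 24-byte global header, then a
    16-byte record header (ts_sec, ts_usec, incl_len, orig_len) before each frame."""
    out = PCAP_MAGIC_BE + struct.pack("!HHiIII", 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("!IIII", first_ts + i, 0, len(frame), len(frame)) + frame
    return out


def read_pcap(data):
    """Parse a pcap image into (timestamp, frame) tuples, honouring the byte order
    the magic number announces and refusing truncated records."""
    magic = data[:4]
    if magic == PCAP_MAGIC_BE:
        end = ">"
    elif magic == PCAP_MAGIC_LE:
        end = "<"
    else:
        raise ValueError("not a classic pcap file (magic %s)" % magic.hex())
    linktype = struct.unpack(end + "HHiIII", data[4:24])[5]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type %d" % linktype)
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated packet record at offset %d" % off)
        off += incl_len
        packets.append((ts_sec + ts_usec / 1e6, frame))
    return packets


def decode_frame(frame):
    """Pull out the fields an analyst scans first: MACs, IPs, protocol, ports."""
    if len(frame) < 14:
        return None
    info = {"dst_mac": frame[:6].hex(":"), "src_mac": frame[6:12].hex(":"),
            "ethertype": struct.unpack("!H", frame[12:14])[0]}
    if info["ethertype"] != ETHERTYPE_IPV4 or len(frame) < 34:
        return info  # non-IPv4 or too short to carry an IPv4 header
    ihl = (frame[14] & 0x0F) * 4                       # IPv4 header length in bytes
    total_len = struct.unpack("!H", frame[16:18])[0]
    info.update(src_ip=socket.inet_ntoa(frame[26:30]), dst_ip=socket.inet_ntoa(frame[30:34]),
                proto=frame[23])
    l4 = frame[14 + ihl:14 + total_len]
    if info["proto"] in (PROTO_TCP, PROTO_UDP) and len(l4) >= 4:
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])   # same offsets in TCP and UDP
    return info


def filter_packets(packets, proto=None, port=None):
    """Keep only packets matching the given IP protocol and/or source-or-destination port."""
    kept = []
    for ts, frame in packets:
        d = decode_frame(frame) or {}
        if proto is not None and d.get("proto") != proto:
            continue
        if port is not None and port not in (d.get("sport"), d.get("dport")):
            continue
        kept.append((ts, d))
    return kept


def summarize(data):
    """One line per packet, in the style of a sniffer's main pane."""
    names = {PROTO_TCP: "TCP", PROTO_UDP: "UDP"}
    lines = []
    for n, (ts, frame) in enumerate(read_pcap(data), 1):
        d = decode_frame(frame) or {}
        lines.append("#%d %.6f %s %s:%s -> %s:%s (%d bytes)" % (
            n, ts, names.get(d.get("proto"), "other"), d.get("src_ip"), d.get("sport"),
            d.get("dst_ip"), d.get("dport"), len(frame)))
    return lines


# Constructed demo capture: a DNS query, an HTTP SYN and an NTP request.
SAMPLE_CAPTURE = write_pcap([
    build_ipv4_frame("10.0.0.5", "10.0.0.53", PROTO_UDP, 40000, 53, b"\x12\x34\x01\x00"),
    build_ipv4_frame("10.0.0.5", "198.51.100.10", PROTO_TCP, 51000, 80),
    build_ipv4_frame("10.0.0.5", "10.0.0.123", PROTO_UDP, 123, 123, b"\x23" + b"\x00" * 47),
])

if __name__ == "__main__":
    for line in summarize(SAMPLE_CAPTURE):
        print(line)
    print("UDP only:", [d["dst_ip"] for _, d in filter_packets(read_pcap(SAMPLE_CAPTURE), proto=PROTO_UDP)])
```

read_pcap accepts the bytes of any classic pcap file (the format tcpdump writes by default), so pointing it at a saved capture works as-is; Wireshark's default pcapng format uses a different block structure and is not handled here. The byte-order check on the magic number matters in practice: captures saved on different platforms legitimately arrive in either order, and a reader that assumes one of them will silently misread lengths and timestamps in the other.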
Also, before we go too much into sniffers, it is important to mention that there are also things called hardware protocol analyzers. These devices plug into the network at the hardware level and can monitor traffic without manipulating it. Typically these hardware devices are not easily accessible to most ethical hackers due to their enormous cost in many cases (some devices have price tags in the six-figure range).
