CEH

(Jeff_L) #1

Using a Sniffer 221


output from a sniffer is not just a CEH exam skill. It truly is one of those integral skills that
every hacker must have.


Reading Sniffer Output


Remember the original Jaws movie? Remember when Hooper and Brody cut the shark
open in the middle of the movie and Hooper started pulling stuff out of the stomach...
yuck! So how does this relate to sniffer output? Well, the concept is very similar. When
packets are captured, each one has a slew of innards that you can dissect one piece at
a time. Just as Hooper digs into the open-bellied shark, you too dig through the packet
innards to find those specific morsels that will tell you what you need to know. The point
here isn’t movie trivia (although I love killer shark flicks); the point you should take away
from this is that each packet captured really does have an immense amount of data that
you can use for reconnaissance or setting up future attacks. It’s even extremely useful
as a legitimate troubleshooting tool. Figure 9.1 shows a captured packet of a basic TCP
handshake. Can you find the basic three-way handshake steps?


FIGURE 9.1 TCP three-way handshake packet


Lines 2, 3, and 4 in Figure 9.1 are the SYN, SYN-ACK, and ACK that we discussed in
Chapter 2, “System Fundamentals.”


Pay close attention to the pieces of a captured packet, and ensure that you
can convert hex and apply that conversion to the binary scale for octet
recognition. This skill is critical for eliminating at least two of the possible
answers to a question.
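The two skills the text just described, picking the SYN, SYN-ACK, ACK lines out of a capture and converting a header octet from hex to binary, can be exercised on raw packet bytes. The following Python is an added example written for this page; it is not code from the book or from Exercise 9.3, and the capture it dissects is constructed here (a stray ACK on line 1, then a handshake on lines 2 to 4, mirroring the layout of Figure 9.1 without using its bytes). Besides the flag bits, it checks that the sequence and acknowledgement numbers chain the way a real handshake does, which is the kind of detail a captured packet's innards let you verify.

```python
import struct

# Constructed sample capture (not the bytes behind the book's Figure 9.1):
# bare IPv4 + TCP headers, no Ethernet framing, no payload, checksums left zero.

SYN, ACK = 0x02, 0x10
FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def ipv4_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))


def build_tcp_packet(src, dst, sport, dport, seq, ack, flags):
    """Build a 40-byte IPv4+TCP header pair; all values are assumed sample data."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         ipv4_bytes(src), ipv4_bytes(dst))
    data_offset_and_flags = (5 << 12) | flags  # 5 x 32-bit words, no options
    tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                          data_offset_and_flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr


def octet_to_binary(octet):
    """The hex-to-binary step from the exam tip: one octet shown as eight bits."""
    return format(octet, "08b")


def parse_packet(raw):
    """Dissect the fields a handshake check needs from a raw IPv4/TCP packet."""
    ihl = (raw[0] & 0x0F) * 4            # IP header length in bytes
    proto = raw[9]
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    info = {"src": src, "dst": dst, "proto": proto}
    if proto != 6:                        # not TCP: nothing more to dissect here
        return info
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", raw[ihl:ihl + 14])
    flags = off_flags & 0x01FF            # low nine bits hold NS plus the eight flags
    info.update(sport=sport, dport=dport, seq=seq, ack=ack, flags=flags,
                flag_names=[n for bit, n in FLAG_BITS if flags & bit])
    return info


def find_handshake(packets):
    """Return 1-based capture line numbers (SYN, SYN-ACK, ACK) or None.

    A SYN-ACK must come back on the reversed 4-tuple and acknowledge the client's
    ISN+1; the final ACK must go forward again and acknowledge the server's ISN+1.
    """
    parsed = [parse_packet(p) for p in packets]
    for i, a in enumerate(parsed):
        if a["proto"] != 6 or a["flags"] & (SYN | ACK) != SYN:
            continue
        for j in range(i + 1, len(parsed)):
            b = parsed[j]
            if (b["proto"] == 6 and b["flags"] & (SYN | ACK) == SYN | ACK
                    and b["src"] == a["dst"] and b["dst"] == a["src"]
                    and b["sport"] == a["dport"] and b["dport"] == a["sport"]
                    and b["ack"] == (a["seq"] + 1) & 0xFFFFFFFF):
                for k in range(j + 1, len(parsed)):
                    c = parsed[k]
                    if (c["proto"] == 6 and c["flags"] & (SYN | ACK) == ACK
                            and c["src"] == a["src"] and c["dst"] == a["dst"]
                            and c["sport"] == a["sport"] and c["dport"] == a["dport"]
                            and c["ack"] == (b["seq"] + 1) & 0xFFFFFFFF):
                        return (i + 1, j + 1, k + 1)
    return None


# Constructed capture: line 1 is an unrelated mid-conversation ACK, lines 2-4
# are a handshake between client 10.0.0.5:40321 and server 10.0.0.80:80.
CAPTURE = [
    build_tcp_packet("10.0.0.7", "10.0.0.9", 51000, 443, 9000, 4200, ACK),
    build_tcp_packet("10.0.0.5", "10.0.0.80", 40321, 80, 1000, 0, SYN),
    build_tcp_packet("10.0.0.80", "10.0.0.5", 80, 40321, 5000, 1001, SYN | ACK),
    build_tcp_packet("10.0.0.5", "10.0.0.80", 40321, 80, 1001, 5001, ACK),
]

if __name__ == "__main__":
    for n, pkt in enumerate(CAPTURE, 1):
        p = parse_packet(pkt)
        # byte 33 is the low half of the TCP data-offset/flags field: the flag octet
        print(n, p["src"], "->", p["dst"], p["flag_names"],
              "flag octet =", hex(pkt[33]), "=", octet_to_binary(pkt[33]))
    print("handshake on capture lines", find_handshake(CAPTURE))
```

Running the block prints each capture line with its decoded flag names and the flag octet in hex and binary, then reports the handshake on lines 2, 3 and 4. Dropping the final packet makes `find_handshake` return `None`, which is the same check you would apply by hand when a capture shows a SYN and SYN-ACK but never the completing ACK.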

Packet sniffing and its interpretation can be likened to an art. There are some people
who can think like a computer, take one glance at a packet, and tell you everything you
ever wanted to know about where it’s going and what it’s doing. This is not your goal,
nor are you expected to be able to do this for the CEH exam. As ethical hackers, we are
methodical, deliberate, patient, and persistent. This applies to reading packet captures as
well. In Exercise 9.3 you will step through a captured packet bit by bit. This skill will prove
invaluable not just for the exam, but also for protecting your own network through traffic
analysis.
