
International Journal of Communication and Computer Technologies (www.ijccts.org)
Volume 01 No.49 Issue: 06 Jul 2013
ISSN NUMBER : 2278-9723

A Research Study on Packet Sniffing Tool TCPDUMP


ANSHUL GUPTA
SURESH GYAN VIHAR UNIVERSITY, INDIA

ABSTRACT
Packet sniffing is a technique for monitoring every packet that crosses the network. With it, developers can easily obtain information about each packet, such as its structure, type, size and data, and consequently find and correct errors rapidly and conveniently. A packet sniffer is a program running on a network-attached device that passively receives all data link layer frames passing through the device's network adapter. It is also known as a network analyzer, protocol analyzer or packet analyzer, or, for particular types of networks, an Ethernet sniffer or wireless sniffer. The packet sniffer captures data that is addressed to other machines and saves it for later analysis. Most of the time, system administrators use packet sniffing to troubleshoot network problems, such as finding out why traffic is so slow in one part of the network.

Capturing, or sniffing, network traffic is invaluable for network administrators troubleshooting network problems, security engineers investigating network security issues, developers debugging communication protocol implementations, or anyone trying to learn how their networks work. Because attackers use sniffers for network reconnaissance and to intercept transmitted credentials and data, learning about the capabilities and limitations of packet sniffers is an important facet of understanding the security risks.

INTRODUCTION
A packet sniffer is a tool that plugs into a computer network and monitors all network traffic. It monitors traffic destined for itself as well as for all other hosts on the network. Packet sniffers can be run on both non-switched and switched networks. Each machine on a local network has its own hardware address, which differs from that of every other machine. When a packet is sent, it is transmitted to all available machines on the local network. Owing to the shared principle of Ethernet, all computers on a local network share the same wire, so in the normal situation all machines on the network can see the traffic passing through but simply ignore the packets that do not belong to them. However, if the network interface of a machine is in promiscuous mode, the NIC of this machine takes in every packet and frame it receives on the network; this machine (together with its software) is a sniffer. When a packet is received by a NIC, it first compares the destination MAC address of the packet to its own. If the MAC address matches, it accepts the packet; otherwise it filters it out. The network card discards all packets that do not carry its own MAC address, an operating mode called non-promiscuous, which basically means that each network card minds its own business and reads only the frames directed to it. In order to capture all packets, the NIC has to be set to promiscuous mode. A packet sniffer therefore sniffs by setting the NIC of its own system to promiscuous mode, and hence receives all packets even when they are not intended for it. Once the NIC is in promiscuous mode, the packets arriving at the NIC are copied to the device driver memory, which is then passed to the kernel buffer, from where it is read by the user application.

Here is a good set of definitions I found on the two types of Ethernet environments.

How does a packet sniffer work?
A packet sniffer works by looking at every packet sent in the network, including packets not intended for itself. This is accomplished in a variety of ways. These sniffing methods are described below. Sniffers also work differently depending on the type of network they are in.

Shared Ethernet: In a shared Ethernet environment, all hosts are connected to the same bus and compete with one another for bandwidth. In such an environment, packets meant for one machine are received by all the other machines. Thus, any machine in such an environment placed in promiscuous mode will be able to capture packets meant for other machines and can therefore listen to all the traffic on the network.

Switched Ethernet: An Ethernet environment in which the hosts are connected to a switch instead of a hub is called a switched Ethernet. The switch maintains a table keeping track of each computer's MAC address and delivers packets destined for a particular machine to the port on which that machine is connected. The switch is an intelligent device that sends packets to the destined computer only and does not broadcast to all the machines on the network, as in the previous case. This switched Ethernet environment was intended for better network performance, but as an added benefit, a machine in promiscuous mode will not work here. As a result, most network administrators assume that sniffers don't work in a switched environment.

Current Tools
There are currently many software packages that can take packet traces, but they tend to be aimed at individual network segments, and tend to leave the analysis to the operator of the packet sniffer.

One of the most basic tools for analyzing packets is tcpdump. Tcpdump runs from the command line and uses the libpcap library, which is an API for packet capture and analysis. The program attempts to present packets in a more readable format by decoding formats such as TCP (Transmission Control Protocol) and IP (Internet Protocol) headers and presenting them in a more user-friendly way. This type of software is known as a protocol analyzer, since it combines the ability to retrieve packets from the network with the ability to decompose the relevant protocols, making analysis more relevant.

SNIFFING METHODS
There are three types of sniffing methods. Some methods work in non-switched networks while others work in switched networks. The sniffing methods are: IP-based sniffing, MAC-based sniffing, and ARP-based sniffing.

2.4.1 IP-based sniffing
This is the original way of packet sniffing. It works by putting the network card into promiscuous mode and sniffing all packets matching the IP address filter. Normally, the IP address filter isn't set, so it captures all packets. This method only works in non-switched networks.

2.4.2 MAC-based sniffing
This method works by putting the network card into promiscuous mode and sniffing all packets matching the MAC address filter.
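The decoding and filtering steps described above (tcpdump presenting Ethernet, IP and TCP headers in readable form, and the IP-based and MAC-based filters of sections 2.4.1 and 2.4.2), as an added example that is not part of this paper and not tcpdump's or libpcap's own code. It decodes constructed Ethernet II / IPv4 / TCP frames with only the Python standard library, models the NIC's non-promiscuous versus promiscuous acceptance decision from the introduction, and applies an IP-address or MAC-address filter before printing a tcpdump-style summary line. All MAC addresses, IP addresses and frame contents are constructed for the example; checksums are neither computed nor checked.

```python
"""Decode Ethernet II / IPv4 / TCP headers the way a protocol analyzer does,
and apply the IP-based and MAC-based filters described in the text.
Added example: not tcpdump's or libpcap's code. All frames are constructed."""
import ipaddress
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
# tcpdump's flag letters, in the order it prints them: F, S, R, P, . (ACK)
TCP_FLAG_NAMES = [(0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"), (0x10, ".")]


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(text: str) -> bytes:
    return bytes(int(part, 16) for part in text.split(":"))


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Constructed test input: a minimal Ethernet II / IPv4 / TCP frame.
    Checksums are left as zero; this decoder does not verify them."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1000, 0, (5 << 12) | flags,
                      65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                     64, IPPROTO_TCP, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp


def parse_frame(frame: bytes) -> dict:
    """Decode link, network and transport headers; stop at the last layer
    the decoder understands (non-IPv4 EtherTypes, non-TCP protocols)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    pkt = {"dst_mac": mac_str(dst), "src_mac": mac_str(src), "ethertype": ethertype}
    if ethertype != ETHERTYPE_IPV4:
        return pkt
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4 or (ip[0] & 0x0F) < 5:
        raise ValueError("malformed IPv4 header")
    ihl = (ip[0] & 0x0F) * 4          # IP header length in bytes (options included)
    total_len = struct.unpack("!H", ip[2:4])[0]
    pkt.update(src_ip=str(ipaddress.IPv4Address(ip[12:16])),
               dst_ip=str(ipaddress.IPv4Address(ip[16:20])),
               ttl=ip[8], proto=ip[9])
    if ip[9] != IPPROTO_TCP or len(ip) < ihl + 20:
        return pkt
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", ip[ihl:ihl + 16])
    data_off = (off_flags >> 12) * 4  # TCP header length in bytes
    pkt.update(sport=sport, dport=dport, seq=seq, ack=ack, window=window,
               flags=off_flags & 0x01FF,
               payload_len=max(0, total_len - ihl - data_off))
    return pkt


def summarize(pkt: dict) -> str:
    """One tcpdump-style line for a decoded packet."""
    if "src_ip" not in pkt:
        return f"{pkt['src_mac']} > {pkt['dst_mac']}, ethertype 0x{pkt['ethertype']:04x}"
    if "sport" not in pkt:
        return f"IP {pkt['src_ip']} > {pkt['dst_ip']}: ip-proto-{pkt['proto']}"
    flags = "".join(name for bit, name in TCP_FLAG_NAMES if pkt["flags"] & bit) or "none"
    return (f"IP {pkt['src_ip']}.{pkt['sport']} > {pkt['dst_ip']}.{pkt['dport']}: "
            f"Flags [{flags}], seq {pkt['seq']}, win {pkt['window']}, length {pkt['payload_len']}")


def nic_accepts(pkt: dict, own_mac: str, promiscuous: bool) -> bool:
    """A non-promiscuous NIC keeps only frames for its own MAC (or broadcast);
    in promiscuous mode every frame is handed up to the capture library."""
    return promiscuous or pkt["dst_mac"] in (own_mac, BROADCAST)


def ip_filter(host: str):
    """IP-based sniffing: keep packets with the host as either endpoint."""
    return lambda p: host in (p.get("src_ip"), p.get("dst_ip"))


def mac_filter(mac: str):
    """MAC-based sniffing: keep frames with the address as either endpoint."""
    return lambda p: mac in (p["src_mac"], p["dst_mac"])


def sniff(frames, own_mac, promiscuous, match=lambda p: True):
    """Emulate a capture run: NIC acceptance first, then the user's filter."""
    return [summarize(p) for p in map(parse_frame, frames)
            if nic_accepts(p, own_mac, promiscuous) and match(p)]


SNIFFER_MAC = "02:00:00:00:00:aa"     # constructed: the sniffing host's own NIC
FRAMES = [                            # constructed traffic on a shared segment
    build_frame("02:00:00:00:00:01", "02:00:00:00:00:02", "10.0.0.1", "10.0.0.2", 51234, 80, 0x02),
    build_frame("02:00:00:00:00:02", "02:00:00:00:00:01", "10.0.0.2", "10.0.0.1", 80, 51234, 0x12),
    build_frame("02:00:00:00:00:01", "02:00:00:00:00:02", "10.0.0.1", "10.0.0.2", 51234, 80, 0x18,
                b"GET / HTTP/1.0\r\n\r\n"),
    build_frame("02:00:00:00:00:03", SNIFFER_MAC, "10.0.0.3", "10.0.0.9", 40000, 22, 0x02),
]

if __name__ == "__main__":
    runs = [("non-promiscuous NIC, no filter", False, lambda p: True),
            ("promiscuous, host 10.0.0.2", True, ip_filter("10.0.0.2")),
            ("promiscuous, ether host 02:00:00:00:00:01", True, mac_filter("02:00:00:00:00:01"))]
    for title, promisc, match in runs:
        print(title)
        for line in sniff(FRAMES, SNIFFER_MAC, promisc, match):
            print("  " + line)
```

Run directly, the first capture shows that a non-promiscuous NIC only sees the frame addressed to its own MAC, while in promiscuous mode the IP-address and MAC-address filters select one conversation out of everything on the segment, in the same spirit as tcpdump's filter expressions. A real libpcap capture hands each frame over with a per-packet record header (timestamp and captured length) in front of it, which this decoder does not model.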

2.4.3 ARP-based sniffing
This method works a little differently. It doesn't put the network card into promiscuous mode. This isn't necessary because the ARP packets will be sent to us. This happens because the ARP protocol is stateless. Because of this, sniffing can be done on a switched network. To perform this kind of sniffing, you first have to poison the ARP cache [1] of the two hosts that you want to sniff, identifying yourself as the other host in the connection. Once the ARP caches are poisoned, the two hosts start their connection, but instead of sending the traffic directly to the other host, it gets sent to us. We then log the traffic and forward it to the real intended host on the other side of the connection. This is called a man-in-the-middle attack. See Diagram 1 for a general idea of the way it works. [2,3,5]

What type of an attack is it?
A sniffer being used on a network to snoop passwords and anything else is considered a passive attack. A passive attack is one that doesn't directly intrude into a foreign network or computer. Using a sniffer as an example, one is set up in the hope of catching desired information, including logins and passwords. On the other hand, an active attack directly interfaces with a remote machine. Remote buffer overflows, network floods and other similar attacks fall under the category of active attacks. By nature, passive attacks are not meant to be discovered by the persons being attacked; at no point should they have any indication of your activity. This makes sniffers just as serious as any active attack.

REFERENCES
1. Rupal Sinha, D.K. Mishra, research paper in the proceedings of the 2nd National Conference, INDIACom-2008.
2. Implementation of IEEE 802.15.4 Packet Analyzer.
3. Andrew Thomas, A Distributed Network Performance and Traffic Analyzer.
4. Ryan Spangler, Packet Sniffer Detection with AntiSniff, University of Wisconsin Whitewater.
5. Adrian Hannah, Packet Sniffing Basics, Linux Journal.
6. Linux Journal on Tcpdump.
7. RFC 1761.
8. Luca Deri, Improving Passive Packet Capture: Beyond Device Polling, NETikos S.p.A.
