What Are Packet Sniffers and How Do They Work?
Packet sniffers are a type of network tool that can monitor and analyze every piece of network traffic that passes their way. They have many important functions on the internet and local networks.
However, they have also been turned to more malicious purposes. If you're wondering what the heck a packet sniffer is and why you should care, stick around as we break it down into the most important points.
What Is a Packet?
Before we can talk about sniffing them, we need to talk about what a packet is in the first place. The first thing you should know about network packets is that they are the most basic unit of communication on a computer network. The easiest way to explain what a packet is and why we use them on networks is using an analogy.
Let's say we wanted to mail a house to you. Yes, an entire brick and mortar house! There's no way to send the whole thing at once. So the only option is to break the house up into smaller pieces - let's say, into its component bricks. We wouldn't just send the bricks to you willy-nilly either: we'd take each brick, put it in a box and carefully label where it's going and where it's coming from. On top of that, we'd also provide exact information about where in the house the brick should go.
As you receive the bricks at the destination, you look at the information included with each one and use it to rebuild the house at the other end. That's basically what an internet packet is. When you send or receive an email, picture, file, or anything else, it's broken up into these digital bricks, wrapped up in a digital shell, and sent off individually to the destination. The packets don't have to arrive in the right order, as long as they all get there to be reconstructed.
Packet Sniffing Defined
Now that you have a reasonable idea of what a packet is, we can talk constructively about what it means to "sniff" them. First, you must understand what happens between the points where a packet leaves your home network and its arrival at the correct destination.
Packets don't get to where they are going through a direct route. Instead, they pass through all sorts of computer systems and networks. The word "internet" is, after all, short for "internetwork." In other words, it's a network of networks. Your packets pass through all the intermediate networks until it gets where it's going.
The crucial thing to realize here is that your packets can be examined and read by every network device that passes that particular packet on to the net hop in its journey! A packet sniffer is exactly that - a device or program whose job is to record information on every packet that passes through its grasp. Actually, the sniffer can do more than record information about the packets: it can save copies of the packets before sending them on! This means that if you send a photo or an email to someone, a packet sniffer could intercept those packets, save them and reconstruct your info - all without you or the receiver knowing about it.
Legitimate Packet Sniffing Uses
That probably sounds pretty bad right off the bat, but packet sniffers actually have a long list of important and legitimate uses. The most important one is probably network troubleshooting. A packet sniffer can find problems on a network by looking at all the packets moving through it and detecting problematic ones. For example, if you find packets in a network where they are not meant to be, you know the problem has to do with packet routing. If you find packets that show protocol and port mismatches, that is a strong clue to what's wrong.
Packet sniffers are also a good way to analyze network traffic. Pretty much the same way we monitor traffic on roads and build up statistics regarding road use. If you see a disproportionate amount of trucks pass through, you know there's an overuse of the road by a particular traffic type. In the same way, a packet sniffer could tell you which application is hogging network bandwidth. Packet sniffers are more useful than real-time network monitoring if you want to have a picture of network use over time.
Packet sniffers can also be used to beef up network security. They can look for and detect packets that potentially pose a security risk. For example, packets that contain sensitive information that can be read openly. This brings us to the dark side of packet sniffing.
Malicious Packet Sniffing
If a malicious actor had a packet sniffer checking and recording every packet that came out of your computer, what could they do with that information?
At the very least, collected packets can tell someone which websites you've visited, which pages you viewed on those sites, and at what time you went there. However, when packet sniffers are installed on a system as a form of malware, things can go much darker than this in short order.
Malicious packet sniffers forward the collected packets to the malware owner's computer, where it can be analyzed. That packet sniffer can be used to look for vulnerabilities, and it can also be used to launch certain types of attacks. Man-in-the-middle attacks are one primary example of this. Here, the software replaces packets going in either direction with compromised ones. However, the real danger is that a malicious packet sniffer will intercept packets with unencrypted data, letting the malicious actor reconstruct data easily.
Filtered vs. Unfiltered Sniffing
Packet sniffers are generally deployed in two modes. Unfiltered sniffers don't discriminate between different types of packets. They collect data on every single packet that passes through the sniffer.
A filtered packet sniffer, on the other hand, is looking for something specific. For example, it might only collect and inspect packets marked for a specific destination. Obviously, unfiltered sniffing can result in an absolutely massive amount of data to analyze, so most sniffers are likely to be set for filtered operation.
Hardware vs. Software Sniffers
Packet sniffers come in two main forms. Software packet sniffers are applications that run on devices such as network-connected computers. Malicious packet sniffers are almost always of the software variety. This makes sense since all you need to install one is a successful malware infection. The downside of using a software packet sniffer from this perspective is that it will only see packets intended for the computer it's installed on. If that computer is a server, then it's not much of a limitation.
If it's someone's company computer, it can see only a fraction of the total network traffic, which is why hackers hope to infect many different computers on the network. That being said, malicious packet sniffers can alter the host machine's settings to see more packets than usual (promiscuous mode). Still, the nature of routed network traffic means that not all packets physically pass through the local network adapter. So, for example, it may not be possible to see the network all traffic on the other side of a router.
Hardware packet sniffers are generally used by on-site network engineers. The sniffer can be installed at any network point, where it will begin to collect network data for analysis. It's a very useful tool for diagnosing specific sections of a physical network. It can help detect when packets are being lost because of some sort of malfunction at any point in the network where you splice it in.
The Importance of Encryption
As you may already have figured out, packet sniffing is the main reason we need packet encryption protocols such as HTTPS. If internet packets aren't encrypted, anyone with a packet sniffer can read exactly what's inside of them! Many common types of internet traffic, such as email, don't have encryption built into them. This wasn't really an issue in the early days of the internet, but now with a global network of users, it's essential that all network traffic has encryption.
Thanks to misconfigurations of internal networks or other related issues, encryption sometimes fails. Malicious packet sniffers are specifically looking for such unsecured packets, which is why cybersecurity professionals do the same thing with their sniffers, hoping to beat the hackers to the punch.
VPNs as Packet Sniffer Defence
One of the best ways to defend against malicious packet sniffers or simply your ISP is to use a VPN or Virtual Private Network. Users who have a VPN service installed on their router or individual devices get an extra encryption layer. Their original packets are encased within an encrypted packet. This forms a virtual tunnel between your device and the VPN server. Anyone sniffing the packets traveling between you and the VPN server only knows that you are using that server - they don't know which sites you're visiting or what data is being transferred.
Once the packets reach the VPN server, they exit the tunnel and reach their destination. Yet anyone sniffing those packets would only know that the communication is traveling between the remote server you're accessing and the VPN server at the far end of the tunnel.
Of course, the VPN server itself can sniff your packets with no trouble at all, which is why you need to choose a trusted VPN that doesn't store any records of your web traffic!
Other Ways to Thwart Packet Sniffers
While using a VPN remains the best overall defense against sniffers, there are other additional measures you can take to make it less likely that your data will be compromised.
First of all, run a malware scan of your computer regularly. Additionally, you should practice the same good habits to avoid malware in general, such as not putting strange USB drives you find into your computer or running email attachments from people you don't know.
You should also steer clear of public WiFi hotspots. The WiFi password is also the decryption key, so anyone can set up a wireless packet sniffer to intercept all packets on public networks. A VPN is the only way to have an acceptable level of security on public networks.
It's not just malicious sniffers you have to worry about. It's best to assume that your ISP or the company you work for logs all of the packets that come from and to you. So be mindful of how you browse and use your own personal internet connection for browsing activity you consider private. When it comes to your ISP, a VPN is again the way to go.
Apart from that, always use HTTPS online. If a website doesn't use HTTPS, then avoid it. Otherwise, you can turn to something like HTTPS everywhere.
It's also important to ensure that your home WiFi network is using the highest network security standard it supports. These days, that's usually WPA2. Keep your devices up to date, make sure your network hardware is up to date, and generally try to install all security-related updates as soon as they are available.
Can You Smell That?
Most of you reading this will never need to use a packet sniffer. Yet everyone needs to know what they are! Having a basic understanding of how networks send and receive info helps your safety. Now that you know what these sniffers can do, you're sure to be more careful with your network packets in the future.