4. Sniffing Packets
A network of computers and peripherals communicates in a logical and predictable manner defined by a standard called the OSI Model. By adhering to the rules of behavior set out in this model, manufacturers can build many different products that connect to each other seamlessly.
Messages and data travel in 'packets' that are similar in concept to envelopes in a postal system. Imagine that you have a large letter for your mum, but there are too many pages of text to fit in a single envelope. So you take out as many envelopes as required, number them in order as 1 of 6, 2 of 6 and so forth. You then affix to each an address for your mum, and a return address in the case of non-delivery.
The protocols of the OSI Model are analogous to the work practice of the postman in his/her post office. These are the questions that must be answered:
Question 1 - does the address for mum exist?
Question 2 - what route is required to send a letter there?
Question 3 - can it be delivered - is anyone at home?
Action - send the letters.
Now, because there are six letters, there is no guarantee that the same postal sorter will handle them all, or that they will all arrive together. If mum does not receive all six, she can complain and the postal system will request that you send them again. If she does get them all then she can arrange them in order and read them.
So how do we establish addresses on a network?
Each computer attached to a network typically has three pieces of information that identify it. There is a private unique address associated with the hardware, called a MAC address. There is an Internet Protocol (IP) address that identifies the computer on the network to which it is attached at a given time. And there is the computer name.
As a rule the MAC address remains unchanged, the IP address changes each time the computer is attached to a different network, and any administrative user can change the name of a computer at will.
So why all the addressing?
Think of things this way. Suppose you have a camper van that has a state registration number; this is like a MAC address. You like to drive from camper site to camper site and stay over for a while. Each site has a different street address, and within each site there are numbered bays where you park and plug in. This is like an IP Address. The name is what you choose to call the camper; last year you might have had 'Bingo Bob' painted on your van, but this year it's 'Elenora'.
For Big Brother to find you, he needs to keep track of your combined registration information and the site and bay in which you are parked. This list, in the techno world, is called the Address Resolution Protocol (ARP) list. Devices connected to a network maintain an up-to-date ARP listing so that the postman doesn't get lost.
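To make the three layers of addressing concrete, here is an added example (not code from the original page) that peels a raw Ethernet frame the way the postman reads an envelope: the MAC addresses from the Ethernet header, then either an ARP reply (which feeds the ARP listing described above) or an IPv4 header with its source and destination IP addresses, TTL and checksum, and finally the TCP ports. The MAC and IP addresses, and the frame builders used to construct the sample frames, are invented for the example; the header layouts are the standard Ethernet, ARP, IPv4 and TCP formats.

```python
import struct
from typing import Dict, Optional

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
IPPROTO_TCP = 6


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum of 16-bit words. Over a header whose checksum
    field is zero it yields the value to insert; over an intact header it yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_frame(frame: bytes) -> Dict:
    """Peel the envelope: Ethernet (MAC layer), then ARP or IPv4, then TCP."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst_mac": mac_str(dst), "src_mac": mac_str(src), "ethertype": ethertype}
    payload = frame[14:]
    if ethertype == ETHERTYPE_ARP:
        # htype, ptype, hlen, plen, operation, sender MAC/IP, target MAC/IP
        _, _, _, _, oper, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", payload[:28])
        info.update(proto="ARP", oper="request" if oper == 1 else "reply",
                    sender_mac=mac_str(sha), sender_ip=ip_str(spa),
                    target_mac=mac_str(tha), target_ip=ip_str(tpa))
    elif ethertype == ETHERTYPE_IPV4:
        ihl = (payload[0] & 0x0F) * 4          # IPv4 header length in bytes (20 without options)
        header = payload[:ihl]
        _, _, _, _, _, ttl, proto, _, sip, dip = struct.unpack("!BBHHHBBH4s4s", header[:20])
        info.update(proto="IPv4", src_ip=ip_str(sip), dst_ip=ip_str(dip), ttl=ttl,
                    ip_proto=proto, checksum_ok=ipv4_checksum(header) == 0)
        if proto == IPPROTO_TCP:
            sport, dport, seq, _, off_flags = struct.unpack("!HHIIH", payload[ihl:ihl + 14])
            data_off = (off_flags >> 12) * 4   # TCP header length in bytes
            info.update(src_port=sport, dst_port=dport, seq=seq,
                        tcp_payload=payload[ihl + data_off:])
    return info


def learn_arp(table: Dict[str, str], info: Dict) -> Optional[str]:
    """Maintain the ARP listing (IP -> MAC) from ARP replies; report if an IP's MAC changes."""
    if info.get("proto") != "ARP" or info["oper"] != "reply":
        return None
    ip, mac = info["sender_ip"], info["sender_mac"]
    previous = table.get(ip)
    table[ip] = mac
    if previous and previous != mac:
        return f"{ip} moved from {previous} to {mac}"
    return None


# Builders for constructed sample frames (invented for this example, not real captures)
def build_ipv4_tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, data: bytes) -> bytes:
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | 0x18, 8192, 0, 0) + data
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64,
                      IPPROTO_TCP, 0, src_ip, dst_ip)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]   # fill in the checksum
    return struct.pack("!6s6sH", dst_mac, src_mac, ETHERTYPE_IPV4) + hdr + tcp


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETHERTYPE_IPV4, 6, 4, 2,
                      sender_mac, sender_ip, target_mac, target_ip)
    return struct.pack("!6s6sH", target_mac, sender_mac, ETHERTYPE_ARP) + arp


# Constructed addresses for the example
MAC_A, MAC_B = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
IP_A, IP_B = bytes([192, 168, 1, 10]), bytes([192, 168, 1, 20])

if __name__ == "__main__":
    arp_table: Dict[str, str] = {}
    for f in (build_arp_reply(MAC_A, IP_A, MAC_B, IP_B),
              build_ipv4_tcp_frame(MAC_A, MAC_B, IP_A, IP_B, 40000, 80, b"GET / HTTP/1.1\r\n")):
        parsed = parse_frame(f)
        print(parsed)
        note = learn_arp(arp_table, parsed)
        if note:
            print("ARP change:", note)
```

The checksum check is the receiver's way of noticing a damaged envelope: flipping a single bit of the IPv4 header makes `checksum_ok` false. The ARP listing is keyed by IP address, so a reply that maps an already-known IP to a different MAC is reported rather than silently overwritten.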
Now we can also have two types of postman: one who likes to meet and chat with everyone and is not discreet, or another that is very efficient and very discreet.
In the former case, the postman knocks at every dwelling in the estate and shows the contents of the letters to anyone who answers the door. In network terms, we would say that our data was being routed on a non-switched network. In the latter case, our discreet postman delivers the letters to your mum only. This form of direct routing occurs on a switched network.
A network that is non-switched is open to a very simple form of hacking. If I am sitting on such a network and I am running a program named TCPDUMP, I can put the network card into "promiscuous mode", in which it passes up every frame it sees rather than only those addressed to it, and so see the network packets (our open letters) destined for all PCs on that network. If a user on a PC on the network is logging into a site that does not use SSL, then the username and password will be retrieved by a program such as TCPDUMP, or a more focused cousin named DSNIFF.
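Two ideas from this page meet in the following added example, which is not code from the original and uses neither TCPDUMP nor DSNIFF: the numbered envelopes that arrive out of order and must be put back in sequence (with a missing one re-requested), and the fact that a login sent without SSL is readable by anyone who can see the packets. The first half reassembles a TCP stream from segments given as (relative offset, bytes) and reports the first hole; the second half is the audit a defender runs over such a reassembled stream to find which hosts and endpoints still receive credentials in the clear, reporting the destination and the field name but never the captured value. The HTTP request, the host name `intranet.example`, the account and the cut points are all constructed for the example.

```python
import re
from typing import List, Tuple

# Constructed sample: one HTTP login request sent without TLS (to TCP port 80).
# The host, account and password are invented for the example.
REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: intranet.example\r\n"
    b"Authorization: Basic Ym9iOmh1bnRlcjI=\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 29\r\n"
    b"\r\n"
    b"username=bob&password=hunter2"
)


def split_stream(data: bytes, cuts: List[int]) -> List[Tuple[int, bytes]]:
    """Cut one stream into (offset, chunk) segments, like the numbered envelopes."""
    bounds = [0] + sorted(cuts) + [len(data)]
    return [(a, data[a:b]) for a, b in zip(bounds, bounds[1:])]


def reassemble(segments: List[Tuple[int, bytes]]) -> Tuple[bytes, List[Tuple[int, int]]]:
    """Put segments back in order. Returns the contiguous data received so far and
    the first hole (start, end) if a segment is missing, so it can be re-requested."""
    data = bytearray()
    expected = 0
    for offset, chunk in sorted(segments):
        if offset > expected:                   # a hole: stop here and report it
            return bytes(data), [(expected, offset)]
        if offset + len(chunk) <= expected:     # duplicate delivery, nothing new
            continue
        data += chunk[expected - offset:]       # drop any overlapping prefix
        expected = offset + len(chunk)
    return bytes(data), []


# Form field names that usually carry a secret (assumed list for the example)
SENSITIVE_FIELD = re.compile(rb"(?i)\b(passw(?:or)?d|pwd|secret|token)=")


def audit_cleartext_login(stream: bytes, dst_port: int) -> List[str]:
    """Flag credential material readable in an unencrypted HTTP request.
    Findings name the destination and the field, never the captured value."""
    if dst_port == 443:
        return []                               # TLS: the payload is ciphertext to a sniffer
    head, _, body = stream.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode(errors="replace")
    headers = [line.partition(b":") for line in lines[1:]]
    host = next((v.strip().decode(errors="replace") for n, _, v in headers
                 if n.lower() == b"host"), "?")
    findings = []
    for name, _, value in headers:
        if name.lower() == b"authorization" and value.strip().lower().startswith(b"basic "):
            findings.append(f"HTTP Basic credentials in clear -> {host} [{request_line}]")
    for m in SENSITIVE_FIELD.finditer(body):
        field = m.group(1).decode()
        findings.append(f"form field '{field}' in clear -> {host} [{request_line}]")
    return findings


if __name__ == "__main__":
    segments = split_stream(REQUEST, [30, 70, 110])
    arrived = [segments[2], segments[0], segments[3], segments[1]]   # delivered out of order
    stream, holes = reassemble(arrived)
    for finding in audit_cleartext_login(stream, dst_port=80):
        print(finding)
    # Now the envelope covering bytes 30..70 never arrives: the receiver must ask for it
    stream, holes = reassemble([s for s in segments if s[0] != 30])
    print("received", len(stream), "bytes; re-request", holes)
```

Running the audit against a port 443 stream yields nothing, which is the point of the SSL remark above: the same login over TLS shows a sniffer only ciphertext. On a non-switched network the audit can be fed every stream seen; on a switched one it can still be fed the traffic of the machine it runs on, which is enough to find a site that is still accepting logins without SSL.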