In a shared media network, such as Ethernet, all network interfaces on a network segment have
access to all of the data that travels on the media. Each network interface has a hardware-layer
address that should differ from all hardware-layer addresses of all other network interfaces on
the network. Each network also has at least one broadcast address that corresponds not to an
individual network interface, but to the set of all network interfaces. Normally, a network
interface will only respond to a data frame carrying either its own hardware-layer address in
the frame’s destination field or the “broadcast address” in the destination field. It responds to
these frames by generating a hardware interrupt to the CPU. This interrupt gets the attention
of the operating system, and passes the data in the frame to the operating system for further
processing.
Note:
"The term “broadcast address” is somewhat misleading. When the sender wants to
get the attention of the operating systems of all hosts on the network, he or she uses
the “broadcast address.” Most network interfaces are capable of being put into a
“promiscuous mode.” In promiscuous mode, network interfaces generate a hard-
ware interrupt to the CPU for every frame they encounter, not just the ones with
their own address or the “broadcast address.” The term “shared media” indicates to
the reader that such networks broadcast all frames—the frames travel on all the
physical media that make up the network."
At times, you may hear network administrators talk about their networking trouble spots—
when they observe failures in a localized area. They will say a particular area of the Ethernet is
busier than other areas of the Ethernet where there are no problems. All of the packets travel
through all parts of the Ethernet segment. Interconnection devices that do not pass all the
frames from one side of the device to the other form the boundaries of a segment. Bridges,
switches, and routers divide segments from each other, but low-level devices that operate on
one bit at a time, such as repeaters and hubs, do not divide segments from each other. If only
low-level devices separate two parts of the network, both are part of a single segment. All
frames traveling in one part of the segment also travel in the other part.
The broadcast nature of shared media networks affects network performance and reliability so
greatly that networking professionals use a network analyzer, or sniffer, to troubleshoot
problems. A sniffer puts a network interface in promiscuous mode so that the sniffer can
monitor each data packet on the network segment. In the hands of an experienced system
administrator, a sniffer is an invaluable aid in determining why a network is behaving (or
misbehaving) the way it is. With an analyzer, you can determine how much of the traffic is due
to which network protocols, which hosts are the source of most of the traffic, and which hosts
are the destination of most of the traffic. You can also examine data traveling between a
particular pair of hosts and categorize it by protocol and store it for later analysis offline. With
a sufficiently powerful CPU, you can also do the analysis in real time.
Most commercial network sniffers are rather expensive, costing thousands of dollars. When
you examine these closely, you notice that they are nothing more than a portable computer
with an Ethernet card and some special software. The only item that differentiates a sniffer
from an ordinary computer is software. It is also easy to download shareware and freeware
sniffing software from the Internet or various bulletin board systems.
The ease of access to sniffing software is great for network administrators because this type of
software helps them become better network troubleshooters. However, the availability of this
software also means that malicious computer users with access to a network can capture all the
data flowing through the network. The sniffer can capture all the data for a short period of
time or selected portions of the data for a fairly long period of time. Eventually, the malicious
user will run out of space to store the data—the network I use often has 1000 packets per
second flowing on it. Just capturing the first 64 bytes of data from each packet fills up my
system’s local disk space within the hour.
Note:
"Esniff.c is a simple 300-line C language program that works on SunOS 4.x. When
run by the root user on a Sun workstation, Esniff captures the first 300 bytes of each
TCP/IP connection on the local network. It is quite effective at capturing all
usernames and passwords entered by users for telnet, rlogin, and FTP.
TCPDump 3.0.2 is a common, more sophisticated, and more portable Unix sniffing
program written by Van Jacobson, a famous developer of high-quality TCP/IP
software. It uses the libpcap library for portably interfacing with promiscuous mode
network interfaces. The most recent version is available via anonymous FTP to
ftp.ee.lbl.gov.
NetMan contains a more sophisticated, portable Unix sniffer in several programs in
its network management suite. The latest version of NetMan is available via
anonymous FTP to ftp.cs.curtin.edu.au in the directory /pub/netman.
EthDump is a sniffer that runs under DOS and can be obtained via anonymous FTP
from ftp.eu.germany.net in the directory /pub/networking/inet/ethernet/".
Warning:
"On some Unix systems, TCPDump comes bundled with the vendor OS. When
run by an ordinary, unprivileged user, it does not put the network interface into
promiscuous mode. With this command available, a user can only see data being
sent to the Unix host, but is not limited to seeing data sent to processes owned by
the user. Systems administrators concerned about sniffing should remove user
execution privileges from this program".
Komentar