1

What is a Packet
Sniffer?
PROF.HITESH MOHAPATRA
LAB 1 ASSIGNMENT 1

Packet sniffers or protocol analysers are tools that are commonly

used by network technicians to diagnose network-related problems.
Packet sniffers can also be used by hackers for less than noble
purposes such as spying on network user traffic and collecting
passwords.

Types

packet sniffers come in a couple of different forms. Some packet

sniffers used by network technicians are single-purpose dedicated
hardware solutions while other packet sniffers are software
applications that run on standard consumer-grade computers,
utilizing the network hardware provided on the host computer to
perform packet capture and injection tasks.

How do Packet Sniffers Work?

Packet sniffers work by intercepting and logging network traffic that

they can 'see' via the wired or wireless network interface that the
packet sniffing software has access to on its host computer.

On a wired network, what can be captured depends on the

structure of the network. A packet sniffer might be able to see traffic
on an entire network or only a certain segment of it, depending on
how the network switches are configured, placed, etc.

On wireless networks, packet sniffers can usually only capture one

channel at a time unless the host computer has multiple wireless
interfaces that allow for multichannel capture.

Output expectation and uses

Once the raw packet data is captured, the packet sniffing software
must analyse it and present it in human-readable form so that the
person using the packet sniffing software can make sense of it. The
person analysing the data can view details of the 'conversation'
hap

Network technicians can use this information to determine where a

fault lies, such as determining which device failed to respond to a
network request.pening between two or more nodes on the
network.

Negative impact

Hackers can use sniffers to eavesdrop on unencrypted data in the

packets to see what information is being exchanged between two
parties. They can also capture information such as passwords and
authentication tokens (if they are sent in the clear). Hackers can
also capture packets for later playback in replay, man-in-themiddle, and packet injection attacks that some systems may be
vulnerable to.

What Software Tools are Commonly

Used in Packet Sniffing?

Just like everybody else, both network engineers and hackers love
free stuff, which is why open source and freeware sniffer software
applications are often the tools of choice for packet sniffing tasks.
One of the more popular open source offerings
is: Wireshark (previously known as Ethereal).

What is AF_INET, and why do I need

it?

AF_INET is an address family that is used to designate the type of addresses that your socket
can communicate with (in this case, Internet Protocol v4 addresses).
When you create a socket, you have to specify its address family, and then you can only use
addresses of that type with the socket. The Linux kernel, for example,
supports 29 other address families such as UNIX (AF_UNIX) sockets and IPX (AF_IPX), and
also communications with IRDA and Bluetooth (AF_IRDA and AF_BLUETOOTH,
but it is doubtful you'll use these at such a low level).For the most part, sticking
with AF_INET for socket programming over a network is the safest option.
There is also AF_INET6 for Internet Protocol v6 addresses.

socket.SOCK_RAW

Raw mode is basically there to allow you to bypass some of the way
that your computer handles TCP/IP. Rather than going through the
normal layers of encapsulation/decapsulation that the TCP/IP stack
on the kernel does, you just pass the packet to the application that
needs it. No TCP/IP processing -- so it's not a processed packet, it's a
raw packet. The application that's using the packet is now
responsible for stripping off the headers, analyzing the packet, all
the stuff that the TCP/IP stack in the kernel normally does for you

Pseudo code

10

Program
import socket, sys
from struct import

11

#create an INET, STREAMing socket

try:
s = socket.socket(socket.AF_INET, socket.SOCK_RAW,
except socket.error , msg:
print 'Socket could not be created. Error Code : '
Message ' + msg[1]
sys.exit()

socket
+

IPPROTO_TCP)

str(msg[0])

'

# receive a packet
while True:
packet = s.recvfrom(65500)
#packet string from
packet = packet[0]
#take first
ip_header =

tuple

20 characters
packet[0:20]

for

#now unpack them :)

iph = unpack('!BBHHHBBH4s4s'
version_ihl = iph[0]
version = version_ihl >>
ihl = version_ihl & 0xF
iph_length

ihl

the

ip

header

ip_header)

ttl = iph[5]
protocol = iph[6]
s_addr = socket.inet_ntoa(iph[8]);
d_addr = socket.inet_ntoa(iph[9]);
print 'Version : ' + str(version) + '\tIP Header Length : ' + str(ihl)
\tTTL : ' + str(ttl) + '\tProtocol : ' + str(protocol) + '\tSource Address
+ str(s_addr) + '\tDestination Address : ' + str(d_addr)
tcp_header
#now
tcph

'
'

packet[iph_length:iph_length+20]

unpack them :)
= unpack('!HHLLBBHHH'

source_port = tcph[0]
dest_port = tcph[1]
sequence = tcph[2]
acknowledgement = tcph[3]
doff_reserved = tcph[4]
tcph_length = doff_reserved

tcp_header)

>>

print '\nSource port:' +str (source_port)+'\tDestination port:'+str

(dest_port)+'\tSequence
number:'+str(sequence)+'\tAcknowledgement:'+str(acknowledgement)+'\tTcp
Length'+str(tcph_length)
h_size=iph_length

+
:

+tcph_length*4

Header

Out Put

12

IP header format

13