Packet Sniffing

Packet Sniffing is a technique used for snooping on network traffic that network engineers have been using for years. It allows network users and administrators to capture each ‘packet’ of data that is transmitted over a network, and then analyze its contents.

Unfortunately, it is also used by hackers to steal personal information.


What is Packet Sniffing?

Packet sniffing has many legitimate uses. Network engineers can use it to diagnose and troubleshoot network problems or to gather statistics about the performance of a given network. With the right privileges, it also gives them a detailed view of how devices connected to a network are communicating with each other, and so is invaluable when it comes to setting up strong security and encryption protocols in corporate environments.

So far, so good.

However, Packet Sniffing also has less innocent uses. Because the technique is such a powerful way of accessing network traffic, including sensitive and confidential data, it has also become part of the hacker’s standard toolkit.

With the help of a Packet Sniffer, an attacker can (potentially) read all of the information being passed across a network. This includes the contents of emails, passwords, and potentially even financial information. Doing this requires that an attacker has the right privileges, of course, but these can often be obtained using a variety of other hacking tools, such as a man in the middle attack.

It gets worse. Even a few years ago, using a Packet Sniffer was a pretty complicated affair. This meant that the technique was confined mainly to professional network engineers. Today, though, anyone can download fully-featured Packet Sniffing software, sometimes even with a graphical interface, and start snooping on network traffic.

This means that Packet Sniffing represents a significant security threat to the average user. Knowing how Packet Sniffing works, and how to protect yourself against it, is, therefore, an essential part of staying safe online.

How Do Packet Sniffers Work?

The first thing to understand is that Packet Sniffers come in a variety of types and forms. In corporate environments, network engineers have a legitimate need to understand the operation of the networks they look after, and they mostly have physical access to network hardware. In this case, Packet Sniffers are generally single-purpose pieces of hardware that are directly installed on network nodes.

Other types of Packet Sniffer are available. Some of the most dangerous types are software-based sniffers that can run on a standard laptop. These make use of the network hardware provided on conventional computers and turn this into a powerful tool for listening in to everything happening on a network.

No matter how they are implemented, all Packet Sniffers work in much the same way. They allow a user (legitimate or not) to ‘see’ network traffic by intercepting the ‘packets’ of data that pass between connected devices. How much of this data can be intercepted, decrypted, read and used depends on the type of network and how the Packet Sniffer is configured.

Packet Sniffers can collect many types of data. A typical sniffer will be able to intercept:

  • The ports being used by each user
  • Web traffic (HTTP, HTTPS)
  • Mail traffic (IMAP, POP3, SMTP)
  • File transfer traffic (FTP, P2P)
  • Infrastructure traffic (DHCP, DNS, ICMP, SNMP)
  • Remote control (RDP, SSH, VNC)
  • Other UDP and TCP traffic

On a wired network, how much of this data can be collected depends on the structure of the network. A Packet Sniffer might have access to the entire network, or only a part of it, depending on how the network switches are placed and configured.
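The list above is abstract until you see what a capture actually contains. The following Python example is an added illustration, not code from the original article: it parses a classic pcap file (the format Wireshark and tcpdump write), pulls out the IPv4/TCP/UDP flows, and reports which of the article’s listed services carry their payload in cleartext, which is the audit a network owner runs to find out what a sniffer on their own segment could read. The pcap bytes, IP addresses (documentation ranges) and the port-to-service table are all constructed for the example.

```python
import struct

# Well-known ports for the services the article lists, with a flag saying whether
# the default transport is cleartext (payload readable by a sniffer) or encrypted.
# Constructed reference table for this example; SMTP/POP3/IMAP are shown as their
# pre-STARTTLS defaults.
SERVICES = {
    (6, 80): ("HTTP", True),   (6, 443): ("HTTPS", False),
    (6, 21): ("FTP", True),    (6, 22): ("SSH", False),
    (6, 25): ("SMTP", True),   (6, 110): ("POP3", True),
    (6, 143): ("IMAP", True),  (17, 53): ("DNS", True),
    (17, 161): ("SNMP", True),
}


def _ipv4_frame(src, dst, proto, sport, dport, payload=b""):
    """Build a minimal Ethernet/IPv4/{TCP,UDP} frame (constructed test data, checksums left zero)."""
    if proto == 6:  # TCP: 20-byte header, data offset 5, PSH|ACK
        transport = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    else:           # UDP: 8-byte header
        transport = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(transport), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + transport  # zeroed MACs, EtherType IPv4


def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap (magic 0xa1b2c3d4, linktype 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1_600_000_000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def _parse_frame(frame):
    """Return (src, dst, ip_proto, sport, dport, payload) for an IPv4 TCP/UDP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[14 + 9]
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    t = 14 + ihl
    if proto not in (6, 17) or len(frame) < t + 4:
        return None
    sport, dport = struct.unpack_from("!HH", frame, t)
    hdr_len = (frame[t + 12] >> 4) * 4 if proto == 6 else 8
    return (src, dst, proto, sport, dport, frame[t + hdr_len:])


def parse_pcap(data):
    """Walk the pcap record headers and decode each Ethernet frame."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:
        raise ValueError("only Ethernet link type is handled here")
    offset, records = 24, []
    while offset + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        rec = _parse_frame(data[offset:offset + incl_len])
        offset += incl_len
        if rec:
            records.append(rec)
    return records


def cleartext_audit(records):
    """Map service name -> (status, packet count); status is cleartext / encrypted / unknown."""
    summary = {}
    for _, _, proto, _, dport, _ in records:
        name, clear = SERVICES.get((proto, dport), (f"{'tcp' if proto == 6 else 'udp'}/{dport}", None))
        status = "cleartext" if clear else ("encrypted" if clear is False else "unknown")
        summary.setdefault(name, [status, 0])[1] += 1
    return {k: (v[0], v[1]) for k, v in summary.items()}


# Constructed sample capture: one client talking to five services.
SAMPLE_PCAP = build_pcap([
    _ipv4_frame("192.168.1.20", "203.0.113.10", 6, 51000, 80, b"GET /login HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    _ipv4_frame("192.168.1.20", "203.0.113.10", 6, 51001, 443, b"\x16\x03\x01\x00\x05hello"),
    _ipv4_frame("192.168.1.20", "192.168.1.1", 17, 53211, 53, b"\x00\x01" * 6),
    _ipv4_frame("192.168.1.20", "192.0.2.5", 6, 51002, 22, b"SSH-2.0-OpenSSH\r\n"),
    _ipv4_frame("192.168.1.20", "192.0.2.9", 6, 51003, 110, b"USER alice\r\n"),
])

if __name__ == "__main__":
    for name, (status, count) in cleartext_audit(parse_pcap(SAMPLE_PCAP)).items():
        print(f"{name:6} {status:9} {count}")
```

The point of the audit is the ratio: every packet flagged cleartext is one whose contents, not just its existence, a sniffer anywhere on the path can read, while the HTTPS and SSH records expose only addresses and ports.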

On a wireless network, Packet Sniffers typically only have access to one channel at a time. However, there is nothing to stop an engineer (or hacker) from running multiple instances of a Packet Sniffer across many different network cards to achieve multi-channel capture.

Why Packet Sniffing Is Bad For You

The reason why Packet Sniffing is such a powerful tool for hackers relies on a fundamental feature of the way that the internet works.

To visit a webpage, you will type the URL of the page into your browser, hit enter, and (hopefully!) the page will appear almost instantly. If you know a little about the way that the internet works, you might imagine that your browser has contacted the server that holds the page you want, and asked it to send the whole page to you.

What typically happens is that the server breaks the data you want down into small packets (called TCP packets), and sends them separately. The job of a router, whether this is your router at home or the industrial-sized versions used by internet companies, is to collect all these packets together, and re-assemble them into a webpage. This makes it appear as though the page arrived in one piece.

That might sound relatively simple, but the reality is more complicated. How packets move across the internet (and other networks) is complex and sometimes chaotic. Those annoying ads that you see when you visit your Facebook profile, for instance, typically contain data packets from all over the world. They have been disassembled into packets somewhere far away and sent to Facebook’s servers. When you access your Facebook profile, these servers take them apart again and send them to you. Your router receives these packets, puts them back together, and your device displays the ad.

The problem is that when packets are moving across networks, whether this be the Wi-Fi in your local coffee shop or the vast space of the wider internet, they are susceptible to being captured and read. Whenever a packet passes through a ‘network control point,' it is vulnerable.

Some of these packets, as you might imagine, contain sensitive information that you don't want other people to read. A packet might include a password, the contents of your emails, or even financial information. This means that if someone manages to intercept them using a Packet Sniffer, you are in trouble.

Who Can Use Packet Sniffers?

A good question, and one that has a simple answer: anyone.

In practice, four groups use Packet Sniffers. I've already mentioned one – network engineers – so let's take a look at the other three. All of them, unfortunately, use Packet Sniffers for something other than their intended purpose.

Government Agencies

Yep. After the Snowden papers and other leaks, it shouldn’t come as a surprise to anyone that the government is using Packet Sniffing to spy on internet traffic. The PRISM program, perhaps the largest mass-surveillance network that we know about, is built around Packet Sniffing.

Specifically, the Snowden papers revealed that for years the National Security Agency (NSA) in the US, in collaboration with partners across the world, has been intercepting packets intended for large internet sites like Facebook, Google, and others. It also included (or still includes) powerful analysis tools like XKeyscore that allowed agencies to search through the collected packets at a later date.

Businesses

Businesses have stolen secrets from each other since the beginning of time, and the advent of the internet arguably made this easier than ever. Though corporate espionage has not been exposed in the same way as government spying programs, there is no doubt that it occurs, and that it must make use of Packet Sniffers.

Corporate espionage of this type is necessarily a form of corporate-sanctioned hacking and relies on many of the same techniques. Once an attacker has gained access to a corporate network using standard tools such as a man in the middle attack or a phishing scam, they can deploy a Packet Sniffer to intercept and steal packets passing across it.

Advertisers

Because online advertisers are typically paid by the number of their ads that are seen or the number that users click on, Packet Sniffing has become a useful tool for them as well. Advertisers can use Packet Sniffers in a relatively benign way, such as to analyze the behavior of users to gauge their tastes and preferences and work out the best time to show them ads.

Packet Sniffers also permit some more dubious practices. Comcast, for instance, was discovered to be sniffing packets passing across its network to work out the best time to arbitrarily inject ads into third-party webpages. That might also sound pretty benign, but it isn't. By doing this, Comcast was altering content that didn't belong to it and had nothing to do with its network.

It is also easy to imagine the same tools being used for more nefarious purposes. Online ads are one of the leading sources of malware. By employing the help of Packet Sniffing, ads containing malware can be injected into webpages as they pass through a router controlled by an attacker. A webpage that was safe when it left its original location can arrive riddled with infectious viruses.

Hackers

Packet Sniffers are also a powerful tool for bad guys.

A typical Packet Sniffing attack must start with an attacker gaining access to the target network. This is usually done using a variety of other techniques, such as phishing scams or man in the middle attacks. These can be used on a small scale, such as in a coffee shop, or against much larger networks, such as public Wi-Fi for an airport or even a city. They can even be deployed against hardened networks, with a favorite attack vector being to target employees at banking companies.

A conventional technique used to do this is to set up a fake Wi-Fi network, perhaps using a Wi-Fi Pineapple, and harvest the packets of the victims who have connected to it. Once an attacker has access to a network, they will use a Packet Sniffer to intercept, read, and maybe alter all the traffic passing across it. They can also modify packets passing the other way, back to users, and inject malware into them.

This is not just a theoretical concern. Many attacks that use Packet Sniffing have been spotted ‘in the wild.' The VPNFilter Malware, for instance, infected half a million wireless routers in over 50 countries and included a packet sniffer in its third stage. This malware collected data packets that contained login details and sent these to attackers over an encrypted network.

How to Protect Yourself against Packet Sniffing

If you’ve read this far, you might have started to worry about falling victim to a Packet Sniffing attack. Fear not. We’ve got you covered.

There are, mainly, three ways to stop your packets being intercepted and read by the government, by businesses, and by hackers. These are to use HTTPS instead of standard HTTP, to use a VPN, and (if all else fails) simply to avoid using websites that leave you exposed. Let's look at each of these techniques in turn.

Always use HTTPS

If you already know the difference between HTTP and HTTPS, skip to the next section.

Still with me? Ok: there are two main types of protocol that your devices use to communicate with web pages. The older and less secure way is HTTP. The newer, much better, and much more secure approach is HTTPS. The ‘S’ stands for secure because HTTPS encrypts the packets that you exchange with websites.

You can see whether you are connected through HTTPS, rather than HTTP, in your browser. The address of the website you are on should start https://, and on most browsers, there is a little green padlock displayed when you are using this kind of connection.

It's common knowledge by now that entering information into websites not secured with HTTPS is insecure, dangerous, and pretty stupid. Despite this, many websites do not use a more secure protocol. Even on those that do, there are often two versions of the same site: one using HTTP, and the other using HTTPS.

Here's the most important point: any packets you send (or receive) over an HTTP connection can be read because they aren't encrypted. This includes not only your passwords and other authentication details but everything you do online.

You should always use HTTPS when it is available.

The simplest way to do this is to stay vigilant. Always look out for that small green lock symbol. If it is not there, you can try to force the website you are on to use HTTPS by changing the URL from http:// to https://. If that doesn't work, the site doesn't offer a secure connection. Get out of there.

There are also many tools you can download that will automate this process for you. Browser plugins like HTTPS Everywhere, which is available for Chrome, Firefox, and Opera, will force your devices to connect via HTTPS where it is available and tell you if it isn't.

What HTTPS Protects, and What it Doesn’t

Using HTTPS is a great start when it comes to protecting yourself against Packet Sniffing attacks, but it still leaves some information unencrypted, and this can again expose you to hackers.

Specifically, when you type a URL into your browser, a server has to convert the hostname into a numeric, machine-readable address called an IP address. This tells your browser where to find the page you are looking for. This process, called a DNS lookup, can be used as an attack vector in itself, as we explained in our DNS Spoofing guide.

In any case, even when using HTTPS, your DNS lookup is visible to anyone using a Packet Sniffer on your network. After you've logged in to Facebook, to take an example, all of your packets will be encrypted using HTTPS, and will (typically) be unreadable for an attacker. The problem is that the fact that you've visited Facebook will be visible.

This kind of information – the websites and systems you use online – is called meta-data. Though it might seem worthless to an attacker, it is not. Meta-data is, in fact, the primary target of government-sanctioned spying programs, and is also invaluable to hackers. This is because it can allow bad guys to build a profile of your online activity.

This is particularly valuable for targeting future attacks because an attacker can see who has access to a target network (such as in a bank, for instance), and then target them with phishing scams or man in the middle attacks.
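To make the meta-data point concrete, here is an added Python example (not code from the original article) that builds the DNS query a device sends before connecting to a site and then decodes it the way anyone capturing UDP port 53 on the same network could. The query bytes are constructed for the example; the hostname is the article’s own Facebook example. The decoder also handles the name-compression pointers that appear in DNS responses, so it goes slightly beyond the single query the text describes.

```python
import struct


def build_dns_query(hostname, txid=0x1234):
    """Build a minimal DNS A query: constructed sample of what a stub resolver sends over UDP/53."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set; one question
    labels = hostname.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(data, offset):
    """Decode a DNS name at offset; follows RFC 1035 compression pointers (0xC0xx)."""
    labels, jumped, end, hops = [], False, offset, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # pointer to a name earlier in the message
            pointer = struct.unpack_from("!H", data, offset)[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_dns_message(data):
    """Return the transaction id, whether it is a response, and the (name, qtype) questions asked."""
    txid, flags, qdcount, _, _, _ = struct.unpack_from("!HHHHHH", data, 0)
    offset, questions = 12, []
    for _ in range(qdcount):
        name, offset = _read_name(data, offset)
        qtype, _ = struct.unpack_from("!HH", data, offset)
        offset += 4
        questions.append((name, qtype))
    return {"id": txid, "is_response": bool(flags & 0x8000), "questions": questions}


def hostnames_seen(messages):
    """The browsing profile a sniffer can assemble from plaintext DNS alone, even if every site uses HTTPS."""
    names = set()
    for msg in messages:
        for name, _ in parse_dns_message(msg)["questions"]:
            names.add(name)
    return sorted(names)


# Constructed sample: the lookups one device might make during a short session.
SAMPLE_QUERIES = [
    build_dns_query("www.facebook.com", txid=1),
    build_dns_query("mail.example.test", txid=2),
    build_dns_query("www.facebook.com", txid=3),
]

if __name__ == "__main__":
    print(parse_dns_message(SAMPLE_QUERIES[0]))
    print("Profile visible on the wire:", hostnames_seen(SAMPLE_QUERIES))
```

Everything `parse_dns_message` returns was readable without breaking any encryption, because the query itself is sent in the clear; HTTPS only starts once the IP address has been resolved and the TCP connection is made. A VPN hides this only when the device actually sends its DNS queries through the tunnel, which is worth checking in the VPN client’s settings rather than assuming.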

Always Use A VPN

The best way to prevent your packets being intercepted is to use a Virtual Private Network (VPN). VPNs work by creating an encrypted ‘tunnel’ between your devices and the websites you visit. The best VPNs use military-grade encryption protocols that ensure that no-one, not even the government, can read the packets you send and receive.

Not only does this protect you against Packet Sniffing, but it also limits your vulnerability to many other forms of attack, and (even better) keeps you anonymous online.

The reason why VPNs provide better protection than standard HTTPS when it comes to packet sniffing is that they encrypt everything. This includes, importantly, the DNS lookup that your device (or router) performs when you visit a website. If an attacker is using a Packet Sniffer to snoop on the network you are connected to, all they will see in your packets is encrypted gibberish.


Ultimately, this means that not only is the information you exchange with the internet secure, so is information about what sites you visit, and what systems you have access to. Because a VPN hides all your activity, you are less likely to be a target of phishing scams and other forms of attack, and you are also better protected against them.

The only person who can see your DNS records will be your VPN provider. For this reason, you need to use a VPN that you trust, and specifically one that does not log your activity.

If All Else Fails

There will be times, of course, when you need to use a website that doesn’t offer HTTPS. There might be times when you don’t have access to your VPN. There might even (ugh) be times when you have to log into a website that only has HTTP, without a VPN, on an unsecured (or at least insecure) Wi-Fi network.

The best solution when connecting like this is simple: don’t do it.

Seriously, don’t do it.

If you absolutely, positively, have to do this, there are some ways of avoiding falling victim to Packet Sniffers. These are easy enough to remember if you also remember a simple rule: everything you do on networks like this is potentially visible to everyone.

Think of it like this: would you feel comfortable walking around with a sign around your neck that gave everyone your Facebook password? No? Then don’t use Facebook on insecure networks.

More practically, if you have to use networks like this, and for some reason, you don't have a VPN installed, you should sign out of all the accounts you care about. You should also avoid filling information into online forms, using email, or sending personal messages. In short, reading the news is fine; everything else isn't.
This might all sound a bit paranoid. Who cares, after all, if the world knows that you like to visit a particular website?

You might think, as many people do, that you have nothing to hide, and that therefore you don't need to encrypt the packets you send and receive. No offense, but an opinion like that shows a massive amount of ignorance about the level of threat that we all face online.

You might not mind if the government knows the sites you visit, but you should care about hackers knowing this. Also, unfortunately, there is no way of hiding your data from criminals while also allowing your government to read it.

Luckily, by now you know some easy ways to protect yourself against Packet Sniffing. Always use HTTPS where possible, and always use a VPN. This will prevent your packets being ‘sniffed,’ stop them from being altered and ultimately preserve your privacy and anonymity in everything you do online.


FAQs

Is Packet Sniffing illegal?

Good question, and one that doesn’t have an easy answer.

You can undoubtedly use a Packet Sniffer on a network that you own, such as your home Wi-Fi network. Doing this is a pretty fun and educational way to learn about how Packet Sniffers work, and how to limit your vulnerability to them.

If you’re thinking about using a Packet Sniffer on a public network, the best advice is not to.

Whether doing that would be technically illegal is a more difficult question. For a start, it depends on what country you are in. Second, the law in many countries hasn't caught up with the internet age.

In the US, for instance, listening in to telephone lines and radio frequencies is prohibited explicitly by law. Presumably, this also extends to sniffing packets that contain ‘telephone’ conversations over the internet, but who knows.

In short, it’s probably best to avoid using a Packet Sniffer on any network other than your own.

What software tools are commonly used in Packet Sniffing?

One of the scariest things about Packet Sniffing is that almost anyone can do it. A decade ago, Packet Sniffing was a pretty boring admin tool for network engineers and was primarily used to optimize corporate networks.

Today, there are plenty of Packet Sniffers available online for free. Many of these tools have been built by the community, and are available as open-source software, meaning that everyone can contribute to improving them. Some even include sophisticated graphical front-ends that allow even the least techy person to perform complex Packet Sniffing attacks.

Perhaps the most popular Packet Sniffer is Wireshark, which was previously known as Ethereal, though there are plenty of other options available.

Is Using A VPN Illegal?

Again, probably not, though it depends where you are.

In the vast majority of countries, using a VPN is perfectly legal, and even recommended if you are working with critical or sensitive information. Many large companies use VPNs to provide an encrypted connection for employees working remotely.

This question still comes up pretty often, in any case. The reason is that in years past many hackers and other criminals used VPNs, and so using a VPN gained an association with illegal activity. Today, VPNs are used for precisely the same reasons that hackers used them in the past: they provide a secure, anonymous, encrypted connection for all your data.

That being said, if you are traveling it is worth checking if the country you are in allows you to use your VPN: it is better to be safe than sorry.
