International Journal of Electrical Electronics & Computer Science Engineering Volume 1, Issue 5 (October 2014), ISSN : 2348 2273 Available Online at www.ijeecse.com

Analysing Various Packet Sniffing Tools

Inderjit Kaur (1), Harkarandeep Kaur (2), Er. Gurjot Singh (3)
(1, 2) Post Graduate, Department of Computer Science and Applications, KMV, Jalandhar, Punjab, India
(3) Assistant Professor, Department of Computer Science and Applications, KMV, Jalandhar, Punjab, India

Abstract: Packet sniffing is a technique of monitoring every packet on a network. With the development and popularization of IP and network technology, securing the network has become essential because of cyber attacks: we need protection from unauthorized access and from hackers. Packet sniffing is important in network monitoring, for troubleshooting and for logging the network. Packet sniffers are important for analysing both wired and wireless networks. In this paper, we focus on the basics of packet sniffing tools, how they work and their comparative study.

Fig.1: Packet sniffer (network traffic, MAC address, packet scanner, information)

Fig.1 shows that, with the help of IP and MAC addresses, we can gather information about the network traffic by using any packet scanner.

Keywords: Packet Sniffer, Nmap, Zenmap, Caspa, Ntop, Dsniff, Cain and Abel, Ethereal.

I. INTRODUCTION

Packet sniffing is a methodology of monitoring every packet which passes through the network. A packet sniffer can be a piece of software or hardware that examines all network traffic. The security threat posed by sniffers is their ability to capture all incoming and outgoing traffic, including clear-text passwords and usernames or other sensitive material [1]. Many commercial and non-commercial tools are available that make eavesdropping on network traffic possible [2]. In this paper we present a practical approach to sniffing packets with some of these tools. The paper analyses the procedure of packet sniffing and packet logging.

A. Working: When a computer sends data to the network, it sends it in the form of packets. These packets are blocks of data that are directed to a particular designated system. Every piece of sent data has its receiving point, so all data is handled directly by a specific computer: a system reads and receives only the data which is intended for it. The packet sniffing process involves a collaborative effort between software and hardware. This process is broken down into three steps:

1. The packet sniffer collects raw binary data from the wire. Normally this is done by switching the selected network interface into promiscuous (unrestrained) mode.

2. The collected binary data is converted into readable form.

3. The packet sniffer, having collected all the data, verifies its protocol and begins its analysis [1].

II. NETWORK MONITORING TOOLS

Packet sniffing tools analyse and filter the packets transmitted in the network. There are many packet sniffing tools. Some of them are described as follows:

A. Wireshark: Wireshark is an open source packet filter. It is used to analyse network traffic. Wireshark sees all traffic visible on the selected interface, not just the traffic addressed to one of the interface's configured addresses plus broadcast/multicast traffic. Wireshark is a tool that "understands" the structure of different networking protocols [3]. Wireshark has the ability to capture all of the packets that are sent and received on the network and it can decode them for analysis. Whatever you do, such as browsing websites, using VoIP, IRC etc., the data is always converted into packets when it passes through your network interface or LAN card. Wireshark hunts for those packets in your TCP/IP layer during transmission, keeps them, and presents the data in its GUI [4].

B. TCPDUMP: Tcpdump is a packet filter that runs on the command line interface. It displays TCP/IP and other packets being transmitted or received over a network to which the computer is attached. Tcpdump runs on Unix-like operating systems such as Solaris, BSD and Mac OS. Tcpdump analyses network behaviour, performance and the applications that generate or receive network traffic [1]. Tcpdump can do many things: it views the entire data portion of an Ethernet frame or other link-layer protocol, and it analyses and filters IP packets, ARP packets or any protocol at a higher layer than Ethernet.

C. Nmap: Nmap stands for network mapper. Nmap is an open source tool used to explore and audit a network. It can determine what hosts are available on the network, what services are enabled and their versions, what type of firewalls are in place and many other aspects of the network, using raw IP packets. Nmap is a command line tool. It can also be used by attackers to scan a network in order to harm it [5]. Nmap can perform different types of scans such as:

- Connect
- SYN Stealth
- FIN, Xmas, Null
- Ping
- UDP Scan
- IP Protocol Scan
- ACK Scan
- Window Scan
- RPC Scan
- List Scan
- FTP Bounce

D. Zenmap: Zenmap is a tool which is similar to Nmap. It is an open source tool and is easier to use than Nmap because it is based on a graphical user interface. The main difference between Nmap and Zenmap is that Nmap is command line and Zenmap is GUI. The features of Zenmap are as follows:

a) Based on a graphical user interface (GUI).
b) Identifies the hosts on the network.
c) Identifies the operating system.
d) Easy to use as compared to Nmap [6].

The main thing about Zenmap is that it stores and sorts all the information gathered from any scans performed and allows us to build up a picture of our network. The easiest thing to do is a Ping scan to see what devices are alive on our network [7].

E. Kismet: Kismet is an open source wireless network analyser that runs on Linux, UNIX and Mac OS X. It does not run on Windows. Kismet is a passive sniffer used to detect any wireless 802.11a/b/g compliant network, even when the network does not broadcast its service set identifier. Kismet detects and logs the IP range of any detected wireless network and reports its signal and noise levels. It can sniff all data packets from a detected network. Kismet can be used to troubleshoot and optimize signal strength for access points and clients, as well as to detect network intrusions. Kismet runs in GUI mode, so it is very easy to use [8].

F. CASPA: CASPA assists the user in the specification and analysis of cryptographic protocols. CASPA provides an editor for protocol specifications and offers a quick loading procedure for the protocols specified in the underlying protocol libraries, and a convenient parsing procedure for user-defined protocol specifications. The tool also features graph management: it automatically generates and displays graphs. CASPA gives us a fully mechanized analyser that verifies secrecy and authenticity properties on a given graph and displays the results. More precisely, CASPA allows for analysing the security properties secrecy, weak authenticity and strong authenticity [9].

G. Ntop: Ntop is a network traffic tool that tells us about the usage of the current network. Using ntop helps us to better understand the status of the network. It displays a list of hosts that are currently using the network and shows information concerning the IP and Fibre Channel (FC) traffic generated by each host. Ntop is available for both UNIX and Win32-based platforms. Ntop supports the following protocols:

- TCP / UDP / ICMP
- (R)ARP
- IPX
- DLC
- AppleTalk
- IPv4 / IPv6
- NetBIOS
- and many more [10].

H. Dsniff: Dsniff is a password sniffer and a network traffic analysis tool. It can handle various protocols such as FTP, SMTP, NNTP, HTTP, POP etc. It automatically detects each application protocol. Basically Dsniff is a collection of tools for auditing the network and for penetration testing. This tool can be used for passively monitoring a network. It is a network sniffer but can also be used to disrupt the behaviour of a switched network [11].

I. Cain and Abel: Cain and Abel is basically a password recovery tool for Microsoft operating systems. It helps us to recover hidden passwords by sniffing the network. It can also crack encrypted passwords with the help of cryptanalysis attacks, brute force attacks etc. It is a powerful tool which deals with tough decryption algorithms. The latest version of this tool includes ARP and man-in-the-middle attack features. This tool can also capture and monitor network traffic.


Features:

- It is capable of WEP cracking.
- It has the capability to record VoIP conversations.
- It can do ARP spoofing.
- It can reveal password boxes.
- It has the ability to crack SHA hashes.
- This tool is free to use [12].

J. Etherape: Etherape is a packet filter tool which can also analyse the traffic. It was developed for use on UNIX. Etherape is free and open source software developed under the GNU General Public License. It displays the network traffic graphically: it shows colour-coded nodes and links for the most used protocols. Traffic can be analysed end to end (IP) or port to port (TCP). It shows many types of packets. The data view can be manipulated through a network filter. When we click on a node or link, it provides additional information about protocols and network traffic. We can read the traffic from a file or from the live network. It handles traffic on Ethernet, WLAN, VLAN and all other media. It supports both versions of the Internet Protocol, i.e. IPv4 and IPv6 [13].

K. ETHEREAL: Ethereal is an open source tool used to analyse network traffic. It can also be called a packet sniffer. Ethereal is the original name of the Wireshark tool [14]. This tool is basically used to track and manage network problems. Ethereal can run on different operating systems such as UNIX and Windows. It supports more than 770 protocols. A disadvantage of this tool is that it cannot detect/troubleshoot network problems. This tool is useful when we want to detect intrusion attempts. This tool is user friendly, i.e. users can modify it according to their needs. Packets can be filtered after capturing. Ethereal can be used on PPP, token ring, Ethernet etc. [15].
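The decoding and filtering steps of Section I.A, together with the packet-list fields (source, destination, protocol type, length) that Section III attributes to Wireshark, as an added example that is not part of the original paper and not code from any of the tools it describes. The frames are constructed inside the script (the test host address 192.168.0.74 is borrowed from the paper; MAC addresses and ports are made up), so step 1, reading from the wire, is simulated rather than performed.

```python
import struct
from ipaddress import IPv4Address

ETHERTYPE_IPV4 = 0x0800
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

def build_ipv4_frame(src, dst, proto, payload):
    """Constructed stand-in for step 1 (capture): Ethernet + IPv4 + payload.
    MAC addresses are made up and the IP header checksum is left at zero."""
    eth = bytes.fromhex("aabbccddeeff001122334455") + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return eth + ip + payload

def decode_frame(frame):
    """Step 2: turn raw bytes into the fields a sniffer displays (source,
    destination, protocol, length), like the Wireshark packet list."""
    if len(frame) < 34:
        raise ValueError("frame too short for Ethernet + IPv4 headers")
    _dst_mac, _src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        return {"protocol": "0x%04x" % ethertype, "length": len(frame)}
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    info = {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "protocol": PROTO_NAMES.get(proto, str(proto)), "length": len(frame)}
    l4 = frame[14 + (ver_ihl & 0x0F) * 4:]  # skip IPv4 options, if any
    if proto in (6, 17) and len(l4) >= 4:  # TCP and UDP headers both begin with the port pair
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
    return info

def apply_filter(packets, protocol):
    """Step 3 plus a display filter: keep only one protocol, e.g. "TCP"."""
    return [p for p in packets if p["protocol"] == protocol]

# Constructed sample traffic (not a real capture): one TCP, one UDP, one ICMP frame.
SAMPLE_FRAMES = [
    build_ipv4_frame("192.168.0.74", "192.168.0.10", 6, struct.pack("!HH", 443, 51000) + bytes(16)),
    build_ipv4_frame("192.168.0.10", "224.0.0.251", 17, struct.pack("!HH", 5353, 5353) + bytes(4)),
    build_ipv4_frame("192.168.0.10", "192.168.0.74", 1, bytes(8)),
]

def tcp_only():
    """Decode every sample frame, then filter the list down to TCP, as in Fig.4."""
    return apply_filter([decode_frame(f) for f in SAMPLE_FRAMES], "TCP")

if __name__ == "__main__":
    for pkt in tcp_only():
        print(pkt)
```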

III. ANALYSIS AND DISCUSSION

In this section, we analyse network monitoring tools and how they sniff packets in a particular network. We work with monitoring tools like Wireshark, Nmap, Zenmap, Ethereal and Etherape.

A. NMAP: Nmap is a network mapper tool. It shows us the details of a particular domain name and its different IP addresses. We analyse the domain google.com in fig.2, which shows the IP addresses of the domain google.com. The command used is nmap -v -A www.google.com, run in a terminal on Ubuntu.

Fig.2. NMAP

B. Zenmap: Zenmap is the graphical interface of Nmap. It shows us the details of the open ports as well as the closed ports of a particular IP address. Zenmap was executed and tested with an IP address (192.168.0.74) and the list of open and closed ports was generated. The snapshot for the same is shown in fig.3.

Fig.3 Zenmap



C. Wireshark: Wireshark is used to analyse the network traffic. It tells us the source of each packet, its destination, protocol type, length and time. Fig.4 shows the result of network traffic filtered as per tcp.

Fig.4 Capturing tcp packets

The following table1 shows information about the various packet sniffing tools: their founder, their user interface, their software license and the operating system on which they execute.

Table1. Analyzing different network monitoring tools

Tool's Name   | Founder                 | User interface | Software license     | Operating System
Wireshark     | Gerald Combs            | GUI            | Free                 | Cross platform
Tcpdump       | Van Jacobson and team   | CLI            | Free                 | Unix based
Nmap          | Gordon Lyon             | CLI            | GNU (general public) | Cross platform
Zenmap        | Zenmap Team             | GUI            | GNU (general public) | Cross platform
Kismet        | Mike Kershaw (dragorn)  | GUI            | GPL                  | Cross platform
Caspa         | Colasoft LLC            | GUI            | Proprietary          | Microsoft
Ntop          | Luca Deri               | GUI            | GPLv3                | Cross platform
Dsniff        | Dug Song                | CLI            | BSD                  | UNIX based
Cain and Abel | Massimiliano Montoro    | GUI            | Freeware             | Windows
Etherape      | Juan Toledo             | GUI            | Open                 | UNIX based
Ethereal      | Gerald Combs            | CLI            | Both                 | Unix based

Wireshark is cross-platform, using the GTK+ widget toolkit to implement its user interface; it runs on various Unix-like operating systems including Linux, Mac OS X, BSD and Solaris.

IV. CONCLUSION

In this paper we analysed various packet sniffing tools that monitor network traffic transmitted between legitimate users in the network. The packet sniffer is a network monitoring tool. It is chosen for network monitoring, traffic analysis, troubleshooting, penetration testing and many other purposes. There are many tools which are used for network traffic sniffing, but there are some limitations regarding these packet sniffing tools, i.e. some tools are only used for packet capturing without any kind of analysis of the captured packets, and therefore other tools are needed. Some tools trace IP packets and some tools only capture TCP packets. In the end, we conclude that with these tools we can do intrusion detection and penetration testing against a particular network.

V. REFERENCES

[1] Pallavi Asrodia and Hemlata Patel, "Analysis of Various Packet Sniffing Tools for Network Monitoring and Analysis", International Journal of Electrical, Electronics and Computer Engineering, vol. 1, no. 1, pp. 55-58 (2012).

[2] Rupam, Atul Verma and Ankita Singh, "An Approach to Detect Packets Using Packet Sniffing", International Journal of Computer Science & Engineering Survey (IJCSES), Vol. 4, No. 3, June 2013.

[3] Borja Merino Febrero, "Traffic Analysis with Wireshark", INTECO-CERT, Instituto Nacional de Tecnologias de la Comunicacion, February 2011.

[4] Wolf-Bastian Pöttner and Lars Wolf, "IEEE 802.15.4 packet analysis with Wireshark and off-the-shelf hardware", Institute of Operating Systems and Computer Networks, Technische Universität Braunschweig, Germany.

[5] Ekhator Stephen Aimuanmwosa, "Evaluating Kismet and NetStumbler as Tools & Solutions", Blekinge Institute of Technology, January 2010.



[6] Michael Backes, Stefan Lorenz, Matteo Maffei and Kim Pecina, "The CASPA Tool: Causality-based Abstraction for Security Protocol Analysis (Tool Paper)", Saarland University, Saarbrücken, Germany, and MPI-SWS.

[7] Luca Deri and Stefano Suin, "Practical Network Security: Experiences with ntop".
