[Abstract] Security deserves attention in a local area network. When data is transmitted on the network in plain text, any user on the network can easily steal it; this is called sniffing. By sniffing the network, a user can obtain top-secret documents or spy on anyone's privacy, and the many freely distributed sniffer programs on the Internet make this easy. Although sniffing is very easy, there has been no good way to detect this malicious behaviour. This article explains the detection mechanism used by Promiscan, a program that effectively detects sniffers on a network. In order to intercept all packets on the network, the sniffer must set its network card to promiscuous mode, after which the NIC accepts every packet on the network and passes it to the system kernel. The Address Resolution Protocol (ARP) uses ARP request packets to resolve the hardware address corresponding to an IP address. We use this type of packet to check whether a network card is set to promiscuous mode; ARP requests are chosen because they apply to every Ethernet-based IPv4 host. In promiscuous mode the NIC does not discard packets whose destination address is not its own but accepts them all and passes them to the kernel, and the kernel may then respond to packets it should never have seen. Based on this mechanism we can send specially constructed ARP request packets to each node on the network. Network cards that are not in promiscuous mode discard these packets, but if a node responds, its NIC is in promiscuous mode and may be running a sniffer program. In this way the sniffers running on a network can be detected.
In a LAN, sniffing has become a huge threat to network security. By sniffing the network, a malicious user can easily steal top-secret documents and anyone's private data. Achieving this is very easy: the malicious user only has to download a sniffer from the Internet and install it on a computer. However, there has been no good way to detect sniffer programs on a network. This article discusses using Address Resolution Protocol packets to effectively detect sniffer programs on office and campus networks.
2. The principle of network sniffing
A LAN is usually built on Ethernet. Information carried by the IP (IPv4) protocol over an Ethernet cable is transmitted in plain text unless an encryption program is used. When someone sends information onto the network, he wants only a particular user to receive it. Unfortunately, the way Ethernet works lets unauthorised users steal this data. When a frame is transmitted on Ethernet, it is delivered to every node on the network; the node whose address matches the destination address receives it, and all other nodes simply discard it. Whether a packet is received or discarded is controlled by the Ethernet card: on reception, the NIC keeps the packets whose destination address is its own and drops the rest. In this article this NIC filter is referred to as the hardware filter. That is only the normal case, however. A sniffer works differently: it sets its own NIC to receive every packet on the network, regardless of whether the packet's destination address is its own. This mode of the network card is called promiscuous mode.
3. The basic concept of promiscuous mode detection
On the network, a sniffer receives all packets without sending any illegal packets of its own. It does not disturb the flow of network data, so it is hard to detect. However, a network card in promiscuous mode clearly behaves differently from one in normal mode: in promiscuous mode, packets that the hardware filter should have discarded enter the system kernel, and whether they are answered depends entirely on the kernel.
Let us use a real-world analogy to illustrate how we detect network nodes in promiscuous mode. Imagine a meeting in a conference room, and someone who has put her ear to the door to eavesdrop (sniff). While she is eavesdropping she holds her breath and quietly listens to all the speeches in the room. But if someone in the conference room suddenly calls the eavesdropper's name, "Mrs. XX", she may answer "Yes?". This sounds a bit funny, but the same idea applies to detecting sniffing on a network. A sniffing node receives every packet on the network, so its kernel may mistakenly respond to packets that the hardware filter would normally have discarded. On this principle we can detect sniffing on the network by checking the responses to ARP packets.
4. Foundation
1) Hardware filter
First, let us start from something other than promiscuous mode. An Ethernet address is 6 bytes long and is assigned by the manufacturer to each network card in the world, so no two cards share the same address. All communication on Ethernet is based on this hardware address. A NIC, however, can be set to different filter modes to receive different kinds of packets. The filter modes of an Ethernet card are as follows:
Unicast
The NIC receives all packets whose destination address is its own.
Broadcast
The NIC receives all broadcast packets. The destination address of an Ethernet broadcast packet is FF-FF-FF-FF-FF-FF, and such a packet reaches every node on the network.
Multicast
The NIC receives packets whose destination is a multicast address, but only for the multicast addresses that have been registered in its multicast list.
All Multicast
The NIC receives all multicast packets.
Promiscuous
The NIC does not check the destination address at all and receives every packet on the network.
Figure 1 depicts the hardware filter in normal mode and in promiscuous mode. Typically the hardware filter of a NIC is set to receive unicast, broadcast and multicast address 1 packets: the filter only accepts packets whose destination is the card's own address, the broadcast address (FF-FF-FF-FF-FF-FF) or multicast address 1 (01-00-5E-00-00-01).
2) ARP mechanism
An IP network connected over Ethernet depends on Ethernet for transmission, and a frame cannot be sent using only an IP address. Ethernet therefore needs a mechanism that maps IP addresses to hardware addresses; this mechanism is the Address Resolution Protocol (ARP). ARP is at the network layer, the same layer as IP in the OSI model. Address resolution on an IP network happens continuously, which makes ARP packets well suited to detecting network nodes in promiscuous mode.
The following example shows how ARP packets are used to resolve an IP address:
For example, PC X on the network has IP address 192.168.1.1 and Ethernet address 00-00-00-00-00-01, and needs to send a message to PC Y, whose IP address is 192.168.1.10. Before sending, X first issues an ARP request packet asking for the Ethernet address corresponding to 192.168.1.10. The destination address of the request is set to FF-FF-FF-FF-FF-FF (broadcast) so that every node on the local network receives it. On reception, each node checks whether the IP address in the ARP request matches its own. If it does not, the node ignores the request; if it does (Y), the node sends a reply to X. After receiving the reply, X caches Y's IP/hardware address pair and can then send the actual data to Y.
5. Detecting nodes in promiscuous mode
What follows uses the difference in how packets are filtered between a node in promiscuous mode and a normal node. When the network card is set to promiscuous mode, packets that would otherwise be filtered out enter the system kernel. Using this we can detect the nodes on the network that are in promiscuous mode: we construct an ARP request whose destination address is not the broadcast address, send it to every node on the network, and finally decide from each node's response whether it is in promiscuous mode. Let us go through the whole ARP request/response operation. First, an ARP request is generated to resolve the hardware address of 192.168.1.10. So that every node on the network receives this request, its destination address is set to the broadcast address. In theory, only the node with IP address 192.168.1.10 responds to this request.
Now imagine that we set the destination (Ethernet) address of this request to something other than the original broadcast address. For example, what happens if the destination address of the request is set to 00-00-00-00-00-01? The Ethernet card of a node in normal mode will consider the request to be addressed to another host, and its hardware filter will refuse to receive it. If the Ethernet card of this node (192.168.1.10) is in promiscuous mode, however, the hardware filter performs no filtering even though the Ethernet address does not match, so the request enters the system kernel. Since the node's IP address is the same as the IP address queried, one would expect its kernel to treat the ARP request as having arrived and respond to it. To our surprise, the kernel of the promiscuous node does not answer this ARP request. This unexpected result shows that the packet is filtered by the kernel itself. We call this filter the software filter.
Therefore, by distinguishing the different characteristics of the hardware filter and the software filter, we can detect a network node in promiscuous mode. The hardware filter usually blocks all invalid packets (such packets obviously never reach the kernel), and packets that pass the hardware filter generally also pass the software filter, so there is not much to discuss there. What we need is a packet that is blocked by the hardware filter but passes the software filter. If such a packet is sent to every node on the network, a node in normal mode will not respond, while a node in promiscuous mode will.
6. Software filter
The software filter depends on the operating system, so we need to understand how the kernel's software filter works. Linux is an open-source system, so we can read its software filtering mechanism directly. For Micro$oft Windows we can only guess from experiments :(.
1) Linux
In the Linux Ethernet driver module, packets are classified by their destination hardware address:
Broadcast packets
FF-FF-FF-FF-FF-FF
Multicast packets
All packets with the group bit set, excluding broadcast packets.
TO_US packets
Packets whose destination address is the same as this network card's address.
OtherHost packets
Packets whose destination address differs from this network card's address.
Note that here every packet with the group bit set is treated as a multicast packet. The destination address of an Ethernet multicast packet for an IP network is 01-00-5E-xx-xx-xx, yet the multicast class is not determined by checking that prefix but only by the group bit. This is not a mistake: 01-00-5E-xx-xx-xx is the IP-based multicast range, but multicast hardware addresses are also used by other high-level protocols.
Below is the relevant code of the Linux kernel's ARP module:
    /* ARP receive path: drop the packet (goto out) unless it passes all checks */
    if (in_dev == NULL ||
        arp->ar_hln != dev->addr_len ||          /* hardware address length must match the device */
        dev->flags & IFF_NOARP ||                /* interface does not do ARP */
        skb->pkt_type == PACKET_OTHERHOST ||     /* addressed to another host: rejected */
        skb->pkt_type == PACKET_LOOPBACK ||
        arp->ar_pln != 4)                        /* protocol address must be IPv4 */
        goto out;
The Linux kernel's ARP module rejects all packets of the OtherHost type. It then goes on to process broadcast, multicast and TO_US packets. Table 1 summarises how the hardware filter and the software filter treat each kind of ARP packet. Abbreviations: HW (hardware), SW (software), Res. (response), GR (group).
Next, we describe each of the following hardware address types:
TO_US
When the NIC is in normal mode, all TO_US packets pass both the hardware filter and the software filter. The ARP module therefore responds regardless of whether the card is in promiscuous mode.
OtherHost
When the NIC is in normal mode, all OtherHost packets are rejected by the hardware filter. Even when the NIC is in promiscuous mode, these packets cannot pass the software filter, so such an ARP request never receives a response.
Broadcast
In normal mode, broadcast packets pass both the hardware and the software filter, so they cannot be used to detect a node in promiscuous mode.
Multicast
In normal mode, if the packet's hardware address is not registered in the multicast address list, the NIC refuses to receive it; if the card is in promiscuous mode, however, the packet passes unhindered through both the hardware filter and the software filter. This type of packet can therefore be used to detect a node in promiscuous mode.
Group bit
This type of packet is neither broadcast nor multicast, but the group bit of its hardware address (the lowest-order bit of the first byte of the Ethernet address) is set, for example 01-00-00-00-00-00. In normal mode the NIC refuses to receive such packets, but in promiscuous mode they pass the hardware filter. The Linux kernel classifies them as multicast packets, so they also pass the software filter. This type of packet can therefore also be used for promiscuous mode detection.
2) Micro$oft Windows
Windows is not an open-source system, so its software filtering behaviour cannot be analysed from source code and had to be tested by experiment. The experiments used the following hardware addresses:
FF-FF-FF-FF-FF-FF Broadcast address
All network nodes receive this packet. Ordinary ARP requests use this address.
FF-FF-FF-FF-FF-FE Fake broadcast address
FF-FF-FF-FF-FF-FE is a fake broadcast address with the last bit cleared. It is used to check whether the software filter examines all the address bits before answering.
FF-FF-00-00-00-00 16-bit broadcast address
FF-FF-00-00-00-00 matches the real broadcast address only in its first 16 bits. If the filter tests only the first word of the broadcast address, this address is classified as broadcast.
FF-00-00-00-00-00 8-bit broadcast address
This address matches the broadcast address only in its first 8 bits. If the filter checks only the first byte of the broadcast address, it too is classified as broadcast.
01-00-00-00-00-00 Group bit address
This address has only the group (multicast) bit set (the lowest-order bit of the first byte of the Ethernet address). It is used to check whether the filter treats it as a multicast address, as Linux does.
01-00-5E-00-00-00 Multicast address 0
Multicast address 0 is not normally used, so we use it as a multicast address that is not registered in the NIC's multicast address list. Under normal circumstances the hardware filter should refuse to receive this packet. If the software filter does not check all the address bits, however, the packet may be classified as multicast, and so when the card is in promiscuous mode the kernel will respond.
01-00-5E-00-00-01 Multicast address 1
All network nodes on the LAN should receive packets for multicast address 1; in other words, the hardware filter accepts this packet by default. However, some NICs do not support multicast, so this packet can be used to check whether the host supports multicast addresses.
Experimental results:
The test results for these seven address types are shown in Table 2. The tests covered Windows 95/98/ME/2000 and Linux. When the NIC is in normal mode, every kernel responds only to the broadcast address and multicast address 1.
When the card is in promiscuous mode, however, the results differ between operating systems. Windows 95/98/ME respond to the 31-, 16- and 8-bit broadcast addresses, so we conclude that the software filter of the Windows 9x series decides whether an address is the broadcast address by checking only one bit.
Windows 2000 responds to the 31- and 16-bit broadcast addresses, so we conclude that Windows 2000 checks 8 bits of the address to decide whether it is the broadcast address.
The Linux kernel responds to all seven addresses.
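As an added example (not part of the original article or of Promiscan), the following Python models the Linux case described in sections 5 and 6: it builds the probe frame of section 5 with a chosen destination MAC, applies the hardware filter and the Linux driver's packet-type classification, and runs the seven test addresses through it to reproduce the Linux row of Table 2. The tested node's MAC (NIC_MAC) and its registered multicast list are assumptions; Windows is not modelled because the article only has experimental findings for it.

```python
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"
MULTICAST1 = "01:00:5e:00:00:01"
NIC_MAC = "00:00:00:00:00:02"   # assumed address of the tested node (PC Y)
NIC_IP = "192.168.1.10"
# The seven destination addresses the article tests, in the article's order.
TEST_ADDRS = [BROADCAST, "ff:ff:ff:ff:ff:fe", "ff:ff:00:00:00:00",
              "ff:00:00:00:00:00", "01:00:00:00:00:00",
              "01:00:5e:00:00:00", MULTICAST1]

def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))

def build_arp_request(dst_mac, src_mac, src_ip, target_ip):
    """Ethernet frame carrying an ARP request for target_ip. An ordinary
    request uses the broadcast dst_mac; the probe uses one of TEST_ADDRS."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x06"   # EtherType ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)   # Ethernet, IPv4, hln, pln, op=request
    arp += mac_bytes(src_mac) + bytes(map(int, src_ip.split(".")))
    arp += b"\x00" * 6 + bytes(map(int, target_ip.split(".")))    # target MAC unknown
    return eth + arp

def hw_filter_passes(dst_mac, promiscuous, mcast_list=(MULTICAST1,)):
    """Hardware filter: own unicast, broadcast and registered multicast
    addresses are accepted; promiscuous mode disables the check entirely."""
    if promiscuous:
        return True
    return dst_mac in (NIC_MAC, BROADCAST) or dst_mac in mcast_list

def linux_pkt_type(dst_mac):
    """Linux driver classification: TO_US first, then group bit set means
    broadcast or multicast, everything else is OTHERHOST."""
    if dst_mac == NIC_MAC:
        return "to_us"
    if mac_bytes(dst_mac)[0] & 1:
        return "broadcast" if dst_mac == BROADCAST else "multicast"
    return "otherhost"

def linux_responds(dst_mac, promiscuous):
    """Software filter: the ARP module drops PACKET_OTHERHOST and answers the
    rest, so any probe that reached the kernel with the group bit set is answered."""
    if not hw_filter_passes(dst_mac, promiscuous):
        return False
    return linux_pkt_type(dst_mac) != "otherhost"

def responding_addrs(promiscuous):
    """The probe addresses a Linux node answers in the given mode (Table 2 row)."""
    return [a for a in TEST_ADDRS if linux_responds(a, promiscuous)]
```

In normal mode only the broadcast address and multicast address 1 are answered, while in promiscuous mode all seven are, which is exactly the difference Promiscan relies on; the 00-00-00-00-00-01 probe of section 5 is dropped in both modes because it is classified as OtherHost.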