Monte Ming Author
Network monitors have always been a relatively sensitive topic in network security. As a more mature technology, listens to an irreplaceable role in assisting network administrators monitoring network transmission data, excluding network failure, so that they have been subject to The favor of network administrators. However, on the other hand, online security has brought great hidden dangers to Ethernet security. Many network invasions often accompany the online monitoring behavior of the Ethernet, thereby causing password stolen, sensitive data being intercepted, etc. event.
Network monitors have attracted people in the field of security to pay attention to in 1994. In February, in that year, several large security incidents have occurred, and an unknown person is installed on many hosts and backbone network devices. Online monitoring software, using it to steal more than 100,000 valid usernames and passwords for the US backbone Internet and military network. The above incident may be the earliest online monitoring event on the Internet, which makes early network monitoring from "underground" to open, and quickly popular in the public.
About online monitors often have some interesting questions, such as: "I have a computer that is in the online online, I also have the eavesdropped software, then I can hear Microsoft (or the US Department of Defense, Sina.com, etc.) Password?
Another example: I am a company's local area network administrator. I know that HUB is very unsafe. Use Hub's network structure to connect the company's calculations to each other, making network monitors very easy, then we will change the HUB, use Don't you solve the security problem of password stolen?
This is two very interesting questions. We don't answer first here. I believe that readers will have their own correct answers after reading full text.
Some basic concepts:
First, we know that a computer connected in the Ethernet in order to communicate with other hosts, on the hardware, the network card is needed, and the network card driver is required on the software. Each network card has a unique hardware address that does not repeat any of the world's network cards in the world, called a MAC address. At the same time, when two hosts in the network are implemented in TCP / IP communication, the NIC must also bind a unique IP address. Let's take a look at the author's normal work of the machine with a common UNIX command ifconfig.
[yiming @ Server / root] # ifconfig -ahme0: Flags = 863 MTU 1500inet 192.168.1.35 Netmask fffe0 Ether 8: 0: 20: C8: Fe: 15
From the output of this command we can see these concepts, such as 192.168.1.35 of the second line is an IP address, 8: 0: 20: 20: C8: Fe: 15 is the MAC address. Please note the first line of Broadcast, Multicast, what does this mean? In general, the NIC has several states of receiving data frames, such as Unicast, Broadcast, Multicast, Promiscuous, etc., Unicast refers to the data frame of the network card when the network is working is the local hardware address. Broadcast refers to a data frame that receives all types of broadcast messages. Multicast refers to receiving a specific multicast. Promiscuous is usually a mixed mode that refers to the working modes that do not add any inspections in the packet, all received. Take a look at these concepts, see the above command output, we can see that the normal network card should just receive data packets, broadcast and multicast, broadcast, broadcast, and multicast, please remember this concept.
For network users, browse the web, send and receive mail, etc. is very common, very simple work, in fact, these work in the background is achieved by the TCP / IP protocol family, you know that there are two major network systems: OSI reference Models and TCP / IP reference models, the OSI model is the usual 7-layer protocol, which is a physical layer, a data link layer, a network layer, a transport layer, a session layer, a network layer, an application layer, and TCP. After the / IP model removes the session layer and the representation layer, the rest of the 5th floor constitutes the basis of the Internet, and works silently in the background of the network. Below we may wish to see the process of sending data in the local area network from the perspective of the TCP / IP model: When the data is passed from the top of the application layer, the IP datagram is formed on the network layer, and then the data link layer is reached downward. The IP datagram is divided into data frames by the data link layer, increasing the Ethernet cladding head, and then transmits the next layer. It should be noted that the MAC address of the Ethernet includes the MAC address of the unit and target device, that is, when the data frame of the link layer is transmitted, it is confirmed by the Ethernet address of 48bits rather than the IP address. The NIC device driver will not care about the IP address in the IP datagram, which is only the MAC address.
How is the MAC address of the target IP? The sender host sends a Ethernet data frame (called ARP packet) containing the IP address of the destination to Ethernet, and desires the destination host to reply, so that the MAC address corresponding to the destination host, and will The MAC address is stored in a ARP cache.
When the host in the domain network is connected by HUB, it is generally referred to as a shared connection. This shared connection has a significant feature: HUB will receive all the data received to each of the HUB. Port forwarding, that is, when the host is transmitted according to the MAC address, although the sender host informed the address of the target host, this does not mean that other hosts within a network cannot hear the sending end and receiving ends. Communication is just that other hosts will ignore these communications messages under normal conditions! If these hosts are unwilling to ignore these messages, the NIC is set to the promiscuous state, then, for the network interface of this host, any information transmitted in this LAN can be heard.
example:
We may wish to take an example to see: We now have a, b two hosts, connected in an Ethernet through Hub, now a user on the machine wants to access the WWW service provided by the B-machine, then the user on the plane Type the IP address of B in the browser to get the web service provided by the B-machine, what happened from the perspective of the 7-layer structure?
1: First, when the user on A is typed in the browser, after the browser issues a browsing request, the app is requested, requiring the IP address to be B,
2: The application layer then transmits the request to the next layer of transport layer in the 7-layer structure, and the transfer layer is implemented by the TCP to connect to IP.
3: The transport layer is reported to the next layer of network layer, and the network layer is selected.
4: Due to the two machines A, B in a shared network, IP routing is very simple: IP datagram is sent directly from the source host to the destination host.
5: Due to the two machines A, B in a shared network, the A machine must convert the 32bit IP address to 48bit Ethernet address, please note that this work is done by ARP.
6: The ARP of the link layer sends a Ethernet data frame containing the IP address of the destination by working on each host of the physical layer to the Ethernet, in which the request message is declared: Who is B-machine IP The owner of the address, please tell me your hardware address. 7: Each machine in the same Ethernet will "receive" (please pay attention to this!) To this message, but in the normal state, other hosts outside the B-machine should ignore this message, and the B-network card driver The program identifies that it is looking for its own IP address, so I will send an ARP response to inform my IP address and MAC address.
8: The network card driver of the A machine receives the data frame of the B machine, knows the MAC address of the B machine, so the subsequent data is transmitted as the destination address using this known MAC address. Although the host in a local area network can also "see" to this data frame, it is kept silent, and this data frame that does not belong to it is not received.
The above is a normal situation. If the network card is set to be a mixed mode, then step 8 will change, this host will be unable to listen to all information transmitted in the Ethernet network. Say: Eavesterally is therefore achieved! This will bring great security issues to the LAN security, once a system is invaded and enters the network listening state, whether it is a huge possibility of being eavesdropped in both local or local network.
*********************************************************** ************************************************
Tools to realize network listening: What we see above, everything is that the network card is set to a mixed mode, is this work complex? Unfortunately, this work is not complicated, and there are too many tools to do this. Since the birth of this technology, a large number of work-related software and hardware tools are generated in various platforms, including commercial, free. Use the Sniffer Tools on Google as a keyword, you can find a lot.
The author listed some software liked here, for use in interested readers.
Under the Windows platform:
WINDUMP
WINDUMP is the TCPDUMP's Window Transplantation Edition on the most classic UNIX platform, and tcpdump is almost completely compatible, and it is easy to run in a command line. It will be very easy to use people who use TCPDUMP. The current version is 3.5.2, which can be run on the Windows NT / 2000 / XP platform.
Iris
Eeye's payment software, a trial period, a fully graphical interface, which can be easily customized, analyzed, restore, etc. It is easy to get started with administrators, entry-level and senior administrators can get what they want from this tool. Run on the Windows 95/98 / ME / Windows NT / 2000 / XP platform
Under the UNIX platform:
TCPDUMP
Not much to say, the most classic tool, is adopted by a large number of * NIX systems, no need to say.
ngrep
Similar to tcpdump, but the biggest difference with TCPDump is that by means of this tool, the administrator can easily customize the intercept target in the keyword, password, etc.
Snort
At present, the free IDS system is used in addition to the IDS, in addition to the IDS, it is also useful to Sniffer is also very good, and can be fully reduced by the tool or relying on its own capabilities.
DSNIFF
The starting point of the author design is to use this thing for network penetration test, including a small tool of small tools, main goals, in sensitive information such as customs, users, etc., very special, toolkit ARPSPOOF, MACOF and other tools You can satisfactorily capture host sensitive data in the switch environment. ETTERCAP
And DSNIFF has similar aspects, can also be very convenient to work in a switch environment
Tip: Domestic users have access to this site to use the proxy server.
Sniffit
The widely used network listening software, intercepts focus on the user's output. Specific implementation of online monitoring:
In the system administrator, the main purpose of network listening is to analyze packet analysis, through the network listening software, the administrator can observe the analysis of the real-time data packets, so that network fault positioning is fast.
We can take an example: Server is a mail server, with a lot of client users, mail servers send and receive mail, but the following client users always wait for a long time to wait for a long time after connecting to the mail server. Work, where is the problem?
Use TCPDUMP to capture the packets from one of the CLIENT, how is the result?
Server # tcpdump: listening on hme019: 04: 30.040578 Client.1065> Server.smtp: s 1087965815: 1087965815 (0) Win 64240
Client connection server 25 port, three handshakes are normal, no problem, let's see
19: 04: 30.048862 Server.33152> Client.113: s 99370916: 99370916 (0) WIN 8760
The problem is found, the following work is good, by modifying the server-side software configuration, make it no longer conducting the authentication of the 113-port, see this problem solved? You don't have to ask the client user, and the bag is as follows:
Server # tcpdump: listtening on hme019: 06: 45.775516 Client.1066> Server.smtp: s 1119047365: 1119047365 (0) Win 64240
From this trial, we can see that network monitoring means, the system administrator of the network is very valuable.
However, what about the invaders? Interested in administrators, analyzing packets, intruders, interested in data packages, especially accounts, passwords, and other sensitive content.
We imitate the invaders running a Sniffit software mentioned above, listening to all Telnet data issued by this machine, as follows: Server #. / Sniffit -a. -P 23 -s Server
At the same time, we imitate a user yiming to log in a Client machine.
server @ yiming # telnet clientTrying 192.168.1.1 ... Connected to 192.168.1.1Escape character is '^]' login:. yimingPassword: Sun Microsystems Inc. SunOS 5.7 Generic October 1998 $ lsbak lost found project wangguanlibcap nms snmp wglist $ pwd / yiming $
We see this user telnet to the Client machine, enter the account password, execute the LS, PWD command,
At this point, look at what Sniffit's record file records.
Server # more server.32780-client.23 ............! .. "..'....... H.7 .... # .. $ .. ..Vt100 ....'......... yiming..power ^ man! .. ls ..pwd .. we see the account yiming, password Power ^ Man !, still have logged in Command. Please note that YIMING This user has set a very complex password, but there is no meaningfulness of the network monitoring.
In addition, in addition to intercepting the Telnet password, the dedicated network listener software from the password to the message, browsing the web, etc., all package, but because this article is not introducing the network listening software use, it will not be described in detail. The software use method, interested readers can refer to files such as README of each software, very simple.
*********************************************************** ************************************************
Online monitoring method:
Above we introduced the software that can be used to monitor online, then have this unpopular behavior? Is there any prevention means?
Above we know, Sniffer is in the Ethernet network, then, it is obvious that first, it is necessary to ensure the overall security of the Ethernet, because the Sniffer behavior wants to happen, one of the most important prerequisites is an Ethernet's inside. The host of the vulnerability is broken, and only Sniffer can be made by using the host that is broken, and the SNIFFER can be collected in the Ethernet.
Second, it is also a good way to adopt encryption means, because if the data arrested by Sniffer is transmitted in secret text, the significance is not very significant for intruders even if the intruder is grasped, the meaning is not big - such as Telnet Safety replacement products such as FTP currently use SSH2 or safe. This is one of more means of use, often refers to the actual application refers to the service that is unsafe, using clear text transmission data, such as telnet that comes with SSH, OpenSsh, etc. with SSH, OpenSsh, etc. FTP, RSH, using SecureCRT, SSHTRANSFER instead Telnet, FTP, etc. in the Client side.
In addition to encryption, the use of the switch is currently a more application, unlike the HUB working in the first layer, the switch is working in the second layer, that is, the data link layer, as an example of Cisco's switch, the switch is Maintain an ARP database, record the MAC address bound to each port of the switch in this library. When there is a datagret to send to the switch, the exchange opportunity to maintain the Data's destination MAC address with its own database The inner port is controlled, and then the datagram is sent to the "corresponding" port. Note that the packet forwarded by the switch is different from the message broadcast of the HUB. For two-layer equipment, only two cases will send broadcas, one is that the Data report is not in the database maintained by the switch. At this time, the newspaper is forwarded to all ports, and the second is that the packet itself is broadcast message. . From this, we can see that this has largely solved the trouble of online monitoring. However, it is important to note that with the emergence of software such as DSNIFF, ETTERCAP, the security of the switch has faced a severe test! We will introduce this technology later.
In addition, companies with high security requirements can consider Kerberos, Kerberos provides a certification mechanism for open systems for network communications, providing a strong correction mechanism that makes the Client side and Server even The identity of each other is also confirmed in a non-secure network connection environment, and after the parties pass identity authentication, subsequent communication is also encrypted. In the implementation, the key database for establishing a trusted third-party server to retain the communication with ZF, only Kerberos and the system itself have a private key, then passed through Private Key and the Session created when certified. Key to implement trusted network communication connections. Detect network listening means
Listening to other hosts that occur in the LAN has been lacking a good detection method. This is because the host that generates the network listening behavior is always not allowed to collect packets at work, almost no information will be issued. But there are some ideas and products that have solved this problem online:
1: Reaction time
Send a large amount of spam to suspect a network listening behavior, determined according to the situation responded by each host, the normal system response time should not change, and the system in which a mixed mode is due to a large amount of spam Received, it is very likely that the response time will change.
2: Observation DNS
Many online monitoring software will try to perform address reverse resolution, and can observe the significant increase in resolution requests on DNS systems when suspecting network monitors occur.
3: Monitor using ping mode
Above we said: When a host enters a mixed mode, the Ethernet network card will complete all the data sheets that do not belong to his. According to this idea, we can do this: Suppose we suspect the host's hardware address is 00: 30: 6E: 00: 9B: B9, its IP address is 192.168.1.1, then we now fake such a kind ICMP packet: The hardware address is not the same 00: 30: 6e: 00: 9b: 9b, the destination address is 192.168.1.1, and we can imagine that this packet is transmitted in the local network. What happens: Any normal host checks this packet, compare the hardware address of the packet, and the differences of your own, so I will not pay this packet, and the host of the network listening mode? Since its NIC is now in mixed mode, it will not compare the hardware address of this packet, but directly pass this packet directly to the upper layer, the upper layer checks the IP address of the packet, in line with its own IP, so will A response to this ping package. In this way, the host in the network listening mode is found.
This approach, has a good manifestation in the AntiSniff products of 10PHT. See: http://www.securitysoftwaretech.com/antisniff/download.html
4: Monitor using the ARP packet
In addition to monitoring using ping, the current comparative use of ARP mode is monitored. This mode is a variant of the above PING mode, which uses the ARP packet to replace the above ICMP packet. Send a non-broadcast approach to the host in the LAN. If a host in the LAN responds to this ARP request, then we can judge that it is likely to be in the online monitoring mode, which is relatively good. Monitor mode.
This way, it is reflected in the two products of NEPED and Promiscan. Refer to:
http://www.apostols.org/,
Http://www.securityfriday.com/tooldownload/promiscan/promiscan_doc.html
It is worth noting that there are some scripts and procedures based on these two technologies on the Internet. They claim that they can accurately capture all the hosts in the LAN. At present, this statement is basically unreliable. Because of the above techniques In the implementation, in addition to the hardware filtering of the NIC, it is also necessary to consider software filtration that may be generated by different operating systems. Because the system should receive all the packets, the system should receive all the packets, but different versions of different operating systems, different versions of the same operating system have some of their own characteristics, may not Receive these theoretical packets that should be received. In addition to the above methods, there are other ways, such as: detecting the HUB lamp, but is greater compared to the limitations, only the supplement of the above mode.
Relatively speaking, the online monitoring of this machine is, it is possible to use some tool software to discover, relatively simple, here we do not introduce, interested readers can refer to Cert and other websites.
*********************************************************** ************************************************
Safety switch?
Did the article end here? No, we also missed a very important monitoring means - the online listeners below the exchange environment, this is a topic that is necessary to talk, and the author has participated in many project decisions as a network administrator. Surprised discovery of many companies Stop in the switch is a concept of thorough resolution of LAN security.
It should be recognized that this concept is a legend, yes, in the past, it is indeed this, but with the birth of DSniff and other software described above, the safety of the so-called switch has become a legend.
The above part of this paper introduces the principle of switch work, unlike HUB shared packet, the message forwarded packets correspond to one, which seems to use the traditional shared local area network in the exchange environment. It is not feasible, because the message is a corresponding forwarded, ordinary network listening software cannot monitor any valuable data of other hosts in the exchange environment at this time.
Is the switch safe?
No, there are some other methods, such as using ARP, this article refers to the transfer of the transmission completion of the host packet in the local area network, but relying on the MAC address corresponding to the IP address in ARP. And we know that the ARP protocol is unreliable and unconnected, and it is usually accepted by the host even if the host does not make an ARP request, and will be sent to its ARP and IP correspondence into its own ARP cache.
Then use this feature, do some articles in this link, or you can intercept the packet.
ARP theory practice
The author recommended a good above the above theoretical product, DSNIFF, including Filesnarf, Mailsnarf, Msgsnarf, Urlsnarf, DNSSPOOF, MACOF, etc. in this package, which can capture various sensitive data in the network, but these are not Today, I'm just in one of the components, arpspoof, this component is a practice in the above ARP theory. Its work is this: initiating arpspoof hosts to send a forged ARP response package to the target host, defraud target system Update the ARP table, modify the MAC address of the gateway of the target system to initiate the host MAC address of Arpspoof, so that the packets are initiated by the host, so that even if the system is connected to the switch, it will not affect the capture of the packet, by This is easy to achieve network listening through the switch. For example, as follows:
Host A and B are connected to the same VLAN of the switch, the IP address of the A machine: 192.168.1.37
B machine IP address: 192.168.1.35, MAC address is: 08-00-20-C8-Fe-15
IP address of the gateway: 192.168.1.33, MAC address is: 00-90-6D-F2-24-00
First look at the ARP table on the plane
C: /> arp -ainterface: 192.168.1.37Internet Address Physical Address Type192.168.1.33 00-90-6D-F2-24-00 Dynamic
We see the IP address of the gateway in A. 192.168.1.33 and the corresponding MAC address 00-90-6D-F2-24-00
We execute arpspoof on the B machine to point the target to the A machine, claiming to be the gateway, as follows:
Hostb # arpspoof -t 192.168.1.37 192.168.1.338:37 192.168.1.338:0:20:2:1:::15 0: 50: ba: 1a: f: C0 0806 42: ARP reply 192.168.1.33 IS-AT 8: 0: 20: C8 : Fe: 158: 0: 20: C8: Fe: 15 0: 50: Ba: 1a: f: C0 0806 42: ARP Reply 192.168.1.33 IS-AT 8: 0: 20: C8: Fe: 158: 0: 20: C8: Fe: 15 0: 50: BA: 1A: F: C0 0806 42: ARP Reply 192.168.1.33 IS-AT 8: 0: 20: C8: Fe: 158: 0: 20: C8: Fe: 15 0: 50: BA: 1A: F: C0 0806 42: ARP Reply 192.168.1.33 IS-AT 8: 0: 20: C8: Fe: 158: 0: 20: C8: Fe: 15 0: 50: BA: 1A : f: C0 0806 42: ARP Reply 192.168.1.33 IS-AT 8: 0: 20: C8: Fe: 158: 0: 20: C8: Fe: 15 0: 50: BA: 1A: F: C0 0806 42: ARP Reply 192.168.1.33 IS-AT 8: 0: 20: C8: Fe: 158: 0: 20: C8: Fe: 15 0: 50: BA: 1A: F: C0 0806 42: ARP Reply 192.168.1.33 IS- AT 8: 0: 20: 20: Fe: 158: 0: 20: C8: Fe: 15 0: 50: Ba: 1A: F: C0 0806 42: ARP Reply 192.168.1.33 IS-AT 8: 0: 20: C8: Fe: 158: 0: 20: C8: Fe: 15 0: 50: Ba: 1a: f: C0 0806 42: ARP Reply 192.168.1.33 IS-AT 8: 0: 20: C8: Fe: 15
It can be seen that the B operates to send ARP response packages to a, claims that the MAC address of the gateway 192.168.1.33 is yourself! At this point, we look at the contents of the ARP table on the machine.
C: /> arp -ainterface: 192.168.1.37Internet Address Physical Address Type192.168.1.33 08-00-20-C8-Fe-15 Dynamic
what! The ARP table of the A machine has changed, the MAC address of the gateway is updated to the MAC address of the B machine, so when there is a packet transmission, the A mechanism will leave the MAC address corresponding to the gateway in the ARP table. 08-00 -20-c8-fe-15, however, the B machine in this place is waiting, quietly swearing online related to the Packet of the A-machine.
One thing to explain is that in order to let the A function use the network normally, the B-machine must also open data forwarding.
You can use the sysctl -w net.ipv4.ip_forward = 1BSD system in Linux, you can use sysctl -w net.inet.ip.forwarding = 1
Solaris system can use NDD -SET / DEV / IP IP_FORWARDING 1
In addition to the support of this to open the kernel, you can also use external Fragrouter and other forwarders, so it will ensure that the A machine works normally.
In addition, the author of ETTERCAP pointed out that the Linux system of 2.4.x is in the ARP implementation. Considering the ARP spoof, it is not accepted to respond without requested, so it is also invalid to send ARP reply directly to this system, but Interestingly, although it doesn't accept the unsolicited ARP Reply, just receive the ARP's request, it will update your ARP cache,;), so, send a forged arp request! However, the author did not find this problem in his own experiment, and the author's system accepted a direct ARP Reply and updated his ARP table.
If everything is configured, the redirected A machine does not have any obvious feeling, the network is common, but the background data is around a small circle, not directly to the gateway, but the first via the B machine The B is forwarded to the gateway, because the packet has passed the B machine, then a network listening software on the B-machine, all data of the A machine will inevitably be listened. Monitoring in the exchange environment is implemented!
In addition, DSNIFF also provides Macof and other flooded Switch ARP tables, etc., which will not be introduced, and interested readers can check the relevant information.
ARP method monitoring
It is also a more difficult problem with the monitoring of the use of ARP mode. There are several not very ideal countermeasures.
The first is also the encrypted encryption, as much as possible to make the data in the LAN, which may be relatively optimal, but there may be a little difficult to implement it. One point to note that SSH1 is unsafe, and we mentioned DSNIFF and ETTERCAP can monitor SSH1 to implement intermediary listeners.
In addition, you can also consider designating static ARP, such as most UNIX systems support ARP to read the specified IP and MAC address corresponding file, first edit the contents of the content IP and MAC address, then use the command: arp -f / path / to / ipandmacmapfile read file, which specifies the static ARP address, even if the ARP Reply does not update your ARP cache, so that the ArpspoOF is lost. The Windows system does not have the parameter of -f, but has the -s parameter, specifies the IP and MAC address control relationship with the command line, such as ARP -S 192.168.1.33 00-90-6d-F2-24-00, but unfortunately, in addition to XP, other The version of the Window platform even though this, after receiving the forged ARP Reply, you will update your ARP cache, replace the old MAC address with the new MAC address, so you can't fight Arpspoof. And there is a shortcoming with static ARP, that is, if the network is large, the workload will be very large.
ARP method monitoring detection
The first is to detect the tools corresponding to the IP address and the MAC address, such as ARPWATCH, the system installed ARPWATCH will see the following prompt when the MAC address changes.
Apr 21 23:05:00 192.168.1.35 ARPWATCH: Flip Flop 192.168.1.33 0: 90: 6d: F2: 24: 0 (8: 0: 20: C8: Fe: 15) APR 21 23:05:02 192.168. 1.35 ARPWATCH: Flip Flop 192.168.1.33 8: 0: 20: C8: Fe: 15 (0: 90: 6d: F2: 24: 0) Apr 21 23:05:03 192.168.1.35 arpwatch: Flip Flop 192.168.1.33 0 : 90: 6d: F2: 24: 0 (8: 0: 20: C8: Fe: 15) It can be seen from the prompt that ARPWATCH detects a change in the gateway MAC address.
Secondly by means of some intrusion detection systems, such as Snort, there can be a certain detection effect. Open Arpspoof's PreProcessor switch in the Snort configuration file and configure it.
Author I have discovered that if you use local parsing, the anti-solution of the DNS server of the LAN local network is a good way. Analyze the packet when suspected of arpspoof, it is easy to find, as follows:
Nameserver # tcpdump -n -s 0 port 53tcpdump: listening on HME023: 19: 22.35.41797> 192.168.1.68.53: 32611 PTR? 33.224.102.202.in-addr.arpa. (45) (DF) 23: 19: 22.490467 192.168.1.35.41798> 192.168.1.68.53: 32611 ptr? 33.224.102.202.in-addr.arpa. (45) (DF)
Conclusion:
Above we introduce several major aspects of network monitoring technology, including the main technical details of network monitors, specific implementation, detection methods, and the like. In addition, a non-traditional monitoring method is also introduced. Through this article, it is hoped that the reader can generate some understanding of the network monitor.
