Basic principles of network monitoring on a LAN

xiaoxiao, 2021-03-06

The currently popular Ethernet protocol works as follows: a data packet to be sent is delivered to all the hosts connected together. The packet contains the address of the host that should receive it, and only the host whose address matches the destination address in the packet accepts it. However, when a host works in listening (promiscuous) mode, it receives the packet regardless of the destination address (of course, only packets that pass through its network interface).

Many local area networks on the Internet use the Ethernet protocol, with many hosts connected together by cables. When two hosts in the same network communicate, the source host sends a packet carrying the destination host's address to the destination host. However, this packet cannot be sent directly at the IP layer. It must be handed from the IP layer of the TCP/IP stack to the network interface, that is, the data link layer. The network interface does not recognize IP addresses, so at the network interface an Ethernet frame header is added to the packet. The frame header has two fields, the physical addresses of the source host and the destination host, which are what the network interface can recognize. Each is a 48-bit address that corresponds to an IP address.

When data is transmitted, the frame containing the physical addresses is sent from the network interface (NIC) onto the physical line. If the local area network is connected by thick or thin cable, the digital signal travels along the cable and reaches every host on the line. When a hub is used, the signal sent to the hub is passed on by the hub to every line connected to it, so the digital signal also reaches every host connected to the hub. When the signal reaches a host's network interface, the interface reads in the data frame and checks it: if the physical address carried in the frame is its own or the broadcast address, the frame is handed to the upper-layer protocol software, that is, the IP layer software; otherwise the frame is discarded. This process is performed for every data frame that reaches the network interface.

However, when the host works in listening mode, all data frames are handed to the upper-layer protocol software for processing. Moreover, when the hosts connected to the same cable or hub are logically divided into several subnets, a host in listening mode can also receive packets addressed to hosts that are not in its own subnet (those using a different mask, IP address and gateway). That is, all information transmitted on the same physical channel can be received. In addition, most of the protocols used on the network were designed very early, and many of them are based on mutual trust among all communicating parties, so much of the information is sent in clear text. Therefore, if users' account names and passwords are also transmitted over the network in clear text while a hacker or network attacker is monitoring the network, then with only basic knowledge of networking and TCP/IP the attacker can easily extract the parts of interest from the captured information. Likewise, proper use of network monitoring technology can detect intrusions and track intruders, and can obtain important information about criminal behavior when network crime is investigated, making it a powerful means of combating online crime.
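The receive check described above can be modelled offline, which makes it easy to see which hosts on a shared cable or hub hand a given frame to their upper layers. This is an added example, not code from the original article; the host names, MAC addresses and function names are constructed for illustration, and multicast filtering is left out.

```python
import struct

BROADCAST = bytes.fromhex("ffffffffffff")  # 48-bit broadcast address

def mac(text):
    """Convert 'aa:bb:cc:dd:ee:ff' into the 6 raw bytes used in a frame."""
    raw = bytes.fromhex(text.replace(":", ""))
    if len(raw) != 6:
        raise ValueError("a physical address is 48 bits (6 bytes)")
    return raw

def parse_header(frame):
    """Split the 14-byte Ethernet header: destination, source, EtherType."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    return struct.unpack("!6s6sH", frame[:14])

def nic_accepts(frame, own_mac, listening=False):
    """Pass the frame up if it is addressed to this interface or to
    broadcast; in listening mode every frame is passed up."""
    dst, _src, _ethertype = parse_header(frame)
    return listening or dst == own_mac or dst == BROADCAST

def deliver_on_shared_medium(frame, hosts):
    """hosts maps name -> (mac, listening). The signal reaches every host;
    return the receivers whose interface does not discard the frame."""
    _dst, src, _ethertype = parse_header(frame)
    return [name for name, (addr, listening) in hosts.items()
            if addr != src and nic_accepts(frame, addr, listening)]

def build_frame(dst, src, ethertype=0x0800, payload=b"constructed payload"):
    """Prepend the Ethernet header to a payload (0x0800 = IPv4)."""
    return struct.pack("!6s6sH", dst, src, ethertype) + payload

# Constructed sample: four hosts on one hub, only C is in listening mode.
HOSTS = {
    "A": (mac("02:00:00:00:00:0a"), False),
    "B": (mac("02:00:00:00:00:0b"), False),
    "C": (mac("02:00:00:00:00:0c"), True),
    "D": (mac("02:00:00:00:00:0d"), False),
}
A_TO_B = build_frame(HOSTS["B"][0], HOSTS["A"][0])
A_TO_ALL = build_frame(BROADCAST, HOSTS["A"][0])

if __name__ == "__main__":
    print("unicast A->B passed up by:", deliver_on_shared_medium(A_TO_B, HOSTS))
    print("broadcast from A passed up by:", deliver_on_shared_medium(A_TO_ALL, HOSTS))
```

Host D discards the unicast frame while C passes it up, which is why traffic that carries account names or passwords in clear text is exposed to any listening host on the same physical channel.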

When reposting, please cite the original address: https://www.9cbs.com/read-85465.html
