Difference between active and passive sniffing

Sniffing is a technique for gathering network information through capturing network packets. There are two types of sniffing – active sniffing and passive sniffing. In active sniffing, the packet sniffing software sends requests over the network and then in response calculates the packets passing through the network. Passive sniffing does not rely on sending requests. This technique scans the network traffic without being detected on the network. It can be useful in places where networks are running critical systems like process control, radar systems, medical equipment or telecommunication, etc. Please note that a packet sniffer can work only on a common collision domain. That means you can only use a packet sniffer on a network that you’re a part of. This implies that a packet sniffer can’t be used for any hacking attempt from outside the network.

Preparing to run NetworkMiner

NetworkMiner is a host centric network analysis tool with passive sniffing capabilities. Host centric means that it sorts data with respect to the hosts rather than the packets (this is done by most active sniffing tools). The NetworkMiner user interface is divided into tabs. Each tab provides a different angle of information of the captured data. The following are the steps to running NetworkMiner for it to analyze network traffic:

  1. If you are running Windows 7 or Windows 8, you will need to run NetworkMiner.exe with administrative privileges.

  2. Select the network interface for which the data has to be captured.

  3. By default, the Hosts tab is selected. You can sort hosts by IP address, MAC address, hostname, Operating System etc.

Press the start button to begin the sniffing process.

Analyzing data in NetworkMiner

On the Hosts tab, you will see a list of hosts connected to the network. You can expand any host to see detailed information like its MAC address, hostname, Operating System, TTL, Open ports, packets sent, received etc. A good network admin always has an overview of what data is being transmitted to and from his network. The list of hosts will give you a better idea of what type of network traffic you are using.

If you find a suspicious host, you can always block it through your firewall. The firewall should be the one from where all network traffic passes before reaching the destinations. If you block the host on your system firewall, it will only be blocked on your system. If you are using any other network sniffer that can save the PCAP file, NetworkMiner can also analyze the PCAP file and let you go through the data offline. One clever feature of NetworkMiner is that it can reassemble the files transmitted through the network and then download them in complete form. This can be done from the Files tab. You can also capture and download images from the network traffic from the Images tab. Sending passwords in clear can be highly dangerous for the network as a whole. If you want to check if any host is transmitting passwords in clear text, you can see it in the Credentials tab.

Conclusion

NetworkMiner can be highly useful for Wifi networks that are constantly open to new threats. It can audit and analyze network traffic regularly in order to block vulnerabilities and weak areas. If you are running a network, which packet sniffing tool do you use to check your security? Does it analyze and audit? I had been using Wireshark but have fallen in love with NetworkMiner because of its simplicity and ease of use. Image credit: Crawdad Network-Reuters coverage