In this mode the device submits all incoming traffic to the network interface and transmits the data for processing to the operating system. Devices that use this mode can be combinations of switches and routers, network tester or even a normal computer with a connection to a network.

For Wireless LANs in promiscuous mode it will only forward the packets of the network (access points) to which the client is currently connected. The Promiscuous Mode is unsuitable to receive packages from a network which you do not own because you need to authenticate yourself with the network.

The opposite of this mode is the non-promiscuous mode. In this mode the unit handles only the packets addressed to it and this happens for example in Ethernet networks, the evaluation of the MAC address plus broadcast packets.

Another method of usage is to detect network connectivity issues. Some programs use this feature to show everything that is transferred by the network and some of them can transfer passwords and data in clear text. So a normal user should stay away of this mode to prevent that someone else could steal this data while the transferring process.

As you can see the Promiscuous Mode should only be used by advanced users to avoid any damage to your system or to open the door for hackers. But when you know what you are doing this mode is quite powerful and you can repair your network without any problem.

Of course not every wireless card drivers support this mode because of it’s not a secure mode. If you need this mode you should watch out for another driver that supports the Promiscuous Mode. You can contact your device’s manufacturer and ask for a new driver.

FTP is very useful to share resources. Install a client, configure the FTP server IP address, enter the username and password, then we can download from the server and upload as well. It’s simple right? But have you ever been aware that your FTP password could be sniffed by a hacker?

Let’s check it out. I opened a network sniffer tool, Wireshark, and established a normal connection to a server. Then let’s see what we got.

Sniff FTP Usename Password with Wireshark

See the USER and PASS? They are my username and password. If there was a hacker sniffing my username and password right now like me, he could use them to login that server to upload and download.

Then, what should we do? We can use SSL to encrypt our username and password. I enabled Auth SSL and sniffed the connection again. Let’s check out how it worked.

FTP SSL Connection

We don’t see any packets with username or password because all of them are encrypted. It worked and nothing was exposed to the wild. Remember, we’d better also use encryption to help protect our password if possible. Sometimes maybe the password is not important, but the materials behind it are important.

Whose Packets Do You Want to Sniff?

We all know the nouns, hubs, switches, routers, firewall, etc., but there is possible that some of us may not know how the packet analyzers process the packets. So we should always think first which hosts’ packets we want to sniff, and on which device we should connect the machine with the packet analyzer software to capture traffic. This’s the first discipline. You can’t analyze and troubleshoot into network packets unless you capture them.

It’s quite often that someone new comes to a network analyzer software, he finds a packet sniffer software on the web, and can’t wait to install it on his PC. And then he fires it up expecting to capture all packets traversing through his network. Well, he’ll be disappointed that he can only see packets of his own machine in today’s network. But back to the 1990’s, when hubs were popular then, he could capture all traffic of a hub network without a problem. So today, besides hubs, we have more devices, switches, routers, firewalls, etc. Let’s see how we can capture packets if we are connected with these networking devices.

Capture Particular PC’s Packets

This is the simplest scenario that you are a network administrator suspecting the guy at marketing dept. is infected with a worm or virus because his machine keeps sending large volume of packets to consume the network bandwidth. So it’s a brilliant idea that you install a packet analyzer tool on his machine and look into his traffic pattern to prove it. Or you may just curious what applications are consuming your network bandwidth. And the answer to capture packets of a particular machine, you only need to install the protocol sniffer software on your system.  No matter it’s a Windows, Mac or Linux, you may find packet analyzer software for that platform. What is really required is a network interface card (NIC) which is able to run in promiscuous mode.

Capture Particular PC’s Packets

Economic Choice – Use Dumb Hub

Hubs are rarely these days, but if you’re fortunate enough to own one of those old jewels then make sure to hold on to it. If you have a 100M network, a cheap hub would be the perfect choice to be used to intercept the network packets. You might take advantage of ebay to find a second-hand hub if you are lucky enough. Be careful, some vendors tell you it’s a hub, but in fact it’s a switch.

How a hub looks like

So when you connect your machine (with packet sniffer software installed) to any port on the hub, you can sniff packets of all machines because the hub repeats all Ethernet frames arriving at on port to all other ports of the hub. The figure below shows how to capture packets on a hub. For example, in your home network, all your machines are connected with cables to a home router, and the router connects to the Internet. In this network, we can place a hub behind the router, and move all cables to the hub. So now, you can use any port to sniff all packets with a packet sniffer software.

Use dumb hub to capture packets

Cons of Capturing Packets on Hub

But there is a downside of using a hub. Because the hub repeats all packets to all ports, it increases packet collisions. And packet collision slows down your network connection rate. If you use a packet sniffer software to capture the packets, you will see more TCP retransmissions. So make sure you take out the hub and put the network back to its original topology when you finish packet sniffing.

Configure Port Mirroring (SPAN) on Managed Switch

There are two categories of switches, managed switch and unmanaged switch. It’ll be great if you have a managed switch over a hub. So as we mentioned at the beginning of the post, you can only sniff traffic of your own PC and some broadcast and multicast traffic, if you sniff on a PC which is connected to a switch (no matter managed or unmanaged ones).

Only capture limited packets

How can we sniff all packets on a switch? Don’t worry, the managed switches have a function called Port Mirroring. While this function has different names depending on the vendor, Cisco calls it SPAN. You can go to the switch management portal, and configure the switch to copy all sent (Tx) and received (Rx) frames, (or one part of it), of particular ports to a monitor port. You can connect your protocol analyzer software to the monitor port and sniff the traffic. The figure below shows how to use a protocol analyzer to sniff all traffic on a managed switch with port mirroring.

Use a protocol analyzer to sniff all traffic on a managed switch

Notes on Sniffing Traffic on Managed Switch Port Mirroring

1. On some switches you can also configure to copy traffic of all ports to a monitor pot, but this causes duplicate packets since each packet will be seen twice, the first time on the receive port and then another port it leaves on another port. It’s therefore usually wise to monitor only the uplink port if you wish to monitor all hosts connected to the switch.
2. You should also be careful using port mirroring over a high load switch. We shouldn’t forget that the primary functionality of a switch is to switching and forwarding traffic from the source port to the destination port rather than copying or mirroring the packets. This means if the switch’s load is high, it will prioritize switching the frames from source port to destination port over copying them to the monitor port. So on a high load switch, you may not get all traffic on the monitor port, and it’s unacceptable if you are on a network forensics investigation. So if this is your case, you may consider a network tap to precede your task.

Capture Unmanaged Switch Traffic

If your switch isn’t a managed switch but an unmanaged switch, you have two choices.

• Use a hub, and connect the network as figure below.
• Use a network tap.

Capture packets on an unmanaged switch

Use Network Tap to Capture Packets

What is a network tap? A network tap is a hardware device which provides a way to access the data flowing across a computer network. In many cases, it is desirable for a third party to monitor the traffic between two points in the network. If the network between points A and B consists of a physical cable, a “network tap” may be the best way to accomplish this monitoring. The network tap has (at least) three ports: an A port, a B port, and a monitor port. A tap inserted between A and B passes all traffic through unimpeded, but also copies that same data to its monitor port, enabling a third party to listen.

How a network tap look like

Using a network tap is the most reliable way to sniff traffic, which is easy to use and doesn’t affect your network performance (comparing with the hub and the switch’s port mirroring). The function of a network tap is to make a copy of each frame on a wire. Typically you insert a network tap between two nodes of your network, such as between the switch and the router, and you get all traffic between these two devices and it doesn’t affect the quality of the line. The figure below shows how to use a network tap to sniff traffic of the uplink of an unmanaged switch.

Use network tap to capture packets

Cons of Capturing Packets with Network Tap

But, network taps are expensive, and a good network tap will cost you more than 1,000 dollars, but it’s a reasonable choice between network monitoring reliability and budget. If you are considering investing in a network tap I recommend an aggregation tap, which is able to merge uplink and downlink traffic to a single monitor port. So you don’t need to have two NICs on your sniffing computer.

Techniques for Monitoring WAN Links

The cost of WAN Links versus Business Impact

Monitoring WAN links for availability and reliability is essential: business organizations absolutely require continuous uptime, fast response times, and minimal transmission errors. But the cost of WAN links is also a factor. A T1 line, which is the most common type of WAN link, provides 1.5 megabits-per-second (Mbps) of bandwidth at an average cost of $600 a month. A T3 line, which offers 45 Mbps of bandwidth, can cost $15,000 a month. Monitoring WAN link utilization can help ensure the business organization is receiving optimal network performance without over investing in network infrastructure.

Due to the cost of leasing a WAN link, it’s often difficult to justify an additional T1 or T3 line unless an existing link is consistently running at 80% utilization or higher. In theory, the link can run at 100% utilization, which may sound a bit like “getting the most bang for the buck,” but utilization rates fluctuate constantly depending on changes in network traffic. For example, utilization may be high in the morning when people come to work and read their email or later in the afternoon when customers scramble to submit their orders before going home for the day. And sometimes the network simply gets hit with a lot of traffic.

The point is, when monitoring link utilization, it’s important to allow for “spikes” in network traffic. Otherwise, if a link is running at 95% utilization, and network traffic spikes, the interface on the WAN router may become overwhelmed and start to drop packets or experience other sub-optimal behavior. Business application users and customers, in turn, will notice significantly reduced response times and throughput. So it’s crucial to monitor WAN links not only for availability and reliability, but for utilization as well to determine a nominal utilization rate that can withstand spikes without impacting the business organization. Also, should high utilization rates begin to impact business efficiency, collecting historical data on utilization rates can underscore a business justification for an adding a new WAN link.

Key Metrics for Monitoring WAN Links

When monitoring WAN links, the three key metrics to consider are availability, utilization, and latency.

Availability is the “up” or “down” status of a router interface over time (also referred to as “uptime”). High availability (99-100%) indicates the WAN link is fully available to business users. Low availability (less than 95%) may indicate a persistent problem with the router or WAN link.

Utilization is the percent of data throughput relative to the maximum capacity of the router interface. Ideally, interface utilization should not exceed 70% or 80%. If utilization is consistently running above 90%, business users may experience reduced performance. Low utilization, on the other hand, indicates the interface is operating well below capacity.

Latency is the time it takes in milliseconds for a data packet to travel across the WAN link. High latency means data travels more slowly across the network, which can affect business users. Typically, high latency is caused by network congestion over the WAN link.

Tools for Monitoring WAN Links

There are a number of simple, easy-to-use tools for monitoring WAN links. As most network managers know, the ping command on a Windows or UNIX computer measures the “round trip” latency across a WAN link by “pinging” a device or computer at the far end of the link. For example, pinging a computer on the East coast from a computer on the West coast shows the round trip latency for the link, point-to-point, averages 117 milliseconds. For more detail, the trace route command lists the physical routers that form the WAN link and the number of milliseconds required for each “hop” between routers.

Because most network devices are SNMP-enabled, an SNMP monitoring tool can be used to measure the availability and utilization of the router interfaces that host the WAN link. For instance, SNMP OID Tracker, a free desktop SNMP tool, can graphically monitor any SNMP MIB-2 object. Monitoring the ifOperStatus (operational status) object shows the availability or up/down status of the interface, and the ifInOctets (octets in) and ifOutOctets (octets out) objects can be used in conjunction with the ifSpeed (interface speed) object to calculate interface utilization.

Capsa Free is a must-have freeware network analyzer for Ethernet monitoring, troubleshooting and analysis. It provides users with great experience to learn how to monitor network activities, pinpoint network problems,enhance network security and so on. Moreover, Capsa Free is a perfect choice for students, teachers and computer geeks to learn protoclos and networking technology knowledge.

Why Choose Capsa Free

• Your own dashboard, important parameters in one place and in graphs
• Record network profile, set your analysis objective and perform customized analysis.
• Powerful customizable alarm, customize dozens of alarm trigger combinations.
• Identify and analyze more than 300 network protocols, create and customize protocols, analyze unique protocol traffic.
• Intuitive TCP timing sequence chart.
• Accurate MSN & Yahoo Messenger monitoring statistics.
• Email monitor and auto-saving Email content.
• Enhanced, Customizable Reports.

Download

If you go deeper to network monitoring, you will find it has more powerful uses. Networking professionals use network monitoring technologies to go deep into the networking world. For example, network monitoring can be used to capture all zero and one bits traveling through the wire or wireless and network professionals can use them to troubleshoot network problems, find network attacks, and monitor user activities, etc.

Use of Network Monitoring in Business

Network monitoring has its irreplaceable function in business network management. For a corporate network, network monitoring is critical for IT management department. Network monitoring can be used to:

• Arm network admin for effective network maintenance, to reduce network downtime
• Monitor and improve employee productivity
• Find network breaches to enhance network security
• … …

To troubleshoot and resolve network problem is one of the most important uses of network monitoring in corporate network, a network monitoring tool monitors the internal network and the network admin can use it to resolve slow network connection, lost-in-space e-mail, questionable user activity and file delivery caused by overloaded, crashed servers, dicey network connections or other devices.

Network monitoring can be achieved using various types of network monitor software or a combination of out-of-box hardware and software solutions. Virtually any kind of network can be monitored no matter it’s wired with cable or wireless, a LAN, VPN or SIP’s WAN. You can monitor devices on different operating systems, Windows, Linux and Mac, etc. Besides, you can also monitor wireless traffic from cell phones, ranging from Android, iOS and BlackBerrys. These systems can help you identify specific activities and performance metrics, producing results that enable a business to address various and sundry needs, including meeting compliance requirements, stomping out internal security threats and providing more operational visibility.

Colasoft MAC Scanner (Free)

Colasoft MAC Scanner Free Screenshot

By its name – MAC Scanner, in fact it’s not just a MAC scanner. You can use it to scanner all alive MAC/IP addresses in a subnet. And it’s not just MAC and IP addresses, you can see the name of each machine as well. It uses ARP protocol, so this MAC Scanner can only scans MAC and IP addresses in a subnet. So we start a scan, and we get all the MAC addresses and IP addresses in our network, we can print out the list. So we can quickly look up the machine. And most of all, it’s free. There is also a more powerful commercial edition out there as well. It has a database, so you can edit and manage your addresses pool in the database.

Guess what. We find a way that you can get the commercial edition for FREE. How we do this? Keep it secret. You just need to download and install another product from Colasoft - Colasoft Capsa – it’s a network analysis software (what are the best network analysis freeware?). Also it’s free. And you’ll find it has the commercial version of Colasoft MAC Scanner built-in. So now, you get the full version. Download MAC Scanner Free @ http://www.colasoft.com/mac_scanner/index.php?act=download_success&v=free.

Fluke IP Inspector

Fluke IP Inspector

IP Inspector is also a freeware, but it takes many steps to register, check email, download, and activation. Even it’s freeware, but also requires activation, if you don’t, you can only use it for 7 days. Let’s see what IP Inspector can do.

1. Scan IP of multi-segments, so we can scan all IP addresses of the entire network on a single machine.
2. Scan IPv4 & IPv6 (but I don’t know how to input IPv6 addresses).
3. Scan variety types of ports, i.e. HTTP (80), echo (7), FTP (21), and also use port combination.

We can start a scan, and let’s see what we get. IP Inspector shows the IP addresses that you need to scan, IPv6 addresses if any, host name, MAC address of the IP, and when the address is first found and last found. Another feature is that you can click menu icon > Export, the records will be copy and paste to Excel book. Then you can edit, print or save in Excel. A good feature for documentation. Download IP Inspector @ http://www.flukenetworks.com/content/ip-inspector-utility-download.

(More to continue…)

The instructions below were on my MacBook. So YMMV.

Create an adhoc wireless network

Use the Wireless icon on the top status bar and create a computer-to-computer Wireless network. This effectively makes your MacBook an access point (kinda).

You’ll get the following dialog. Click okay. badboy is my machine name. Don’t ask why.

Start Wireshark on en1

Since we are interested in the application traffic, we use the the capture filter to prune out IGMP, MDNS and other such networky (scientific term) packets. If you are a packet geek, then leave the capture filter empty.

Start the layer2 bridge

Before you go huh, say what, l2bridge is the tool that we are releasing to the community. We expect that you have en0 (the wired network) hooked up to your LAN (home or office) with DHCP enabled.

$ git clone.com/pcapr/l2bridge.git$ cd ./l2bridge $ make $ sudo ./l2bridge en1 en0

l2bridge is a really simple user-mode layer2 forwarder. It uses libpcap to read and write packets from the named interfaces. Packet comes in on en0, it goes out on en1 and vice versa. It kinda makes a virtual wire out of two physical interfaces interfaces.

WARNING: If you bridge en1 and en0 without the adhoc network, you are going to cause serious broadcast storms on the network with ARP floods and all sorts of other nastiness!

Okay, so we have everything ready except the iPhone.

Point iPhone to our badboy network

Go to Settings/General/WiFi and turn it on. You should see the adhoc network you created in step 1. Go ahead and join the network.

Okay, I just used the Photo Booth to take the picture ‘cos I was too lazy. Anyways we are done!

Topology

So here’s how the whole thing looks:

If your LAN has DHCP (recommended), your mobile device should get a lease and come up as any other host on the network. Once that happens, all its packets belongs to you!

What to do with these packets?

Well, a number of things:

• Index 30 minutes worth of your iPhone traffic with xtractr and geek out with charting, reporting and analyzing everything your phone is doing
• Be nice and pull out application traffic to contribute to the pcapr community
• If you are a Mu customer, turn these packets into Studio scenarios so you can Fuzz and Scale test these apps

1) Download and Install Paros

Grab the download from the Paros site. Your install process will differ depending on your O/S, but they’ve provided some install instructions here. Everybody will need the Java Runtime Environment 1.4 or above.

2) Configure Paros

Once installed, launch Paros and find the configuration options (on OS X they are under Tools -> Options). Paros is configured by default to listen on localhost only, but we are going to route our iPhone’s traffic through Paros, so we need to set it to listen on the IP address of the interface connected to the same LAN as the iPhone.

My LAN’s network is 1.1.1.0/16, so I’ll configure the Local Proxy address accordingly:

Configure Local Proxy on Mac

That should be the only setting that we need to fuss with. Paros is all set and listening on port 8080, let’s configure the iPhone to route its traffic through our proxy!

3) Configure iPhone

On the iPhone, open the “Settings” app and navigate to the Wi-Fi page. Once there, edit the settings for the wireless network you are currently connected to (this needs to be the same network where your proxy is running). To do this, click the little blue arrow on the right side of the screen.

Configure Local Proxy on iPhone

Now, scroll all the way to the bottom of the settings page and change the “HTTP Proxy”setting to manual. Enter the IP address and port number of your Paros Proxy.

Configure Local Proxy on iPhone Step 2

All set! Now all web traffic to and from the iPhone is routed through Paros. Let’s go see what we can see.

4) Using Paros

The main section of Paros is the “Request/Response/Trap.” As the iPhone talks through Paros to Internet sites, it will display the iPhone’s request and the server’s response. The “trap” functionality allows you to stop either the request or the response and view/modify it before sending it along to the recipient. Trapping is very cool, and why Paros is used for security auditing, but for our purposes we just want to see what is going on, so I won’t explain it any further.

For now, let’s see what happens when we fire up my iPhone’s “App Store” app:

In the bottom section of the screen is the history viewer. There we can see that my iPhone made 4 requests to different servers ( 3 GETs and 1 POST):

HTTP Log List in Paros

Highlighting the first GET in the history list shows its details. The iPhone’s HTTP request header looked like this:

HTTP Request in Paros

One noteworthy tidbit is that the iPhone is sending a custom header (X-Apple-Connection-Type) which tells the server that it is connected to WiFi. Next, let’s take a look at the server’s response:

HTTP Resonse in Paros

Wireless network, different from the wired computer network using many kinds of cables, is the new type of computer network that it doesn’t required any type of cable to connect the devices up. The industrial standard of the wireless networks has 802.11a, b, g, n wireless protocols.

Wireless Traffic Monitoring Requirements

To plan for wireless traffic monitoring, there are few thing to consider. It’s not hard and you just need to prepare something software and hardware.

1. Determine why and where to capture wireless traffic. To get quality wireless signal, try your best to get close to the object that you want to monitor wireless traffic from.
2. Install wireless monitoring software on your pc or laptop. You can find lots of wireless traffic sniffer tools on the web. And lots of them are freeware.
3. Prepare a wireless adapter. Some wireless monitor tools require specific wireless adapter or specific driver. So you may need to get one wireless adapter for your wireless traffic monitor software.
4. Get wireless security key for the wireless network if it uses encryption. It’s often that wireless networks implement encryption for security purposes. So you need the key for the wireless traffic monitor software to decode the wireless data.
   

   Wireless Traffic Monitoring

Wireless Traffic Monitoring Freeware

You must want to know what the best wireless traffic monitor software is on the web so you save your time to try them out one by one. When it comes to traffic monitoring, no matter for Ethernet or wireless networks, Wireshark, formerly known as Ethereal, is a full-featured, multi-platform and FREE network traffic monitor freeware. It’s a great choice for network debugging and network traffic monitoring because it’s able to decode each file of data in the packet as the RFC specifications. It also provides additional information about those protocols that are not always available in other sniffers making it quite simple to use with limited training. Of course you should be able to understand the protocols to get the full benefit of the sniffer output.

Additional Equipment for Wireless Traffic Monitoring

Because wireless traffic transmits in air, it’s helpful if you have better equipment to perform wireless traffic monitoring. Equipment that may be useful for wireless traffic monitoring includes:

1. a wireless network card supports 802.11a, b, g, n
2. an omni-directional antenna
3. a high-gain yagi directional antenna
4. pigtail cables for the yagi and omni-directional antenns
5. a USB GPS adapter

If you are interested in capturing network packets from a wired network, take a look at this post:
Where to Capture Packets with Packet Analyzer on Network.