Network Eavesdropping

Revision as of 16:47, 13 September 2008 by KirstenS (Talk | contribs)

Jump to: navigation, search
This is an Attack. To view all attacks, please see the Attack Category page.

ASDR Table of Contents


The Network Eavesdropping or network sniffing is a network layer attack consisting in capturing packets from the network transmitted by others computers and reading the data content in search of sensitive information like passwords, session token or yet any kind of confidential information.

The attack could be done using tools called network sniffers, these tools act collecting packets on the network and, depending on the quality of the tool, this could offer facilities to analyze the collected data like protocol decoders or stream reassembling.

Depending on the network context, to be the sniffing effective, some condition must be attended:

• Lan environment with HUBs

This is the ideal case because the hub is a network repeater that duplicates every network frame received to all ports. So the attack is very simples to be implemented because no other condition must be attended.

• Lan environment with switches

To be effective the eavesdropping a preliminary condition must be attended. Because a switch by default only transmit a frame to the port is necessary a mechanism that will duplicate or will redirect the network packets to evil system. For example to duplicate traffic to one port to another port is necessary to implement a special configuration on the switch. To redirect the traffic from one port to another it’s necessary a preliminary exploitation like the arp spoof attack. In this attack the evil system act like a router between the victim’s communication making, in this way, possible to sniff the exchanged packets.

• Wan environment

In this case to make a network sniff is necessary that the evil system became a router between the client server communications. One way to implement this exploit is done by a dns spoof attack to thr client system.

Network Eavesdropping is a passive attack very difficult to be discovered, it could be identified by the effect of the preliminary condition or, in some cases, by inducing the evil system to respond a fake request directed to the evil system IP but with the MAC address of a different system.

Risk Factors



When a network device called HUB is used on the Local Area Network topology, the Network Eavesdropping become easier, it´s because the device repeat all traffic received on one port to all other ports. Using a protocol analyzer, the attacker can capture all traffic on the LAN discovering sensitive information.


Figure 1. Local Eavesdropping attack.

Related Threat Agents


Related Attacks

Related Vulnerabilities

Related Controls