To illustrate how a packet sniffer works, first one must understand how a network hub (as used in this example) works.
When network traffic is sent from upstream to a host attached to the hub, the hub re-transmits this data to all hosts on the hub. By default, the NIC in a computer is not set to promiscuous mode; in other words, unless the traffic is addressed to (a) broadcast or (b) specifically its address, it ignores it.
At this point, the packet sniffer can operate in one of two modes: it can sniff only the traffic addressed to it, or it can enter promiscuous mode and sniff all traffic received.
Since the most common use of packet sniffers is on college networks, the obvious choice is to tell your packet sniffer of choice to enable promiscuous mode. At this point, you are now receiving a massive list of all network traffic generated by everyone on your hub.
At most dorms, this is a good 10+ people on a single network hub, which enables the person running the sniffer to gather POP passwords (generally unencrypted), as well as monitor AIM conversations, keep track of what websites everyone browses, etc.
And the packet sniffer is nice enough to sort by which IP address each packet comes from, and filter based on protocol.
This only covers the negative aspects of packet sniffers, however, and they have many legitimate uses, such as testing to see if a NIC is functioning properly, to ensure that workers in an office aren't cruising porn sites on company time, etc.
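The receive filter and promiscuous mode described above, as an added example that is not part of the original writeup: `nic_accepts` models the NIC's accept/ignore decision for one Ethernet frame, and `promiscuous_interfaces` is a check an administrator can run on a Linux host to see which interfaces have the promiscuous flag set. It assumes Linux sysfs at `/sys/class/net`; the function names, MAC addresses and flag values in `demo` are constructed for illustration.

```python
import os
import tempfile

IFF_PROMISC = 0x100          # promiscuous bit in the Linux interface flag word
BROADCAST = b"\xff" * 6      # Ethernet broadcast destination address


def nic_accepts(frame: bytes, nic_mac: bytes, promiscuous: bool) -> bool:
    """Model the receive filter described above (broadcast or own address)."""
    if len(frame) < 14:                  # shorter than an Ethernet header
        return False
    dest = frame[:6]                     # destination MAC is the first 6 bytes
    return promiscuous or dest == BROADCAST or dest == nic_mac


def is_promiscuous(flags_text: str) -> bool:
    """Test the IFF_PROMISC bit in the contents of a sysfs 'flags' file."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def promiscuous_interfaces(sysfs_root: str = "/sys/class/net") -> list:
    """Return the names of interfaces whose flag word has IFF_PROMISC set."""
    found = []
    if not os.path.isdir(sysfs_root):    # not Linux, or sysfs not mounted
        return found
    for name in sorted(os.listdir(sysfs_root)):
        try:
            with open(os.path.join(sysfs_root, name, "flags")) as fh:
                if is_promiscuous(fh.read()):
                    found.append(name)
        except (OSError, ValueError):    # unreadable or malformed entry
            continue
    return found


def demo() -> list:
    """Build a constructed sysfs tree with one normal and one promiscuous NIC."""
    with tempfile.TemporaryDirectory() as root:
        for name, flags in (("eth0", "0x1003"), ("eth1", "0x1103")):
            os.mkdir(os.path.join(root, name))
            with open(os.path.join(root, name, "flags"), "w") as fh:
                fh.write(flags + "\n")
        return promiscuous_interfaces(root)


if __name__ == "__main__":
    print("constructed tree:", demo())
    print("this host:", promiscuous_interfaces())
```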