Wednesday, September 26, 2007

Wireless Packet Sniffers

A packet sniffer is software or hardware that intercepts and logs traffic passing over a digital network or part of one. As data streams travel back and forth over the network, the sniffer captures each packet, then decodes and analyzes its content according to the relevant protocol specifications. It is also known as a network analyzer or protocol analyzer, or, for particular types of networks, an Ethernet sniffer or wireless sniffer. Sniffing programs have been around for a long time in two forms: commercial packet sniffers, used to help maintain networks, and underground packet sniffers, used to break into computers.

The packet sniffers can be used to:
  • Analyze network problems.
  • Detect network intrusion attempts.
  • Gain information for effecting a network intrusion.
  • Monitor network usage.
  • Gather and report network statistics.
  • Filter suspect content from network traffic.
  • Spy on other network users and collect sensitive information such as passwords (depending on any content encryption methods which may be in use).
  • Reverse engineer protocols used over the network.
  • Debug client/server communications.
  • Debug network protocol implementations.

Wireless Sniffers
More and more wireless sniffers are becoming available. The first question in wireless sniffing is the signaling. The 802.11b standard uses "spread spectrum" technology, which lets many users share the same spectrum, much as cellular networks do. CDMA uses spread spectrum, where each "code" (code division multiplexing) determines the sequence used to "spread" the signal. So, in theory, spread spectrum makes eavesdropping impossible: the eavesdropper would need to know the "spreading" function used.

Spread-spectrum technology came out of the Cold War as a way of sending signals that were nearly impossible to eavesdrop on. The theory is that an eavesdropper hears only white noise, and that even proving there is a signal could be difficult. However, this assumes that the "spreading function" can be communicated securely to both the transmitter and the receiver. That isn't reasonable in the consumer-grade products we'll be buying: the keys will be distributed manually, and there aren't that many of them. The upshot is that spread spectrum has little impact as an anti-sniffing countermeasure. Encrypting the data in the communication will make sniffing difficult, but not impossible.
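As an added illustration of the point above (this is example code, not part of the original post): the 11-chip Barker sequence that 802.11b uses at its 1 and 2 Mbit/s rates is fixed by the standard, so despreading needs no secret at all. The example spreads a few data bits with that sequence, adds constructed channel noise, and shows that the public code recovers every bit while a shifted (wrong) code yields correlations near zero, leaving the noise to decide each bit.

```python
import random

# The 11-chip Barker sequence 802.11b uses for its 1 and 2 Mbit/s DSSS rates.
# It is fixed by the standard and public, so any receiver can despread with it.
BARKER_11 = [+1, -1, +1, +1, -1, +1, +1, +1, -1, -1, -1]


def spread(bits, code):
    """Spread each data bit over len(code) chips: bit 1 -> +code, bit 0 -> -code."""
    chips = []
    for bit in bits:
        symbol = 1 if bit else -1
        chips.extend(symbol * chip for chip in code)
    return chips


def correlate(chips, code):
    """Correlate each bit-length window of chips with the code.
    With the right code every value is about +-len(code); with a wrong
    code the values collapse toward zero and the noise decides the bit."""
    n = len(code)
    return [sum(x * c for x, c in zip(chips[i:i + n], code))
            for i in range(0, len(chips) - n + 1, n)]


def despread(chips, code):
    """Decide each bit by the sign of its correlation."""
    return [1 if corr > 0 else 0 for corr in correlate(chips, code)]


def add_noise(chips, amplitude, seed=1):
    """Constructed channel noise: uniform in [-amplitude, amplitude] per chip."""
    rng = random.Random(seed)
    return [x + rng.uniform(-amplitude, amplitude) for x in chips]


def rotate(code, k):
    """A 'wrong' code: the same chips cyclically shifted by k positions."""
    return code[k:] + code[:k]


def demo(bits, noise_amplitude=1.0):
    """Return bits recovered with the public Barker code and with a shifted one."""
    noisy = add_noise(spread(bits, BARKER_11), noise_amplitude)
    return despread(noisy, BARKER_11), despread(noisy, rotate(BARKER_11, 1))


if __name__ == "__main__":
    good, bad = demo([1, 0, 1, 1, 0, 0, 1, 0])
    print("public code:", good, "shifted code:", bad)
```

With noise amplitude 1.0 the correct code's correlation is 11 plus a noise term strictly inside (-11, 11), so the decision never flips; the shifted code's correlation is only -1 per bit before noise, which is why it carries no confidentiality.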

A few Sniffers available...

AirSnort is a wireless LAN (WLAN) tool that recovers encryption keys. It operates by passively monitoring transmissions and computes the encryption key once enough packets have been gathered.

Airosniff can be used to help identify wireless networks by sniffing SSIDs. Written for the Cisco Aironet card, it lets one seek out wireless networks, auto-configure the card for sniffing, and identify access point vendors.

Ethereal is a GUI sniffer that understands 802.11b frames. Unfortunately, right now the only way to get wireless frames into Ethereal is to use Linux 2.4.6 (or custom patches to 2.2.19), or the latest bleeding-edge FreeBSD with patches to libpcap and BPF.

Wavemon is a text-mode wireless utility. It shows all the iwconfig information on a screen that refreshes itself, along with a histogram of signal strength and a list of in-range APs.

Grasshopper is a handheld wireless receiver designed specifically for sweeping and optimizing local area networks. The instrument measures coverage of direct-sequence CDMA networks operating on the IEEE 802.11b standard, letting the user measure and determine the AP (access point), PER (packet error rate) and RSSI signal levels, which helps in locating the hub and access points throughout a building. Grasshopper detects and distinguishes narrow-band and multipath interference, such as that from microwave ovens and frequency-hopping systems, and features a built-in display, keypad and removable battery pack for true portability.