Sniffers monitor and record raw data that passes through, over, or by a physical network interface. They operate from a core part of a system’s networking stack, close to the hardware drivers that translate electrical impulses (or radio signals) from a wired or wireless connection into frames and packets. For example, a sniffer might tell an Ethernet interface to hand up all traffic it sees rather than just watch for traffic addressed to the device’s own address; this setting is called promiscuous mode.

Network interfaces are supposed to have a unique identifier tied to the device’s hardware. This identifier is the Media Access Control (MAC) address assigned to every interface. A device’s IP address may change depending on what network it’s connected to. For example, a laptop might have IP address 10.0.1.12 on a home network, 10.10.33.19 at a coffee shop, and 192.168.17.33 at work. Its MAC address remains the same across each network because the hardware hasn’t changed. (One caveat for anyone relying on this today: current mobile and desktop operating systems can present a randomized MAC address on Wi-Fi networks so that the burned-in address cannot be used to track the device, but the address still stays fixed for the life of a connection, which is all the link layer needs.)

Devices use the MAC address to negotiate data link layer connections. These are the connections that devices use to transfer higher-level protocols like TCP/IP. In order to join a network, a device broadcasts with its MAC address as the source (for example, a DHCP request asking for an IP address), since it does not yet know who else is present. A router, access point, DHCP server, or similar device responds, which tells the joining device the responder’s MAC address, and then supplies any additional information needed (such as an IP address, the default gateway, and DNS servers). After that, the Address Resolution Protocol (ARP) maps the IP addresses of neighbors to their MAC addresses as needed.

All of the devices within a local network segment may be able to see each other’s traffic. However, their interfaces are configured by default to ignore traffic that is not addressed to their own MAC address (or to the broadcast and multicast addresses they listen for). This does nothing to reduce congestion on the wire, since the frames are transmitted regardless; what it saves is host processing, so that devices are not interrupted by traffic they don’t need to deal with. A network sniffer disables that filter and watches for all traffic visible to the network interface, whether it’s destined for the host device or not. Sniffers have acquired a kind of mystical reputation for being able to break network security.
Everyone’s heard of them and is aware of their power, but many people outside the network security community think that sniffers are black magic used only by hackers, thieves, and other hoodlums. In fact, sniffers are just another useful tool for system and network administrators. The first sniffers were used to debug networks, not hack into them. While they can be used in the unauthorized capture of information and passwords, they can also diagnose network problems or pinpoint failures in an IP connection.

One way to limit the impact of sniffers is to employ encrypted channels for communicating with services. It’s now rare to find telnet services (an unencrypted protocol for remote system administration) because telnet has been replaced by the superior Secure Shell (SSH), which uses encryption. HTTPS has become more prevalent as protection for users who log in to web sites, although significant problems remain with the design and implementation of HTTPS for web sites. Other unencrypted services can be tunneled within protocols like IPsec or wrapped by the point-to-point encryption of Virtual Private Networks (VPNs).

Sniffers are effective debugging tools and equally effective hacking tools. Using one can be the equivalent of tapping someone’s phone, bugging someone’s room, or simply eavesdropping on the table next to you in a restaurant. If you are concerned about keeping your data confidential (a legitimate concern), then don’t transmit it over unencrypted channels. (You can’t rely on HTTPS to be present because many web developers have been too slow to modify their sites.)

A sniffer must have network visibility to the target traffic stream. This entails local proximity to one side of the communication or its path. Zero proximity would be on one of the end points itself, where a sniffer has no need for promiscuous mode because every packet of interest is already addressed to the host. (Opening a raw capture socket there still normally requires administrative privileges, such as root or CAP_NET_RAW on Linux, but code already running as the user can often read the same data at the application layer instead, before it is encrypted or after it is decrypted.)
Local proximity can be obtained on a LAN by being connected to the same networking hub as the targeted end point, since a hub repeats every frame to every port. On a switched LAN the switch forwards each frame only to the port that owns its destination MAC address, so promiscuous mode by itself yields little more than broadcast traffic; the sniffer then needs a mirror (SPAN) port on the switch or must redirect the target’s traffic through itself, for example by ARP spoofing. Local proximity on a wireless network requires being able to receive signals from the target’s wireless access point. A sniffer present anywhere on the communication channel is able to monitor traffic. It’s usually easier to gain proximity to a host, especially in wireless environments. But any networking device through which the traffic passes may copy, inspect, or modify data. This would be anything from small-scale Internet service providers to the infamous Great Firewall of China.

Visibility to traffic does not convey understanding of traffic. While it’s possible to monitor an encrypted channel, there’s no guarantee that intelligible communications may be extracted from it. However, there are many perils that developers fall into when designing and implementing an encrypted channel. We’ll look at how some kinds of mistakes can be leveraged by hackers.
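The two points made above, that an interface which is not in promiscuous mode only hands up frames addressed to its own MAC address, and that visibility to a channel yields its contents only when the payload is cleartext, shown in working code. This is an added example and is not code from the book. The hosts, MAC and IP addresses, and the three frames are constructed for the demonstration; `open_promiscuous_socket` is the Linux-specific, privileged version of the real capture, included for reference and not exercised by the offline demo.

```python
import base64
import re
import socket
import struct

ETH_HDR = struct.Struct("!6s6sH")   # destination MAC, source MAC, EtherType
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
BROADCAST = b"\xff" * 6


def build_frame(dst_mac, src_mac, src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame. Checksums are left zero, which
    does not matter for parsing (a real capture would carry valid ones)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0,
                     64, IPPROTO_TCP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ETH_HDR.pack(dst_mac, src_mac, ETHERTYPE_IPV4) + ip + tcp + payload


def parse_frame(frame):
    """Decode Ethernet/IPv4/TCP headers; returns None for anything else."""
    dst, src, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR.size:]
    ihl = (ip[0] & 0x0F) * 4            # IPv4 header length in bytes
    if ip[9] != IPPROTO_TCP:
        return None
    tcp = ip[ihl:]
    sport, dport = struct.unpack_from("!HH", tcp)
    data_off = (tcp[12] >> 4) * 4       # TCP header length in bytes
    return {
        "dst_mac": dst.hex(":"), "src_mac": src.hex(":"),
        "src": f"{socket.inet_ntoa(ip[12:16])}:{sport}",
        "dst": f"{socket.inet_ntoa(ip[16:20])}:{dport}",
        "payload": tcp[data_off:],
    }


def nic_would_deliver(frame, own_mac, promiscuous):
    """Model the interface's hardware address filter: without promiscuous mode
    only frames for our own MAC or the broadcast address reach the host."""
    dst = frame[:6]
    return promiscuous or dst == own_mac or dst == BROADCAST


def extract_credentials(payload):
    """Pull obvious secrets out of a cleartext payload (HTTP Basic auth and
    user/password form fields). Returns [] for anything unreadable, e.g. TLS."""
    found = []
    m = re.search(rb"Authorization: Basic ([A-Za-z0-9+/=]+)", payload)
    if m:
        found.append(("basic", base64.b64decode(m.group(1)).decode()))
    for m in re.finditer(rb"(?:^|[&?\s])(user(?:name)?|pass(?:word)?)=([^&\s]+)",
                         payload, re.I):
        found.append((m.group(1).decode().lower(), m.group(2).decode()))
    return found


def sniff(frames, own_mac, promiscuous):
    """For each frame the NIC would hand up, return (src, dst, credentials)."""
    seen = []
    for frame in frames:
        if not nic_would_deliver(frame, own_mac, promiscuous):
            continue
        pkt = parse_frame(frame)
        if pkt is not None:
            seen.append((pkt["src"], pkt["dst"], extract_credentials(pkt["payload"])))
    return seen


def open_promiscuous_socket(ifname):
    """The real capture on Linux (needs root or CAP_NET_RAW): a raw AF_PACKET
    socket with promiscuous membership. Numeric constants are from
    linux/if_packet.h (SOL_PACKET=263, PACKET_ADD_MEMBERSHIP=1, PACKET_MR_PROMISC=1)
    because the socket module does not export them. Not called by the demo."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(0x0003))  # ETH_P_ALL
    s.bind((ifname, 0))
    mreq = struct.pack("IHH8s", socket.if_nametoindex(ifname), 1, 0, b"\0" * 8)
    s.setsockopt(263, 1, mreq)
    return s                              # s.recv(65535) now returns every frame on the segment


# Constructed hosts and traffic: our sniffing laptop, a victim, and the gateway.
MY_MAC = bytes.fromhex("001122334455")
VICTIM_MAC = bytes.fromhex("66778899aabb")
GATEWAY_MAC = bytes.fromhex("ccddeeff0011")
SAMPLE_FRAMES = [
    # Victim logs in over cleartext HTTP; the frame is not addressed to us.
    build_frame(GATEWAY_MAC, VICTIM_MAC, "10.0.1.12", "203.0.113.10", 40001, 80,
                b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
                b"Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n\r\n"
                b"user=alice&password=hunter2"),
    # A response actually addressed to our own MAC.
    build_frame(MY_MAC, GATEWAY_MAC, "203.0.113.10", "10.0.1.7", 80, 40002,
                b"HTTP/1.1 200 OK\r\n\r\n"),
    # The same login over HTTPS: a TLS application-data record, body is ciphertext.
    build_frame(GATEWAY_MAC, VICTIM_MAC, "10.0.1.12", "203.0.113.10", 40003, 443,
                b"\x17\x03\x03\x00\x20" + bytes(range(32))),
]

if __name__ == "__main__":
    for mode in (False, True):
        print(f"promiscuous={mode}:")
        for src, dst, creds in sniff(SAMPLE_FRAMES, MY_MAC, mode):
            print(f"  {src} -> {dst}  credentials={creds}")
```

Run as a script, the first listing (promiscuous off) shows only the response frame that carries our MAC; the second shows all three frames, the HTTP POST gives up `alice:hunter2` twice (once from the Basic header, once from the form body), and the HTTPS record is seen but yields nothing, which is the "visibility is not understanding" point above. Swapping `SAMPLE_FRAMES` for `open_promiscuous_socket("eth0").recv(65535)` in a loop turns the same parser into a live sniffer on a hub or mirror port.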