Network sniffing is
|“||a passive technique that monitors network communication, decodes protocols, and examines headers and payloads to flag information of interest. Besides being used as a review technique, network sniffing can also be used as a target identification and analysis technique.||”|
Reasons for using network sniffing include the following:
- Capturing and replaying network traffic
- Performing passive network discovery (e.g., identifying active devices on the network)
- Identifying operating systems, applications, services, and protocols, including unsecured (e.g., telnet) and unauthorized (e.g., peer-to-peer file sharing) protocols
- Identifying unauthorized and inappropriate activities, such as the unencrypted transmission of sensitive information
- Collecting information, such as unencrypted usernames and passwords.
Network sniffing has little impact on systems and networks, with the most noticeable impact being on bandwidth or computing power utilization. The sniffer — the tool used to conduct network sniffing — requires a means to connect to the network, such as a hub, tap, or switch with port spanning.
One limitation to network sniffing is the use of encryption. Many attackers take advantage of encryption to hide their activities — while assessors can see that communication is taking place, they are unable to view the contents. Another limitation is that a network sniffer is only able to sniff the traffic of the local segment where it is installed.