IP packets, which exist at layer three of the OSI model, are encapsulated inside layer two frames. On wired LANs, they are Ethernet frames. On wireless LANs, they are 802.11 frames. In the context of capturing and analyzing network traffic, even though the lowest unit to analyze is the frame, it's still called packet sniffing. Every single bit, all the ones and zeros that go in and out of a NIC, can be seen and analyzed. There's an option to see them in true binary, or even hexadecimal. But, as humans, we prefer a format that is more intuitive. A packet sniffer, implemented in software or hardware, will not only intercept and log all the ones and zeros moving in and out of a NIC, but also show them to us in a human-readable format, in addition to binary and hexadecimal. All of the fields of every single frame, packet, segment, datagram, and upper-layer data will be shown with their names, along with their corresponding data values. For example, in the IP packet: source IP address 192.168.1.113, destination IP address 192.168.1.107. We will see the contents as they're listed in the RFCs or other specifications.
Packet sniffers can provide a great deal of insight into network traffic.
They can monitor data in motion and serve as the primary data source for day-to-day network monitoring and management.
Monitor network usage, including internal and external users and systems.
Gather and report network statistics.
Verify adds, moves, and changes.
Verify internal control system effectiveness in firewalls, access control lists, web filters, spam filters, and proxies.
Document regulatory compliance by logging all perimeter and endpoint traffic.
Monitor WAN bandwidth utilization.
Monitor WAN and endpoint security status.
Analyze network problems.
Debug client/server communications.
Debug network protocol implementations.
Gain information for carrying out a network intrusion.
Spy on other network users by eavesdropping on unencrypted data.
Collect sensitive information, such as login details or user cookies, depending upon encryption being used.
Capture packets for subsequent playback in replay, man-in-the-middle, and packet injection attacks.
Reverse engineer proprietary protocols used over the network.
Detect network intrusion attempts.
Detect network misuse by internal and external users.
Filter suspect content from network traffic.
While encryption doesn't stop packet sniffers from seeing header fields, including source and destination MAC addresses at layer two, source and destination IP addresses at layer three, and source and destination ports at layer four, the payload or data portion that's encrypted appears as gibberish to the packet sniffer. This is where SSL/TLS encrypted data, versus plain-text HTTP, comes into play. Modifying or injecting data into the packets would cause errors that would be obvious when decryption is attempted at the other end.
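The following is an added example, not code from the original page or from any sniffer project. It decodes a constructed Ethernet frame carrying the IP addresses used above, showing that the layer two, three and four fields decode by name in both cases while only the plain-text HTTP payload is readable. The MAC addresses, ports, payloads and the function names `build_frame` and `decode_frame` are assumptions made for the illustration.

```python
import socket
import struct

def build_frame(dport: int, payload: bytes) -> bytes:
    """Constructed sample: Ethernet II + IPv4 + TCP, checksums left at zero."""
    eth = bytes.fromhex("00005e005302" "00005e005301") + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton("192.168.1.113"),
                     socket.inet_aton("192.168.1.107"))
    tcp = struct.pack("!HHIIBBHHH", 49152, dport, 0, 0, 0x50, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

def decode_frame(frame: bytes) -> dict:
    """Name the layer 2-4 header fields, then describe the payload."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    fields = {"eth.dst": dst.hex(":"), "eth.src": src.hex(":"),
              "eth.type": f"0x{ethertype:04x}"}
    if ethertype != 0x0800:            # only IPv4 is decoded here
        return fields
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (ip[0] & 0x0F) * 4           # IPv4 header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    ip = ip[:total_len]                # drop any Ethernet padding
    fields.update({"ip.src": socket.inet_ntoa(ip[12:16]),
                   "ip.dst": socket.inet_ntoa(ip[16:20]), "ip.proto": ip[9]})
    if ip[9] != 6 or len(ip) < ihl + 20:   # only TCP is decoded here
        return fields
    tcp = ip[ihl:]
    fields["tcp.srcport"], fields["tcp.dstport"] = struct.unpack("!HH", tcp[:4])
    payload = tcp[(tcp[12] >> 4) * 4:]  # skip TCP header and options
    # TLS record header: content type 20-23, major version 3, 2-byte length
    if len(payload) >= 5 and 20 <= payload[0] <= 23 and payload[1] == 3:
        fields["payload"] = f"TLS record type {payload[0]}, {len(payload) - 5} opaque bytes"
    else:
        fields["payload"] = payload.decode("ascii", "replace")
    return fields

if __name__ == "__main__":
    # Constructed payloads: a plain HTTP request and a TLS application-data record
    samples = {"HTTP": build_frame(80, b"GET /index.html HTTP/1.1\r\n\r\n"),
               "TLS": build_frame(443, b"\x17\x03\x03\x00\x10" + bytes(16))}
    for name, frame in samples.items():
        print(name, decode_frame(frame))
```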
A packet sniffer can only capture packet information within a given subnet or on a particular device's NIC. An attacker can't place a packet sniffer on their own network and capture network traffic from inside a corporate network. However, there are ways to hijack a system running on an internal network and make it packet sniff from a remote location. While there are a few dozen packet sniffers, some with specialized purposes, there is one that stands above the rest. From Wireshark's website: Wireshark is the world's foremost and widely used network protocol analyzer. It lets you see what's happening on your network at a microscopic level, and is the de facto, and also de jure, standard across many commercial and nonprofit enterprises, government agencies, and educational institutions. Wireshark development thrives thanks to the volunteer contributions of networking experts around the globe, and is the continuation of a project started by Gerald Combs in 1998.