Network Monitoring basics. Promiscuous Mode, Hubs and Switches

If you are familiar with how network traffic analyzers operate and know what conditions must be met to use such applications successfully, you may skip this chapter.

Besides monitoring your own Internet traffic, i.e. the traffic of the PC the program is running on, you can use LanDetective to monitor Internet traffic on other computers, which is even more interesting ;)

While monitoring traffic on your own PC is a simple task, capturing traffic from other computers on the network can take considerable effort, because you cannot see their traffic by default.

So, to start analyzing traffic on other computers on the network, you need to decide how you are going to get access to it. Below you will read about several possible ways of solving this problem. Note that which way suits you depends directly on the configuration of your local network (its topology) and on the network equipment in use.

Monitoring Internet Traffic in the Promiscuous Mode

As mentioned above, network traffic on other computers on your local network is inaccessible to you by default. The problem is that every network packet is addressed to somebody, and if you are not the specified recipient of the packet, your network adapter must ignore it. In practice, however, since the very emergence of Ethernet most adapters have been able to accept packets that are not addressed to them: you only need to switch the adapter into a special operating mode, promiscuous mode. In this mode the network adapter accepts every packet flowing through its network segment indiscriminately. In a hub-based network, switching the adapter to promiscuous mode is sufficient to get access to all traffic on the local network, because a hub is a primitive device: when it receives a packet on one port, it simply retransmits it to all of its other ports. Thus it is sufficient to connect to any port on the hub to monitor the Internet traffic passing through it.

Monitoring Internet Traffic in Switched Networks

These days, the majority of local networks are switch-based. Unlike a hub, a switch, when it receives a packet on some port, retransmits it only to the one port where the recipient computer is connected. Switches maintain a table of MAC addresses and the ports associated with each address (the Content Addressable Memory, or CAM, table). When a switch receives a packet, it looks up the recipient's MAC address in the table and forwards the packet only to the matching port. Because of this, Internet monitoring with LanDetective may be limited: your adapter will receive only packets explicitly addressed to you, because the switch keeps other packets out of your network segment. Note that switches were created not to cut off traffic monitoring opportunities but to minimize network load and maximize bandwidth. Moreover, managed switches, which are widely available, have one feature on top of the common ones that specifically simplifies the operation of traffic analysis and Internet monitoring systems: a managed switch can be configured so that all packets passing through it are replicated to a certain switch port. Different manufacturers call this function by different names: Port Mirroring, Switched Port Analyzer (SPAN) or Roving Analysis Port (RAP). If you are the happy owner of a managed switch, consult your device's documentation to find out whether this feature is supported and how to activate it. Once Port Mirroring is active, you only need to connect to the specified switch port and use the promiscuous Capture mode in LanDetective to start monitoring Internet traffic.
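To make the difference between a hub, a plain switch and a switch with port mirroring concrete, here is an added Python model (written for this page, not LanDetective code) of the forwarding rules described above: a hub repeats every frame to all of its other ports, a learning switch keeps a CAM table and delivers known unicast frames to a single port, and a mirror port receives a copy of everything. Port numbers, MAC addresses and the traffic sequence are constructed for the example. It also shows the one thing a switch cannot help flooding: broadcasts and frames whose destination MAC it has not learned yet, which is why a promiscuous-mode station on an ordinary switch port still sees ARP queries but not the unicast exchange between two other ports.

```python
"""Hub, learning switch and mirror port: which frames reach an analyzer?

Added example; not LanDetective code. It models the forwarding rules the
chapter describes. Port numbers, MAC addresses and traffic are constructed.
"""

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Hub:
    """A hub has no address table: every frame is repeated to all other ports."""

    def __init__(self, ports):
        self.ports = list(ports)

    def forward(self, in_port, frame):
        # frame = (dst_mac, src_mac, payload); returns the ports the frame leaves on
        return [p for p in self.ports if p != in_port]


class Switch:
    """A learning switch with a CAM table (MAC -> port) and an optional mirror port."""

    def __init__(self, ports, mirror_port=None):
        self.ports = list(ports)
        self.cam = {}                   # MAC address -> port it was last seen on
        self.mirror_port = mirror_port  # SPAN/RAP port, if configured

    def forward(self, in_port, frame):
        dst, src, _ = frame
        self.cam[src] = in_port         # learn where the sender lives
        if dst == BROADCAST or dst not in self.cam:
            out = [p for p in self.ports if p != in_port]   # flood: broadcast or unknown
        elif self.cam[dst] != in_port:
            out = [self.cam[dst]]                           # known unicast: one port only
        else:
            out = []                                        # sender and receiver share a port
        if self.mirror_port not in (None, in_port) and self.mirror_port not in out:
            out.append(self.mirror_port)                    # copy for the analyzer
        return out


def frames_seen_by(device, monitor_port, traffic):
    """Replay traffic through device and return the frames that physically reach
    monitor_port. The station there is assumed to be in promiscuous mode, so it
    keeps every frame delivered to its port regardless of destination MAC."""
    seen = []
    for in_port, frame in traffic:
        if monitor_port in device.forward(in_port, frame):
            seen.append(frame)
    return seen


# Constructed scenario: host A on port 1 talks to router R on port 2 through the
# device; the analyzer is on port 3. MAC addresses are made up.
A, R = "02:00:00:00:00:0a", "02:00:00:00:00:0b"
PORTS = [1, 2, 3]
TRAFFIC = [
    (1, (BROADCAST, A, "ARP who-has router")),   # broadcast: flooded everywhere
    (2, (A, R, "ARP is-at")),                    # A was learned on port 1 by the first frame
    (1, (R, A, "HTTP GET")),                     # R was learned on port 2 by the second
    (2, (A, R, "HTTP response")),
]


def summary():
    """Number of the four frames the analyzer on port 3 sees in each setup."""
    return {
        "hub": len(frames_seen_by(Hub(PORTS), 3, TRAFFIC)),
        "switch": len(frames_seen_by(Switch(PORTS), 3, TRAFFIC)),
        "switch+mirror": len(frames_seen_by(Switch(PORTS, mirror_port=3), 3, TRAFFIC)),
    }


if __name__ == "__main__":
    for setup, count in summary().items():
        print(f"{setup:14s} analyzer saw {count}/4 frames")
```

Run as a script it reports 4/4 frames for the hub, 1/4 (only the broadcast) for the unmirrored switch, and 4/4 again once port 3 is configured as the mirror port.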

Although managed switches have these merits, unmanaged switches are still far more widespread (mostly because of their lower cost). In that case, if you would like to monitor Internet traffic, there are two ways to access traffic in a network built on unmanaged switches:

  1. Connect a managed switch or a hub into the network segment of interest where you want to monitor Internet traffic (for example, in front of the router used for accessing the Internet).
  2. Use a software-based method for monitoring Internet traffic in the switched network. Keep reading for more details about this method.

Using ARP-Spoofing for Monitoring Internet Traffic in Switched Networks

As mentioned above, a switch, being the connection point for network devices, retransmits data packets only to the ports that the recipients of the data are connected to.

Managed switches can be configured so that packets are replicated to a certain port. But what if the network uses unmanaged switches, or the switch configuration cannot be changed? Below you will find a brief description of a technique that you can take advantage of to solve this problem in certain cases.

This technique is based on weaknesses of the ARP protocol. ARP is used on a LAN to obtain the MAC address corresponding to a host's IP address. When a host on the local network exchanges data with a host on the Internet, the local host needs the MAC address of the router, and the router in turn needs the MAC address of the local host. To obtain a MAC address, the device sends a broadcast query to the network containing the IP address whose MAC address is required. As the query is network-wide, every computer on the local network receives it. On receiving such a query, the operating system of each computer compares the IP address in it with its own and, if they match, replies with the MAC address of its network adapter. To minimize the number of ARP queries, the operating system keeps a cache, the so-called ARP table of IP/MAC pairs, and issues an ARP query only if the sought MAC address is absent from the table. You can find more details on the ARP protocol on the Internet or in RFC 826.

The ARP-Spoofing technique relies on the fact that the ARP protocol provides no protection against MAC address forgery. Only the owner of the sought MAC address is supposed to reply to the broadcast query, but nothing prevents other computers on the network from replying to it. Moreover, many operating systems accept replies to ARP queries that they never issued. Together, these factors allow almost any host on a local network to be given a false MAC address. For example, you could give any host on the local network a false MAC address for the router, and give the router a false MAC address for that host. Now the host and the router, while communicating with one another, will send their packets to the false MAC addresses. What does that mean? It means that we can play a very interesting trick: use our own MAC address as the forged one, and the switch will deliver the packets from the local host and the router to us. But merely receiving the packets is not enough. While receiving the packets, we also need to forward them between the router and the local host; otherwise the two could not communicate with one another. That is the core of ARP-Spoofing: by supplying forged MAC addresses, we insert ourselves between computers on the local network. In particular, to intercept Internet traffic, we insert ourselves between the router and the other computers.

LanDetective Internet Monitor makes ARP-Spoofing as simple and convenient as possible. However, when using this technique for monitoring Internet traffic, you need to be aware of the following:

  1. Success with ARP-Spoofing depends on the configuration (topology) of your network. The network and its computers may be configured in a way that does not allow you to take advantage of ARP-Spoofing.
  2. Depending on your network configuration, ARP-Spoofing can cause problems with Internet access for other users on your network.
  3. Some firewalls treat the use of ARP-Spoofing as a network attack. And they are right, as this technique is a kind of Man-in-the-Middle (MitM) attack.

We recommend using ARP-Spoofing only as a last resort and only if you fully understand all possible side effects of the technique.
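Point 3 above is worth seeing from the other side: firewalls and network administrators notice ARP-Spoofing because of the inconsistencies it leaves in ARP traffic. The following added Python example (written for this page, not part of LanDetective) covers both the ARP frame layout from the protocol description above and a small watcher of the kind an administrator runs to spot those inconsistencies: it parses ARP-over-Ethernet frames according to RFC 826, tracks outstanding requests and learned IP/MAC pairs, and reports replies that were never requested or that contradict a mapping learned earlier. All MAC addresses, IP addresses and frames are constructed inline.

```python
"""Parsing ARP frames and spotting the inconsistencies ARP-Spoofing leaves behind.

Added example; not LanDetective code. Frame layout: Ethernet II header
(dst 6, src 6, EtherType 2 bytes) followed by the 28-byte ARP packet of
RFC 826 (htype, ptype, hlen, plen, oper, sender MAC, sender IP, target MAC,
target IP). All addresses and frames below are constructed for the example.
"""
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = b"\xff" * 6


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def parse_arp(frame):
    """Return the fields of an ARP-over-Ethernet frame, or None if it is not one."""
    if len(frame) < 42:                      # 14-byte Ethernet header + 28-byte ARP
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None                          # only Ethernet/IPv4 ARP is handled
    sha, spa, tha, tpa = frame[22:28], frame[28:32], frame[32:38], frame[38:42]
    return {"op": oper, "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}


def build_arp(op, sha, spa, tha, tpa):
    """Build a frame in the layout above (used here only to construct sample traffic)."""
    eth_dst = BROADCAST_MAC if op == ARP_REQUEST else tha
    return (eth_dst + sha + struct.pack("!H", ETHERTYPE_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + sha + spa + tha + tpa)


class ArpWatcher:
    """Keeps its own IP -> MAC table, like the OS ARP cache, but also checks what
    the protocol itself never checks: was this reply asked for, and does it agree
    with what was already learned about that IP?"""

    def __init__(self):
        self.table = {}        # IP -> MAC learned from earlier ARP traffic
        self.pending = set()   # (asking IP, asked-for IP) requests not yet answered
        self.alerts = []

    def observe(self, frame):
        arp = parse_arp(frame)
        if arp is None:
            return             # not ARP: nothing to learn
        if arp["op"] == ARP_REQUEST:
            self.pending.add((arp["spa"], arp["tpa"]))
        elif arp["op"] == ARP_REPLY:
            # A reply sent to host X about IP Y should match an earlier request (X, Y).
            key = (arp["tpa"], arp["spa"])
            if key in self.pending:
                self.pending.discard(key)
            else:
                self.alerts.append(
                    f"unsolicited reply: {arp['spa']} is-at {arp['sha']} sent to {arp['tpa']}")
        else:
            return
        self._learn(arp["spa"], arp["sha"])

    def _learn(self, ip, mac):
        known = self.table.get(ip)
        if known is not None and known != mac:
            self.alerts.append(f"mapping changed: {ip} was {known}, now claimed by {mac}")
        self.table[ip] = mac   # same behaviour as the OS cache: the last reply wins


# Constructed sample: host H asks for the router, router R answers, then a third
# station M sends an unrequested reply claiming the router's IP for its own MAC.
H_MAC, R_MAC, M_MAC = (bytes.fromhex(h) for h in ("02000000000a", "02000000000b", "02000000000c"))
H_IP, R_IP = bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1])
SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, H_MAC, H_IP, b"\x00" * 6, R_IP),
    build_arp(ARP_REPLY, R_MAC, R_IP, H_MAC, H_IP),
    build_arp(ARP_REPLY, M_MAC, R_IP, H_MAC, H_IP),
    H_MAC + R_MAC + struct.pack("!H", 0x0800) + b"\x00" * 28,   # plain IPv4 frame, ignored
]


def run_sample():
    """Feed the constructed frames to a watcher and return the alerts it raised."""
    watcher = ArpWatcher()
    for frame in SAMPLE_FRAMES:
        watcher.observe(frame)
    return watcher.alerts


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

The third frame produces two alerts: it answers a question nobody asked, and it contradicts the MAC already learned for the router's IP. Legitimate gratuitous ARP announcements (a host advertising its own address after boot or an address change) also show up as unsolicited replies, so a watcher of this kind reports for an administrator to review rather than blocking traffic on its own.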

Monitoring Internet Traffic in Wireless Networks (802.11)

Unlike Ethernet adapters, Wi-Fi adapters are rather complicated to use for monitoring Internet traffic. Everything hinges on how Wi-Fi support is implemented in the Windows operating system. The peculiarities of that implementation do not allow the standard Wi-Fi drivers to function in promiscuous mode, although Wi-Fi adapters are technically capable of accepting any packet (like their Ethernet kin). For this reason, some solutions for wireless network traffic monitoring rely on drivers specially designed for each supported Wi-Fi adapter. LanDetective Internet Monitor does not use any special drivers and can work with Wi-Fi adapters in only two modes:

  1. Monitoring your own Internet traffic, i.e. the traffic on the computer the program is running on.
  2. Monitoring Internet traffic using the ARP-Spoofing technique described earlier.