First, what is network sniffing? It’s listening to the bits on the wire (or in the air) that are sent between computer systems. Really, it’s all 1s and 0s that are sent in a particular format. That particular format is usually “Ethernet” or 802.3, but can also be 802.11 (wireless) or single/multi-mode fiber. There are ways of sniffing by “vampiring” the physical wires, but we’re going to start a step above that and assume you have a computer that can already connect to the network somehow.

A basic introduction to how 802.3 works would be useful, so here we go. Because of the way Ethernet works, the machines on the network have to take turns transmitting or their transmissions will interfere with each other. There’s one signal that is sent out first to see if the wire is clear. If it is, then that machine starts sending its data. If not, an exponential backoff timer starts, and the machine asks again once that timer goes off. As long as the wire is shared, every single machine on that wire can hear what every other machine is sending. You now see how easy it is to listen in on other conversations 🙂

Hubs and repeaters are considered part of the same physical wire. All they do is boost the signal and rebroadcast to all their other ports. Switches are one step above that and place a physical barrier between network segments. They don’t indiscriminately rebroadcast to all of their ports. They just rebroadcast to the one port that has the destination machine. How do they know what port to broadcast on? That’s where MAC addresses come in – Media Access Control. These addresses are (supposed to be) unique for every single network-connected system manufactured. In practice – not so much, although it’s generally “good enough” – except when you ship an entire box full of Ethernet cards to a university, and they all have the exact same MAC address…

The MAC address is sent with every single packet that is sent on the wire. The switch remembers which ports have what MAC address (and so do a lot of machines). This is stored in a table on the switch – with a limited amount of memory. If the switch gets overloaded, it will tend to revert to hub operation – rebroadcasting to all ports. One packet at least will be broadcast to all ports until the switch knows what port a specific MAC address is on. In normal operation (i.e., not *trying* to break the switch) and with a properly planned network, the switch has enough memory to maintain the table for the number of ports it has (and the bandwidth it’s expected to provide). However, what if there is a hub connected to the switch? That means X more MAC addresses the switch has to remember above and beyond the number of ports that it has. There used to be a rule of thumb – never have more than 3 hubs/switches connected together. This was part of the reason. You’d see degraded network performance because the MAC table couldn’t keep up (it also had to do with the physical limitation on Ethernet cable lengths).

So, you now have a switch, and if you don’t happen to be on the port that the packets are being sent to, you can’t “hear” their communication. But, if you “break” the switch and make it revert to broadcasting to everyone, you can “hear” the traffic. Another way to “break” the switch is to keep telling the switch that you are the destination’s MAC address, and the switch will start rerouting everything to you instead. If you want to sniff something useful, you’d better be prepared to keep routing the traffic to the “real” machine (and not through the switch you just “broke”), or you won’t get very far.
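To make the table behaviour in the last two paragraphs concrete, here is an added example (not code from the original post or from any real switch) that models MAC learning and raises the alerts a defender would watch for. The class name, the addresses, the table size and the one-address-per-port threshold are all assumptions, and the model assumes a full table simply stops learning new addresses.

```python
class LearningSwitch:
    """Toy model of a switch's MAC table (constructed for illustration)."""
    def __init__(self, ports, table_size, max_macs_per_port=1):
        self.ports = list(ports)
        self.table_size = table_size                # the "limited amount of memory"
        self.max_macs_per_port = max_macs_per_port  # assumed alert threshold
        self.table = {}                             # MAC address -> port
        self.alerts = []

    def _learn(self, port, mac):
        old = self.table.get(mac)
        if old is None and len(self.table) >= self.table_size:
            self.alerts.append(("table-full", mac, port))
            return                                  # not learned: traffic to mac will flood
        if old is not None and old != port:
            self.alerts.append(("mac-moved", mac, old, port))
        self.table[mac] = port
        count = sum(1 for p in self.table.values() if p == port)
        if count > self.max_macs_per_port:
            self.alerts.append(("too-many-macs", port, count))

    def receive(self, in_port, src, dst):
        """Learn the source, then return the ports the frame is sent out of."""
        self._learn(in_port, src)
        out = self.table.get(dst)
        if out is None:                             # unknown destination: act like a hub
            return [p for p in self.ports if p != in_port]
        return [] if out == in_port else [out]


def demo():
    a, b, c = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02", "aa:aa:aa:aa:aa:03"  # constructed
    sw = LearningSwitch(ports=[1, 2, 3, 4], table_size=4)
    seen = {
        "first": sw.receive(1, a, b),        # b unknown: flooded to 2, 3, 4
        "reply": sw.receive(2, b, a),        # a learned: port 1 only
        "known": sw.receive(1, a, b),        # b learned: port 2 only
    }
    for i in range(3):                       # port 3 sources many addresses
        sw.receive(3, f"02:00:00:00:00:{i:02x}", a)
    sw.receive(4, c, a)                      # table is full, c cannot be learned
    seen["unlearned"] = sw.receive(2, b, c)  # so frames for c reach every port
    sw.receive(3, b, a)                      # b's address now appears on port 3
    seen["moved"] = sw.receive(1, a, b)      # frames for b follow it to port 3
    return seen, sw.alerts


if __name__ == "__main__":
    print(demo())
```

The per-port count alert fires before the table fills, which is why limiting the number of addresses a port may learn is the usual switch-side control; real switches also age entries out, which this model omits.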

Most of this applies to wireless networks as well, although they use a slightly different method of telling other systems that they want to transmit.

For anyone who wants to delve more in-depth on how Ethernet works, the Ethernet Wikipedia page has a good discussion, and any good college textbook on networking will discuss Ethernet and several other technologies as well.

Each Tuesday, Security Musings features a topic to help educate our readers about security. For more information about Gemini Security Solutions’ security education capabilities, contact us!

6 thoughts on “Sniffing Networks – Part 1 – 802.3 and MAC addresses”

  1. ryan@lan says:

    Does my MAC address change if I upgrade my computer with some other hardware? For example, change the graphics card?

  2. Daud P1 says:

    I feel this write-up is really interesting. I am really interested in reading a lot more.
