Unit 1: Packet Sniffing 1.1 Packet Sniffing Promiscuous Mode vs. Monitor Mode & Virtualization

>> When a frame enters a NIC, if the destination MAC address is not the NIC's MAC address, a broadcast or a multicast, the NIC will drop the frame.


Promiscuous mode is a mode for a wired or wireless NIC which causes the NIC
to pass all traffic it receives up the networking stack on a machine.



Now, the NIC will accept and read frames that have unicast addresses other than the NIC's MAC address.


Of course, on a switched network, promiscuous mode is not useful, since the switch will only send frames to the ports associated with the destination MAC addresses as listed in the switch's CAM (content addressable memory) table, also known as the SAT (source address table).


The one exception is an unknown unicast, when a switch doesn't know which port a destination MAC address is associated with.


The switch will flood the frame out of all ports except the port on which the frame arrived.


Normally, this won't be a problem, because every data exchange should be preceded by an ARP request and an ARP reply, which makes the communicating stations known to the switch before any data is transferred.
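
The two filtering stages above, the NIC's destination-MAC check and the switch's CAM lookup, can be modelled in a few dozen lines. This is an added example for this page, not code from the lecture; the port numbers, MAC addresses and frame sequence are constructed for the demo. It shows what a sniffer host on a third switch port can read before and after the ARP exchange, with and without promiscuous mode:

```python
"""Added example, not part of the lecture: a model of the two filtering stages
the lecture describes. A NIC's destination-MAC filter decides which frames reach
the host's network stack (with and without promiscuous mode), and a switch's CAM
table decides which ports a frame is sent out of at all. All addresses, ports
and frames below are constructed for the demo."""

BROADCAST = bytes.fromhex("ffffffffffff")


def mac(text: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff' into six bytes."""
    return bytes.fromhex(text.replace(":", ""))


def is_group_address(dst: bytes) -> bool:
    # The I/G bit (least significant bit of the first octet) marks multicast;
    # broadcast (ff:ff:ff:ff:ff:ff) is the all-ones special case of it.
    return bool(dst[0] & 0x01)


def nic_accepts(own_mac: bytes, dst: bytes, promiscuous: bool) -> bool:
    """Non-promiscuous: only frames to our own MAC, broadcast or multicast are
    passed up the stack; everything else is dropped in the NIC.
    Promiscuous: every frame the port physically receives is passed up."""
    if promiscuous:
        return True
    return dst == own_mac or dst == BROADCAST or is_group_address(dst)


class Switch:
    """Minimal learning switch: the CAM (a.k.a. SAT) maps source MAC -> ingress port."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.cam = {}

    def forward(self, in_port, src, dst):
        """Return the set of egress ports for one frame, learning src on the way."""
        self.cam[src] = in_port
        if not is_group_address(dst) and dst in self.cam:
            # known unicast: exactly one port (nothing if it came in on that port)
            out = self.cam[dst]
            return set() if out == in_port else {out}
        # broadcast, multicast or unknown unicast: flood all ports but the ingress one
        return {p for p in self.ports if p != in_port}


# Constructed stations: A on port 1, B on port 2, the sniffer on port 3
HOST_A = mac("00:11:22:33:44:01")
HOST_B = mac("00:11:22:33:44:02")
SNIFFER = mac("00:11:22:33:44:03")
UNKNOWN = mac("00:11:22:33:44:04")  # a station the switch never learned

# (ingress port, src, dst, label)
SAMPLE_FRAMES = [
    (1, HOST_A, BROADCAST, "ARP request A->B (broadcast)"),
    (2, HOST_B, HOST_A, "ARP reply B->A"),
    (1, HOST_A, HOST_B, "data A->B"),
    (2, HOST_B, HOST_A, "data B->A"),
    (1, HOST_A, UNKNOWN, "data A->unknown (unknown unicast)"),
]


def frames_seen_by_sniffer(frames, promiscuous, sniffer_port=3, sniffer_mac=SNIFFER):
    """Labels of the frames a sniffer host on sniffer_port can actually read."""
    sw = Switch(ports=[1, 2, 3])
    seen = []
    for in_port, src, dst, label in frames:
        reaches_port = sniffer_port in sw.forward(in_port, src, dst)
        if reaches_port and nic_accepts(sniffer_mac, dst, promiscuous):
            seen.append(label)
    return seen


if __name__ == "__main__":
    for mode in (False, True):
        print("promiscuous" if mode else "normal     ", frames_seen_by_sniffer(SAMPLE_FRAMES, mode))
```

Only the broadcast ARP request reaches the sniffer's port in normal mode; after the ARP reply both stations are in the CAM, so the data frames go to a single port and never arrive at port 3 no matter what the NIC does. The one frame promiscuous mode adds is the unknown unicast, which the switch floods.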


In a future unit, we'll explore an attack, and its mitigation, for actually seeing unknown unicasts that contain data after the ARPs.


On Wi-Fi networks with encryption using WPA2, by default, packets to or from other hosts will not be able to be decrypted by the NIC, and will not be captured.


So, promiscuous mode works the same as non-promiscuous mode.



On Wi-Fi networks without encryption, promiscuous mode works as it does on wired networks, allowing NICs to read traffic with unicast addresses other than the NIC's MAC address.


Monitor mode also allows a device with a wireless NIC
to monitor all traffic received from a wireless network.



The big difference between promiscuous mode and monitor mode is that monitor mode allows packets
to be captured without having to associate with a wireless access point first.



Another difference is that monitor mode only applies
to wireless networks while promiscuous mode can be used on both wired and wireless networks.



Monitor mode is like listening to people's conversations as you walk across the RIT campus.



Promiscuous mode is like sitting down with a bunch of people at a table at a restaurant: you can hear conversations between other people at the same table.


Each client on a WPA2-PSK infrastructure has its own handshake.


So, by default, you won't be able to monitor any traffic except your own on an encrypted network.


However, if you know the pre-shared key and capture their handshake, you can decrypt their whole session.


In order for Wireshark to decrypt WPA2 traffic (this also applies to WPA), it must capture an Extensible Authentication Protocol over LAN (EAPoL), 802.1X handshake.


This EAPoL handshake is a four-way handshake used by WPA and WPA2 to set up the keys used for encrypting traffic between the client and the WAP.


Using Aireplay-ng, a packet injection tool in the aircrack-ng suite, a simple command can send a deauthentication broadcast to all clients associated with the WAP, causing them to reassociate.


Wireshark can then capture the EAPoL four-way handshake.


Once this is done, Wireshark immediately begins decrypting packets and allows you to see everything that is going on in your Wi-Fi network.
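
The "know the PSK, capture the handshake, decrypt the session" step above, as an added example that is not part of the lecture: this Python derives the PMK from the passphrase and SSID, the PTK from the PMK plus the two MAC addresses and two nonces carried in the four-way handshake, and checks the MIC on handshake message 2, which is the computation Wireshark performs with the configured PSK and aircrack-ng repeats for each candidate passphrase. The SSID, MAC addresses, nonces and passphrase are constructed; the only published value is the IEEE 802.11i PBKDF2 test vector (passphrase "password", SSID "IEEE") noted in the comment.

```python
"""Added example, not part of the lecture: WPA2-PSK key derivation from a captured
EAPOL four-way handshake and verification of the handshake MIC. The handshake
values (SSID, MACs, nonces, passphrase) below are constructed for the demo."""
import hashlib
import hmac

MIC_OFFSET = 81  # EAPOL header (4) + key descriptor fields preceding the MIC (77)


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 256 bits).
    IEEE 802.11i test vector: "password"/"IEEE" ->
    f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11i PRF: concatenate HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk, ap_mac, client_mac, anonce, snonce):
    """PTK for CCMP (384 bits): KCK (MIC key), KEK (key-wrap key), TK (traffic key).
    Both sides sort the MACs and nonces so they feed the PRF identical input."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Key descriptor version 2 (WPA2/AES): HMAC-SHA1 over the EAPOL frame with the
    MIC field zeroed, truncated to 16 bytes."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(snonce: bytes, kck: bytes) -> bytes:
    """Constructed EAPOL-Key message 2 (client -> AP): carries SNonce and the first MIC."""
    key_info = (0x010A).to_bytes(2, "big")   # pairwise | MIC present | descriptor version 2
    body = (b"\x02"                           # descriptor type: RSN
            + key_info
            + (16).to_bytes(2, "big")         # key length (CCMP TK)
            + (1).to_bytes(8, "big")          # replay counter
            + snonce
            + b"\x00" * 16                    # key IV
            + b"\x00" * 8                     # key RSC
            + b"\x00" * 8                     # key ID (reserved)
            + b"\x00" * 16                    # MIC placeholder
            + (0).to_bytes(2, "big"))         # key data length (RSN IE omitted here)
    frame = b"\x02\x03" + len(body).to_bytes(2, "big") + body  # EAPOL v2, type Key
    return frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + 16:]


def passphrase_matches(passphrase, ssid, ap_mac, client_mac, anonce, snonce, msg2):
    """What an observer with the captured handshake does: derive KCK, recompute the MIC."""
    keys = derive_ptk(pmk_from_passphrase(passphrase, ssid), ap_mac, client_mac, anonce, snonce)
    return hmac.compare_digest(eapol_mic(keys["kck"], msg2), msg2[MIC_OFFSET:MIC_OFFSET + 16])


# Constructed handshake parameters for the demo
HANDSHAKE = dict(
    ssid="LabNet",
    ap_mac=bytes.fromhex("001122334455"),
    client_mac=bytes.fromhex("66778899aabb"),
    anonce=bytes(range(32)),
    snonce=bytes(range(100, 132)),
)
REAL_PSK = "correct horse battery staple"


def demo():
    """The client signs message 2 with the real PSK; a sniffer then tests candidates."""
    h = HANDSHAKE
    keys = derive_ptk(pmk_from_passphrase(REAL_PSK, h["ssid"]),
                      h["ap_mac"], h["client_mac"], h["anonce"], h["snonce"])
    msg2 = build_msg2(h["snonce"], keys["kck"])
    return {cand: passphrase_matches(cand, h["ssid"], h["ap_mac"], h["client_mac"],
                                     h["anonce"], h["snonce"], msg2)
            for cand in ("password123", REAL_PSK)}


if __name__ == "__main__":
    print(pmk_from_passphrase("password", "IEEE").hex())
    print(demo())
```

Once the MIC check passes, the TK in the returned dictionary is the per-client key that decrypts that station's CCMP data frames, which is why a fresh handshake (forced by the deauthentication described above) is needed for every client you want to see: the nonces differ per association, so the PMK alone is not enough.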


The packet sniffer is passive, simply capturing packets travelling in and out of the NIC it is monitoring.


But there are techniques to identify network interfaces that are running in promiscuous mode, which would indicate a rogue packet sniffer.
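
One such technique, on the host side, as an added example that is not part of the lecture: the Linux kernel logs a message each time an interface enters or leaves promiscuous mode, so a log monitor can flag interfaces that a sniffer has switched on. The syslog excerpt below is constructed; the "entered/left promiscuous mode" wording is the kernel's, and accepting both the "device eth0 entered ..." layout and the "... eth0: entered ..." layout is an assumption made to cover older and newer kernels.

```python
"""Added example, not part of the lecture: spot NICs in promiscuous mode from
the kernel's "entered/left promiscuous mode" log messages. Log lines are constructed."""
import re

PROMISC_RE = re.compile(
    r"(?:device\s+)?(?P<iface>[A-Za-z0-9_.\-]+):?\s+(?P<state>entered|left)\s+promiscuous\s+mode"
)

# Constructed syslog excerpt: a capture on eth0 that was stopped again, one on
# eth1 still running, a newer-style kernel message for eth2, and unrelated noise.
SAMPLE_LOG = """\
Jan 10 09:12:01 host kernel: [  120.311] device eth0 entered promiscuous mode
Jan 10 09:12:40 host kernel: [  159.002] device eth0 left promiscuous mode
Jan 10 09:13:05 host kernel: [  184.771] device eth1 entered promiscuous mode
Jan 10 09:14:11 host kernel: [  250.400] e1000e 0000:00:19.0 eth2: entered promiscuous mode
Jan 10 09:15:00 host sshd[1234]: Accepted publickey for admin from 10.0.0.5 port 50112
"""


def promiscuous_events(log_text):
    """Yield (interface, entered?) for every promiscuous-mode transition in the log."""
    for line in log_text.splitlines():
        m = PROMISC_RE.search(line)
        if m:
            yield m["iface"], m["state"] == "entered"


def promiscuous_interfaces(log_text):
    """Interfaces whose last logged transition was 'entered', i.e. still promiscuous."""
    state = {}
    for iface, entered in promiscuous_events(log_text):
        state[iface] = entered
    return sorted(iface for iface, on in state.items() if on)


if __name__ == "__main__":
    print(promiscuous_interfaces(SAMPLE_LOG))  # ['eth1', 'eth2']
```

To confirm a hit live, `ip link show` lists PROMISC among an interface's flags while it is in that mode.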

 

Reposted from: https://www.cnblogs.com/sec875/articles/10015861.html
