LESSON 7 ATTACK ANALYSIS part IV

7.2.3 Sniffing Other Computers
Some of you, having read this section and seen the kind of data Ethereal can record, may be
wondering about the possibilities of using packet sniffing software to record activity on
other people's computers. Is this possible?
Yes – and no. The feature is called promiscuous mode, and it allows a packet sniffer to monitor
network activity for all computers on a network. This means that you might be able to record
the network activity of another computer on your own network (depending on the way that the
hardware is set up), but you can't pick any computer at random and magically sniff its
data – the two computers must be physically connected, and the hardware and software
must be properly configured.

7.2.4 Intrusion Detection Systems
You've probably realized that using a packet sniffer to detect unauthorized activity in real
time would require you to sit at your computer, watching the output of the packet sniffer
and desperately hoping to see some kind of pattern. An intrusion detection system performs
this task for you. These programs combine the ability to record network activity with sets of
rules that allow them to flag unauthorized activity and generate real-time warnings.
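A toy version of what this paragraph describes, added here as an example (it is not code from the lesson or from any real IDS): it applies two Snort-style content rules and a simple port-scan threshold to a handful of constructed packet records of the kind a sniffer displays, and returns alerts instead of leaving you to stare at the capture. The packet data, addresses, rule patterns and thresholds are all constructed for the example.

```python
from collections import defaultdict

# Constructed packet records shaped like a sniffer's summary lines:
# (timestamp, src_ip, dst_ip, protocol, dst_port, payload).
PACKETS = [
    (1.0, "192.168.1.5", "192.168.1.20", "TCP", 110, b"USER alice\r\n"),
    (1.1, "192.168.1.5", "192.168.1.20", "TCP", 110, b"PASS s3cret\r\n"),
    (2.0, "192.168.1.5", "192.168.1.20", "TCP", 80, b"GET /notes.txt HTTP/1.1\r\n"),
] + [
    # a second host walking 25 ports on the same server in a quarter second
    (3.0 + i * 0.01, "10.0.0.9", "192.168.1.20", "TCP", port, b"")
    for i, port in enumerate(range(20, 45))
]

# Content rules in the spirit of an IDS signature:
# (protocol, destination port, byte pattern, alert message).
CONTENT_RULES = [
    ("TCP", 110, b"PASS ", "cleartext POP3 password on the wire"),
    ("TCP", 80, b"Authorization: Basic ", "HTTP basic-auth credentials in cleartext"),
]
SCAN_PORTS = 20    # this many distinct ports on one host from one source ...
SCAN_WINDOW = 5.0  # ... within this many seconds is reported as a port scan

def match_content(pkt):
    """Return one alert string per content rule the packet matches."""
    _, src, dst, proto, port, payload = pkt
    return [f"{src} -> {dst}:{port}: {msg}"
            for rproto, rport, pattern, msg in CONTENT_RULES
            if proto == rproto and port == rport and pattern in payload]

def detect_scans(packets):
    """Flag each (src, dst) pair once when SCAN_PORTS ports are hit within SCAN_WINDOW."""
    seen = defaultdict(list)   # (src, dst) -> [(timestamp, port), ...]
    flagged, alerts = set(), []
    for ts, src, dst, _, port, _ in sorted(packets, key=lambda p: p[0]):
        seen[(src, dst)].append((ts, port))
        recent = {p for t, p in seen[(src, dst)] if ts - t <= SCAN_WINDOW}
        if len(recent) >= SCAN_PORTS and (src, dst) not in flagged:
            flagged.add((src, dst))
            alerts.append(f"{src} -> {dst}: probable port scan, {len(recent)} ports in {SCAN_WINDOW}s")
    return alerts

def run_ids(packets):
    """The sniffer-plus-rules loop: stateless content rules, then the stateful scan check."""
    alerts = [a for pkt in sorted(packets, key=lambda p: p[0]) for a in match_content(pkt)]
    return alerts + detect_scans(packets)

if __name__ == "__main__":
    for alert in run_ids(PACKETS):
        print("ALERT:", alert)
```

Note that the content rules are stateless (one packet is enough to fire) while the scan rule keeps per-source state, which is the distinction exercise 3 asks about when it contrasts what an IDS can and cannot detect.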

Exercises:
1. Open Ethereal and start a live capture. Now open your web browser and look for a plain
text document to download. Download and save the text file to your hard drive, then close
the web browser and end the capture session in Ethereal. Look through the packets captured
by Ethereal, paying close attention to the ASCII dump in the bottom pane. What do you see?
If you have access to an email account, try checking your email while Ethereal is performing
a capture. What do you see there?
2. Open Ethereal. On the Capture Options Screen, make sure that the box marked “Capture
packets in promiscuous mode” is checked. This option may allow you to capture packets
directed to or coming from other computers. Begin the capture and see what happens. Do
you see any traffic that is intended for a computer other than yours?
What do you know about the hardware that connects your computer to the network? Does it
connect to the other computers through a switch, a router or a hub? Go to a web search
engine and try to find out which piece or pieces of hardware would make it most difficult to
capture packets from other computers. What hardware would make it easiest?
3. Go to www.snort.org, or use a web search engine to research intrusion detection systems.
How are they different from firewalls? What do they have in common with packet sniffers?
What kinds of unauthorized activity can they detect? What kinds of activity might they be
unable to detect?
