Sniffers and Network Monitors: Translation of a Foreign-Language Article (with figures)



Translated title: Sniffers and Network Monitors
Original title: Packet Sniffers and Network Monitors
Authors: Jim S. Tiller and Bryan D. Fish (translated names: Jim and Bryan)
Nationality: United States
Source: Information Systems Security

Sniffers and Network Monitors

Communication takes many forms, ranging from simple voice calls to complex manipulations of light. Every type of communication rests on two basic principles: wave theory and particle theory. In essence, communication can be built on either of them, often in concert with a carrier or medium that carries the information. One example is the human voice. Because wave communication uses the air as the signal-carrying medium, two people can talk to each other. But the atmosphere is a common medium, and anyone close enough to receive the same waves can listen in and covertly follow the discussion. For computer communication the process is far more complex: as data travels from one point to another, the medium and the type of communication may change many times. Nevertheless, computer communication is just as easy to attack as a conversation is to overhear. As communication is established, some weakness in its accessibility will exist in one form or another. The ability to intercept communication depends on the type of communication and the medium employed; given suitable time, resources and environmental conditions, any communication, regardless of its type or medium, can be intercepted.

In the realm of computer communication, sniffers and network monitors are two tools that work by intercepting data for processing. Operated by a legitimate administrator, a network monitor is very useful for analyzing network activity. By analyzing various properties of the intercepted communication, an administrator can gather information for diagnosing or detecting network performance problems. Such a tool can be used to isolate router problems, misconfigured network devices, system errors and general network activity, and to support network design decisions. In dark contrast, a sniffer can be a powerful tool that lets an attacker obtain information from network communication. Passwords, e-mail, documents, procedures for performing functions and application information are only a few examples of what a sniffer can obtain. Unauthorized use of a network sniffer, analyzer or monitor represents a fundamental risk to information security.

This article has two parts. Part one introduces the concept of data interception in the computer networking environment. It provides a foundation for understanding and identifying the properties that make sessions susceptible to eavesdropping. Part two presents a method for evaluating the severity of these weaknesses and then discusses real-world examples of the session eavesdropping process. Above all, this article addresses the remarkable security risks and interception threats that surround data eavesdropping. Finally, it presents techniques for reducing the risk posed by the various communication weaknesses.

Sniffer Functions

Network monitors and sniffers are of the same nature; in fact the two terms are often used interchangeably. In many fields, however, a network monitor is a device or system that collects statistics about the network. Although


the content of the communication can be interpreted, it is usually ignored in favour of various measurements and statistics. These metrics are used to assess the basic health of the network.

A sniffer, on the other hand, is a system or device that collects data from various forms of communication. Its simplest use is to obtain data and traffic patterns, a capability that can be put to undisclosed purposes. To avoid any problems of interpretation, the term sniffer best fits the overall goal of explaining the security aspects of data eavesdropping.

The essence of a sniffer is quite simple. Variations in sniffers and their capabilities are determined by the network topology, the medium type and the access point. Sniffers simply collect whatever data is readily available to them. Placed in the right area of a network, they can collect very sensitive kinds of data. Their ability to collect data may vary with the topology and the complexity of the implementation, and is ultimately governed by the communication medium. For computer communication, a sniffer can sit at a key point in the network, such as a gateway, which lets it collect information from the several areas that share that gateway. Alternatively, a sniffer can be placed on a single system to collect only information specific to that system.

Topology, Media and Location

Network topologies come in several forms, and each uses different media for physical communication. Asynchronous Transfer Mode (ATM), Ethernet, Token Ring and X.25 are common network topologies used to control data transmission. Each packages data into units called frames or cells that represent a manageable portion of the communication. Coaxial cable, fibre, twisted pair and microwave are a few computer communication media that can carry the data units of a particular topology.

The location of a sniffer is the deciding factor in the amount and type of information collected. The importance of location is relative to the network topology and the medium in use. The topology defines the logical organization of the network's systems and how data is negotiated between them. The medium in use can help characterize the environment on the basis of location alone. A basic example of this reasoning is a simple Ethernet network spread across several floors of a building and connected to the Internet. Ethernet on each floor typically uses CAT5 cabling; fibre can connect the floors, possibly using FDDI as the topology. Finally, the connection to the Internet is a serial link built with a V.35 cable. Following this reasoning, a sniffer with serial capabilities (logically and physically) placed at the Internet router can collect every packet to and from the Internet. If access to the FDDI network is obtained, it is also feasible to collect all the data passing between the floors.

It is necessary to understand the relationship between location and the topology of the environment, and this relationship can be affected by the medium. The medium in use is relevant in various circumstances, but essentially it is tied to location. Exhibit 1 explains in graphical form the relationship between sniffer location, topology and the medium in use. There are three buckets on the left side of the scale at different distances from the axis. Bucket A, farthest from the axis, represents the importance of the sniffer's location and therefore carries the greatest leverage. Nearly as important is the topology, represented by bucket B. Closest to the axis, and the least important of the three, is the medium, represented by bucket C.


Compared with the other two buckets, bucket C has the least influence on the calculation. Adding weight to a bucket corresponds to the value of the characteristic it represents: as the difficulty of the location, topology or medium increases, more weight is added to the bucket. For example, if CAT5 is the available medium, medium bucket C may be empty; the commonness of CAT5 represents a level of simplicity. If a serial cable has to be tapped, however, the available medium in a large environment is limited, so the bucket may be full. As the sophistication of each area is amplified, more weight is added to the corresponding bucket, increasing the complexity of the attack but enhancing its effectiveness. This example conveys the relationship between these key variables and the information a sniffer collects. With further study it becomes possible to slide the buckets along the bar and so vary the influence each one has.

How Sniffers Work

As one would imagine, sniffers come in almost unlimited forms, because each must work in a different way to collect information from its target medium. For example, a sniffer designed for Ethernet is nearly useless for collecting data from microwave towers. However, the security risks and vulnerabilities of common communications seem to concentrate on standard network topologies. Typically, Ethernet is the target topology for local area networks (LANs) and serial communication is the target topology for wide area networks (WANs).

Ethernet

The most common among typical networks are Ethernet topologies and IEEE 802.3, both based on the same transmission principle: Carrier Sense Multiple Access with Collision Detection (CSMA/CD). Of the forms of communication in use today, Ethernet is the most susceptible to security breaches through a sniffer, for two main reasons: its installed base and its communication type.

CSMA/CD is analogous to a conference call with several participants. Everyone has the opportunity to speak, whether or not they have something to say. If two or more people on the call speak at the same time, there is a short period during which everyone falls silent, waiting to decide whether to continue. Once the pause ends and someone begins speaking without interruption, everyone on the call can hear the speaker. To complete the analogy, the speaker addresses only one person in the group, and that person is identified by name at the start of the sentence.

Computers in an Ethernet environment interact in the same way. When a system needs to transmit data, it must do so while no other system is transmitting. If two systems transmit at the same time, the electrical signals collide on the cable, and the collision forces both systems to wait for a period of time before retransmitting. The group of systems involved is sometimes called a collision domain, because every system on that segment can see the collisions. Moreover, just as the telephone is the shared medium of the conference call participants, the physical network is a shared medium. Therefore any system on a shared segment is privy to all communication on that segment.

As data traverses the network, every device on the network can see the data and act on certain properties of it to provide communication services. A sniffer can be installed at key locations in the network and


inspect the details of that same data stream.

Ethernet is based on the physical (MAC) address, typically 48 bits assigned to the network interface card (NIC). This address uniquely identifies an Ethernet interface, and every Ethernet frame contains the destination's physical address. When data is sent across the network, every station examines the frame. When a station receives a frame, it checks whether the frame's destination physical address is its own. As detailed in Exhibit 2, if the destination address in the frame is the system's own, the data is accepted and processed; if not, the frame is ignored and discarded.

Promiscuous mode. A typical sniffer runs in promiscuous mode. Promiscuous mode is a state in which the NIC accepts all frames regardless of the destination physical address of the frame, as further detailed in Exhibit 3. Support for promiscuous mode is a prerequisite for using a NIC as a sniffer, since that is what lets it capture and retain every frame traversing the network. For software-based sniffers, the installed NIC must support promiscuous mode in order to capture all the data on the segment. If a software-based sniffer's NIC does not support promiscuous mode, the sniffer will collect only information sent directly to the system on which it is installed, because that system's NIC retains only frames carrying its own MAC address. For hardware-based sniffers, dedicated devices whose sole purpose is to collect all data, the installed NIC must support promiscuous mode to be effective. A hardware-based sniffer that cannot run in promiscuous mode is nearly useless, since the device does not take part in normal network communication.

One aspect of Ethernet addresses the situation in which a system does not know the destination physical address, or needs to communicate with every system on the network. A broadcast occurs when a system simply injects a frame that every other system will process. An interesting aspect of broadcasts is that a sniffer can operate in non-promiscuous mode and still receive broadcasts from other segments. Although such information is usually not sensitive, an attacker can use it to learn more about the network.

Wide Area Networks

Wide area network communication typifies the relationship between topology, transmission medium and location as compared with the level of access. In a typical Ethernet environment, almost any network jack in the corner of a room can provide sufficient access for a sniffer to do its job. For some infrastructures, however, location can be the crucial factor that determines a sniffer's effectiveness.

The topology of WAN communication is much simpler. As a focal-point device such as a router processes data, the information is placed into a new frame and forwarded to the appropriate endpoint. Because all traffic is transmitted in a single data stream, the device's location can provide access to the network activity; Exhibit 4 shows a commonly implemented WAN connection. Such locations are sensitive, however, and unauthorized access to them is not permitted.

One way a sniffer can access the data stream is through a probe. On some channel service unit/data service unit (CSU/DSU) devices, a probe is an optional feature. The CSU/DSU provides the serial connection between the customer premises equipment (CPE), such as a router, and the demarcation point. As shown in Exhibit 5, a probe captures every frame traversing the CSU/DSU.


Another way a sniffer can access the data stream is through a "Y" cable. A "Y" cable is connected between the CSU/DSU and the CPE. This is the most common placement for a "Y" cable, because of the complexity of providing actual connection services to the provider's network or a Token Ring network. Between the CSU/DSU and the CPE, a "Y" cable functions exactly like a normal cable. The third connector on the "Y" cable is free and can be connected to a sniffer. Once a "Y" cable is installed, every frame is electrically copied to the sniffer, where it is absorbed and processed, without disturbing the original data stream (see Exhibit 6). Unlike a probe, a sniffer connected through a "Y" cable must be configured for the topology in use. The link can carry several frame formats, including Point-to-Point Protocol (PPP), High-level Data Link Control (HDLC) and Frame Relay. Once the sniffer is configured for the topology and frame format, just as an Ethernet sniffer is configured for the Ethernet frame format, it can collect the data stream.

Other communication formats are typically line-of-sight implementations using microwave. Each endpoint has a clear, unobstructed, focused path to the other end. Microwave is a powerful carrier that can be precisely focused to reduce unauthorized interaction. However, microwave signals can spill around the edges of the dish or simply pass through the dish itself. In either case, a sniffer placed behind one endpoint's microwave dish can receive some of the signal. In some cases the available signal is weak, but it can be amplified and then processed.

Wireless devices such as cellular phones or cordless home phones are extremely vulnerable to interception. These devices must transmit their signal through the air to a receiving station. Although the receiving station's location is fixed, the wireless device itself is mobile. Signal transmission therefore cannot rely on line of sight, because a directly transmitted signal would take different paths on its way. So for a wireless device to communicate with a receiving station, it must broadcast its signal over a wide enough area to ensure that the other end of the link receives it. Because the signal is broadcast over such a wide area, an eavesdropper has little trouble placing an interception device where the signal can be received.

Summary

Network sniffers are used mainly to help network administrators analyze and solve problems in the network. These devices exploit certain characteristics of electronic communication to provide a window onto the network, and that window gives the operator a clear view of the details of network traffic.

In an attacker's hands, a network sniffer can be used to learn many different kinds of information, ranging from the operating characteristics of the network itself to highly sensitive information about the companies or individuals using it. The amount and significance of the information learned from a sniffer-based attack depend on the specific characteristics of the network and on the attacker's ability to introduce a sniffer. The type of medium, the network topology and the location of the sniffer are the main factors that together determine the amount and type of information a sniffer can detect.

Packet Sniffers and Network Monitors
Jim S. Tiller, CISSP and Bryan D. Fish, CISSP

Communications take place in forms that range from simple voice conversations to complicated manipulations of light. Each type of communication is based on two basic principles: wave theory and particle theory. In essence, communication can be established by the use of either, frequently in concert with a carrier or medium to provide transmission. An example is the human voice. The result of wave communications using the air as the signal-carrying medium is that two people can talk to each other. However, the atmosphere is a common medium, and anyone close enough to receive the same waves can intercept and surreptitiously listen to the discussion. For computer communications, the process is exponentially more complicated; the medium and type may change several times as the data is moved from one point to another. Nevertheless, computer communications are vulnerable in the same way that a conversation can be overheard: as communications are established, several vulnerabilities in the accessibility of the communication will exist in some form or another. The ability to intercept communications is governed by the type of communication and the medium that is employed. Given the proper time, resources, and environmental conditions, any communication, regardless of the type or medium employed, can be intercepted.

In the realm of computer communications, sniffers and network monitors are two tools that function by intercepting data for processing. Operated by a legitimate administrator, a network monitor can be extremely helpful in analyzing network activities. By analyzing various properties of the intercepted communications, an administrator can collect information used to diagnose or detect network performance issues. Such a tool can be used to isolate router problems, poorly configured network devices, system errors, and general network activity to assist in the determination of network design. In dark contrast, a sniffer can be a powerful tool to enable an attacker to obtain information from network communications. Passwords, e-mail, documents, procedures for performing functions, and application information are only a few examples of the information obtainable with a sniffer. The unauthorized use of a network sniffer, analyzer, or monitor represents a fundamental risk to the security of information.

This is an article in two parts. Part one introduces the concepts of data interception in the computer-networking environment. It provides a foundation for understanding and identifying those properties that make communications susceptible to interception. Part two addresses a means for evaluating the severity of such vulnerabilities. It goes on to discuss the process of communications interception with real-world examples. Primarily, this article addresses the incredible security implications and threats that surround the


issues of data interception. Finally, it presents techniques for mitigating the risks associated with the various vulnerabilities of communications.

FUNCTIONAL ASPECTS OF SNIFFERS

Network monitors and sniffers are equivalent in nature, and the terms are used interchangeably. In many circles, however, a network monitor is a device or system that collects statistics about the network. Although the content of the communication is available for interpretation, it is typically ignored in lieu of various measurements and statistics. These metrics are used to scrutinize the fundamental health of the network. On the other hand, a sniffer is a system or device that collects data from various forms of communications with the simple goal of obtaining the data and traffic patterns, which can be used for dark purposes. To alleviate any interpretation issues, the term sniffer best fits the overall goal of explaining the security aspects of data interception.

The essence of a sniffer is quite simple; the variations of sniffers and their capabilities are determined by the network topology, media type, and access point. Sniffers simply collect data that is made available to them. If placed in the correct area of a network, they can collect very sensitive types of data. Their ability to collect data can vary depending on the topology and the complexity of the implementation, and is ultimately governed by the communications medium. For computer communications, a sniffer can exist on a crucial point of the network, such as a gateway, allowing it to collect information from several areas that use the gateway. Alternatively, a sniffer can be placed on a single system to collect specific information relative to that system only.

Topologies, Media, and Location

There are several forms of network topologies, and each can use different media for physical communication. Asynchronous Transfer Mode (ATM), Ethernet, Token Ring, and X.25 are examples of common network topologies that are used to control the transmission of data. Each uses some form of data unit packaging that is referred to as a frame or cell, and represents a manageable portion of the communication. Coax, fiber, twisted-pair wire, and microwave are a few examples of computer communications media that can provide the foundation for the specific topology to transmit data units.

The location of a sniffer is a defining factor in the amount and type of information collected. The importance of location is relative to the topology and media being used. The topology defines the logical organization of systems on a network and how data is negotiated between them. The medium being utilized can assist in determining the

environment simply based on its location. A basic example of this logical deduction is a simple Ethernet network spread across multiple floors in a building with a connection to the Internet. Ethernet is the topology at each floor and typically uses CAT5 cabling. Fiber cables can be used to connect each floor, possibly using FDDI as the topology. Finally, the connections to the Internet typically consist of a serial connection using a V.35 cable. Using this deduction, it is safe to say that a sniffer with serial capabilities (logically and physically) placed at the Internet router can collect every packet to and from the Internet. It is also feasible to collect all the data between the floors if access to the FDDI network is obtained.

It is necessary to understand the relationship of the topology to the location and the environment, which can be affected by the medium. The medium being used is relevant in various circumstances, but this is inherently related to the location. Exhibit 1 explains in graphical format the relationship between the location of the sniffer, the topology, and the medium being used. There are three buckets on the left of a scale at varying distances from the axis point, or moment. Bucket A, the furthest from the axis, represents the weight that the sniffer's location carries in the success of the attack and the complexity of implementing a sniffer into the environment. Bucket A, therefore, provides greater leverage in the calculation of success relative to the difficulty of integration. Nearly equally important is the topology, represented by bucket B. Closest to the axis point, where the leverage is the least, is the medium, represented by bucket C. Bucket C clearly has less impact on the calculation than the other two buckets.

Adding weight to a bucket is analogous to changing the value of the characteristic it represents. As the difficulty of the location, topology, or medium increases, more weight is added to the bucket. For example, medium bucket C may be empty if CAT5 is the available medium. The commonality of CAT5 and the ease of interacting with it without detection represent a level of simplicity. However, if a serial cable is intersected, the odds of detection are high and the availability of the medium in a large environment is limited; therefore, the bucket may be full. As the sophistication of each area is amplified, more weight is added to the corresponding bucket, increasing the complexity of the attack but enhancing the effectiveness of the assault. This example attempts to convey the relationship between these key variables and the information collected by a sniffer. With further study, it is possible to move the buckets around on the bar to vary the impact each has on the scale.

How Sniffers Work

As one would imagine, there are virtually unlimited forms of sniffers, as each one

must work in a different way to collect information from the target medium. For example, a sniffer designed for Ethernet would be nearly useless in collecting data from microwave towers. However, the volume of security risks and vulnerabilities with common communications seems to focus on standard network topologies. Typically, Ethernet is the target topology for Local Area Networks (LANs) and serial is the target topology for Wide Area Networks (WANs).

Ethernet Networks

The most common among typical networks are Ethernet topologies and IEEE 802.3, both of which are based on the same principle of Carrier-Sensing Multiple Access with Collision Detection (CSMA/CD) technology. Of the forms of communication in use today, Ethernet is one of the most susceptible to security breaches by the use of a sniffer. This is true for two primary reasons: installation base and communication type.

CSMA/CD is analogous to a conference call with several participants. Each person has the opportunity to speak if no one else is talking and if the participant has something to say. In the event two or more people on the conference call start talking at the same time, there is a short time during which everyone is silent, waiting to see whether to continue. Once the pause is over and someone starts talking without interruption, everyone on the call can hear the speaker. To complete the analogy, the speaker is addressing only one individual in the group, and that individual is identified by name at the beginning of the sentence.

Computers operating in an Ethernet environment interact in very much the same way. When a system needs to transmit data, it waits for an opportunity when no other system is transmitting. In the event two systems inject data onto the network at the same time, the electrical signals collide on the wire. This collision forces both systems to wait for an undetermined amount of time before retransmitting. The segment in which a group of systems participates is sometimes referred to as a collision domain, because all of the systems on the segment see the collisions. Also, just as the telephone was a common medium for the conference call participants, the physical network is a shared medium. Therefore, any system on a shared network segment is privy to all of the communications on that particular segment.

As data traverses a network, all of the devices on the network can see the data and act on certain properties of that data to provide communication services. A sniffer can reside at key locations on that network and inspect the details of that same data stream. Ethernet is based on a Media Access Control (MAC) address, typically 48 bits assigned to the Network Interface Card (NIC). This address uniquely identifies a particular Ethernet interface. Every Ethernet data frame contains the destination station's


MAC address. As data is sent across the network, it is seen by every station on that segment. When a station receives a frame, it checks to see whether the destination MAC address of that frame is its own. As detailed in Exhibit 2, if the destination MAC address defined in the frame is that of the system, the data is absorbed and processed. If not, the frame is ignored and dropped.

Promiscuous Mode

A typical sniffer operates in promiscuous mode. Promiscuous mode is a state in which the NIC accepts all frames, regardless of the destination MAC address of the frame. This is further detailed by Exhibit 3. The ability to support promiscuous mode is a prerequisite for a NIC to be used as a sniffer, as this allows it to capture and retain all of the frames that traverse the network. For software-based sniffers, the installed NIC must support promiscuous mode to capture all of the data on the segment. If a software-based sniffer is installed and the NIC does not support promiscuous mode, the sniffer will collect only information sent directly to the system on which it is installed. This happens because the system's NIC only retains frames with its own MAC address. For hardware-based sniffers, dedicated equipment whose sole purpose is to collect all data, the installed NIC must support promiscuous mode to be effective. The implementation of a hardware-based sniffer without the ability to operate in promiscuous mode would be nearly useless inasmuch as the device does not participate in normal network communications.

There is an aspect of Ethernet that addresses the situation in which a system does not know the destination MAC address, or needs to communicate with all the systems of the network. A broadcast occurs when a system simply injects a frame that every other system will process. An interesting aspect of broadcasts is that a sniffer can operate in non-promiscuous mode and still receive broadcasts from other segments. Although this information is typically not sensitive, an attacker can use the information to learn additional information about the network.

Wide Area Networks

Wide area network communications typify the relationship between topology, transmission medium, and location as compared with the level of access. In a typical Ethernet environment, nearly any network jack in the corner of a room can provide adequate access to the network for the sniffer to do its job. However, in some infrastructures, location can be a crucial factor in determining the effectiveness of a sniffer. For WAN communications the topology is much simpler. As a focal point device, such as a router, processes data, the information is placed into a new frame and forwarded to a
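The frame-acceptance logic of Exhibits 2 and 3 (a NIC keeps only frames addressed to its own MAC or to the broadcast address, while promiscuous mode keeps everything), modelled in Python as an added example that is not part of the article; the MAC addresses, the segment traffic and the function names are constructed for illustration.

```python
import struct

BROADCAST = bytes.fromhex("ffffffffffff")
# Ethernet II header: 6-byte destination, 6-byte source, 2-byte EtherType
ETH_HDR = struct.Struct("!6s6sH")


def mac_str(raw: bytes) -> str:
    """Render six raw bytes as aa:bb:cc:dd:ee:ff."""
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes):
    """Split an Ethernet II frame into (dst, src, ethertype, payload)."""
    if len(frame) < ETH_HDR.size:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = ETH_HDR.unpack_from(frame)
    return dst, src, ethertype, frame[ETH_HDR.size:]


def nic_accepts(dst: bytes, own_mac: bytes, promiscuous: bool) -> bool:
    """Exhibit 2: keep a frame only if it is for this station or a broadcast.
    Exhibit 3: in promiscuous mode every frame on the segment is kept.
    (Real NICs also keep subscribed multicast groups; omitted here.)"""
    if promiscuous:
        return True
    return dst == own_mac or dst == BROADCAST


def capture(frames, own_mac: bytes, promiscuous: bool):
    """Return the (src, dst, ethertype) triples a sniffer on this NIC sees."""
    seen = []
    for frame in frames:
        dst, src, ethertype, _payload = parse_frame(frame)
        if nic_accepts(dst, own_mac, promiscuous):
            seen.append((mac_str(src), mac_str(dst), ethertype))
    return seen


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    return ETH_HDR.pack(dst, src, ethertype) + payload


# Constructed shared segment: the sniffer host, two other stations, and one
# ARP broadcast. Only two of the four frames are addressed to the sniffer host.
SNIFFER_MAC = bytes.fromhex("02000000aa01")
ALICE = bytes.fromhex("02000000aa02")
BOB = bytes.fromhex("02000000aa03")
SEGMENT = [
    build_frame(BOB, ALICE, 0x0800, b"ipv4 alice->bob"),
    build_frame(ALICE, BOB, 0x0800, b"ipv4 bob->alice"),
    build_frame(SNIFFER_MAC, ALICE, 0x0800, b"ipv4 alice->sniffer host"),
    build_frame(BROADCAST, BOB, 0x0806, b"arp who-has"),
]

if __name__ == "__main__":
    for mode in (False, True):
        label = "promiscuous" if mode else "normal"
        print(label, capture(SEGMENT, SNIFFER_MAC, mode))
```

In normal mode the sniffer host sees only the frame addressed to it and the ARP broadcast; in promiscuous mode it sees all four, including the Alice/Bob exchange that a non-promiscuous NIC would silently drop.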


