A sniffing attack is the process of illicitly capturing and decoding data packets that pass through a network. This type of attack is normally used to harvest banking information or login credentials, or to perform identity theft. The Network Interface Card (NIC) that is installed on most computers is set by default to ignore traffic that is not addressed to it. Sniffing attacks involve switching the NIC to promiscuous mode, which enables the NIC to receive any and all traffic on the network. System administrators do this to troubleshoot or analyze a network, while criminals abuse the technique to perform attacks. By decoding the information captured by sniffing, attackers can read all traffic on the network. There are two types of sniffing, active and passive:
- Active sniffing involves injecting Address Resolution Protocol (ARP) packets into a network to flood the switch's content addressable memory (CAM) table, which redirects legitimate traffic to ports that the attacker controls so the traffic can be sniffed. The CAM table on a switch has limited memory to keep track of which computers are connected to each port of the switch; when the memory fills up, the switch has to start sending all network traffic to all ports.
- Passive sniffing involves only listening and is implemented in networks connected by hubs, which send all network traffic to all hosts by default.
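
A defender can spot the CAM table flooding described above by counting how many distinct source MAC addresses each switch port presents in a short time window. The following is an added example, not code from the original page; the `(timestamp, port, source_mac)` record format, the threshold values and the sample records are all constructed assumptions.

```python
from collections import defaultdict

# Assumed values for illustration; real limits depend on the switch and site policy.
MAX_MACS_PER_PORT = 3   # hypothetical per-port limit on distinct source MACs
WINDOW_SECONDS = 10     # hypothetical sliding observation window

def find_flooding_ports(observations, limit=MAX_MACS_PER_PORT, window=WINDOW_SECONDS):
    """Return {port: peak} for ports whose count of distinct source MACs
    inside any `window`-second span exceeds `limit`.

    observations: iterable of (timestamp_seconds, port, source_mac).
    """
    per_port = defaultdict(list)
    for ts, port, mac in observations:
        per_port[port].append((ts, mac.lower()))  # MAC case is not significant

    flagged = {}
    for port, events in per_port.items():
        events.sort()
        start = 0                      # index of the oldest event still in the window
        in_window = defaultdict(int)   # mac -> occurrences inside the window
        peak = 0
        for ts, mac in events:
            in_window[mac] += 1
            # Drop events that have aged out of the window.
            while events[start][0] <= ts - window:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak > limit:
            flagged[port] = peak
    return flagged

# Constructed sample records (not captured traffic):
SAMPLE = (
    # Port 1: two hosts behind one port, normal.
    [(0.0, 1, "00:00:5e:00:53:01"), (4.0, 1, "00:00:5E:00:53:01"), (8.0, 1, "00:00:5e:00:53:02")]
    # Port 3: five MACs, but spread 25 s apart, so never many at once.
    + [(i * 25.0, 3, f"00:00:5e:00:53:{0x10 + i:02x}") for i in range(5)]
    # Port 7: fifty different source MACs within one second, the flooding pattern.
    + [(20.0 + i * 0.02, 7, f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}") for i in range(50)]
)

if __name__ == "__main__":
    for port, peak in find_flooding_ports(SAMPLE).items():
        print(f"port {port}: {peak} distinct source MACs within {WINDOW_SECONDS}s")
```

Many managed switches can enforce a comparable per-port MAC limit themselves, which stops the table from filling in the first place.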