Packet capture is the act of intercepting a data packet as it travels across a network and storing a copy of it for analysis. A captured packet can be inspected to diagnose and solve network problems, or to check that the traffic conforms to the organization's network security policies.
Attackers use the same packet capture techniques to read data transmitted over a network, which is why any traffic that matters should be encrypted in transit.
You can liken packet capture to the passenger security checkpoint at an airport. Passengers and their baggage go through a stringent check to make sure they aren't carrying any forbidden items that could harm anyone or the facility itself.
Packet Capturing Tools
An enterprise can use any of the following devices to capture packets in its network:
Hub
A multiport repeater that forwards every packet it receives out of every connected port except the one the packet arrived on, so every computer connected to a hub can see every other computer's traffic. Hubs are half-duplex shared media and have largely been replaced by switches, so this option is mostly of historical interest.
Switched port analyzer (SPAN) port
Used for port mirroring, where a switch sends copies of all packets seen on one port, or on an entire virtual local area network (VLAN), to another port where a capture host can analyze them, and for port monitoring (long-term monitoring of the ports in a network). A SPAN port is cheap but not lossless: when the mirrored traffic exceeds the capacity of the destination port, the switch silently drops packets, and an attacker with access to the switch configuration can alter or disable the mirror.
Tap
Short for "test access port," a tap is a hardware device designed to monitor a network link. It provides a permanent, passive monitoring port and sits between any two connected devices: a router and a firewall, two enterprise switches, or a host and an access switch. Because a passive tap copies the signal rather than forwarding packets, it does not drop traffic under load and cannot be reconfigured from the network.
Inline device
A specialized server or appliance that is more flexible and complex than a hub, SPAN port, or tap. Unlike the three devices above, an inline device is typically a full-fledged computer running a general-purpose operating system (OS), configured as a bridge or router so that it can collect or manipulate traffic as it passes through. The flexibility has a cost: because the device sits in the traffic path, its failure or overload takes the link down with it unless it has a fail-open bypass.
Packet Capture Uses
Packet capture on wired networks (wireless LANs are covered in the next section) serves many purposes, including:
- Security: Captured traffic lets analysts identify security flaws and breaches and pinpoint the intrusion point.
- Data leakage identification: Content analysis and monitoring of captured traffic shows where data is leaving the network and which hosts and threat sources are behind it.
- Troubleshooting: Captures expose undesired events (retransmissions, resets, malformed packets) so they can be resolved. Network administrators with full access to network resources can also pull captures from remote segments to troubleshoot issues.
- Packet loss identification: Comparing captures taken at two points along a path shows where packets are being dropped.
- Forensics: Captured traffic records what a compromised host did on the network, so a malware investigation can determine the extent of the problem. After initial analysis, security teams retain the relevant historical traffic so the incident can be reconstructed later.
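A worked illustration of the troubleshooting and packet-loss uses above, added here and not taken from the original page: a minimal reader for the libpcap file format, applied to two constructed captures of the same traffic taken upstream and downstream of a device, so that the packet the device dropped shows up in the comparison. The addresses, the traffic, and the matching rule in `dropped_between` (source, destination, IP ID) are assumptions made for this example; real captures would also key on transport sequence numbers.

```python
"""Minimal libpcap reader showing what a capture holds and how two captures
taken at different points reveal packet loss.  Added example, not code from
the original page; all traffic below is constructed inline."""
import struct
from collections import Counter

PCAP_MAGIC_LE = 0xA1B2C3D4      # little-endian libpcap magic number
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


def parse_pcap(data):
    """Return a list of dicts, one per IPv4 TCP/UDP packet in a pcap byte string."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC_LE:
        raise ValueError("not a little-endian pcap file (magic %#x)" % magic)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    offset, packets = 24, []
    while offset + 16 <= len(data):
        # Per-record header: seconds, microseconds, captured length, original length.
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack("<IIII", data[offset:offset + 16])
        frame = data[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue                     # not IPv4, or truncated by the snaplen
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4         # IPv4 header length in bytes
        ip_id, proto = struct.unpack("!H", ip[4:6])[0], ip[9]
        if proto not in (PROTO_TCP, PROTO_UDP):
            continue
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        packets.append({"ts": ts_sec + ts_usec / 1e6, "id": ip_id, "proto": proto,
                        "src": ".".join(str(b) for b in ip[12:16]), "sport": sport,
                        "dst": ".".join(str(b) for b in ip[16:20]), "dport": dport})
    return packets


def flow_summary(packets):
    """Count packets per 5-tuple, the usual first view when troubleshooting."""
    return Counter((p["proto"], p["src"], p["sport"], p["dst"], p["dport"]) for p in packets)


def dropped_between(upstream, downstream):
    """Packets seen at the upstream capture point but never at the downstream one.
    Assumption for this example: (src, dst, IP ID) identifies a packet within the window."""
    seen = {(p["src"], p["dst"], p["id"]) for p in downstream}
    return [p for p in upstream if (p["src"], p["dst"], p["id"]) not in seen]


def _frame(src, dst, proto, sport, dport, ip_id, payload=b"x" * 8):
    """Constructed Ethernet/IPv4/UDP-or-TCP frame; checksums are left at zero."""
    if proto == PROTO_UDP:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    else:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), ip_id, 0, 64, proto, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ETHERTYPE_IPV4) + ip + l4


def _pcap(frames, t0=1_700_000_000):
    """Wrap constructed frames in a libpcap global header and record headers."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return hdr + b"".join(struct.pack("<IIII", t0, i * 1000, len(f), len(f)) + f
                          for i, f in enumerate(frames))


# Constructed captures: the same DNS and TLS traffic seen before and after a
# device that (for this example) dropped the DNS packet with IP ID 3.
UPSTREAM_PCAP = _pcap([_frame("10.0.0.5", "10.0.0.9", PROTO_UDP, 40000, 53, i) for i in (1, 2, 3, 4)]
                      + [_frame("10.0.0.5", "10.0.0.9", PROTO_TCP, 50000, 443, 7)])
DOWNSTREAM_PCAP = _pcap([_frame("10.0.0.5", "10.0.0.9", PROTO_UDP, 40000, 53, i) for i in (1, 2, 4)]
                        + [_frame("10.0.0.5", "10.0.0.9", PROTO_TCP, 50000, 443, 7)])


def demo():
    """Parse both captures and return (per-flow counts upstream, packets lost in between)."""
    up, down = parse_pcap(UPSTREAM_PCAP), parse_pcap(DOWNSTREAM_PCAP)
    return flow_summary(up), dropped_between(up, down)


if __name__ == "__main__":
    flows, lost = demo()
    for flow, count in flows.items():
        print(flow, count)
    print("dropped between capture points:", [(p["src"], p["dst"], p["id"]) for p in lost])
```

The same reader works on a real capture written by tcpdump or Wireshark in the classic pcap format (not pcapng) as long as the link type is Ethernet; captures from a SPAN port that is oversubscribed will show drops here that the network itself never suffered, which is one reason to prefer a tap when loss measurements matter.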
Methods to Collect Traffic in Wireless Local Area Networks
As noted above, the capture devices described so far do not apply directly to WLANs, because wireless traffic is not confined to a cable. Packets in a WLAN can nonetheless be captured via:
- Active participation: Uses a sensor near a wireless access point (WAP) that joins the infrastructure-mode WLAN as a client. If Wired Equivalent Privacy (WEP) or another wireless encryption scheme is in use, the sensor must be configured with the network keys to participate. Traffic captured this way looks like wired Ethernet traffic to the sensor, but the sensor only sees what the WAP delivers to it: broadcast and multicast frames and its own unicast traffic, not the radio-level management and control frames.
- Passive participation: Uses sensors that collect wireless traffic in a completely passive manner, with the radio in monitor mode. These sensors do not join the WLAN, yet they see all of the management, control, and data frames that pass between the WAP and its clients on the monitored channel. They will not see packet contents, though, if encryption is used, unless they are also given the key and capture the session's key exchange.
- Monitoring on the WAP: It is also possible to collect traffic directly on the WAP itself, which is practical when the WAP is an in-house product built on a general-purpose OS, for example with tcpdump on a Linux-based access point.
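The passive-participation caveat above, as an added example that is not from the original page: a small decoder for the 802.11 Frame Control field, applied to constructed frames, which shows that a monitor-mode sensor can classify every frame it hears (beacon, probe request, ACK, data) but can only read the payload of data frames whose Protected Frame bit is clear. The frames and their simplified headers are constructed for this example.

```python
"""Classify raw 802.11 frames the way a passive monitor-mode sensor sees them.
Added example, not from the original page; the frames are constructed inline."""
import struct

FRAME_TYPES = {0: "management", 1: "control", 2: "data"}
MGMT_SUBTYPES = {0: "association request", 1: "association response", 4: "probe request",
                 5: "probe response", 8: "beacon", 11: "authentication", 12: "deauthentication"}
PROTECTED_FLAG = 0x40   # "Protected Frame" bit in the second Frame Control byte


def classify_frame(frame):
    """Return (type name, subtype, protected) for one raw 802.11 frame.
    Frame Control byte 0 holds version (bits 0-1), type (bits 2-3) and subtype
    (bits 4-7); byte 1 holds the flags, including Protected Frame."""
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    name = FRAME_TYPES.get(ftype, "reserved")
    if name == "management":
        name = "management/" + MGMT_SUBTYPES.get(subtype, "subtype %d" % subtype)
    return name, subtype, bool(fc1 & PROTECTED_FLAG)


def summarize(frames):
    """Count what a passive sensor can and cannot read: it sees every frame's
    header, but only the payload of data frames that are not protected."""
    summary = {"visible_frames": 0, "readable_payloads": 0, "encrypted_payloads": 0, "kinds": []}
    for frame in frames:
        name, _subtype, protected = classify_frame(frame)
        summary["visible_frames"] += 1
        summary["kinds"].append(name)
        if name == "data":
            summary["encrypted_payloads" if protected else "readable_payloads"] += 1
    return summary


def _frame(ftype, subtype, protected=False, body=b"", addrs=3):
    """Constructed 802.11 header: Frame Control, Duration, addresses, Sequence Control.
    Management and data frames carry three addresses; an ACK carries only the receiver."""
    fc0 = (ftype << 2) | (subtype << 4)          # protocol version 0
    fc1 = PROTECTED_FLAG if protected else 0
    hdr = bytes([fc0, fc1]) + struct.pack("<H", 0) + b"\x02" * (6 * addrs)
    if addrs == 3:
        hdr += struct.pack("<H", 0)              # Sequence Control follows the third address
    return hdr + body


# Constructed sample of what a monitor-mode radio hears on one channel.
SAMPLE_FRAMES = [
    _frame(0, 8, body=b"beacon body"),                  # beacon from the WAP
    _frame(0, 4),                                       # probe request from a client
    _frame(1, 13, addrs=1),                             # ACK (control frame)
    _frame(2, 0, protected=True, body=b"\x00" * 32),    # encrypted data frame (WPA2 or similar)
    _frame(2, 0, body=b"plaintext data"),               # data frame on an open network
]

if __name__ == "__main__":
    print(summarize(SAMPLE_FRAMES))
```

On a real capture the same classification applies once the per-frame radiotap header that most Linux drivers prepend in monitor mode (libpcap link type 127; the header's length is the little-endian 16-bit value at its bytes 2-3) has been skipped; captures with link type 105 carry the bare 802.11 header shown here.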
As shown above, packet capture serves both network administrators and attackers: the same mirrored port, tap, or monitor-mode radio that lets a defender troubleshoot and investigate lets an intruder read whatever crosses the network unencrypted.