Introduction

I hope you all know about sniffers, if not let me provide you with a brief introduction. The act of capturing packets that aren't necessarily meant for public viewing is called sniffing. Providing access to datalink layer for an application is a powerful feature that is available with most current OS.

Three common methods to access DataLink layer

1. BPF (BSD Packet Filter)
2. SRV4 DataLink Provider Interface(DLPI)
3. Linux (SOCK_PACKET) Interface

Unswitched Network

On an unswitched network, Ethernet packets pass through every device on the network.

Switched Network

In switched network devices are sent packets that are meant for them.Means no sniffing.

But there are clever ways to sniff. For that we need to look in the details of underlying protocols. One important detail is manipulating source address. There is no provision in TCP/IP protocol to ensure the source address of the machine. The act of forging asource address in a packet is known as Spoofing.

Spoffing is the first step in sniffing packets on a switched network.

Other two interesting details are found in ARP Protocol

(i) When ARP Reply comes in with an IP address that already exist in ARP cache, it overwrites it with new IP.
(ii) The system will accept an reply even if it didn't send out an ARP request.