Network monitoring (sniffing) is a technique that uses a computer's network interface to capture packets addressed to other hosts. It can be used to observe the current state of network traffic and the behaviour of network applications, and it can equally be abused to steal confidential information while it is in transit. On shared Ethernet (a hub or a single coaxial segment) every transmission is effectively a broadcast: every interface on the segment can see all data placed on the physical medium. Hosts are addressed at this layer by MAC address, and ARP and RARP translate between IP addresses and MAC addresses.
Normally a network interface accepts only two kinds of frames: those whose destination is its own hardware address, and broadcast frames addressed to every host (interfaces also accept multicast frames for groups the host has joined). In a real system the network card does the sending and receiving. Every Ethernet card has a globally unique Ethernet (MAC) address, a 48-bit number, and contains an address filter. The filter keeps frames whose destination MAC is the card's own address, plus broadcast frames, and discards everything else, so the CPU is not burdened with frames meant for other hosts. This is the card's normal operating mode: it passes up only the traffic that concerns the local host. The filter can, however, be disabled in software. With the filter off, the card passes every frame it receives up the stack, so software on the host can observe communication between other machines on the Ethernet. This operating mode is called promiscuous mode. The following figure shows it applied to a shared hub network.
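As an added example (not code from the original article), the Python below emulates the NIC address filter just described and contrasts it with promiscuous mode, and shows the Linux AF_PACKET call that a sniffer uses to turn promiscuous mode on. All MAC addresses and frames in it are constructed for the demo; `open_promiscuous()` needs CAP_NET_RAW, so the demo never calls it.

```python
"""Added example, not code from the original article: emulates the
destination-address filter an Ethernet NIC applies in normal mode and
what changes in promiscuous mode, then shows how a Linux program asks
the kernel for promiscuous mode. MAC addresses and frames are made up
for the demo; open_promiscuous() needs CAP_NET_RAW and is not called."""
import socket
import struct

ETH_HDR = struct.Struct("!6s6sH")   # destination MAC, source MAC, EtherType
BROADCAST = b"\xff" * 6
ETH_P_IP, ETH_P_ARP, ETH_P_ALL = 0x0800, 0x0806, 0x0003


def mac_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def nic_accepts(frame: bytes, own_mac: bytes, promiscuous: bool = False) -> bool:
    """Decide whether the NIC hands this frame to the host.

    Normal mode: only frames whose destination is this NIC's own address,
    the broadcast address, or a multicast group (group bit set in the first
    octet; real hardware additionally hashes joined groups, simplified away
    here). Promiscuous mode: every well-formed frame.
    """
    if len(frame) < ETH_HDR.size:
        return False                      # runt frame, dropped in either mode
    dst, _src, _ethertype = ETH_HDR.unpack_from(frame)
    if promiscuous:
        return True
    return dst == own_mac or dst == BROADCAST or bool(dst[0] & 0x01)


def sniff(frames, own_mac: bytes, promiscuous: bool):
    """Return (src, dst, ethertype) for each frame the host would see."""
    seen = []
    for frame in frames:
        if nic_accepts(frame, own_mac, promiscuous):
            dst, src, ethertype = ETH_HDR.unpack_from(frame)
            seen.append((mac_str(src), mac_str(dst), ethertype))
    return seen


def open_promiscuous(ifname: str) -> socket.socket:
    """Linux only, needs CAP_NET_RAW. Opens an AF_PACKET socket on ifname
    and joins PACKET_MR_PROMISC, which is how tcpdump/libpcap disable the
    address filter. Not exercised by the demo below."""
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    sock.bind((ifname, 0))
    packet_mr_promisc = 1                 # PACKET_MR_PROMISC from <linux/if_packet.h>
    # struct packet_mreq: int mr_ifindex; u16 mr_type; u16 mr_alen; u8 mr_address[8]
    mreq = struct.pack("iHH8s", socket.if_nametoindex(ifname), packet_mr_promisc, 0, b"\x00" * 8)
    sock.setsockopt(socket.SOL_PACKET, socket.PACKET_ADD_MEMBERSHIP, mreq)
    return sock


# Constructed sample traffic on one shared segment: our host A, peers B and C.
OWN_MAC = mac_bytes("02:00:00:00:00:0a")
HOST_B = mac_bytes("02:00:00:00:00:0b")
HOST_C = mac_bytes("02:00:00:00:00:0c")


def frame(dst: bytes, src: bytes, ethertype: int = ETH_P_IP) -> bytes:
    return ETH_HDR.pack(dst, src, ethertype) + b"\x00" * 46   # minimum payload


SAMPLE_FRAMES = [
    frame(OWN_MAC, HOST_B),               # B -> A: ours
    frame(BROADCAST, HOST_B, ETH_P_ARP),  # B's ARP request: broadcast
    frame(HOST_C, HOST_B),                # B -> C: only visible in promiscuous mode
    frame(HOST_B, HOST_C),                # C -> B: likewise
]

if __name__ == "__main__":
    for mode in (False, True):
        print("promiscuous" if mode else "normal", sniff(SAMPLE_FRAMES, OWN_MAC, mode))
```

In normal mode the host sees only the frame addressed to it and the broadcast ARP request; in promiscuous mode it also sees the two frames exchanged between B and C. On a switched network the switch would not even deliver those two frames to A's port, which is why the text's scenario assumes a shared hub.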
Another eavesdropping method relies on ARP spoofing, also known as ARP redirection. ARP (Address Resolution Protocol) is an efficient data link layer protocol, but as a LAN protocol it assumes that hosts trust one another, which creates several security problems:
- The IP-to-MAC mapping table is a cache that is updated dynamically; this is a defining feature of ARP and also one of its weaknesses. Entries expire after a timeout, so an attacker who manages to rewrite the entry on the victim before the next legitimate refresh can impersonate the real host until the next update.
- ARP requests are sent by broadcast, so every host on the segment sees who is resolving which address.
- ARP replies can be sent at any time, including unsolicited replies that answer no request, and hosts accept them.
- ARP replies carry no authentication: a host has no way to verify that the sender really owns the IP address it claims.
Promiscuous mode makes it very easy to turn an ordinary network card into a network probe. On the one hand this is convenient for network management; on the other, any user on the segment can listen in on other people's traffic, which is a serious threat to the confidentiality of data communication. For legitimate monitoring, an interface at a network node is set to promiscuous mode so that traffic can be observed and managed. An attacker uses ARP to discover which nodes are in promiscuous mode (a host whose address filter is off will answer an ARP request that was sent to a MAC address other than its own) and plants eavesdropping software on those nodes.
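The following Python is an added example, not code from the original article, and it serves both the list of ARP weaknesses above and the ARP-based promiscuous-mode check just mentioned. It builds raw ARP frames with `struct`, models a cache that trusts every reply, adds a detector in the style of arpwatch that reports an IP whose MAC changes, and sends the probe (an ARP request addressed to a MAC nobody owns) to a simulated host with and without promiscuous mode. Every address, host name and frame in it is made up for the demo.

```python
"""Added example, not code from the original article. It covers the two
passages above: the ARP weaknesses (an unsolicited, unauthenticated reply
overwrites a dynamic cache) and the ARP probe for a host in promiscuous
mode. Frames are built with struct so it runs offline; every address and
host below is made up for the demo."""
import ipaddress
import struct

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")  # htype ptype hlen plen op sha spa tha tpa
ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST, ZERO_MAC = b"\xff" * 6, b"\x00" * 6
# Bogus unicast destination used by the classic promiscuous-mode probe: a NIC
# with its address filter on drops it, a promiscuous NIC passes it up.
PROBE_DST = bytes.fromhex("fffffffffffe")

def mac(text): return bytes.fromhex(text.replace(":", ""))
def mac_str(raw): return ":".join(f"{b:02x}" for b in raw)
def ip(text): return ipaddress.IPv4Address(text).packed
def ip_str(raw): return str(ipaddress.IPv4Address(raw))

def build_arp(op, sha, spa, tha, tpa, eth_dst=None):
    """One Ethernet frame carrying one ARP packet; the Ethernet destination
    defaults to broadcast for a request and to the target MAC for a reply."""
    if eth_dst is None:
        eth_dst = BROADCAST if op == ARP_REQUEST else tha
    return ETH_HDR.pack(eth_dst, sha, ETH_P_ARP) + ARP_PKT.pack(1, 0x0800, 6, 4, op, sha, spa, tha, tpa)

def parse_arp(frame):
    """ARP fields of a frame as a dict, or None if it is not a full ARP frame."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    eth_dst, _src, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != ETH_P_ARP:
        return None
    _, _, _, _, op, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    return {"eth_dst": eth_dst, "op": op, "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}

class TrustingArpCache:
    """The behaviour the article criticises: every reply, solicited or not,
    overwrites the cached MAC for its sender IP, and nothing verifies the sender."""
    def __init__(self):
        self.table = {}
    def learn(self, frame):
        pkt = parse_arp(frame)
        if pkt and pkt["op"] == ARP_REPLY:
            self.table[ip_str(pkt["spa"])] = mac_str(pkt["sha"])
    def lookup(self, ip_text):
        return self.table.get(ip_text)

class PoisonDetector:
    """Pins the first MAC seen for each IP and reports any later ARP packet
    claiming a different MAC for that IP (the arpwatch approach)."""
    def __init__(self):
        self.pinned, self.alerts = {}, []
    def observe(self, frame):
        pkt = parse_arp(frame)
        if pkt is None:
            return
        spa, sha = ip_str(pkt["spa"]), mac_str(pkt["sha"])
        first = self.pinned.setdefault(spa, sha)
        if first != sha:
            self.alerts.append(f"{spa} was {first}, now claimed by {sha}")

def promisc_probe(our_mac, our_ip, target_ip):
    """ARP request for target_ip whose Ethernet destination nobody owns."""
    return build_arp(ARP_REQUEST, our_mac, ip(our_ip), ZERO_MAC, ip(target_ip), eth_dst=PROBE_DST)

def host_reacts(frame, host_mac, host_ip, promiscuous):
    """What a host does with a frame: the NIC drops anything not addressed to
    it unless promiscuous; the ARP stack then answers requests for its own IP."""
    pkt = parse_arp(frame)
    if pkt is None or (not promiscuous and pkt["eth_dst"] not in (host_mac, BROADCAST)):
        return None
    if pkt["op"] == ARP_REQUEST and pkt["tpa"] == ip(host_ip):
        return build_arp(ARP_REPLY, host_mac, ip(host_ip), pkt["sha"], pkt["spa"])
    return None

def poisoning_demo():
    """Gateway 192.0.2.1 replies legitimately, then the attacker sends an
    unsolicited reply for the same IP. Returns the victim's cached MAC for the
    gateway and the detector's alerts."""
    gw, attacker, victim = mac("02:00:00:00:00:01"), mac("02:00:00:00:00:66"), mac("02:00:00:00:00:0a")
    legit = build_arp(ARP_REPLY, gw, ip("192.0.2.1"), victim, ip("192.0.2.10"))
    forged = build_arp(ARP_REPLY, attacker, ip("192.0.2.1"), victim, ip("192.0.2.10"))
    cache, detector = TrustingArpCache(), PoisonDetector()
    for frame in (legit, forged):
        cache.learn(frame)
        detector.observe(frame)
    return cache.lookup("192.0.2.1"), detector.alerts

def probe_demo(promiscuous):
    """Probe host 192.0.2.20 from 192.0.2.10; True if it answered."""
    probe = promisc_probe(mac("02:00:00:00:00:0a"), "192.0.2.10", "192.0.2.20")
    return host_reacts(probe, mac("02:00:00:00:00:14"), "192.0.2.20", promiscuous) is not None
```

`poisoning_demo()` shows the victim's cache ending up with the attacker's MAC for the gateway after a single forged reply, while the detector raises exactly one alert for the change; `probe_demo(False)` returns False and `probe_demo(True)` returns True, which is the whole basis of the ARP probe. Real stacks vary in which bogus destination MACs they answer, so in practice a probe tool tries several patterns.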