We often hear that we need to protect ourselves from data sniffing, particularly at open WiFi hotspots. I'll look at what sniffing is and how easy it is.

I have read many articles on strangers/others sniffing on our network traffic or whatever we call it; in fact, it often appears in your newsletters. But what does it take to sniff on others' network usage? How do people really do it? Do we need hacker tools or should we be a network geek or is it so simple that any Tom, Dick and Harry can do it? Somehow, I'm not able to understand how others can see what we are browsing on the internet right now. What does it mean when you say the 'unprotected data' is available for others to read it? I am not going to do anything illegal, I am just very curious!

It's very easy.

There's at least one tool that makes it easy to take over someone's social media connection if they happen to be logged in unprotected in an open WiFi hotspot.

Did I mention that it's easy? It's a Firefox browser add-on. If you can add an add-on, you can do this.

Other tools are typically fairly geeky, but they are well known and typically also free.

So with your laptop and free software, you too can start sniffing network traffic.

Caveat

You know I'm going to start this with a big old disclaimer: I am not advocating that you use these tools to do anything illegal or immoral. And, depending on where you are, simply firing up these tools and looking at data flying by might be considered illegal. You're totally on your own to understand the laws and implications in your area.

That being said, there are often very legitimate uses for what are called "packet sniffers" and as such, these tools are well known. While I'll definitely be vague about some of the how-to steps, even if I went into it in detail, I wouldn't be revealing anything that isn't publicly available elsewhere.

Should you decide to do or learn more, please remember to use your skills for good, not evil.

Firesheep

Firesheep is the browser add-on that I referred to earlier.

Firesheep uses a technique called "session hijacking" to ... well, hijack other people's sessions to many popular services.

The plugin works like this:

  • A user at an unencrypted, open WiFi hotspot has logged in to an online service. While the login step may have used encrypted https connections, the service reverts to unencrypted http for subsequent page views once logged in.

  • You launch Firesheep. In your browser, a list appears of any users, such as those that I've just described, that are also using the same unencrypted WiFi hotspot.

  • You click on the user's name on the list.

  • You are now logged in as them to whatever service it is that they were using.

Note: You did not get their password and you did not actually log in as them. Firesheep hijacks an already-logged-in session and transfers to you the ability to "be" the logged-in person.

And as that logged in person, you can do whatever that person might be able to do while logged in.

And yes, it really is that easy; install Firesheep (and possibly a required utility), run, and click.

Packet Sniffing

Let's step back for a moment and look at one aspect of how WiFi works.

WiFi is radio-based technology. What that means is that when your computer sends a packet of data to the wireless access point, that packet is actually broadcast, like radio, and any device capable of receiving that signal can receive and "see" the packet.

By definition, any laptop with WiFi capability is capable of receiving WiFi signals, so it is capable of seeing the packet. Each packet includes information indicating which specific device is the intended recipient and in general, WiFi devices ignore any packet that is not specifically addressed to them.

"Sniffing" is nothing more than the laptop examining or looking at the packets that it sees come by, even if they are not intended for that laptop.

So, if you have a laptop with WiFi, you probably already have all of the hardware that you need to sniff unencrypted wireless traffic.

Packet sniffing software

Wireshark is free packet-sniffing software. It's labeled as a "network protocol analyzer" because it actually interprets the data within the packets based on the various protocols being used. But in order to do so, it starts by sniffing the packets. Then, it analyzes them.

[Screenshot: Wireshark]

Wireshark isn't for the casual user or novice. As you can see by the example above, it displays a lot of technical information in ways that only a geek could love.

But with a basic understanding of how it works, even a moderately technical person can capture data. Without even knowing anything about network protocols, you can typically view the unencrypted data contained within each packet clearly.

Including usernames and passwords. Or your email.

Install Wireshark, capture packets, and browse packets for "interesting" things.

Yes, it's that simple.

Staying safe

The key to staying safe is, of course, encryption.

In fact, Firesheep was created not to enable people to run around hijacking sessions, but rather to make it glaringly obvious how easily it could be done.

And to shame the industry into making one change: use https always.

Https during login prevents your login credentials from being sniffed, but if the service returns to the unencrypted http connection, then everything that follows is visible to anyone who cares to use software such as I've described above. If the services simply continue to use https throughout your session, then all is protected. The packets can still be sniffed, but all that's visible is unintelligible random noise.
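As an added example (not from the original article and not part of Firesheep), this Python code audits response headers for the pattern just described: https at login, then plain http, or a session cookie that is not restricted to https. It assumes the session is carried by a cookie; the host social.example, the cookie name, and the function names are made up for illustration.

```python
# Added example: sample responses below are constructed, not captured traffic.
from http.cookies import SimpleCookie

def audit_response(url, headers):
    """Return findings for one response; headers is a list of (name, value)."""
    findings = []
    names = [name.lower() for name, _ in headers]

    if not url.lower().startswith("https://"):
        findings.append("served over plain http: readable by anyone on the open WiFi")
    elif "strict-transport-security" not in names:
        findings.append("no Strict-Transport-Security: later requests may use http")

    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)
        for key, morsel in jar.items():
            # A cookie without Secure is also sent on http requests, unencrypted.
            if not morsel["secure"]:
                findings.append(f"cookie '{key}' lacks Secure: sent in the clear over http")
    return findings

def audit_session(responses):
    """Audit a whole browsing session: a list of (url, headers) pairs."""
    return {url: audit_response(url, headers) for url, headers in responses}

# Constructed sample: https only for login, then back to http (the weak pattern).
SAMPLE_WEAK = [
    ("https://social.example/login", [("Set-Cookie", "session=abc123; Path=/; HttpOnly")]),
    ("http://social.example/home", [("Content-Type", "text/html")]),
]

# Constructed sample: https throughout, HSTS set, cookie marked Secure.
SAMPLE_FIXED = [
    ("https://social.example/login", [
        ("Strict-Transport-Security", "max-age=31536000"),
        ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
    ]),
    ("https://social.example/home", [("Strict-Transport-Security", "max-age=31536000")]),
]

if __name__ == "__main__":
    for label, sample in (("weak", SAMPLE_WEAK), ("fixed", SAMPLE_FIXED)):
        for url, findings in audit_session(sample).items():
            print(label, url, findings or "ok")
```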

Https, WPA, and VPNs are all technologies that use encryption and can protect you from someone sitting in a corner capturing all of the open WiFi traffic.

Without one of those in place then yes, sniffing and interpreting your traffic in an open WiFi hotspot is, as we've seen, very easy to do.

This discussion actually applies to wired connections as well, except that routers and switches typically send packets on to only those wired connections where the actual destination is known to reside.

Article C4902 - August 12, 2011

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.

8 Comments
Kerry
August 16, 2011 9:54 AM

Great article Leo. I could have used this info 6 months ago. There is an open WiFi network at work that we have for customer internet access. An employee was using it to download torrents, and we were looking for a way to sniff traffic to try and identify the culprit. I will definitely check out WireShark for use next time.

GREG JACKSON
August 16, 2011 11:18 AM

Good way to assure oneself that things are as they should be - secure. Just imagine a good friend sniffing your "things" and you find that something isn't working as it should-and he tells you your packets are out in the open. Yikes.

Snert
August 16, 2011 11:50 AM

Privacy. Yeah, right.
I never send ANYTHING over any unsecured Wi-fi that I wouldn't want published on the front page of our local 'gossip-rag'.
Never ever.
It's not that hard to set up encryption 'tween you and whomever you need to send critical info to and from.
I use snail mail, pretty secure, to send the encryption codes to my contacts.
Paranoid? Mayhap, but I feel safer.

Bill Kingman
August 16, 2011 5:44 PM

BTW... Google's "Gmail" email/webmail is encrypted HTTPS fulltime, not just during sign-in. I'd like to know of any other email services offering fulltime HTTPS.

M. Run
August 23, 2011 1:17 PM

I downloaded Firesheep but it is not supported by the latest version of Firefox. Is there an alternative other than running an earlier version of Firefox?

Probably, but you're on your own on figuring it out. Sorry. As I said in the article, my goal isn't to detail how to do this, but rather to make people aware of how easy it really is. (Honestly, Firesheep shouldn't concern people as much as something like WireShark in the right hands.)

Leo
24-Aug-2011

Carlos R Coquet
August 24, 2011 12:56 AM

Sorry. This article would have been much better without pointing people to the "tools" to do wrong. You could have kept it to just explaining that there is software to do this and that without specifically pointing people to where to get it. The fact that other places may provide this information does not mean you also have to. That is like saying "Well, other people are looting. It's OK for me to do it also."
The article would have been finer if it had restricted itself to instructing people how to protect themselves not how to "do the same to others".

I'm not pointing to anything that those interested in sniffing wouldn't be able to find easily on their own. I felt it was important to point everyone else at the tools to show how well supported and readily available they are.

Leo
24-Aug-2011

Peter Marjoram
September 5, 2011 7:33 AM

Excellent article Leo, don't be bothered by the timid morality of others. In order to be secure on the internet we need to understand what makes it so insecure without beating around the bush in case we offend those who we couldn't say 'Booo' to.

Yehia El Araby
September 9, 2011 10:26 PM

Another email service offering fulltime HTTPS is fastmail.fm
