(BQ) Part 2 book "CEH - TM - Official certified ethical hacker review guide" has contents: Sniffers, denial of service and session hijacking; hacking web servers, web application vulnerabilities, and web based password cracking techniques; SQL injection and buffer overflows; wireless hacking; physical security, and other contents.

Page 107 Friday, January 12, 2007 6:58 PM

Chapter 6
Sniffers

CEH EXAM OBJECTIVES COVERED IN THIS CHAPTER:
Understand the Protocols Susceptible to Sniffing
Understand Active and Passive Sniffing
Understand ARP Poisoning
Understand Ethereal Capture and Display Filters
Understand MAC Flooding
Understand DNS Spoofing Techniques
Describe Sniffing Countermeasures

A sniffer can be a packet-capturing or frame-capturing tool. It intercepts traffic on the network and displays it in either a command-line or GUI format for a hacker to view. Some sophisticated sniffers interpret the packets and can reassemble the packet stream into the original data, such as an e-mail or a document.

Sniffers are used to capture traffic sent between two systems. Depending on how the sniffer is used and the security measures in place, a hacker can use a sniffer to discover usernames, passwords, and other confidential information transmitted on the network. Several hacking attacks and various hacking tools require the use of a sniffer to obtain important information sent from the target system. This chapter will describe how sniffers work and identify the most common sniffer hacking tools.

The term packet refers to the data at layer 3 or the network layer of the OSI model whereas frame refers to data at layer 2 or the data link layer. Frames contain MAC addresses, and packets contain IP addresses.

Understand the Protocols Susceptible to Sniffing

Sniffer software works by capturing packets not destined for the system’s MAC address but rather for a target’s destination MAC address. This is known as promiscuous mode.
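The frame/packet distinction and the destination-MAC filtering described above, as an added example that is not from the book: it parses a constructed Ethernet II frame into its layer 2 and layer 3 addresses and models whether a network card would pass it up in normal versus promiscuous mode. All addresses and function names are assumptions made for illustration, and multicast handling is left out of the model.

```python
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"

def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_frame(frame):
    """Split an Ethernet II frame into layer 2 (MAC) and, if IPv4, layer 3 (IP) addresses."""
    if len(frame) < 14:
        raise ValueError("shorter than a 14-byte Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst_mac": fmt_mac(dst), "src_mac": fmt_mac(src), "ethertype": ethertype}
    payload = frame[14:]
    if ethertype == 0x0800 and len(payload) >= 20:  # IPv4 packet inside the frame
        # Source and destination addresses sit at fixed offsets 12 and 16.
        info["src_ip"] = ".".join(map(str, payload[12:16]))
        info["dst_ip"] = ".".join(map(str, payload[16:20]))
    return info

def nic_accepts(info, own_mac, promiscuous=False):
    """Simplified receive filter: normal mode keeps only frames addressed to
    the card's own MAC or to broadcast; promiscuous mode keeps everything."""
    if promiscuous:
        return True
    return info["dst_mac"] in (own_mac.lower(), BROADCAST)

def build_sample_frame():
    """Constructed sample: locally administered MACs, documentation-range IPs."""
    eth = bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
    eth += struct.pack("!H", 0x0800)
    # Minimal IPv4 header; the checksum is left at 0 and is not validated here.
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                       bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return eth + ipv4

if __name__ == "__main__":
    info = parse_frame(build_sample_frame())
    print("layer 2:", info["src_mac"], "->", info["dst_mac"])
    print("layer 3:", info["src_ip"], "->", info["dst_ip"])
    bystander = "02:00:00:00:00:03"  # a third host on the same segment
    print("intended receiver accepts:", nic_accepts(info, "02:00:00:00:00:02"))
    print("bystander, normal mode:", nic_accepts(info, bystander))
    print("bystander, promiscuous:", nic_accepts(info, bystander, promiscuous=True))
```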
Normally, a system on the network reads and responds only to traffic sent directly to its MAC address. In promiscuous mode, the system reads all traffic and sends it to the sniffer for processing. Promiscuous mode is enabled on a network card with the installation of special driver software. Many of the hacking tools