What is a network sniffer?

Network sniffer, packet sniffer, protocol analyzer, and other such names are often given to network analysis tools that are used for debugging and security purposes. A network sniffer can also be used for malicious purposes.

Ish Sookun


I was on my way back home today with my wife, Shelly, when she asked me if I could explain to her more about this «swindler» device that has become the talk of the town.

I replied to her that it is not «swindler» but network sniffer.

In this blog post I try to explain what a network sniffer device or software is. But before we get to that, there are a few things we should become familiar with.

I think most of the Internet users today know that every device connected to the Internet is identified by a string of numbers called the IP address. A phone number is the identifier of a physical telephone. Phone numbers allow calls to be made among fixed telephones and mobile phones. Similarly, devices connected to the Internet are able to find each other and initiate communication protocols using the IP address of each device.

Lesson no. 1 — Internet Protocol (IP) addresses

Your computer, mobile phone and Smart TV in your house are each assigned a private IP address by your router (which is usually given to you by your Internet Service Provider, e.g. Mauritius Telecom or Emtel).

An example of a private IP address is 192.168.100.10. All devices connected to the WiFi of your home router will have IP addresses in that range (192.168.100.11, 192.168.100.12, etc). These addresses are assigned to your home devices by the ISP router and they allow your devices to communicate with each other. The IP addresses are not reachable from the Internet. Therefore, if I need to communicate with your smartphone at your place, which has an IP address of let's say, 192.168.100.10, then I won't be able to do so from the comfort of my home, because that address is not reachable from the Internet.

For communication to happen on the Internet, public IP addresses are required. Your ISP provides you a router which is also a modem. The modem connects to your ISP network and a public IP address is assigned to it which is unique on the Internet. This IP address allows you to communicate on the Internet.

Diagram depicting private and public IP addresses
Diagram created using Figma, icons sourced from flaticon.com

When you open Netflix on your Smart TV, the request is sent to your router first and from there it is the router that sends the request on the Internet, to the Netflix server. Your router knows which of your devices made the request and therefore when a response is received from Netflix, it forwards that information to your Smart TV.

The range of IP addresses 197.224.0.0 – 197.225.255.255 is allocated to Mauritius Telecom by AFRINIC (the Regional Internet Registry for Africa & the Indian Ocean region). Many such IP address ranges are allocated to Mauritius Telecom and other Internet Service Providers in Mauritius. There are five Regional Internet Registries in the world that allocate the use of the IP addresses to organisations such as ISPs, universities, cloud companies, etc.

Lesson no. 2 — Network Packets

Okay, now we know how the Smart TV sends a request to Netflix on the Internet and receives a response. Let's see what the requests and responses are made of.

When someone needs to send a picture to somebody over the Internet, let's say using WhatsApp, that picture isn't sent as a single item over the network. It is broken down into many pieces before it is sent over. The pieces travel from one router to another, across the world, until they reach the intended destination (which is another device, e.g. a smartphone). At the destination device, all the pieces are reassembled to make up the picture like it was on the sender's device.

These small pieces are called packets. One may rightly ask, how many packets is a single JPEG file broken into before sending over the network?

The number of packets may vary depending on how network devices are configured. Network devices such as routers are configured to allow a maximum size for a single packet. This is referred to as the Maximum Transmission Unit (MTU) and it's usually 1500 bytes. Therefore, we could say that a 1 MB JPEG file would be broken into about 665 pieces of ~1500 bytes each before it is sent to someone on the Internet.

It is that single piece of 1500 bytes of data that is called a packet.

A packet itself is composed of two parts.

  • a header
  • a payload (also referred to as data)

Diagram detailing a network packet
Image source: Khan Academy

The header part contains information about the source, destination, protocol and packet number. This information is important for the routers to know where to send the packet and, once the packets reach their destination, how they need to be reassembled. The header part is not encrypted because this information should be readable by all networking devices that will carry the packet until its final destination.

Payload

The payload is the actual data that needs to be sent. In the example of the 1 MB JPEG file, the payload of the packet will contain part of the image data. If an encrypted communication is established on the Internet, then this payload will contain part of that encrypted data.

If the payload is not encrypted, then the packets can be captured by a network analysis tool (a sniffer) and the complete file reconstructed, e.g. a 1 MB JPEG file can be reconstructed and viewed in any image application.

If the payload is encrypted, then the packets can still be captured by the tool and the reconstructed file will be an encrypted JPEG file.
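To make the header/payload split concrete, here is an added Python example (not from the original post) that reads the cleartext IPv4 header of a constructed packet, verifies its checksum and returns the payload untouched. The addresses, field values and function names are assumptions chosen for illustration; the field layout follows RFC 791.

```python
import socket
import struct

IPV4_HEADER = "!BBHHHBBH4s4s"           # fixed 20-byte header layout from RFC 791
PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}

def checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words (RFC 791)."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_ipv4(packet: bytes) -> dict:
    """Return the header fields any device on the path can read, plus the payload."""
    if len(packet) < 20:
        raise ValueError("shorter than the minimum IPv4 header")
    ver_ihl, _tos, total_len, ident, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack(IPV4_HEADER, packet[:20])
    version, header_len = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or header_len < 20 or not header_len <= total_len <= len(packet):
        raise ValueError("not a well-formed IPv4 packet")
    return {
        "source": socket.inet_ntoa(src),
        "destination": socket.inet_ntoa(dst),
        "protocol": PROTOCOLS.get(proto, str(proto)),
        "identification": ident,
        "ttl": ttl,
        "header_ok": checksum(packet[:header_len]) == 0,  # 0 means header intact
        "payload": packet[header_len:total_len],          # opaque to this parser
    }

def build_sample(payload: bytes) -> bytes:
    """Constructed packet: home device 192.168.100.10 to documentation address 203.0.113.5."""
    fields = [0x45, 0, 20 + len(payload), 0x1234, 0, 64, 6, 0,
              socket.inet_aton("192.168.100.10"), socket.inet_aton("203.0.113.5")]
    fields[7] = checksum(struct.pack(IPV4_HEADER, *fields))
    return struct.pack(IPV4_HEADER, *fields) + payload

if __name__ == "__main__":
    info = parse_ipv4(build_sample(bytes.fromhex("8f02aa51c3")))  # stand-in for ciphertext
    for name, value in info.items():
        print(f"{name:15} {value}")
```

Whatever the payload holds, encrypted or not, the source, destination and protocol fields come out readable.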

Network Sniffer

The former CEO of Mauritius Telecom, S. Singh, stated in a radio programme on Friday 1st July 2022 at 17h00 that the Prime Minister of Mauritius asked him to allow a third party to install a network sniffer on the premises of the ISP.

The statement by S. Singh shook many people and it sends chills down the spine thinking that the biggest Internet Service Provider could be breaching the privacy of hundreds of thousands of Internet users in Mauritius.

But wait a minute. In his statement, S. Singh did not reveal the name of the third party or the actual device or software that was intended to sniff the Internet traffic. Unless that information is revealed, one can only speculate on sinister possibilities.

That being said, let's now look at what a network sniffer does.

A network sniffer is a tool that can capture network packets and analyse them. Some network sniffers can even reconstruct whole files if the payload is not encrypted or do signature-based Deep Packet Inspection (DPI) on the payload to identify its nature if the payload is encrypted.
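An added Python example, not from the original post, of signature-based inspection: it labels a payload by its leading bytes and, for TLS (the encryption layer under HTTPS), walks the record headers to report record types and lengths without decrypting anything. The three signatures, the sample payloads and the function names are assumptions chosen for illustration.

```python
import re

TLS_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HTTP_REQUEST = re.compile(rb"(GET|POST|PUT|HEAD|DELETE|OPTIONS|PATCH) \S+ HTTP/1\.[01]\r\n")
MAX_TLS_RECORD = 2**14 + 2048           # largest record body TLS 1.2 permits

def tls_records(data: bytes) -> list:
    """Walk TLS record headers and return (type, length) pairs; bodies are never decoded."""
    records, offset = [], 0
    while offset + 5 <= len(data):
        ctype, major, minor = data[offset:offset + 3]
        length = int.from_bytes(data[offset + 3:offset + 5], "big")
        if ctype not in TLS_TYPES or major != 3 or minor > 4 or length > MAX_TLS_RECORD:
            return []                    # framing does not hold, so this is not TLS
        records.append((TLS_TYPES[ctype], length))
        offset += 5 + length             # a final record cut off by the capture still counts
    return records

def classify(payload: bytes) -> dict:
    """Label a payload by signature and say whether its content is readable."""
    if payload.startswith(b"\xff\xd8\xff"):
        return {"kind": "JPEG image", "readable": True}
    if HTTP_REQUEST.match(payload):
        request_line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
        return {"kind": "HTTP request", "readable": True, "detail": request_line}
    records = tls_records(payload)
    if records:
        return {"kind": "TLS", "readable": False, "detail": records}
    return {"kind": "unknown", "readable": False}

# Constructed payloads, not captured traffic.
SAMPLE_HTTP = b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n"
SAMPLE_TLS = (bytes([22, 3, 3, 0, 4]) + bytes(4)                      # handshake record
              + bytes([23, 3, 3, 0, 8]) + bytes.fromhex("9f1c3ab07e22d4c1"))  # ciphertext

if __name__ == "__main__":
    for sample in (SAMPLE_HTTP, SAMPLE_TLS, b"\x00\x01\x02\x03\x04\x05"):
        print(classify(sample))
```

For the TLS sample the classifier learns the nature of the traffic (a handshake followed by 8 bytes of application data) while the content stays unreadable, whereas the cleartext HTTP sample exposes the full request line.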

Some network sniffers are also capable of man-in-the-middle (MITM) attacks. When such an attack succeeds, they can decrypt the network traffic and give a complete view of everything that a person does on the Internet.

How are network packets captured?

A network sniffer can be installed on any device to capture the traffic of that particular device. For example, if someone wants to analyse his/her own incoming & outgoing traffic on a laptop, a sniffer can be instructed to capture the traffic from a network interface, which can be an ethernet (cable) port or a WiFi interface.

Some routers also allow packet capturing from the router's ports and the file produced during the capture can be analysed using other tools.

Enterprise-grade firewalls are often equipped with advanced network packet capturing and Deep Packet Inspection (DPI) capabilities.

Clearing up confusion

In 2021, the Information and Communication Technologies Authority (ICTA) proposed amendments to the ICT Act, which would have allowed the authority to apply an MITM approach and control the Internet traffic in Mauritius.

It had also become public knowledge that ICTA intended to use Netsweeper, which had the MITM capabilities to decrypt HTTPS traffic.

Many organisations, including international privacy-focussed organisations, browser makers, and the citizens of Mauritius strongly opposed the proposal and condemned the authority for even considering such an approach.

At that time, I made a proof-of-concept using a web proxy called Fiddler Everywhere, to demonstrate how HTTPS traffic can be decrypted on the fly.

It's been a week since S. Singh's statement on radio and we still do not have any information regarding which software maker and what type of «sniffer» was the subject of discussion between Singh and the Prime Minister.

Therefore, what we can retain here is that if Mauritius Telecom had installed a sniffer without doing any MITM attack, then it would have had to rely on signature-based Deep Packet Inspection. That approach would not have allowed MT employees to access your email messages, listen to your WhatsApp calls or read your Facebook messages, etc. It would have allowed the tool to partly reconstruct your browsing history.

Can an ISP monitor the Internet traffic of all its subscribers?

An ISP could decide whether to monitor and capture the traffic of all its subscribers, some of them or just a few.

Is it not costly to monitor such an amount of Internet traffic?

Deep Packet Inspection on a high traffic network is costly, indeed. However, using a network tap, the ISP can copy the traffic of a specific network segment or specific IP addresses, for analysis, without impeding the actual traffic. There are several approaches that can reduce the cost of operation.

Can a third-party have access to the network traffic?

If a third-party operates the network device or the «sniffer» then yes, it can have access.


Erratum

I initially described the packet as being composed of three parts – header, payload (data) and footer. After S. Moonesamy pointed out on the Mauritius Internet Users mailing list to check whether the footer part is incorrect, I read Section 3.1 of RFC 791 – Internet Protocol to cross-verify. Section 1.3 of the same RFC describes an example where a TCP module would call on the internet module to take a TCP segment (including the TCP header and user data) as the data portion of an internet datagram. This information provides clarity on the packet composition as having a header and the data.

There are articles online that refer to the packet as a frame and then mention the frame as having a "trailer" part. The trailer is mentioned in RFC 1661 – Point-to-Point Protocol (PPP).

RFCs are documents that contain technical specifications for the Internet. They are produced by the Internet Engineering Task Force. Software developers, hardware manufacturers, and network operators around the world voluntarily implement and adopt the technical specifications described by RFCs.