
IP Sniffing

The document discusses computer surveillance, specifically focusing on techniques like packet sniffing and IP sniffing used to monitor and log network traffic without user knowledge. It highlights the applications of network forensics in security and law enforcement, detailing how captured packets can be analyzed for evidence of security breaches. Additionally, it provides insights into methods to prevent IP sniffing attacks, emphasizing the importance of secure communication practices.


3/14/2024

COMPUTER SURVEILLANCE

Computer surveillance is the act of surveilling people's computer activity without their knowledge, by accessing the computer itself.

[Figure: Host A, Host B, Router A, Router B]


Packet sniffing
• Packet sniffing is the monitoring of data traffic
into and out of a computer or network.
• In some networks, data transmissions are sent
only to the machine they are intended for, while
in others, transmissions are broadcast to all
machines connected, but processed only by the
target computer.
• In the latter cases, it is possible to packet-sniff a
computer using only another computer on the
same network.


IP sniffing
• IP sniffing is a technique used to intercept,
monitor and log traffic over a TCP/IP network.
• The traffic is captured in packets, which are
small chunks of data that are sent between
devices on a network.
• IP sniffing can be used to track the activities of
users on a network or to steal information from
communications.
• Using this technique, cybercriminals 'sniff' for
unencrypted information such as credentials,
passwords, or confidential data over an
unsecured network.


Network Forensics

The network packets collected may contain different service categories such as:
• Email
• Instant Messaging
• File Transfer (FTP and P2P)
• Telnet
• Web Browsing (HTTP), etc.


Network Forensics
The capture, recording, reconstruction and analysis
of network events in order to discover the source
of security attacks or other problem incidents.

Network Packet Forensics Technology
• Packets captured (sniffer from wire, wireless, HTTPS/SSL).
• Packets organized.
• Playback (reconstruction).
• Saved to database.


Network Forensics
Network forensics generally has two uses.
• The first, relating to security, involves monitoring a network for anomalous traffic and identifying intrusions. An attacker might be able to erase all log files on a compromised host; network-based evidence might therefore be the only evidence available for forensic analysis.
• The second form of network forensics relates to law enforcement. In this case, analysis of captured network traffic can include tasks such as reassembling transferred files, searching for keywords and parsing human communication such as emails or chat sessions.


Packet sniffing
• A surveillance program installed on a
computer can search the contents of the hard
drive for suspicious data, can monitor computer
use, collect passwords, and even report back to
its operator through the Internet connection.


Packet sniffing
• Physical (hardware) surveillance devices
("bugs") are also possible. A relatively simple
bug is a keystroke logger implanted in the
keyboard, perhaps broadcasting the keystroke
sequence for pickup elsewhere.


ANALYSIS OF CAPTURED PACKET


(hexadecimal representation of data packet)

00 08 5c 94 17 cb 00 08 5c 94 17 cd 08 00 45 00 ..\.....\.....E.
00 3b 11 0e 00 00 80 11 bd 24 c0 a8 01 05 ca 38 .;.......$.....8
e0 99 04 3c 00 35 00 27 63 ec 00 48 01 00 00 01 ...<.5.'c..H....
00 00 00 00 00 00 04 6d 61 69 6c 04 6c 69 76 65 .......mail.live
03 63 6f 6d 00 00 01 00 01 .com.....

Wireshark, WinDump, TCPdump


BYTES DETAIL
MAC ADDRESS - BYTES FROM 1-14
• 1-6 BYTES - SOURCE MAC
• 7-12 BYTES - DESTINATION MAC
• 13-14 BYTES - VARIES FROM PROTOCOL TO PROTOCOL

IP HEADER - BYTES FROM 15-34
• FIRST BYTE
  • 1-4 BITS - IP VERSION
  • 5-8 BITS - HEADER LENGTH
• 16 BYTE - TYPE OF SERVICE
• 17-18 BYTES - IP DATAGRAM LENGTH
• 19-20 BYTES - ID NUMBER
• 21-22 BYTES - FRAGMENT OFFSET
• 23 BYTE - TTL
• 24 BYTE - TYPE OF PROTOCOL
• 25-26 BYTES - CHECKSUM
• REMAINING BYTES ARE PROTOCOL SPECIFIC


BYTES DETAIL
MAC ADDRESS PART
• 00 08 5c 94 17 cb - destination address
• 00 08 5c 94 17 cd - source address
• 08 00 - IP type (protocol used)

IP HEADER PART
• 45 00 00 3b 11 0e 00 00 80 11 bd 24 c0 a8 01 05 ca 38 e0 99
• 45 - version & header length
• 00 - differentiated services (TOS)
• 00 3b - total length
• 11 0e - identification
• 00 00 - fragment & flags
• 80 - TTL
• 11 - protocol
• bd 24 - header checksum
• c0 a8 01 05 - source IP
• ca 38 e0 99 - destination IP

PROTOCOL SPECIFIC (EX. DNS)
• 04 3c 00 35 00 27 63 ec - UDP
• 00 48 01 00 00 01 00 00 00 00 00 00 04 6d 61 69 6c 04 6c 69 76 65 03 63 6f 6d 00 00 01 00 01 - DNS query
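
Added example (not part of the original slides): a Python parser that decodes the sample frame above following the field-by-field breakdown (destination MAC first, then source MAC), and additionally verifies the IPv4 header checksum and extracts the DNS question name. The function names are illustrative; the only input is the 73-byte frame from the hex dump.

```python
import ipaddress
import struct

# Sample frame copied from the page's hex dump (73 bytes).
FRAME = bytes.fromhex(
    "00 08 5c 94 17 cb 00 08 5c 94 17 cd 08 00 45 00"
    "00 3b 11 0e 00 00 80 11 bd 24 c0 a8 01 05 ca 38"
    "e0 99 04 3c 00 35 00 27 63 ec 00 48 01 00 00 01"
    "00 00 00 00 00 00 04 6d 61 69 6c 04 6c 69 76 65"
    "03 63 6f 6d 00 00 01 00 01"
)

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def ipv4_checksum_ok(header):
    # One's-complement sum of all 16-bit words (checksum included) folds to 0xFFFF.
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def dns_question(msg):
    off, labels = 12, []          # question follows the 12-byte DNS header
    while msg[off]:               # length-prefixed labels, ended by a zero byte
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    qtype, qclass = struct.unpack("!HH", msg[off + 1:off + 5])
    return ".".join(labels), qtype, qclass

def parse_frame(frame):
    if len(frame) < 42 or frame[12:14] != b"\x08\x00":
        raise ValueError("expected an Ethernet II frame carrying IPv4")
    ihl = (frame[14] & 0x0F) * 4              # IP header length in bytes
    ip = frame[14:14 + ihl]
    total_len, ident, frag, ttl, proto = struct.unpack("!2xHHHBB", ip[:10])
    if proto != 17:
        raise ValueError("expected UDP (protocol 17)")
    udp = frame[14 + ihl:14 + total_len]
    sport, dport, ulen, _ = struct.unpack("!HHHH", udp[:8])
    qname, qtype, _ = dns_question(udp[8:ulen])
    return {
        "dst_mac": mac(frame[:6]), "src_mac": mac(frame[6:12]),
        "ttl": ttl, "checksum_ok": ipv4_checksum_ok(ip),
        "src_ip": str(ipaddress.IPv4Address(ip[12:16])),
        "dst_ip": str(ipaddress.IPv4Address(ip[16:20])),
        "sport": sport, "dport": dport, "qname": qname, "qtype": qtype,
    }
```

Calling parse_frame(FRAME) shows why the slides stress unencrypted traffic: the queried hostname is readable directly from the captured bytes.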


IP sniffing
• Active sniffing: In active sniffing, the attacker
injects Address Resolution Protocol (ARP) packets into
a network to redirect traffic to the attacker's
machine.
• Passive sniffing: Passive sniffing involves
monitoring traffic that is already passing through
a network device such as a switch or router. The
attacker does not need to send any special
packets or exploit any vulnerabilities.
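
Added example (not part of the original slides): one way a defender can spot the active sniffing described above is to watch for IP-to-MAC bindings that change, or for one MAC address answering for several IPs. The observations are constructed sample data (documentation-range IPs, locally administered MACs), and detect_arp_anomalies is a hypothetical helper.

```python
from collections import defaultdict

# Constructed sample: ARP replies seen on a LAN as "seconds sender_ip sender_mac".
OBSERVED = """\
1.0 192.0.2.1 02:00:00:00:00:01
2.0 192.0.2.10 02:00:00:00:00:0a
3.0 192.0.2.20 02:00:00:00:00:14
30.0 192.0.2.1 02:00:00:00:00:14
30.5 192.0.2.10 02:00:00:00:00:14
31.0 192.0.2.1 02:00:00:00:00:14
"""

def detect_arp_anomalies(text):
    """Return (changed, shared).

    changed: ip -> (time, first_seen_mac, new_mac) for the first time an IP
             is answered by a MAC other than the one first observed.
    shared:  mac -> sorted IPs, for any MAC that answered for more than one IP.
    """
    baseline, changed = {}, {}
    ips_by_mac = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, mac = line.split()
        mac = mac.lower()
        ips_by_mac[mac].add(ip)
        known = baseline.setdefault(ip, mac)   # first MAC seen becomes the baseline
        if known != mac and ip not in changed:
            changed[ip] = (float(ts), known, mac)
    shared = {m: sorted(ips) for m, ips in ips_by_mac.items() if len(ips) > 1}
    return changed, shared

if __name__ == "__main__":
    changed, shared = detect_arp_anomalies(OBSERVED)
    for ip, (ts, old, new) in changed.items():
        print(f"{ts:>6}: {ip} moved from {old} to {new}")
    for m, ips in shared.items():
        print(f"{m} answers for {', '.join(ips)}")
```

Legitimate events such as DHCP reassignment or gateway failover also change bindings, so alerts from this check need review. Passive sniffing sends nothing and is not visible to it.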


IP sniffing
• Filtered: In this configuration, the sniffer tool
captures packets that contain explicitly
mentioned data elements.

• Unfiltered: Here, the sniffer tool will capture all
possible packets and put them in the local hard
drive for evaluation.


IP sniffing
Benefits
• Analyze traffic by type and filter specific IP
packets
• Helps network administrators detect the root
cause of a network issue
• Allows monitoring of inbound & outbound
network traffic
• Improve network security
• Allows the IT team to perform traffic analysis and
bandwidth management


IP sniffing
Avoid IP sniffing attacks
• Use a VPN to create an encrypted tunnel for
communication
• Avoid unreliable public Wi-Fi
• Avoid clicking suspicious links
