I find sniffing entertaining. I'm a networking student and this is the kinda thing I'm supposed to be into though. I sniff around my school's network once or twice a week just to see what's floating around.
The only thing that makes it somewhat boring is the fact that more and more networks are switched networks now as opposed to networks using hubs. This means that the amount of worthwhile traffic you'll see is greatly reduced. In an ideally switched network all you'll see is your own traffic and the broadcasts from your subnet. While you can learn a lot from reading through endless amounts of ARP and DHCP, it does get boring real quick.
One thing I see at my school (due to a poor configuration I would imagine) is a few protocols called HSRP, STP, and CDP. In order those are:
Hot Standby Router Protocol
Spanning Tree Protocol
Cisco Discovery Protocol
So now you're asking what those are right? Ok then:
HSRP: A protocol that provides high network availability and provides nearly instantaneous hardware fail-over without administrator intervention. It generates a Hot Standby router group, including a lead router that lends its services to any packet being transferred to the Hot Standby address. If the lead router fails, it will be replaced by any other routers (the standby routers) that monitor it.
STP: The bridge protocol (IEEE 802.1D) that enables a learning bridge to dynamically avoid loops in a network topology by creating a spanning tree using the spanning-tree algorithm. Spanning-tree frames called Bridge Protocol Data Units (BPDUs) are sent and received by all switches in the network at regular intervals. The switches participating in the spanning tree don't forward the frames; instead, they're processed to determine the spanning-tree topology itself.
CDP: Cisco's proprietary protocol that's used to tell a neighbour Cisco device about the type of hardware, software version, and active interfaces that the Cisco device is using. It uses a SNAP frame between devices and is not routable.
So what does all that mumbo-jumbo mean? Well, basically it means that the devices that make up the network backend are telling me everything there is to know about themselves. Using these 3 protocols I can:
- Lay out the exact physical AND logical topology of the network
- Know the IOS version running on any given switch or router
- Know the exact capabilities of any network device
- Know any services running on any network device
And much more. About the only thing these devices aren't telling me is passwords and logins (which you can find with sniffing too :x ).
But like I said, my school network is switched so this is really the more boring stuff you can find out by sniffing. For someone like me though who has aspirations of designing and maintaining networks this sort of thing is insightful and interesting.
It never hurts to just load a good packet-sniffer up and let it go for a while. If you don't find anything interesting or are just plain bored with it then stop. You never know what you're gonna find though unless you look.
As far as packet sniffers go, there are two that I recommend:
Ethereal - for Windows
http://www.ethereal.com/
Snort - for *nix
http://www.snort.org/
If you would like a more comprehensive list of available sniffers you can try
http://neworder.box.sk/codebox.links.php?&key=sniff
Any other questions feel free to shout em out.
sum
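The CDP description above is the most concrete part of the post, so here is an added example (not from the original post or its author) that shows exactly what one CDP advertisement hands to every host on the segment. It is a small Python decoder for the CDP frame format (802.3 length field, LLC/SNAP header with Cisco's OUI and protocol ID 0x2000, then a version byte, a TTL byte, a checksum, and a list of type/length/value fields). The sample frame is constructed inline with made-up values (the device name SW-LAB-01, the MAC address, the IP 10.0.0.1, the version string); the TLV type numbers and capability bits are the documented CDP ones. The `leaked_fields` helper is an assumed audit check that lists which infrastructure-describing fields a frame exposes, which is the kind of thing you would use when deciding where CDP should be switched off (on access ports facing end hosts, for instance).

```python
import struct

# CDP rides in 802.3 frames to 01:00:0c:cc:cc:cc with an LLC/SNAP header:
# DSAP/SSAP 0xAA, control 0x03, OUI 00:00:0C, protocol ID 0x2000.
CDP_MULTICAST = bytes.fromhex("01000ccccccc")
SNAP_CDP = bytes.fromhex("aaaa03" "00000c" "2000")

TLV_NAMES = {0x0001: "device_id", 0x0002: "addresses", 0x0003: "port_id",
             0x0004: "capabilities", 0x0005: "software_version",
             0x0006: "platform", 0x0009: "vtp_domain", 0x000A: "native_vlan"}
CAPABILITY_BITS = {0x01: "Router", 0x02: "Transparent Bridge", 0x04: "Source Route Bridge",
                   0x08: "Switch", 0x10: "Host", 0x20: "IGMP", 0x40: "Repeater"}
# Fields that describe the infrastructure itself rather than the local link (assumed list).
SENSITIVE = ("software_version", "platform", "addresses", "native_vlan", "vtp_domain")


def ones_complement_checksum(data: bytes) -> int:
    """16-bit ones' complement sum. Odd length is zero-padded here; assumption:
    real Cisco devices pad odd-length payloads differently, so only even-length
    frames are guaranteed to verify against captured traffic."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_tlv(tlv_type: int, value: bytes) -> bytes:
    # TLV length covers the 4-byte type/length header plus the value.
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value


def build_cdp_frame(src_mac: bytes, tlvs: bytes, ttl: int = 180) -> bytes:
    """Build a CDPv2 frame; used only to construct the sample input below."""
    body = bytes([2, ttl]) + b"\x00\x00" + tlvs          # checksum field zeroed
    body = body[:2] + struct.pack("!H", ones_complement_checksum(body)) + tlvs
    payload = SNAP_CDP + body
    return CDP_MULTICAST + src_mac + struct.pack("!H", len(payload)) + payload


def parse_addresses(value: bytes) -> list:
    """Addresses TLV: count, then (proto type, proto len, proto, addr len, addr)."""
    count = struct.unpack("!I", value[:4])[0]
    off, addrs = 4, []
    for _ in range(count):
        ptype, plen = value[off], value[off + 1]
        proto = value[off + 2:off + 2 + plen]
        alen = struct.unpack("!H", value[off + 2 + plen:off + 4 + plen])[0]
        addr = value[off + 4 + plen:off + 4 + plen + alen]
        off += 4 + plen + alen
        if ptype == 1 and proto == b"\xcc" and alen == 4:   # NLPID 0xCC = IPv4
            addrs.append(".".join(str(b) for b in addr))
        else:
            addrs.append(addr.hex())
    return addrs


def parse_cdp_frame(frame: bytes) -> dict:
    """Decode one raw Ethernet frame carrying CDP into a dict of named fields."""
    if frame[:6] != CDP_MULTICAST:
        raise ValueError("not addressed to the CDP multicast MAC")
    length = struct.unpack("!H", frame[12:14])[0]
    if length > len(frame) - 14:
        raise ValueError("truncated frame")
    payload = frame[14:14 + length]
    if payload[:8] != SNAP_CDP:
        raise ValueError("not a CDP SNAP frame")
    body = payload[8:]
    version, ttl, _csum = struct.unpack("!BBH", body[:4])
    info = {"version": version, "ttl": ttl,
            "checksum_ok": ones_complement_checksum(body) == 0}
    offset = 4
    while offset + 4 <= len(body):
        t, l = struct.unpack("!HH", body[offset:offset + 4])
        if l < 4 or offset + l > len(body):
            raise ValueError("malformed TLV at offset %d" % offset)
        value = body[offset + 4:offset + l]
        offset += l
        name = TLV_NAMES.get(t, "tlv_0x%04x" % t)
        if t == 0x0004:
            mask = struct.unpack("!I", value)[0]
            info[name] = [n for bit, n in CAPABILITY_BITS.items() if mask & bit]
        elif t == 0x000A:
            info[name] = struct.unpack("!H", value)[0]
        elif t == 0x0002:
            info[name] = parse_addresses(value)
        else:
            info[name] = value.decode("ascii", errors="replace")
    return info


def leaked_fields(info: dict) -> list:
    """Which infrastructure-describing fields this advertisement exposes."""
    return [f for f in SENSITIVE if f in info]


# Constructed sample advertisement (all values made up for this example).
SAMPLE_FRAME = build_cdp_frame(
    bytes.fromhex("0011223344aa"),
    build_tlv(0x0001, b"SW-LAB-01")
    + build_tlv(0x0002, struct.pack("!I", 1) + b"\x01\x01\xcc"
                + struct.pack("!H", 4) + bytes([10, 0, 0, 1]))
    + build_tlv(0x0003, b"GigabitEthernet0/7")
    + build_tlv(0x0004, struct.pack("!I", 0x28))        # Switch | IGMP
    + build_tlv(0x0005, b"Cisco IOS Software, constructed sample version string")
    + build_tlv(0x0006, b"cisco WS-C2960")
    + build_tlv(0x000A, struct.pack("!H", 10)),
)

if __name__ == "__main__":
    decoded = parse_cdp_frame(SAMPLE_FRAME)
    for k, v in decoded.items():
        print("%-17s %s" % (k, v))
    print("exposed:", leaked_fields(decoded))
```

Run it and the decoder prints the neighbour's name, the port you are plugged into, the management IP, the IOS version string, the platform and the native VLAN, which is the whole list the post describes, delivered every TTL interval without anyone asking. On a real capture you would feed the raw frame bytes from the sniffer into `parse_cdp_frame` instead of the constructed sample.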