Sniffing is the passive capture of network traffic. Because the attacker only listens and sends nothing, sniffing produces no traffic of its own and cannot be spotted from the network; it has to be detected on the host itself. Once an attacker has a foothold on a segment, sniffing exposes credentials, topology, and sensitive data.
By default, a Network Interface Card (NIC) delivers only frames addressed to its own MAC, to the broadcast address, or to a multicast group it has joined, and silently discards the rest. Enabling 'promiscuous mode' disables that filter: every frame the NIC sees on the segment is handed up to the kernel and to whatever capture tool (tcpdump, Wireshark) asked for it.
💡 Pro-tip: On a switched network the switch forwards each unicast frame only to the port where it last saw the destination MAC, so promiscuous mode yields just broadcast and multicast traffic, frames addressed to the host itself, and whatever the switch floods as unknown unicast. To see other hosts' traffic the attacker must combine it with ARP poisoning or a port-mirror (SPAN) session.
Enabling promiscuous mode changes the interface's driver state, and the change is visible on the host: `ip link show eth0` lists PROMISC among the interface flags, and the kernel logs `device eth0 entered promiscuous mode`. Capture tools such as tcpdump and Wireshark turn the mode on by default, so the flag and the log line are the first things to hunt for on a suspect host. One caveat: the kernel puts bridge member ports (Docker, libvirt, VM hosts) into promiscuous mode as a matter of course, so on those machines the flag alone is not proof of sniffing.
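The checks above, as an added example that is not part of the lab: a POSIX shell script that tests for promiscuous mode through the IFF_PROMISC bit in sysfs, the PROMISC flag in `ip link show` output, and the kernel's "entered/left promiscuous mode" log lines. The `ip link` and log lines it parses are constructed sample data; interface names and timestamps are placeholders.

```sh
#!/bin/sh
# Added example (not part of the lab): host-side checks for a promiscuous
# interface on Linux, using three signals.
#   1. the IFF_PROMISC bit (0x100, from <linux/if.h>) in
#      /sys/class/net/<iface>/flags
#   2. the PROMISC flag in the <...> flag list of `ip link show <iface>`
#   3. the kernel log line "device <iface> entered promiscuous mode"
# The sample `ip link` and kernel-log lines below are constructed for this
# example; interface names and timestamps are placeholders.

IFF_PROMISC=256   # 0x100

# promisc_from_flags HEXFLAGS: succeed when the IFF_PROMISC bit is set.
# HEXFLAGS is the raw content of /sys/class/net/<iface>/flags, e.g. 0x1103
# (UP|BROADCAST|PROMISC|MULTICAST) versus 0x1003 for a normal interface.
promisc_from_flags() {
    [ $(( $1 & IFF_PROMISC )) -ne 0 ]
}

# promisc_from_iplink LINE: succeed when an `ip link show` line carries
# PROMISC inside its <...> flag list.
promisc_from_iplink() {
    case "$1" in
        *'<'*PROMISC*'>'*) return 0 ;;
        *)                 return 1 ;;
    esac
}

# count_promisc_events LOG: print how many kernel messages in LOG report an
# interface entering or leaving promiscuous mode. Even if the attacker turns
# the mode off again, the "entered"/"left" pair stays in the log.
count_promisc_events() {
    printf '%s\n' "$1" | grep -cE 'device [^ ]+ (entered|left) promiscuous mode'
}

# check_iface IFACE: live check of one interface through sysfs.
# Returns 0 if promiscuous, 1 if not, 2 if the interface does not exist.
check_iface() {
    f="/sys/class/net/$1/flags"
    if [ ! -r "$f" ]; then
        echo "$1: no such interface"
        return 2
    fi
    flags=$(cat "$f")
    if promisc_from_flags "$flags"; then
        echo "$1: PROMISCUOUS (flags $flags)"
        return 0
    fi
    echo "$1: not promiscuous (flags $flags)"
    return 1
}

# Constructed sample data.
SAMPLE_IPLINK_CLEAN='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000'
SAMPLE_IPLINK_PROMISC='2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000'
SAMPLE_DMESG='[ 1234.567890] device eth0 entered promiscuous mode
[ 1300.000001] device eth0 left promiscuous mode
[ 1350.000002] device eth0 entered promiscuous mode
[ 1400.000003] eth0: link becomes ready'

# Demo run over the samples, then a live look at the loopback interface.
for line in "$SAMPLE_IPLINK_CLEAN" "$SAMPLE_IPLINK_PROMISC"; do
    if promisc_from_iplink "$line"; then
        echo "ip link: PROMISC set"
    else
        echo "ip link: PROMISC not set"
    fi
done
echo "kernel log: $(count_promisc_events "$SAMPLE_DMESG") promiscuous-mode transitions"
check_iface lo || true
```

The sysfs check is the one to script into a periodic host audit, since it needs no external tool; the log count is what to ship to a SIEM, because a sniffer that was switched on and off again leaves the flag clear but the "entered"/"left" lines behind.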
The most effective defense against sniffing is ubiquitous encryption. If traffic is protected by TLS, SSH, or IPsec, a capture yields ciphertext: the attacker still learns who talked to whom, when, and how much (and, for TLS, usually the server name from the SNI extension), but not the credentials or the content.
⚠️ Never transmit credentials over HTTP, Telnet, or FTP. These protocols send everything in cleartext, so any passive observer on the path (another host on the segment, a compromised switch or router) reads the username and password straight out of the capture.
| Protocol | Encryption | Sniffing Risk |
|---|---|---|
| HTTP | No | Critical (Cleartext) |
| Telnet | No | Critical (Cleartext) |
| FTP | No | Critical (Cleartext) |
| HTTPS (TLS) | Yes | Low (Ciphertext; metadata such as SNI still visible) |
| SSH | Yes | Low (Ciphertext; version banner still visible) |
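To make the table concrete, here is an added example that is not part of the lab: a POSIX shell script that plays the passive observer over a constructed capture (text in the style of `tcpdump -A` output) containing an HTTP Basic login, an FTP login and the start of an SSH session. The hosts, user names, passwords and the OpenSSH version string are placeholders.

```sh
#!/bin/sh
# Added example (not part of the lab): what a passive observer recovers from
# a capture of cleartext protocols versus an encrypted one. SAMPLE_CAPTURE is
# constructed text in the style of `tcpdump -A` output; hosts, user names,
# passwords and the SSH version string are placeholders. After the SSH banner
# a real capture holds only key-exchange and encrypted records, so nothing
# more of that session is shown.
SAMPLE_CAPTURE='GET /admin HTTP/1.1
Host: intranet.example.test
Authorization: Basic YWxpY2U6aHVudGVyMg==
User-Agent: curl/8.4.0

220 ftp.example.test FTP server ready
USER bob
331 Password required for bob
PASS s3cret!
230 Login successful

SSH-2.0-OpenSSH_9.6'

# http_basic_creds CAPTURE: print user:password for every HTTP Basic header.
# Basic auth only base64-encodes the credentials; there is no secrecy in it.
http_basic_creds() {
    printf '%s\n' "$1" | tr -d '\r' \
      | sed -n 's|^Authorization: Basic \([A-Za-z0-9+/=]*\).*|\1|p' \
      | while IFS= read -r tok; do
            printf '%s\n' "$tok" | base64 -d
            echo
        done
}

# ftp_creds CAPTURE: pair each FTP USER command with the PASS that follows it.
ftp_creds() {
    printf '%s\n' "$1" | tr -d '\r' \
      | awk '/^USER /{u=$2} /^PASS /{print u ":" $2}'
}

# ssh_banner CAPTURE: the only readable part of an SSH session is the version
# banner exchanged before key exchange; everything after it is ciphertext.
ssh_banner() {
    printf '%s\n' "$1" | tr -d '\r' \
      | sed -n 's|.*\(SSH-2\.0-[^[:space:]]*\).*|\1|p'
}

# Demo: run the three extractors over the sample capture.
echo "HTTP Basic credentials: $(http_basic_creds "$SAMPLE_CAPTURE")"
echo "FTP credentials:        $(ftp_creds "$SAMPLE_CAPTURE")"
echo "SSH, readable metadata: $(ssh_banner "$SAMPLE_CAPTURE")"
```

Run against a real capture, feed it `tcpdump -A -r capture.pcap` (or `strings` on the file); the point of the exercise is that the HTTP and FTP extractors need no cryptanalysis at all, while the SSH session gives up nothing beyond its banner.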