
At which layer do packet sniffing programs work?

TJN23

Golden Member
By the nature of the question, I'd say at the IP layer, level 3...

however since packet sniffers can look at port specific TCP data, such as http, ftp, and telnet data, would this mean they operate at the upper 4 and 5 levels? This is assuming the 5 level TCP/IP model.

Also, if something worked at levels 3, 4, and 5, does that automatically mean they work at 1 and 2? A packet sniffing program is a wiretap device that reads the bits on a wire so i'd imagine it'd be working at those 2 lower levels as well...

thanks in advance,

Tim
 
Actually most "packet sniffers" work on layer 2. Most display MAC addresses AND IP addresses and the contents of the frames, not the packets.
 
That's exactly it. Sniffers capture data at layer2 by putting your network card in promiscuous mode and watching data that flows across the wire. Based on the information in the frames that they receive, they can give you a lot more details on higher layer protocols, but they were actually captured at layer2.

- G

 
so while operating on Layer 2 by displaying MAC addresses within the frame, how does it have the potential to read upper layer data, such as tcp port stuff, i.e. port 21, 80, 25, for email, web, ftp?

sorry i'm just confused on the definitive answer, if it's just layer 2 then so be it....

thanks

Tim
 
posted before i saw Garion, thanks so:

sniffers capture the frames at layer 2....these frames contain information about upper layers?
 
that's sort of a loaded question because you can make a case for layer2 or layer7.

Even though there is no sniffer layer7 protocol, it is an application. One can even say they work at layer one because they'll report physical layer errors as well.
 
however the idea is that sniffers capture frames, right? so in essence, they "operate" at layer 2 and process the frame to look at upper layer data

layer 7, the application, is just doing work on the data that was already captured at layer 2 (i.e. the frame)

as for layer 1, i'm sure you can make a case out of that 🙂
 
You have to realize when you mean "operate" it doesn't just work at one layer. It wouldn't make sense to sniff without displaying or interpreting the results.

Figuring out where it works isn't really useful. Figuring out where it doesn't work is more important.

Sniffers tend to use logic to figure out problems between layer 1-7 but it won't magically work at any one of the layers without having sufficient information from the other layers.
 