At which layer do packet sniffing programs work?

TJN23

By the nature of the question, I'd say at the IP layer, level 3...

However, since packet sniffers can look at port-specific TCP data, such as HTTP, FTP, and telnet data, would this mean they operate at the upper 4 and 5 levels? This is assuming the 5-level TCP/IP model.

Also, if something worked at levels 3, 4, and 5, does that automatically mean they work at 1 and 2? A packet sniffing program is a wiretap device that reads the bits on a wire so I'd imagine it'd be working at those 2 lower levels as well...

thanks in advance,

Tim
 

WarmAndSCSI

Actually most "packet sniffers" work on layer 2. Most display MAC addresses AND IP addresses and the contents of the frames, not the packets.
 

Garion

That's exactly it. Sniffers capture data at layer 2 by putting your network card in promiscuous mode and watching data that flows across the wire. Based on the information in the frames that they receive, they can give you a lot more details on higher layer protocols, but they were actually captured at layer 2.

- G

 

TJN23

So while operating on layer 2 by displaying MAC addresses within the frame, how does it have the potential to read upper layer data, such as TCP port stuff, i.e. port 21, 80, 25, for email, web, FTP?

Sorry, I'm just confused on the definitive answer, if it's just layer 2 then so be it....

thanks

Tim
 

TJN23

Posted before I saw Garion, thanks. So:

sniffers capture the frames at layer 2....these frames contain information about upper layers?
 

spidey07

That's sort of a loaded question because you can make a case for layer 2 or layer 7.

Even though there is no sniffer layer 7 protocol, it is an application. One can even say they work at layer one because they'll report physical layer errors as well.
 

TJN23

however the idea is that sniffers capture frames, right? so in essence, they "operate" at layer 2 and process the frame to look at upper layer data

layer 7, the application, is just doing work on the data that was already captured at layer 2 (i.e. the frame)

as for layer 1, I'm sure you can make a case out of that :)
 

Santa

You have to realize when you mean "operate" it doesn't just work at one layer. It wouldn't make sense to sniff without displaying or interpreting the results.

Figuring out where it works isn't really useful. Figuring out where it doesn't work is more important.

Sniffers tend to use logic to figure out problems between layers 1-7 but it won't magically work at any one of the layers without having sufficient information from the other layers.
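
The point the thread settles on, that a frame captured at layer 2 already carries the layer 3 and layer 4 headers inside it, shown as an added example that is not part of any post above. The frame bytes are constructed for illustration, and `decode_frame` and `FRAME` are hypothetical names; a real sniffer would receive the same bytes from a network card in promiscuous mode.

```python
import struct

# Constructed sample: one Ethernet II frame, IPv4, TCP SYN to port 80, padded to 60 bytes.
FRAME = bytes.fromhex(
    "001122334455" "66778899aabb" "0800"            # L2: dst MAC, src MAC, EtherType
    "4500002800004000400600000a0000010a000002"      # L3: IPv4 header (checksum left 0)
    "c0000050000000000000000050022000" "00000000"   # L4: TCP 49152 -> 80, SYN
    "000000000000"                                  # Ethernet padding, not TCP payload
)

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def decode_frame(frame):
    """Walk up the stack from a raw layer-2 frame, stopping where decoding is unsafe."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    out = {"l2": {"dst": mac(dst), "src": mac(src), "ethertype": ethertype}}
    ip = frame[14:]
    if ethertype != 0x0800 or len(ip) < 20 or ip[0] >> 4 != 4:
        return out                                   # not IPv4 (ARP, VLAN tag, ...): L2 only
    ihl = (ip[0] & 0x0F) * 4                         # header length; IP options make it > 20
    total_len, _, frag = struct.unpack("!HHH", ip[2:8])
    if ihl < 20 or total_len < ihl or len(ip) < total_len:
        return out
    out["l3"] = {"src": ".".join(map(str, ip[12:16])),
                 "dst": ".".join(map(str, ip[16:20])), "proto": ip[9]}
    tcp = ip[ihl:total_len]                          # total length trims Ethernet padding
    if ip[9] != 6 or frag & 0x1FFF or len(tcp) < 20:
        return out                                   # not TCP, or a later fragment without ports
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4                        # TCP header length incl. options
    if doff < 20 or doff > len(tcp):
        return out
    out["l4"] = {"sport": sport, "dport": dport, "payload": tcp[doff:]}
    return out

if __name__ == "__main__":
    for layer, fields in decode_frame(FRAME).items():
        print(layer, fields)
```
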