I secretly monitored their communication traffic...

I am a piece of monitoring software. My master spent several nights developing me. My mission is to watch all the traffic on the network and report it to him.

One day, the master sent an email to Xiaobai, the user whose computer was to be monitored. There was a link in the email. When Xiaobai clicked it, I was quietly downloaded onto his computer and started running silently in the background.

Great, there was no security software on this computer; I could do whatever I wanted!

I loaded a driver and hooked the path by which the kernel receives network packets. Now I could capture every packet this computer sent or received!

After a while, I found there was nothing of value on this newbie's computer; it was only used for playing games and watching videos.

Promiscuous Mode

One day, the master sent me an instruction from the cloud: turn on the network card's promiscuous mode and monitor all the traffic on the LAN!

I didn't quite understand, so I asked the network card: "Brother, what is promiscuous mode?"

The network card told me: "Let me tell you. Normally, if I receive a data packet and find that it isn't addressed to me, I discard it. After promiscuous mode is turned on, as long as a packet reaches me, I hand it up to you regardless of whether it's addressed to me or not."

Wow, this network card even has a Cantonese accent. Is it made in Huaqiangbei?

"Why would you receive a data packet that wasn't addressed to you?" I asked, a little curious.

"You don't know? On our network, all the computers are connected to a hub. That thing is stupid: no matter who sends what to whom, it repeats it out of every port. So I actually see everyone's communication; you just need to turn on promiscuous mode."

"Then don't just stand there, turn it on quickly."

I excitedly turned on the network card's promiscuous mode, hoping to monitor other people's communications.

Sure enough, a huge number of packets came flooding in all at once and caught me off guard.

I got down to work, parsing all of the network traffic, picking out the parts that were of interest and reporting them to my master, who was very satisfied with my work.
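The network card's receive rule above, and the Linux call a sniffer uses to switch the card into promiscuous mode, as an added example that is not part of the original article. The frames, MAC addresses and host names are constructed for the demonstration; `enable_promiscuous` needs CAP_NET_RAW and a real interface name, so it is only shown, not called, in the offline run.

```python
import socket
import struct

# AF_PACKET constants: Python exposes them on Linux; the fallbacks are the
# values from <linux/if_packet.h>, so the block still imports on other systems.
SOL_PACKET = getattr(socket, "SOL_PACKET", 263)
PACKET_ADD_MEMBERSHIP = getattr(socket, "PACKET_ADD_MEMBERSHIP", 1)
PACKET_MR_PROMISC = getattr(socket, "PACKET_MR_PROMISC", 1)
ETH_P_ALL = 0x0003

BROADCAST = b"\xff\xff\xff\xff\xff\xff"


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def parse_ethernet(frame: bytes):
    """Split a raw frame into (dst_mac, src_mac, ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return dst, src, ethertype, frame[14:]


def card_accepts(frame: bytes, my_mac: bytes, promiscuous: bool) -> bool:
    """The receive filter the network card described: normally only frames
    addressed to this card (its unicast MAC, broadcast, or a multicast group)
    are handed up; in promiscuous mode everything that arrives is handed up."""
    if promiscuous:
        return True
    dst = parse_ethernet(frame)[0]
    if dst == my_mac or dst == BROADCAST:
        return True
    # Multicast bit is the least-significant bit of the first octet. A real card
    # checks its multicast list; this simplified filter accepts all multicast.
    return bool(dst[0] & 0x01)


def sniff(frames, my_mac: bytes, promiscuous: bool):
    """Return the (src, dst) pairs a sniffer on this host would get to see."""
    seen = []
    for frame in frames:
        if card_accepts(frame, my_mac, promiscuous):
            dst, src, _, _ = parse_ethernet(frame)
            seen.append((src.hex(":"), dst.hex(":")))
    return seen


def enable_promiscuous(ifname: str) -> socket.socket:
    """Open a raw AF_PACKET socket and ask the kernel to keep ifname in
    promiscuous mode for as long as the socket stays open (Linux, root)."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    s.bind((ifname, 0))
    # struct packet_mreq { int mr_ifindex; u16 mr_type; u16 mr_alen; u8 mr_address[8]; }
    mreq = struct.pack("IHH8s", socket.if_nametoindex(ifname),
                       PACKET_MR_PROMISC, 0, b"\x00" * 8)
    s.setsockopt(SOL_PACKET, PACKET_ADD_MEMBERSHIP, mreq)
    return s


# Constructed traffic as seen on a hub: Xiaobai (with the sniffer), Alice and Bob.
XIAOBAI = mac("02:00:00:00:00:01")
ALICE = mac("02:00:00:00:00:02")
BOB = mac("02:00:00:00:00:03")
SAMPLE_FRAMES = [
    BOB + ALICE + b"\x08\x00" + b"alice->bob",        # dst, src, IPv4 ethertype
    ALICE + BOB + b"\x08\x00" + b"bob->alice",
    XIAOBAI + ALICE + b"\x08\x00" + b"alice->xiaobai",
    BROADCAST + ALICE + b"\x08\x06" + b"arp who-has",  # broadcast ARP request
]

if __name__ == "__main__":
    print("normal mode     :", sniff(SAMPLE_FRAMES, XIAOBAI, False))
    print("promiscuous mode:", sniff(SAMPLE_FRAMES, XIAOBAI, True))
    # sock = enable_promiscuous("eth0"); sock.recv(65535) would read live frames.
```

In normal mode the sniffer only gets the frame addressed to Xiaobai and the broadcast; in promiscuous mode it gets all four, which is exactly what the story's hub made possible. Note that promiscuous mode is a property of the card, not the network: it only reveals what the wire actually delivers to that port.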

Switch

This went on for a long time. Then one day I noticed that there was no longer anyone else's traffic in what I captured, only Xiaobai's own, so I went looking for the network card again.

"Brother, did someone turn off your promiscuous mode?"

"No, look, it's still on!"

"That's strange. Why can't I see other people's traffic any more?"

"I don't know either. Collisions used to happen all the time, but recently they suddenly stopped," said the network card.

"Collisions? What does that mean?" I asked.

"A hub repeats every transmission, so we all share the same wire. We have to wait while someone else is transmitting, and sometimes we find out halfway through that our data has collided with someone else's, so we back off and resend. It's called CSMA/CD, Carrier Sense Multiple Access with Collision Detection. It's a weird name."

So that was how it worked, but now all of that had disappeared. I felt something was wrong, so I quickly reported it to the master. On hearing the news he upgraded me and sent me to sneak into that thing and see what was going on.

On a quiet night, I crept along the network cable from the network card to the other end and found a big black box.

Wow, there were so many network ports on the back of this thing, each with a cable plugged in and each cable leading to a computer. On the nameplate on the back panel I also saw the big box's name: switch.

I decided to hide nearby and secretly observe how it worked.

I saw that this switch kept a table listing each network card's MAC address and the port it was plugged into. When a frame arrived, it took the destination MAC address out of the frame, looked up the matching port, and forwarded the frame only to that port. No repeating to everyone at all!

Now I finally understood why I couldn't see other people's traffic even with promiscuous mode on. It was all because of this thing called a switch. Abominable!

But I was puzzled. Where did it get this table? How did it know which network card was on which port? Did it need to be configured by hand? And if I unplugged a cable and plugged it into a different port, wouldn't that cause an error? I decided to keep watching.

Few people were online late at night and traffic was light, so I waited until dawn.

The next morning a new frame arrived whose destination address the big box couldn't find in its table. Now things were getting interesting; let's see what you do.

Unexpectedly, it did what a hub does and sent the frame out of every port except the one it came in on. Then, when the reply came back on one port, it wrote that port and the replying card's address into the table. In fact it learns from the source address of every frame it receives: the card that sent a frame must be behind the port the frame arrived on. That also answers my question about moving cables: an entry that stops being refreshed ages out, and the next frame from that card teaches the switch its new port. Wow, this thing is quite smart; it works out the mapping by itself.
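The learning switch described above, as an added example that is not part of the original article: a small simulation with a MAC table that is filled from source addresses, floods only unknown or broadcast destinations, and ages entries out. The port numbers, MAC addresses and timestamps are constructed; `run_scenario` replays the story with Xiaobai's sniffer on port 3.

```python
import time

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_multicast(mac: str) -> bool:
    # Least-significant bit of the first octet marks group (multicast) addresses.
    return int(mac.split(":")[0], 16) & 1 == 1


class Switch:
    """A self-learning switch. It never repeats traffic on purpose: a frame goes
    only to the port learned for its destination MAC, and is flooded out of all
    other ports only while that destination is unknown (or is broadcast/multicast)."""

    def __init__(self, ports, age_seconds=300.0):
        self.ports = set(ports)
        self.table = {}            # mac -> (port, last_seen)
        self.age_seconds = age_seconds

    def _expire(self, now):
        for m, (_, seen) in list(self.table.items()):
            if now - seen > self.age_seconds:
                del self.table[m]   # stale entry; the card may have moved ports

    def receive(self, in_port, src, dst, now=None):
        """Handle one frame arriving on in_port; return the set of egress ports."""
        now = time.monotonic() if now is None else now
        self._expire(now)
        # Learning step: whoever sent this frame lives behind in_port.
        self.table[src] = (in_port, now)
        if dst == BROADCAST or is_multicast(dst) or dst not in self.table:
            return self.ports - {in_port}       # flood, but never back out the ingress port
        out_port, _ = self.table[dst]
        if out_port == in_port:
            return set()                        # sender and receiver share a segment
        return {out_port}


# Constructed lab: Alice on port 1, Bob on port 2, Xiaobai's sniffer on port 3.
ALICE, BOB = "02:00:00:00:00:02", "02:00:00:00:00:03"


def run_scenario():
    """Replay the story; returns the egress ports of each frame in order."""
    sw = Switch(ports=[1, 2, 3])
    trace = [
        sw.receive(1, ALICE, BOB, now=0),    # Bob unknown: flooded to ports 2 and 3
        sw.receive(2, BOB, ALICE, now=1),    # Alice already learned on port 1
        sw.receive(1, ALICE, BOB, now=2),    # Bob now learned on port 2; port 3 sees nothing
        sw.receive(1, ALICE, BOB, now=400),  # Bob's entry aged out: flooded again
    ]
    return trace


def frames_seen_on_port(port, trace):
    """How many of the frames in trace reached the sniffer's port."""
    return sum(1 for egress in trace if port in egress)


if __name__ == "__main__":
    trace = run_scenario()
    for i, egress in enumerate(trace):
        print(f"frame {i}: forwarded to ports {sorted(egress)}")
    print("frames the sniffer on port 3 saw:", frames_seen_on_port(3, trace))
```

Of the four frames, the sniffer on port 3 sees only the two that were flooded while Bob's address was unknown, which is the story's "only Xiaobai's own traffic" in miniature. The table also has a finite size on real hardware; that detail is outside this story but worth keeping in mind when reasoning about what a switch guarantees.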

Because I was worried about being discovered during the day, I didn't dare to stay for long and retreated. Then, I reported everything I saw to the master. Not long after, the master upgraded me again.

ARP spoofing

This time I sent ARP messages to the other computers on the LAN one by one, putting the gateway's IP address in the sender IP field of each message and my own network card's MAC address in the sender MAC field. (The gateway is the router that carries everyone's traffic out to the Internet; it is not the switch, which only looks at MAC addresses.) Everyone who received my message updated their ARP cache, so the MAC address they had recorded for the gateway became the address of the network card in the computer I was sitting on.

What a trick! Everyone was kept in the dark. The packets they used to send to the gateway to reach the Internet now all came to me first; I forwarded them on to the real gateway, and I could once again watch everyone's network communication!

Happy days always pass quickly. Not long afterwards I found that the traffic had dropped again. I don't know who leaked the news, but they no longer sent their packets to me, only to the real gateway, and however many ARP packets I sent, they no longer trusted me. Most likely someone had pinned the gateway's real MAC address as a static ARP entry on each machine, or the switch had started checking ARP messages against what it knew to be true.

Finally, one day, this novice downloaded something that came bundled with 361 antivirus software. I felt my days were numbered.

I quickly contacted the master to report my predicament, but couldn't get through... Could it be that the master had also been taken out?
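The ARP reply the poisoner sends, and the difference between a victim that believes any reply and one that has pinned the gateway's address, as an added example that is not part of the original article. It serves both the spoofing passage and the "they no longer trusted me" passage. All addresses are constructed lab values; the frame is built as bytes and decoded again, but never put on the wire (that would take a raw AF_PACKET socket and root).

```python
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def ip_bytes(text: str) -> bytes:
    return bytes(int(octet) for octet in text.split("."))


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Ethernet frame carrying an ARP reply. A poisoner puts the address it is
    claiming (the gateway's IP) in sender_ip and its own MAC in sender_mac."""
    eth = struct.pack("!6s6sH", mac_bytes(target_mac), mac_bytes(sender_mac), ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s",
                      1,          # hardware type: Ethernet
                      0x0800,     # protocol type: IPv4
                      6, 4,       # hardware / protocol address lengths
                      ARP_REPLY,
                      mac_bytes(sender_mac), ip_bytes(sender_ip),
                      mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Decode an Ethernet/ARP frame into its fields (IPv4 over Ethernet only)."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    _, _, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP variant")
    return {"op": op,
            "sender_mac": sha.hex(":"), "sender_ip": ".".join(map(str, spa)),
            "target_mac": tha.hex(":"), "target_ip": ".".join(map(str, tpa))}


class ArpCache:
    """A host's IP -> MAC table. Without pinning it overwrites an entry whenever
    it hears a reply, which is what the poisoner relies on. A pinned entry (the
    effect of a static ARP entry for the gateway) is never overwritten."""

    def __init__(self, pinned=None):
        self.pinned = dict(pinned or {})
        self.entries = dict(self.pinned)
        self.rejected = []          # (ip, mac) pairs that tried to overwrite a pin

    def on_arp(self, frame: bytes) -> bool:
        arp = parse_arp(frame)
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        if ip in self.pinned and self.pinned[ip] != mac:
            self.rejected.append((ip, mac))
            return False
        self.entries[ip] = mac      # requests and replies alike refresh the cache
        return True

    def next_hop(self, ip: str):
        return self.entries.get(ip)


# Constructed lab addresses.
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "02:00:00:00:00:fe"
VICTIM_IP, VICTIM_MAC = "192.168.1.20", "02:00:00:00:00:02"
ATTACKER_MAC = "02:00:00:00:00:01"


def poison_demo(pinned_gateway: bool) -> str:
    """Which MAC the victim will use for the gateway after hearing the forged reply."""
    cache = ArpCache(pinned={GATEWAY_IP: GATEWAY_MAC} if pinned_gateway else None)
    cache.entries[GATEWAY_IP] = GATEWAY_MAC     # what the victim legitimately learned earlier
    forged = build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
    cache.on_arp(forged)
    return cache.next_hop(GATEWAY_IP)


if __name__ == "__main__":
    print("victim with dynamic cache sends gateway traffic to:", poison_demo(False))
    print("victim with pinned gateway sends gateway traffic to:", poison_demo(True))
```

Two practical notes the story glosses over: to see the replies coming back, the poisoner sends the mirror-image forgery to the gateway (claiming each victim's IP at its own MAC), and it must actually forward what it intercepts, or the victims simply lose connectivity and notice. On the defensive side, the pinned entry above corresponds to a static ARP entry on the host; switches that validate ARP against their own knowledge of IP-to-port bindings achieve the same result for the whole LAN.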
