Learn how to use the popular network sniffer in this excerpt from "Applied Network Security."
Network sniffing is the collection of packet data transmitted across a network; it is also known as packet analysis. There are different types of network sniffers, and two of the most common are Ethernet sniffers and wireless sniffers. A network sniffer is a piece of software or hardware that can capture and log network traffic.
Nmap is a popular network sniffing tool used by many cyber security professionals. Before using this tool, you must learn how to install it. You also need to be able to check the version and locate the user manual. It is recommended that you use Kali Linux as the operating system when using Nmap. Kali Linux comes with many pre-installed tools such as Nmap and Wireshark. If you are using a version of Linux without pre-installed tools, you must perform a fresh install. The best and most efficient way to install Nmap is to clone the repository location directly from GitHub.
First, open Firefox in Kali Linux and navigate to a search engine such as Google. In the search bar, type Nmap github. The link you want will be https://github.com/nmap/nmap. You can also type the link into the URL address bar instead of using a search engine. On the GitHub page, click on the green button that says Clone or download. This button is located on the right side, towards the top of the page. The following screenshot displays where the Clone or download button is located:
When you click on the green Clone or download button, a text box will appear with a URL, namely https://github.com/nmap/nmap.git. This is the location of the repository, which also includes the branches and tags. The cloning install method automates the file compilation process, saving time and making sure everything is in place. Open a terminal in Kali Linux and type git clone https://github.com/nmap/nmap.git to begin the cloning process. After this command is entered, the tool will be downloaded and installed automatically.
After the install is complete, you will need to confirm that you are using the latest version of Nmap. To check which version of Nmap you have, type nmap -V. If you want to see a list of Nmap commands, type nmap -h to bring up the help menu. According to www.nmap.org, the primary documentation for using Nmap is the Nmap reference guide, which is also the basis for the Nmap manual page. The manual page can be found at https://nmap.org/book/man.html. If you want to install Nmap from the source code on Linux, you will need to download it from https://nmap.org/download.html. The files are compressed and offered in two formats: .tar.bz2 and .tgz. The compressed files are also known as tarballs. A tarball or TAR file combines many files into a single archive, similar to the .zip files found in Windows.
After the Nmap tarball is downloaded, you will need to decompress it by typing the command bzip2 -cd nmap-<VERSION>.tar.bz2 | tar xvf -. Next, change into the newly created directory by typing cd nmap-<VERSION>. Now configure the build system by typing ./configure while still in the nmap directory. Next, build Nmap by typing make. If the make command doesn't work, type gmake. The next step is making sure you have the correct user privileges for a system-wide install by typing su root. The final step is installing the support files for Nmap by typing make install. Both install methods can be applied to other tools that you will need to install in the future.
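The source-build steps above (extract, cd, ./configure, make or gmake, make install as root) collected into one POSIX shell script, as an added example that is not from the book or the Nmap project. The function names are mine; the version number 7.94 appears only as a sample value for the helper functions, and the decompressor is chosen from the tarball extension (bzip2 for .tar.bz2, gzip for .tgz). A git clone of the repository yields the same kind of source tree, so the configure and make steps apply to it as well.

```shell
#!/bin/sh
# Build and install Nmap from a downloaded source tarball (added example, not from the book).
set -eu

# Derive the unpacked source directory name (nmap-<VERSION>) from the tarball filename.
nmap_src_dir() {
    basename "$1" | sed -e 's/\.tar\.bz2$//' -e 's/\.tgz$//'
}

# Pick the decompressor matching the tarball format offered on nmap.org (.tar.bz2 or .tgz).
nmap_extract_cmd() {
    case "$1" in
        *.tar.bz2) echo "bzip2 -cd" ;;
        *.tgz)     echo "gzip -cd" ;;
        *)         return 1 ;;
    esac
}

# Print only the version number from "nmap -V" output, whose first line
# looks like "Nmap version 7.94 ( https://nmap.org )".
nmap_version_from_output() {
    sed -n 's/^Nmap version \([0-9][0-9.A-Za-z]*\).*/\1/p'
}

# Extract, configure, build and install; changes into the source directory as the book does.
build_nmap_from_tarball() {
    tarball=$1
    extract=$(nmap_extract_cmd "$tarball") || {
        echo "unsupported archive format: $tarball" >&2
        return 1
    }
    dir=$(nmap_src_dir "$tarball")

    $extract "$tarball" | tar xvf -        # e.g. bzip2 -cd nmap-<VERSION>.tar.bz2 | tar xvf -
    cd "$dir"                              # cd nmap-<VERSION>
    ./configure                            # configure the build system
    make || gmake                          # fall back to gmake where make is not GNU make

    # A system-wide install needs root; tell the user instead of silently failing.
    if [ "$(id -u)" -ne 0 ]; then
        echo "make install requires root: run 'su root' and then 'make install' in $dir" >&2
        return 1
    fi
    make install

    # Confirm the installed version, as the book recommends after installing.
    nmap -V | nmap_version_from_output
}

# Run the full build only when a tarball path is given on the command line.
if [ -n "${1:-}" ]; then
    build_nmap_from_tarball "$1"
fi
```

Usage: sh build-nmap.sh nmap-<VERSION>.tar.bz2, run as root for the install step. The helper functions are separated from the build so the filename and version handling can be checked without compiling anything.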
Why network sniffing is important
Network sniffers, also known as network analyzers, are great tools to use for network security. Threat hunters will use these tools to uncover potential attacks and weak points in the network. Network sniffing allows for detailed network analysis. When protecting a network, it is important to have as many details about the packet traffic as possible. By actively scanning the network, a threat hunter can stay vigilant and respond quickly to attacks.
Scan a single IP
This command scans a single IP on the network. If a threat hunter notices strange activity coming from an unfamiliar host, a single IP scan may be useful. Being able to quickly distinguish false positives from false negatives is critical for efficient network security. For example, a network attack might go unnoticed because too many false positives are triggering alerts, creating alert noise.
The alert noise can potentially hide an attack from detection by creating a false negative. The noise also creates confusion and misdirection for the security analyst trying to determine if the attack is real or not. Using an intrusion detection system with an updated attack signature database will help distinguish false positives from false negatives more efficiently. Also, it is important to remember that having too many false negatives can also cause problems. If the intrusion detection system misses an attack, no alerts are activated. This gives the security analyst the illusion that the network is safe and secure, which may not be the case. This is a major issue because an attack could be going on and nobody would be aware of it until it was too late.
Scan a host
This is the command to scan a single host. The information gained from this command can allow a hacker to quickly evaluate a high-value target on the network. Sometimes a hacker may be going after a specific host containing financial data records.
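For the single-IP and single-host scans described in the two sections above, here is an added POSIX shell wrapper (not from the book or the Nmap project) that a defender can use to check what one host actually exposes and compare it with the expected baseline. It scans exactly one IPv4 address with Nmap's grepable output option (-oG, written to stdout with "-") and extracts only the open ports. The function names and the IPv4 check are mine; the sample grepable output is constructed for offline use, uses the 192.0.2.0/24 documentation range, and is not a real scan result.

```shell
#!/bin/sh
# Scan one host and list its open ports from Nmap grepable output (added example, not from the book).
set -eu

# Accept only a dotted-quad IPv4 address so a typo (e.g. a /24 suffix) cannot widen the scan.
is_single_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Read Nmap -oG output on stdin and print "port/proto service" for each open port.
# Grepable lines are tab-separated: "Host: A ()<TAB>Ports: 22/open/tcp//ssh//.../, 80/...<TAB>Ignored State: ..."
# and each port entry is port/state/proto/owner/service/rpc/version/.
parse_open_ports() {
    awk -F'\t' '
        /^Host:/ {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^Ports: /) {
                    sub(/^Ports: /, "", $i)
                    n = split($i, ports, ", ")
                    for (j = 1; j <= n; j++) {
                        split(ports[j], f, "/")
                        if (f[2] == "open") print f[1] "/" f[3] " " f[5]
                    }
                }
            }
        }'
}

# Scan a single host and report its open ports; refuses anything that is not one IPv4 address.
scan_host() {
    target=$1
    is_single_ipv4 "$target" || {
        echo "refusing to scan '$target': expected a single IPv4 address" >&2
        return 1
    }
    nmap -oG - "$target" | parse_open_ports
}

# Constructed sample of grepable output (not a real scan) so the parser can be exercised offline.
sample_grepable_output() {
    printf 'Host: 192.0.2.10 ()\tStatus: Up\n'
    printf 'Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx/, 443/closed/tcp//https///\tIgnored State: filtered (997)\n'
}

# Scan the host given on the command line; with no argument, parse the constructed sample.
if [ -n "${1:-}" ]; then
    scan_host "$1"
else
    sample_grepable_output | parse_open_ports
fi
```

Usage: sh scan-host.sh 192.0.2.10 prints one line per open port; running it without an argument parses the embedded sample and prints "22/tcp ssh" and "80/tcp http" (the closed 443 entry is dropped). Keeping the parser separate from the scan lets the same output be compared against a known-good port list without rescanning.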