Protocol analyzers
Saturday, 01 October 2005

Ethernet networks have become enormously popular thanks to their good throughput, ease of installation and the acceptable cost of network equipment.

However, Ethernet technology is not free of significant shortcomings. The main one is the lack of protection for the information being transmitted. Computers connected to an Ethernet network can intercept information addressed to their neighbors. The reason is the so-called broadcast mechanism of message exchange used in Ethernet networks.

Local broadcasting

In an Ethernet network the connected computers, as a rule, share one and the same cable, which serves as the medium for sending messages between them.

A computer that wants to send a message over the shared channel must first make sure that the channel is free at that moment. Once it has begun transmitting, the computer listens to the carrier signal to determine whether the signal has been distorted by collisions with other computers transmitting their data at the same time. If a collision is detected, the transmission is interrupted and the computer "falls silent" for a certain interval before trying to repeat the transmission somewhat later. Even when a computer connected to an Ethernet network is not transmitting anything itself, it still continues to "listen" to all messages sent over the network by neighboring computers. When it notices its own network address in the header of an incoming portion of data, the computer copies that portion into its local memory.

There are two basic ways of connecting computers into an Ethernet network. In the first, the computers are connected by coaxial cable. The cable winds like a black snake from one computer to the next, attached to the network adapters by T-shaped connectors. Professionals call this topology Ethernet 10Base2. It could equally be called a network in which "everyone hears everyone": any computer connected to the network can intercept data sent over it by another computer.

In the second, each computer is connected by twisted-pair cable to a separate port of a central switching device, a hub or a switch. In such Ethernet networks the computers are divided into groups called collision domains. Collision domains are defined by the hub or switch ports that are tied to a common bus. As a result, collisions occur not among all the computers on the network but only among those that belong to the same collision domain, which increases the throughput of the network as a whole.

Recently a new type of switch has begun to appear in large networks, one that does not use broadcasting and does not tie groups of ports together. Instead, all data sent over the network is buffered in memory and forwarded as soon as possible. However, such networks are still fairly few: no more than 10% of the total number of Ethernet networks.

Thus, the data transmission algorithm adopted in the overwhelming majority of Ethernet networks requires every computer connected to the network to "listen" continuously to all network traffic without exception. Access algorithms have been proposed under which computers would be disconnected from the network while "foreign" messages are being transmitted, but they were never implemented because of their excessive complexity and low efficiency.

The protocol analyzer as it is

The network adapter of each computer in an Ethernet network, as a rule, "hears" everything that its neighbors on the same network segment "talk about" among themselves. But it processes and places into its local memory only those portions of data (so-called frames) that contain the unique address assigned to it on the network.

In addition, the overwhelming majority of modern Ethernet adapters can operate in a special mode, called promiscuous mode, in which the adapter copies into the computer's local memory every data frame sent over the network, without exception.

Specialized programs that put the network adapter into promiscuous mode and collect all the network's traffic for later analysis are called protocol analyzers.

Protocol analyzers are widely used by network administrators to monitor the operation of their networks and to identify overloaded sections that adversely affect the speed of data transmission. Unfortunately, protocol analyzers are also used by criminals, who can use them to intercept other people's passwords and other confidential information.

It should be noted that protocol analyzers pose a serious danger. The very presence of a protocol analyzer on a network indicates that there is a breach in its protective mechanisms. The analyzer could have been installed by an outsider who penetrated the network from outside (for example, if the network has a connection to the Internet). But it could also be the work of a "home-grown" criminal who has legitimate access to the network. In either case the situation should be treated with full seriousness.

Computer security specialists classify attacks carried out with protocol analyzers as so-called second-level attacks. This means that the intruder has already managed to get through the network's protective barriers and is now trying to build on that success. With a protocol analyzer the intruder can attempt to intercept users' login names and passwords, their secret financial data (for example, credit card numbers) and confidential messages (for example, electronic mail). Given sufficient resources, an intruder can in principle intercept all the information transmitted over the network.
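Since an unexpected adapter in promiscuous mode is the local sign of a protocol analyzer, a host can be checked for it. The following is an added example, not part of the original article. It assumes a Linux host, the sysfs path /sys/class/net, and the kernel message wording "device <name> entered/left promiscuous mode" (adjust the pattern if your kernel words it differently); the sample log lines are constructed.

```python
import re
from pathlib import Path

IFF_PROMISC = 0x100  # interface flag bit from <linux/if.h>

# Assumed kernel log wording; other kernel versions may phrase it differently.
PROMISC_MSG = re.compile(r"device (\S+) (entered|left) promiscuous mode")

# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG = [
    "Oct  1 09:14:02 host1 kernel: device eth0 entered promiscuous mode",
    "Oct  1 09:14:40 host1 kernel: device eth1 entered promiscuous mode",
    "Oct  1 09:20:11 host1 kernel: device eth0 left promiscuous mode",
    "Oct  1 09:21:00 host1 sshd[411]: Accepted publickey for admin",
]

def flags_promiscuous(flags_text):
    """True if a sysfs flags value such as '0x1103' has IFF_PROMISC set."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)

def promiscuous_interfaces(sysfs_root="/sys/class/net"):
    """Names of local interfaces whose adapter is currently promiscuous."""
    root = Path(sysfs_root)
    if not root.is_dir():
        return []
    found = []
    for iface in sorted(root.iterdir()):
        try:
            if flags_promiscuous((iface / "flags").read_text()):
                found.append(iface.name)
        except (OSError, ValueError):
            continue  # not an interface directory, or unreadable flags
    return found

def replay_kernel_log(lines):
    """Replay log lines; return (interfaces still promiscuous, all events)."""
    active, events = set(), []
    for line in lines:
        match = PROMISC_MSG.search(line)
        if not match:
            continue
        iface, verb = match.groups()
        events.append((iface, verb))
        if verb == "entered":
            active.add(iface)
        else:
            active.discard(iface)
    return active, events

if __name__ == "__main__":
    print("promiscuous now:", promiscuous_interfaces())
    print("from sample log:", replay_kernel_log(SAMPLE_LOG))
```

This only covers the host it runs on; a passive analyzer on another machine of the same segment leaves no trace here, and legitimate tools (bridges, monitoring software) also set the flag, so findings need to be compared with what is expected on that host.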

Protocol analyzers exist for every platform. But even if it turns out that no protocol analyzer has yet been written for some platform, the threat posed by an attack on a computer system using a protocol analyzer still has to be reckoned with. The point is that protocol analyzers analyze not a particular computer but protocols. A protocol analyzer can therefore be installed at any node of the network and from there intercept the network traffic which, as a result of broadcast transmission, reaches every computer connected to the network.

The most frequent targets of attacks carried out with protocol analyzers are universities, if only because of the enormous number of different login names and passwords that can be stolen in the course of such an attack. Using a protocol analyzer in practice is not as easy a task as it may seem. To benefit from a protocol analyzer, the intruder must have sufficient knowledge of network technologies. It is not possible simply to install a protocol analyzer and set it running, since even in a small local network of five computers the traffic amounts to thousands and thousands of packets per hour. Consequently, within a short time the analyzer's output will fill the hard disk to capacity.

For this reason the intruder usually configures the protocol analyzer to intercept only the first 200-300 bytes of each packet sent over the network. It is usually the packet header that carries the user's login name and password, which as a rule interest the intruder most. Nevertheless, if the intruder has enough disk space available, increasing the volume of intercepted traffic only works in the intruder's favor and reveals a good deal more of interest.

Servers on the Internet host a large number of protocol analyzers, which differ only in the set of functions they offer. A search for "protocol analyzer" and "sniffer" returns references to a good ten software packages.



 
© 2004-2007 Daita.org