CAPEC Details
Name Sniffing Network Traffic
Likelihood of attack Medium
Typical severity Medium
Summary In this attack pattern, the adversary monitors network traffic between nodes of a public or multicast network in an attempt to capture sensitive information at the protocol level. Network sniffing applications can reveal TCP/IP, DNS, Ethernet, and other low-level network communication information. The adversary takes a passive role in this attack pattern and simply observes and analyzes the traffic. The adversary may precipitate or indirectly influence the content of the observed transaction, but is never the intended recipient of the target information.
Prerequisites The target must be communicating over a network protocol that a sniffing application can decode. The adversary must obtain a logical position on the network from which intercepting the target's traffic is possible. Depending on the network topology, this may be simple or challenging: on a shared medium, a wireless network, or a mirrored switch port every frame is visible, whereas on a switched network the adversary normally sees only broadcast/multicast traffic and traffic addressed to their own host unless they are placed on the forwarding path. If both the target sender and target recipient are members of a single subnet, the adversary must also be on that subnet in order to see their communication.
Solutions Encrypt network traffic in transit (for example with TLS or IPsec) so that its content cannot be read by a sniffer; note that encryption protects payloads, not the source and destination addresses, ports, timing, or volume of the traffic, which remain observable. Segment the network in accordance with best practices so that an adversary's position on one segment does not expose the traffic of others.
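The following is an added example (not part of the CAPEC entry) illustrating both the summary above, what a passive sniffer can read at the Ethernet/IP/TCP/UDP level, and the caveat in the solutions, that encryption hides payload content but leaves addresses and ports visible. It is a toy dissector over three frames constructed inline; the hosts, MAC addresses, domain name and credential are made up, no packets are captured from a real interface, and the TLS record is a hand-built header with a zeroed body, not real ciphertext.

```python
"""Toy passive dissector: what a sniffer sees in cleartext vs. TLS-protected traffic.

All frames are constructed inline (not captured); hosts, MACs and credentials are fictitious.
"""
import base64
import struct


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (odd-length input is padded with a zero byte)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ethernet(src_mac: str, dst_mac: str, payload: bytes) -> bytes:
    """Ethernet II frame carrying IPv4 (EtherType 0x0800)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return mac(dst_mac) + mac(src_mac) + b"\x08\x00" + payload


def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header with a valid header checksum."""
    ip = lambda a: bytes(int(o) for o in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000, 64, proto, 0, ip(src), ip(dst))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def tcp(sport: int, dport: int, payload: bytes) -> bytes:
    # seq=1, ack=1, data offset 5 words, flags PSH|ACK; checksum left zero (the dissector does not verify it)
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload


def udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def dns_query(name: str) -> bytes:
    """One standard A query (QTYPE 1, QCLASS IN) for `name`."""
    labels = b"".join(struct.pack("!B", len(l)) + l.encode() for l in name.split("."))
    return struct.pack("!HHHHHH", 0xBEEF, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", 1, 1)


def classify(payload: bytes, info: dict) -> str:
    """Report what a passive observer can extract from the transport payload."""
    # DNS over UDP/53: the queried name is readable label by label from offset 12.
    if info["proto"] == "UDP" and 53 in (info["sport"], info["dport"]) and len(payload) > 12:
        name, i = [], 12
        while payload[i]:
            n = payload[i]
            name.append(payload[i + 1:i + 1 + n].decode())
            i += 1 + n
        return "DNS query for " + ".".join(name)
    # TLS record: content type 0x17 (application data), version 0x0303; only the record length is visible.
    if len(payload) >= 5 and payload[0] == 0x17 and payload[1:3] == b"\x03\x03":
        return "TLS application data, %d opaque bytes" % struct.unpack("!H", payload[3:5])[0]
    # Cleartext HTTP with Basic auth: the credential is one base64 decode away.
    for line in payload.split(b"\r\n"):
        if line.lower().startswith(b"authorization: basic "):
            return "HTTP Basic credential " + base64.b64decode(line.split()[2]).decode()
    return "cleartext, no credential pattern matched"


def dissect(frame: bytes) -> dict:
    """Parse Ethernet / IPv4 / TCP|UDP headers; addresses and ports are visible regardless of encryption."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return {"l3": "non-IPv4"}
    ip_hdr = frame[14:34]
    ihl = (ip_hdr[0] & 0x0F) * 4
    proto = ip_hdr[9]
    info = {"src_mac": frame[6:12].hex(":"), "dst_mac": frame[0:6].hex(":"),
            "src": ".".join(map(str, ip_hdr[12:16])), "dst": ".".join(map(str, ip_hdr[16:20]))}
    l4 = frame[14 + ihl:]
    if proto == 6:
        sport, dport = struct.unpack("!HH", l4[:4])
        payload = l4[(l4[12] >> 4) * 4:]
        info.update(proto="TCP", sport=sport, dport=dport)
    elif proto == 17:
        sport, dport = struct.unpack("!HH", l4[:4])
        payload = l4[8:]
        info.update(proto="UDP", sport=sport, dport=dport)
    else:
        return info
    info["bytes"] = len(payload)
    info["finding"] = classify(payload, info)
    return info


def sample_frames() -> list:
    """Constructed traffic: cleartext HTTP with Basic auth, a TLS record, and a DNS query (all fictitious)."""
    http = (b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\nAuthorization: Basic "
            + base64.b64encode(b"alice:hunter2") + b"\r\n\r\n")
    tls = b"\x17\x03\x03\x00\x40" + bytes(64)  # one application-data record; body stands in for ciphertext
    return [
        ethernet("02:00:00:00:00:01", "02:00:00:00:00:02", ipv4("10.0.0.5", "10.0.0.80", 6, tcp(51000, 80, http))),
        ethernet("02:00:00:00:00:01", "02:00:00:00:00:02", ipv4("10.0.0.5", "10.0.0.80", 6, tcp(51001, 443, tls))),
        ethernet("02:00:00:00:00:01", "02:00:00:00:00:53", ipv4("10.0.0.5", "10.0.0.53", 17, udp(40000, 53, dns_query("payroll.intranet.example")))),
    ]


def sniff(frames: list) -> list:
    return [dissect(f) for f in frames]


if __name__ == "__main__":
    for r in sniff(sample_frames()):
        print(f"{r['src']}:{r['sport']} -> {r['dst']}:{r['dport']} {r['proto']}  {r['finding']}")
```

Run it and the HTTP frame yields the credential outright, the DNS frame yields the queried hostname, and the TLS frame yields only "application data, 64 opaque bytes" while its endpoints and port 443 remain just as visible as the others; that difference is exactly what the encryption countermeasure does and does not buy.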
Related Weaknesses
CWE ID Description
CWE-311 Missing Encryption of Sensitive Data
Related CAPECS
CAPEC ID Description
CAPEC-157 In this attack pattern, the adversary intercepts information transmitted between two third parties. The adversary must be able to observe, read, and/or hear the communication traffic, but not necessarily block the communication or change its content. Any transmission medium can theoretically be sniffed if the adversary can examine the contents between the sender and recipient. Sniffing Attacks are similar to Man-In-The-Middle attacks (CAPEC-94), but are entirely passive. MITM attacks are predominantly active and often alter the content of the communications themselves.
Taxonomy: MITRE ATT&CK
Entry ID Entry Name
1040 Network Sniffing