Sniffer Explained | St. Clair College

Prior to a student group conducting an on-site traffic analysis and data capture, approval must first be granted by the sponsor. This document is provided to sponsors (or prospective sponsors) in advance, to assist student groups in gaining that important level of support and approval.

We would like to take this opportunity to thank you for your direct support of our College programs, specifically MIT 602 Technical Projects - Networking.

Opening up your facility and allowing a group of 3rd year students access to your time, employees, and above all, your network, is greatly appreciated. It is this level of support that has made this program, and the course as a whole, a great success over the years. It is only with exposure to real life environments and situations that our students can gain such practical knowledge and experience, and for that I personally am very grateful.

Our course is now entering the crucial Analysis Phase, where the students are required to demonstrate and employ their recently acquired technical skills in using a Protocol Analyzer and report-generating tool.

To do this effectively, we provide our students with a preconfigured laptop system running Wireshark. Additionally, we provide the students with a 1 Gbit/s switch, or a certified network TAP, enabling them to connect to a specific, pre-approved segment of your network without disruption to the end user. Obviously, connection to and disconnection from your network is best done outside the normal hours of operation, which requires that the unit be left in place for a day to collect information for later analysis.

As the switches in established networks of today forward traffic to each port based upon the destination MAC address, a sniffer attached to an ordinary switch port would capture only broadcast and multicast packets. To address this, the best scenario would be for the students to access a preconfigured SPAN port or Roving Analysis Port, to which all traffic within the switch is mirrored. The alternative would be to attach the sniffer to an uplink/backbone port, thus allowing all the traffic destined for that specific switch to be captured.
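As an added illustration of the SPAN port option (this is not configuration from the College or the course), the following is what a sponsor's network administrator would typically enter on a Cisco IOS switch. The Cisco `monitor session` syntax is real; the session number, VLAN number and interface names are placeholders to be replaced with the pre-approved segment and the port the student laptop is attached to.

```cisco
! Added example (Cisco IOS SPAN); VLAN and interface numbers are placeholders.
! Mirror both directions of the pre-approved segment (VLAN 10 here) to the
! analysis port where the student laptop will be connected.
monitor session 1 source vlan 10 both
monitor session 1 destination interface GigabitEthernet1/0/48
!
! From privileged EXEC: confirm the session before the laptop is connected.
show monitor session 1
!
! After the one-day capture, remove the mirror so the port returns to normal use.
no monitor session 1
```

On Cisco IOS a SPAN destination port carries only the mirrored copy while the session exists (normal ingress on that port is disabled by default), so the port chosen should be one that no end user relies on. Other vendors call the same feature port mirroring; the Roving Analysis Port named above is the 3Com name for it.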

Most of our sponsors in the past have been very supportive of these activities, while some have expressed reservation and concern at the thought of sensitive corporate data/information being captured by our students. To that end, Wireshark has been configured to capture only the first 128 bytes of each packet, thereby capturing packet header information without any meaningful data. You can be assured that we consider the confidentiality, protection, and overall security of your data of paramount importance to the overall success of our program. After all, if we did not satisfy our sponsors' concerns, this program would not exist.

Once the students have completed their traffic capture, the obtained information is then removed from the laptop by me or a fellow Faculty member and securely stored prior to its analysis. The students as a group, under the direction of Faculty, will then generate a series of reports and findings to be used in their next scheduled presentation. Such reports will be used to identify any network abnormalities, if present, but more importantly to confirm the data flow and volume of traffic traversing the network. Students are required to report on such things as:

  • Frame Size Distribution
  • Top 10 Hosts by IP
  • % Utilization (can be a device or a link)
  • % or # of Broadcasts and/or Multicasts
  • Top 10 Protocols or Applications

Such reports are minor and unobtrusive but offer the students a great deal of valuable practical experience.

We have asked each student group to confirm and discuss with their sponsor the possibility of running the Sniffer unit on their network for one day. I hope you will not find this too much of an inconvenience, and greatly appreciate your time and consideration.

If you have any questions or concerns, please feel free to contact our Faculty representative directly.