November 24th, 2003, 08:45 PM
Date: Sunday, January 23, 2003
Sniffers are the most dreaded nightmare of system administrators. A compromised system is bad enough, but a compromised system with a sniffer installed on it, stealing company secrets and important passwords is as bad as it gets. In this manual we will discuss just how sniffers work and how to detect them and a lot more related information.
Sniffers were originally developed by programmers around the world to be used as a tool for debugging network problems. In simple words, what they do is capture, interpret and save for analysis all the packets being sent across the network. Think of sniffers as recorders that capture or record all the packets being sent over a network. The system administrators later analyze these captured packets to find out as to what exactly is happening in the network or what kind of data is exactly being sent to and fro across the network.
Hence allowing them to debug or troubleshoot networking problems.
Sniffers capture the data being sent across the network in a very raw form, so in effect one is examining the packets traversing in the rawest form and using the information gathered by the analysis to detect or troubleshoot networking problems.
There are different types of sniffers available, however the most common type of sniffer is the Ethernet-based sniffer. In the next paragraph we will discuss just how such sniffers work.
An Ethernet-based sniffer works in cahoots with the Network Interface Card or the NIC. What this means is that such sniffers with the help of the NIC capture absolutely all the packets within the range of the listening system. Please note that the listening system is the system where the Ethernet-based sniffer has been installed.
Normally, a Network Card throws away any packets, which are not specifically directed to the listening system. However, in case of Ethernet-based Sniffers, the Network Interface cards are set to a special state called the promiscuous mode to ensure that it receives all the packets within listening range of the listening system. What this means is that it ensures that the NIC receives even those packets, which are not directed specifically to the listening system, but infact receives all the packets going across the wire.
After the NIC has been set to promiscuous mode, the sniffer software installed on the listening system can capture or record all the packets that travel across the local Ethernet segment. However, one thing to note is that such sniffers will not be able to capture packets traversing beyond routers, switches, segmenting devices etc.
The point to notice is that sniffers capture all the packets being sent across the network. That means that it captures everything from the login password to the shell command being typed out.
There are a number of sniffers available, however, the most popular is tcpdump.
Sniffing is one of the most popular forms of attacks used by hackers. One
special sniffer, called Esniff.c, is very small, designed to work on Sunos, and
only captures the first 300 bytes of all telnet, ftp, and rlogin sessions. It
was published in Phrack, one of the most widely read freely available
underground hacking magazines. You can find Phrack on many FTP sites. Esniff.c
is also available on many FTP sites such as coombs.anu.edu.au:/pub/net/log.
You may want to run Esniff.c on an authorized network to quickly see how
effective it is in compromising local machines.
Other sniffers that are widely available which are intended to debug network
Etherfind on SunOs4.1.x
Snoop on Solaris 2.x and SunOs 4.1 (on ftp playground.sun.com)
Tcpdump 2.0 uses bpf for a multitude of platforms.
Packetman, Interman, Etherman, Loadman works on the following platforms:
SunOS, Dec-Mips, SGI, Alpha, and Solaris. It is available on
Packetman was designed to capture packets, while Interman, Etherman, and
Loadman monitor traffic of various kinds.
DOS based sniffers
Gobbler for IBM DOS Machines
Available on ftp
Companion utility to a ethernet monitor. Available on ftp
Commercial Sniffers are available at:
Network General produces a number of products. The most
important are the Expert Sniffer, which not only sniffs on the
wire, but also runs the packet through a high-performance expert
system, diagnosing problems for you. There is an extension onto
this called the "Distributed Sniffer System" that allows you to
put the console to the expert sniffer on you Unix workstation
and to distribute the collection agents at remote sites.
Microsoft's Net Monitor
" My commercial site runs many protocols on one wire - NetBeui,
IPX/SPX, TCP/IP, 802.3 protocols of various flavors, most
notably SNA. This posed a big problem when trying to find a
sniffer to examine the network problems we were having, since I
found that some sniffers that understood Ethernet II parse out
some 802.3 traffic as bad packets, and vice versa. I found that
the best protocol parser was in Microsoft's Net Monitor product,
also known as Bloodhound in its earlier incarnations. It is able
to correctly identify such oddities as NetWare control packets,
NT NetBios name service broadcasts, etc, which etherfind on a
Sun simply registered as type 0000 packet broadcasts. It
requires MS Windows 3.1 and runs quite fast on a HP XP60 Pentium
box. Top level monitoring provides network statistics and
information on conversations by mac address (or hostname, if you
bother with an ethers file). Looking at tcpdump style details is
as simple as clicking on a conversation. The filter setup is
also one of the easiest to implement that I've seen, just click
in a dialog box on the hosts you want to monitor. The number of
bad packets it reports on my network is a tiny fraction of that
reported by other sniffers I've used. One of these other
sniffers in particular was reporting a large number of bad
packets with src mac addresses of aa:aa:aa:aa:aa:aa but I don't
see them at all using the MS product. - Anonymous
So how do I detect sniffers? Well, sniffers have a number of tell tales that you need to watch out for. To detect a sniffing device that only collects data and does not respond to any of the information, requires physically checking all your ethernet connections by walking around and checking the ethernet connections individually.
It is also impossible to remotely check by sending a packet or ping if a
machine is sniffing.
The following are some of the various signs on the target system that tell you that a sniffer is at work:
1.) NIC is working in promiscuous Mode: There is a utility called ‘cpm’ which can detect a NIC working in promiscuous mode.
2.) Certain Sniffers are also visible in the list of Running Processes.
3.) Most Sniffers would create a long log file. One has to watch out for log files in hidden directories.
The above techniques work for host based sniffer detection. However, in case of Network-based sniffer detection one has to make use of a tool called ‘AntiSniff’, which was developed by L0phtCrack.
However if you are looking for more permanent solutions against Sniffers, then the following section may just be what you are looking for.
The following are the more permanent Anti-Sniffers Measures:
Stopping sniffing attacks
Active hubs send to each system only packets intended for it rendering promiscuous sniffing useless. This is only effective for 10-Base T.
The following vendors have available active hubs:
a.) Switching to Switched Networks: In case of a Switched Network, only the packets meant for that particular host reach the NIC. This limits the damages caused by a sniffer.
b.) Use of Encryption Technologies like SSH, IP Security Protocol etc
This brings us to the end of our ‘Quick Manual’ on Sniffers. Hope you like it and till next time goodbye.