
Thread: Sniffers

  1. #1
    Senior Member
    Join Date
    Nov 2003

    Post Sniffers

    Date: Sunday, January 23, 2003

    Version: 1.0.0



    Sniffers are the most dreaded nightmare of system administrators. A compromised system is bad enough, but a compromised system with a sniffer installed on it, stealing company secrets and important passwords is as bad as it gets. In this manual we will discuss just how sniffers work and how to detect them and a lot more related information.

    Sniffers were originally developed by programmers around the world to be used as a tool for debugging network problems. In simple words, what they do is capture, interpret and save for analysis all the packets being sent across the network. Think of sniffers as recorders that capture or record all the packets being sent over a network. The system administrators later analyze these captured packets to find out what exactly is happening in the network or what kind of data is exactly being sent to and fro across the network, hence allowing them to debug or troubleshoot networking problems.

    Sniffers capture the data being sent across the network in a very raw form, so in effect one is examining the packets traversing in the rawest form and using the information gathered by the analysis to detect or troubleshoot networking problems.

    There are different types of sniffers available, however the most common type of sniffer is the Ethernet-based sniffer. In the next paragraph we will discuss just how such sniffers work.

    An Ethernet-based sniffer works in cahoots with the Network Interface Card or the NIC. What this means is that such sniffers with the help of the NIC capture absolutely all the packets within the range of the listening system. Please note that the listening system is the system where the Ethernet-based sniffer has been installed.

    Normally, a Network Card throws away any packets which are not specifically directed to the listening system. However, in case of Ethernet-based Sniffers, the Network Interface cards are set to a special state called the promiscuous mode to ensure that it receives all the packets within listening range of the listening system. What this means is that it ensures that the NIC receives even those packets which are not directed specifically to the listening system, but in fact receives all the packets going across the wire.

    After the NIC has been set to promiscuous mode, the sniffer software installed on the listening system can capture or record all the packets that travel across the local Ethernet segment. However, one thing to note is that such sniffers will not be able to capture packets traversing beyond routers, switches, segmenting devices etc.

    The point to notice is that sniffers capture all the packets being sent across the network. That means that it captures everything from the login password to the shell command being typed out.

    There are a number of sniffers available, however, the most popular is tcpdump.

    Sniffing is one of the most popular forms of attacks used by hackers. One
    special sniffer, called Esniff.c, is very small, designed to work on SunOS, and
    only captures the first 300 bytes of all telnet, ftp, and rlogin sessions. It
    was published in Phrack, one of the most widely read freely available
    underground hacking magazines. You can find Phrack on many FTP sites. Esniff.c
    is also available on many FTP sites such as

    You may want to run Esniff.c on an authorized network to quickly see how
    effective it is in compromising local machines.

    Other sniffers that are widely available which are intended to debug network
    problems are:

    Etherfind on SunOS 4.1.x
    Snoop on Solaris 2.x and SunOS 4.1 (on ftp
    Tcpdump 2.0 uses bpf for a multitude of platforms.
    Packetman, Interman, Etherman, Loadman works on the following platforms:
    SunOS, Dec-Mips, SGI, Alpha, and Solaris. It is available on[sun4c|dec-mips|sgi|alpha|solaris2]/
    Packetman was designed to capture packets, while Interman, Etherman, and
    Loadman monitor traffic of various kinds.

    DOS based sniffers

    Gobbler for IBM DOS Machines
    ethdump v1.03
    Available on ftp
    ethload v1.04
    Companion utility to an Ethernet monitor. Available on ftp

    Commercial Sniffers are available at:

    Network General.

    Network General produces a number of products. The most
    important are the Expert Sniffer, which not only sniffs on the
    wire, but also runs the packet through a high-performance expert
    system, diagnosing problems for you. There is an extension onto
    this called the "Distributed Sniffer System" that allows you to
    put the console to the expert sniffer on your Unix workstation
    and to distribute the collection agents at remote sites.

    Microsoft's Net Monitor

    "My commercial site runs many protocols on one wire - NetBeui,
    IPX/SPX, TCP/IP, 802.3 protocols of various flavors, most
    notably SNA. This posed a big problem when trying to find a
    sniffer to examine the network problems we were having, since I
    found that some sniffers that understood Ethernet II parse out
    some 802.3 traffic as bad packets, and vice versa. I found that
    the best protocol parser was in Microsoft's Net Monitor product,
    also known as Bloodhound in its earlier incarnations. It is able
    to correctly identify such oddities as NetWare control packets,
    NT NetBios name service broadcasts, etc, which etherfind on a
    Sun simply registered as type 0000 packet broadcasts. It
    requires MS Windows 3.1 and runs quite fast on a HP XP60 Pentium
    box. Top level monitoring provides network statistics and
    information on conversations by mac address (or hostname, if you
    bother with an ethers file). Looking at tcpdump style details is
    as simple as clicking on a conversation. The filter setup is
    also one of the easiest to implement that I've seen, just click
    in a dialog box on the hosts you want to monitor. The number of
    bad packets it reports on my network is a tiny fraction of that
    reported by other sniffers I've used. One of these other
    sniffers in particular was reporting a large number of bad
    packets with src mac addresses of aa:aa:aa:aa:aa:aa but I don't
    see them at all using the MS product." - Anonymous

    So how do I detect sniffers? Well, sniffers have a number of telltales that you need to watch out for. Detecting a sniffing device that only collects data and does not respond to any of the information requires physically checking all your Ethernet connections by walking around and checking the Ethernet connections individually.

    It is also impossible to remotely check by sending a packet or ping if a
    machine is sniffing.

    The following are some of the various signs on the target system that tell you that a sniffer is at work:

    1.) NIC is working in promiscuous Mode: There is a utility called ‘cpm’ which can detect a NIC working in promiscuous mode.

    2.) Certain Sniffers are also visible in the list of Running Processes.

    3.) Most Sniffers would create a long log file. One has to watch out for log files in hidden directories.

    The above techniques work for host based sniffer detection. However, in case of Network-based sniffer detection one has to make use of a tool called ‘AntiSniff’, which was developed by L0phtCrack.

    However if you are looking for more permanent solutions against Sniffers, then the following section may just be what you are looking for.

    The following are the more permanent Anti-Sniffers Measures:

    Stopping sniffing attacks

    Active hubs send to each system only packets intended for it rendering promiscuous sniffing useless. This is only effective for 10-Base T.

    The following vendors have available active hubs:


    a.) Switching to Switched Networks: In case of a Switched Network, only the packets meant for that particular host reach the NIC. This limits the damages caused by a sniffer.

    b.) Use of Encryption Technologies like SSH, IP Security Protocol etc

    This brings us to the end of our ‘Quick Manual’ on Sniffers. Hope you like it and till next time goodbye.
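
Added example, not part of the original post: the first two host-based signs listed in the manual above (a NIC in promiscuous mode, a sniffer visible among running processes) checked on a Linux host. It assumes the Linux sysfs and procfs layout (`/sys/class/net/*/flags`, `/proc/net/packet`, `/proc/<pid>/fd`); the function names are illustrative.

```python
import os

IFF_PROMISC = 0x100  # Linux interface flag bit for promiscuous mode

def promiscuous_interfaces(sys_net="/sys/class/net"):
    """Return interface names whose sysfs flags word has IFF_PROMISC set."""
    found = []
    for name in sorted(os.listdir(sys_net)):
        try:
            with open(os.path.join(sys_net, name, "flags")) as fh:
                flags = int(fh.read().strip(), 16)
        except (OSError, ValueError):
            continue  # interface vanished or entry is not a device
        if flags & IFF_PROMISC:
            found.append(name)
    return found

def packet_socket_inodes(proc_net_packet="/proc/net/packet"):
    """Return inode numbers of open AF_PACKET sockets (used by capture tools)."""
    inodes = set()
    with open(proc_net_packet) as fh:
        col = fh.readline().split().index("Inode")  # locate column by header
        for line in fh:
            fields = line.split()
            if len(fields) > col:
                inodes.add(fields[col])
    return inodes

def processes_holding(inodes, proc="/proc"):
    """Map pid -> command name for processes holding one of those sockets."""
    holders = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            links = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:
            continue  # process exited, or we lack permission to inspect it
        if any(l.startswith("socket:[") and l[8:-1] in inodes for l in links):
            try:
                with open(os.path.join(proc, pid, "comm")) as fh:
                    holders[int(pid)] = fh.read().strip()
            except OSError:
                holders[int(pid)] = "?"
    return holders

if __name__ == "__main__":
    print("promiscuous:", promiscuous_interfaces())
    print("packet-socket holders:", processes_holding(packet_socket_inodes()))
```

Run it as root so the file descriptors of other users' processes are readable; legitimate services such as DHCP clients also hold packet sockets, so the output is a list to review rather than a verdict.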


  2. #2
    This was written by Ankit Fadia, not you.

    Don't claim it if it isn't yours.

  3. #3
    AO Part Timer
    Join Date
    Feb 2003
    Ah come on Jehnny..what if w0lverine is Ankit Fadia?.....*LOL*.....okay okay maybe not
    Your heart was talking, not your mind.
    -Tiger Shark

  4. #4
    lmao, true true, I hadn't thought of that possibility. :-p
