One common security issue is the danger of a rogue packet analyzer on your network. These packet analyzers (a.k.a. sniffers) capture traffic as it crosses the network, then store it so that all the data can be retrieved. This data may include the contents of financial spreadsheets, a customer database or the passwords you use to log onto network resources. Detecting these devices is very tricky because they typically do not advertise their presence; they just listen. However, there are several methods you can use to detect them, and once you've discovered them, you can shut them down.
One of the easiest things you can do is run a program called AntiSniff regularly. AntiSniff was originally written by L0pht Heavy Industries before they were acquired by @stake. Although this software has many methods of detecting sniffers on a network, most of them revolve around detecting network adapters that are operating in 'promiscuous mode'.
Promiscuous mode allows an adapter to receive traffic that is destined for some other node. Remember that Ethernet is a 'broadcast medium' and its frames carry source and destination (MAC) addresses. When one station sends a frame, all the other nodes on the network receive it; a normal adapter discards the frame once it sees that the destination address is not its own MAC address, but a promiscuous NIC keeps processing it. (Sniffing a network with a non-promiscuous NIC would be somewhat pointless, since you wouldn't be able to see anyone else's traffic.)
So, as an example, one of the tricks AntiSniff uses is to PING a bogus Ethernet address. When a normal adapter receives this frame, it immediately discards it, because it is not addressed to that adapter. A promiscuous NIC, however, keeps processing the frame regardless of the bogus address, and when the frame is passed up the stack to the IP layer, the host responds to the PING. Thus, if AntiSniff receives any replies, it alerts you to the presence of a potential sniffer.
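The bogus-MAC ping check described above, modelled in Python as an added example (this is not AntiSniff's code): each host's NIC applies the layer-2 MAC filter, the IP layer checks only the IP destination, and the prober flags any host that answers a ping sent to a MAC that nobody owns. The host addresses, the bogus MAC and the frame fields are constructed for the illustration; a real probe would have to craft raw Ethernet frames on the wire, which this model deliberately omits.

```python
"""Model of the bogus-MAC ping test used by AntiSniff-style detectors.

Added illustration, not AntiSniff's code. Hosts, addresses and frames are
constructed in-process; nothing is sent on a real network.
"""
from dataclasses import dataclass
from typing import List, Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    dst_mac: str
    src_mac: str
    dst_ip: str
    src_ip: str
    payload: str  # "icmp-echo-request" or "icmp-echo-reply"


@dataclass
class Host:
    mac: str
    ip: str
    promiscuous: bool = False

    def nic_accepts(self, frame: Frame) -> bool:
        """Layer-2 filter: a normal NIC keeps only frames addressed to its own
        MAC or to the broadcast address; a promiscuous NIC keeps everything."""
        if self.promiscuous:
            return True
        return frame.dst_mac in (self.mac, BROADCAST)

    def handle(self, frame: Frame) -> Optional[Frame]:
        """Pass an accepted frame up the stack. The IP layer checks only the IP
        destination, so a promiscuous host answers a ping whose MAC was bogus."""
        if not self.nic_accepts(frame):
            return None
        if frame.dst_ip != self.ip or frame.payload != "icmp-echo-request":
            return None
        return Frame(frame.src_mac, self.mac, frame.src_ip, self.ip, "icmp-echo-reply")


def is_group_address(mac: str) -> bool:
    """True for multicast and broadcast MACs (I/G bit of the first octet set)."""
    return int(mac.split(":")[0], 16) & 1 == 1


def valid_probe_mac(mac: str) -> bool:
    """A usable probe MAC must be unicast: normal NICs accept broadcast and
    subscribed multicast frames too, which would make every host reply."""
    return not is_group_address(mac)


def probe(hosts: List[Host], bogus_mac: str,
          prober_mac: str = "02:00:00:00:00:01",   # constructed prober MAC
          prober_ip: str = "10.0.0.1") -> List[str]:
    """Send an echo request with a bogus destination MAC to each host's IP and
    return the IPs that answered, i.e. the hosts whose NIC is promiscuous."""
    if not valid_probe_mac(bogus_mac):
        raise ValueError("probe MAC must be a unicast address that no host owns")
    suspects = []
    for host in hosts:
        request = Frame(bogus_mac, prober_mac, host.ip, prober_ip, "icmp-echo-request")
        if host.handle(request) is not None:
            suspects.append(host.ip)
    return suspects


# Constructed sample segment: one host is sniffing with a promiscuous NIC.
SAMPLE_HOSTS = [
    Host("00:11:22:33:44:01", "10.0.0.2"),
    Host("00:11:22:33:44:02", "10.0.0.3", promiscuous=True),
    Host("00:11:22:33:44:03", "10.0.0.4"),
]
BOGUS_MAC = "00:00:00:00:00:01"  # unicast, owned by nobody on the segment (constructed)

if __name__ == "__main__":
    print("suspected sniffers:", probe(SAMPLE_HOSTS, BOGUS_MAC))
```

The probe refuses broadcast and multicast destination MACs because every normal NIC accepts those, so replies would prove nothing. The converse also matters when you read a clean result: a host that blocks ICMP echo, or whose driver still applies the MAC filter while capturing, produces no reply even though it is sniffing, so absence of replies is not proof that the segment is clean.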
You can find more information and download Antisniff for Windows NT at http://www.securitysoftwaretech.com/antisniff/
Thomas Alexander Lancaster IV is a consultant and author with over ten years' experience in the networking industry, focused on Internet infrastructure.
This was first published in April 2002