Rogue sniffers

One common security issue is the danger of a rogue packet analyzer on your network. These packet analyzers (a.k.a. sniffers) capture traffic as it crosses the network, then store it so that all the data can be retrieved. This data may include the contents of financial spreadsheets, a customer database or the passwords you use to log onto network resources. Detecting these devices is very tricky because they typically do not advertise their presence; they just listen. However, there are several methods you can use to detect them, and once you've discovered them, you can shut them down.

One of the easiest things you can do is run a program called AntiSniff regularly. AntiSniff was originally written by L0pht Heavy Industries before they were acquired by @stake. Although this software has many methods of detecting sniffers on a network, most of them revolve around detecting network adapters that are operating in 'promiscuous mode'.

Promiscuous mode allows an adapter to receive traffic that is destined for some other node. Remember that Ethernet is a 'broadcast medium' and its frames carry source and destination (MAC) addresses. So when a frame is sent by one station, all the other nodes on the segment receive it; a normal adapter discards the frame once it sees that the destination address is different from its own MAC address, but a promiscuous NIC continues processing it. (Sniffing a network with a non-promiscuous NIC would be somewhat pointless, since you wouldn't be able to see anyone else's traffic.)

So as an example, one of the tricks AntiSniff uses is to PING a bogus Ethernet address. When normal adapters receive this frame, they immediately discard it, as it is not addressed to them. However, when a promiscuous NIC receives the frame, it continues processing, ignoring the bogus address. When the frame is passed up the stack to the IP layer, the host responds to the PING. Thus, if AntiSniff receives any replies, it alerts you to the presence of a potential sniffer.
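The bogus-MAC ping trick described above, modelled as an added example (not AntiSniff's own code): a small pure-Python model of a LAN segment in which each host applies the layer-2 filter first and the IP layer second. Host names, MAC and IP addresses are constructed sample values. The model also shows the one thing the probe must get right: the bogus destination must not be the broadcast address, or every host on the segment replies and the test tells you nothing.

```python
"""Model of the bogus-MAC ping probe used to spot promiscuous NICs.

Added example, not AntiSniff's code. It models a LAN segment in pure
Python so the detection logic can be run offline; all hosts, MACs and
IPs below are constructed sample values.
"""
from dataclasses import dataclass
from typing import List, Optional

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    dst_mac: str
    src_mac: str
    dst_ip: str
    src_ip: str
    payload: str  # "icmp-echo-request" or "icmp-echo-reply"


@dataclass
class Host:
    name: str
    mac: str
    ip: str
    promiscuous: bool = False

    def nic_accepts(self, frame: Frame) -> bool:
        """Layer-2 filter: a normal NIC keeps only frames addressed to its
        own MAC or to broadcast; a promiscuous NIC passes everything up."""
        if self.promiscuous:
            return True
        return frame.dst_mac.lower() in (self.mac.lower(), BROADCAST_MAC)

    def receive(self, frame: Frame) -> Optional[Frame]:
        """Return an echo reply if the frame gets past the NIC and the IP
        layer sees its own address as the destination; otherwise None."""
        if not self.nic_accepts(frame):
            return None
        if frame.dst_ip != self.ip or frame.payload != "icmp-echo-request":
            return None
        return Frame(dst_mac=frame.src_mac, src_mac=self.mac,
                     dst_ip=frame.src_ip, src_ip=self.ip,
                     payload="icmp-echo-reply")


def probe_segment(hosts: List[Host], prober_mac: str, prober_ip: str,
                  bogus_mac: str) -> List[str]:
    """Send each host an echo request whose Ethernet destination is
    bogus_mac (not the host's real MAC) but whose IP destination is
    correct. A host that replies processed a frame not addressed to it."""
    suspects = []
    for h in hosts:
        probe = Frame(dst_mac=bogus_mac, src_mac=prober_mac,
                      dst_ip=h.ip, src_ip=prober_ip,
                      payload="icmp-echo-request")
        if h.receive(probe) is not None:
            suspects.append(h.name)
    return suspects


# Constructed sample segment: one workstation has its NIC in promiscuous mode.
LAB_SEGMENT = [
    Host("ws-accounting", "00:11:22:33:44:01", "192.0.2.11"),
    Host("ws-sniffer", "00:11:22:33:44:02", "192.0.2.12", promiscuous=True),
    Host("file-server", "00:11:22:33:44:03", "192.0.2.13"),
]
PROBER_MAC = "00:11:22:33:44:ff"
PROBER_IP = "192.0.2.250"
BOGUS_MAC = "00:de:ad:be:ef:01"  # unicast-looking, belongs to nobody


def run_probe() -> List[str]:
    """Run the probe against the sample segment; returns suspect host names."""
    return probe_segment(LAB_SEGMENT, PROBER_MAC, PROBER_IP, BOGUS_MAC)


if __name__ == "__main__":
    print("bogus unicast MAC ->", run_probe())
    # Using broadcast as the 'bogus' address makes every host answer:
    print("broadcast MAC    ->",
          probe_segment(LAB_SEGMENT, PROBER_MAC, PROBER_IP, BROADCAST_MAC))
```

The model gives every promiscuous host the simplest possible behaviour. Real operating-system stacks differ in whether the IP layer re-checks the link-layer address before answering, which is why a tool like AntiSniff carries more than one test rather than relying on a single bogus address.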

You can find more information and download AntiSniff for Windows NT at http://www.securitysoftwaretech.com/antisniff/

Thomas Alexander Lancaster IV is a consultant and author with over ten years experience in the networking industry, focused on Internet infrastructure.

This was first published in April 2002
