
Rogue sniffers

How to combat rogue sniffers.

One common security issue is the danger of a rogue packet analyzer on your network. These packet analyzers (a.k.a. sniffers) capture traffic as it crosses the network, then store it so that all the data can be retrieved. This data may include the contents of financial spreadsheets, a customer database or the passwords you use to log onto network resources. Detecting these devices is very tricky because they typically do not advertise their presence; they just listen. However, there are several methods you can use to detect them, and once you've discovered them, you can shut them down.

One of the easiest things you can do is run a program called AntiSniff regularly. AntiSniff was originally written by L0pht Heavy Industries before they were acquired by @stake. Although this software has many methods of detecting sniffers on a network, most of them revolve around detecting network adapters that are operating in 'promiscuous mode'.

Promiscuous mode allows an adapter to receive traffic that is destined for some other node. Remember that Ethernet is a 'broadcast medium' and its frames carry source and destination (MAC) addresses. So when a frame is sent by one station, all the other nodes on the segment receive it. A normal adapter compares the destination address with its own MAC address and discards the frame if they differ; a promiscuous NIC keeps processing it regardless. (Sniffing a network with a non-promiscuous NIC would be somewhat pointless, since you wouldn't be able to see anyone else's traffic.)

So as an example, one of the tricks AntiSniff uses is to PING a host using a bogus Ethernet destination address. When normal adapters receive this frame, they immediately discard it, as it is not addressed to them. However, when a promiscuous NIC receives the frame, it continues processing, ignoring the bogus address. When the frame is passed up the stack to the IP layer, the host responds to the PING. Thus, if AntiSniff receives any replies, it alerts you to the presence of a potential sniffer.
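The bogus-MAC ping trick described above, as an added example (not AntiSniff's own code): it builds the probe frame, models how a normal and a promiscuous host handle it, and picks out the replies that give a sniffer away. All MAC and IP values are constructed; putting the probe on the wire would additionally need a raw socket, which is omitted here.

```python
import socket
import struct

# Constructed value: a destination MAC that no real NIC on the segment owns.
BOGUS_DST_MAC = bytes.fromhex("021122334455")


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (IP and ICMP headers)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_probe(src_mac: bytes, src_ip: str, dst_ip: str, ident: int) -> bytes:
    """Ethernet frame to the bogus MAC carrying a valid ICMP echo request for dst_ip."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, 1) + b"probe"
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return BOGUS_DST_MAC + src_mac + b"\x08\x00" + ip + icmp


def host_response(frame: bytes, host_mac: bytes, host_ip: str, promiscuous: bool):
    """Model of a receiving host: NIC address filter, then the IP/ICMP stack.
    Returns the echo-reply frame the host would send, or None."""
    dst_mac, src_mac = frame[:6], frame[6:12]
    if not promiscuous and dst_mac != host_mac:
        return None                      # normal NIC: not addressed to me, drop it
    ip, icmp = frame[14:34], frame[34:]
    if ip[9] != 1 or socket.inet_ntoa(ip[16:20]) != host_ip or icmp[0] != 8:
        return None                      # not an echo request for this host's IP
    reply_icmp = b"\x00\x00\x00\x00" + icmp[4:]          # type 0 = echo reply
    reply_icmp = reply_icmp[:2] + struct.pack("!H", checksum(reply_icmp)) + reply_icmp[4:]
    reply_ip = ip[:10] + b"\x00\x00" + ip[16:20] + ip[12:16]   # swap src/dst
    reply_ip = reply_ip[:10] + struct.pack("!H", checksum(reply_ip)) + reply_ip[12:]
    return src_mac + host_mac + b"\x08\x00" + reply_ip + reply_icmp


def responder_ip(frame: bytes, ident: int):
    """If frame is an ICMP echo reply carrying our identifier, return the IP that
    answered: it accepted a frame addressed to a MAC it does not own."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 1:
        return None
    ihl = (frame[14] & 0x0F) * 4
    typ, _, _, rid, _ = struct.unpack("!BBHHH", frame[14 + ihl:14 + ihl + 8])
    return socket.inet_ntoa(frame[26:30]) if typ == 0 and rid == ident else None
```

A real scan sends the probe to every address on the segment and treats any IP returned by `responder_ip` as a promiscuous-mode candidate worth a physical check.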

You can find more information and download Antisniff for Windows NT at

Thomas Alexander Lancaster IV is a consultant and author with over ten years experience in the networking industry, focused on Internet infrastructure.

This was last published in April 2002
