A packet sniffer is a wiretap program that eavesdrops on network traffic by plugging into the computer network. Sniffing lets someone snoop on the interaction between computers, just as a telephone wiretap does. Network wiretap programs have a special feature called protocol analysis that decodes the computer conversations, which are in binary format. Sniffing can be done on any network connection because most networks use shared media; listening to all traffic on the shared medium is known as promiscuous mode. At present, switched technology is preferred over shared technology; on a switched network, sniffing is done by tapping into the wire.
What is the purpose of a packet sniffer?
A packet sniffer lets users watch network traffic on the network interface connected to the host machine. The sniffer program can watch UDP, TCP, IP, ARP, ICMP and RARP, and can also monitor port-specific traffic. At present it is mostly preferred by hackers for their own purposes, and passive sniffing is used to find the gateway of an unknown network. All sniffed URLs can be output from HTTP traffic in Common Log Format. A packet sniffer presents random MAC addresses to the local network to facilitate sniffing. Packet sniffers are used in fault analysis systems to find network problems, in performance analysis to find bottlenecks in the network, in network intrusion detection systems to trace hackers, and in network traffic logging to make logs.
How does a sniffing wiretap work?
Ethernet is built on a shared principle: all machines in a local network are connected to the same wire, and the network traffic can be watched by all of them. Each Ethernet adapter has a filter that ignores traffic not addressed to it, by comparing the destination MAC address. A wiretap program turns this filter off through the Network Interface Card (NIC), putting the adapter in promiscuous mode. Thus a packet sniffer makes eavesdropping on network traffic on the same wire easy.
How can I defend myself against packet sniffing?
The best defense against sniffing is to encrypt the data. Here are a few techniques to avoid sniffing:
- Secure Sockets Layer (SSL) is used in web servers and web browsers for encrypted web surfing. SSL is also used in e-commerce to encrypt a user's credit card information.
- Email can be encrypted using PGP and S/MIME. S/MIME support is built into Microsoft and Netscape products.
- Secure Shell (SSH) is used as the standard method for logging into UNIX machines from the Internet.
- VPNs are used to carry encrypted traffic across the Internet.
- Passwords can be protected by data encryption systems.
How can I detect a packet sniffer?
Here are a few techniques that detect sniffers and can be included in security audit tools:
- The DNS Test: In this method, the detection tool is itself in promiscuous mode. Many fake network connections are created so that poorly written sniffers pick them up and try to resolve the nonexistent host IP addresses.
- The Ping Test: In this method, an ICMP echo request is sent to the IP address of the suspected machine but with a wrong MAC address. If the suspected host replies to the request, it is in promiscuous mode. Sometimes clever attackers can filter out these requests.
- The ICMP Ping Latency Test: In this method, the target's round-trip time (RTT) is first measured by pinging it. Many fake TCP connections are then created on the network segment at a very high rate, so that a sniffer has to process those packets and the network latency of the target machine increases. The target machine is pinged again and the RTT compared. After several tests, a conclusion is reached as to whether a sniffer is running on the target machine.
- The ARP Test: In this method, valid information is sent in an ARP request with a fake destination hardware address. Only a machine in promiscuous mode will process this request, by which it can be detected.
- Finally, sniffing can be prevented by using switches instead of hubs.
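A host-side check that complements the network-based tests above, added here as an example and not part of the original FAQ: it reads the Linux sysfs interface flags (IFF_PROMISC is bit 0x100 in /sys/class/net/<iface>/flags) and replays the kernel's "device X entered/left promiscuous mode" log lines to report which interfaces are currently in promiscuous mode. The sample log lines are constructed, and the sysfs path is a parameter so the check can be run against a real host or a constructed directory.

```python
import re
from pathlib import Path

# Linux interface flag bit for promiscuous mode (IFF_PROMISC in <linux/if.h>).
IFF_PROMISC = 0x100


def flags_indicate_promisc(flags_text: str) -> bool:
    """Interpret /sys/class/net/<iface>/flags, a hex string such as '0x1103'."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def promisc_interfaces(sysfs_net: str = "/sys/class/net") -> list:
    """Names of interfaces whose sysfs flags carry IFF_PROMISC (sorted).

    sysfs_net is a parameter so the check can be exercised against a
    constructed directory tree as well as the real /sys/class/net.
    """
    root = Path(sysfs_net)
    if not root.is_dir():
        return []
    found = []
    for iface in sorted(p.name for p in root.iterdir()):
        try:
            if flags_indicate_promisc((root / iface / "flags").read_text()):
                found.append(iface)
        except (OSError, ValueError):
            continue  # interface vanished or flags file unreadable/garbled
    return found


# The kernel logs "device <iface> entered promiscuous mode" / "left promiscuous mode"
# whenever promiscuity is toggled; replaying the lines in order shows what is still on.
_PROMISC_LOG = re.compile(r"device (\S+) (entered|left) promiscuous mode")


def promisc_from_kernel_log(lines) -> set:
    """Set of interfaces that entered promiscuous mode and have not left it."""
    current = set()
    for line in lines:
        m = _PROMISC_LOG.search(line)
        if m is None:
            continue
        iface, action = m.group(1), m.group(2)
        current.add(iface) if action == "entered" else current.discard(iface)
    return current


# Constructed sample kernel-log lines (not captured from a real host).
SAMPLE_KERNEL_LOG = [
    "Mar  1 10:02:11 host kernel: device eth0 entered promiscuous mode",
    "Mar  1 10:02:11 host kernel: device eth1 entered promiscuous mode",
    "Mar  1 10:05:40 host kernel: device eth1 left promiscuous mode",
    "Mar  1 10:06:02 host kernel: eth0: link becomes ready",
]

if __name__ == "__main__":
    print("promiscuous (sysfs):", promisc_interfaces())
    print("promiscuous (kernel log):", sorted(promisc_from_kernel_log(SAMPLE_KERNEL_LOG)))
```

On a live host, run it as root or with read access to /sys/class/net and feed it the output of `dmesg` or `journalctl -k` for the log-based check.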
- Sniffers: This site provides good information about sniffers, such as their capabilities, promiscuous mode, and the detection and prevention of sniffers.
- Sniffing FAQ: The FAQ on this website gives valuable information about the basics of sniffing, defense, and sniffer detection.
- Packet Sniffing in Switched Environment: Here the basics of packet sniffing and the effects of packet sniffing in a switched environment are explained well.
- Sniffers Basics: All the basic information required on packet sniffing is provided on this website, along with basic commands.
- Analysis of Packet Sniffers: On this website, an analysis of the packet sniffers TCPdump, Ngrep, and Snoop is clearly explained.
- Home Surveillance Cameras: Besides packet sniffing, here are some other examples of snooping methods.