Welcome to Bucaro TecHelp!

Bucaro TecHelp
HTTPS Encryption not required because no account numbers or
personal information is ever requested or accepted by this site

About Bucaro TecHelp About BTH User Agreement User Agreement Privacy Policy Privacy Site Map Site Map Contact Bucaro TecHelp Contact RSS News Feeds News Feeds

Detecting Network Sniffers

By Steve Leytus

A packet sniffer is a program or device that eavesdrops on network traffic and gathers data from packets. Sometimes such wiretaps are carried out by the network administrator for beneficial purposes (like intrusion detection, performance analysis, etc.). On the other hand, malicious intruders may install packet sniffers in order to retrieve clear-text usernames and passwords from the local network or other vital information transmitted on the network.

Vulnerable protocols (with clear-text passwords) include: telnet, pop3, imap, ftp, smtp-auth and nntp. Sniffers work because ethernet was designed to be shared. Most networks use broadcast technology - messages for one computer can be read by another computer on that network. In practice, computers ignore messages except those that were sent directly to them (or broadcast to all hosts on the network). However, computers can be placed in promiscuous mode and made to accept messages even if they are not meant for them - this is how a Sniffer works.

People assume that computers connected to a switch are safe from sniffing - but this is not really so. Computers connected to switches are just as vulnerable to sniffers as those connected to a hub.

How a Sniffer works

A computer connected to a LAN has 2 addresses - one is the MAC address that uniquely identifies each node in a network and which is stored on the network card. The MAC address is used by the ethernet protocol when building frames to transfer data. The other is the IP address, which is used by applications. The Data Link Layer (layer 2 of the OSI model) uses an ethernet header with the MAC address of the destination machine.

The Network Layer (layer 3 of the OSI model) is responsible for mapping IP network addresses to the MAC address as required by the Data Link Protocol. Layer 3 attempts to look-up the MAC address of the destination machine in a table, called the ARP cache. If no MAC entry is found for the IP address, the Address Resolution Protocol broadcasts a request packet (ARP request) to all machines on the network. The machine with that IP address responds to the source machine with its MAC address. This MAC address then gets added to the source machines ARP Cache. This MAC address is then used by the source machine in all its communications with the destination machine.

There are two basic types of ethernet environments - shared and switched. In a shared ethernet environment all hosts are connected to the same bus and compete with one another for bandwidth. In such an environment packets meant for one machine are received by all the other machines. All the computers on the shared ethernet compare the frame's destination MAC address with their own. If the two don't match, the frame is quietly discarded. A machine running a sniffer breaks this rule and accepts all frames. Such a machine is said to have been put into promiscuous mode and can effectively listen to all the traffic on the network. Sniffing in a shared ethernet environment is passive and, hence, difficult to detect.

In a switched environment the hosts are connected to a switch instead of a hub. The switch maintains a table that keeps track of each computer's MAC address and the physical port on the switch to which that MAC address is connected. The switch is an intelligent device which sends packets only to the destination computer. As a result, the process of putting a machine into promiscuous mode to gather packets does not work. However, this does not mean that switched networks are secure and cannot be sniffed.

Though a switch is more secure than a hub, you can use the following methods to sniff on a switch:

ARP Spoofing - The ARP is stateless, that is, you can send an ARP reply even if none has not been asked for, and such a reply will be accepted. For example, one technique is to ARP Spoof the gateway of the network. The ARP cache of the targeted host will now have a wrong entry for the gateway and is said to be Poisoned. From this point on, all the traffic destined for the gateway will pass through the sniffer machine.

Another trick that can be used is to poison a host's ARP cache by setting the gateway's MAC address to FF:FF:FF:FF:FF:FF (also known as the broadcast MAC).
Menu - More
Network Security

RSS Feed RSS Feed

Follow Stephen Bucaro Follow @Stephen Bucaro


Computer Networking Sections

Fire HD
[Site User Agreement] [Privacy Policy] [Site map] [Search This Site] [Contact Form]
Copyright©2001-2024 Bucaro TecHelp 13771 N Fountain Hills Blvd Suite 114-248 Fountain Hills, AZ 85268