Who's Sniffing Your Network?
  

A sniffer is any device, whether software or hardware, that captures information travelling along a network. A sniffer works by placing the network interface (Ethernet adapter) into promiscuous mode and thereby capturing all network traffic on the segment. Promiscuous mode is the mode in which an interface listens to all traffic passing by, not simply the traffic addressed to its own workstation.


Sniffer Tools:

1) linsniffer
linsniffer is a simple sniffer whose main purpose is to capture usernames and passwords. linsniffer can be found at http://agape.trilidun.org/hack/network-sniffers/linsniffer.c

The output of linsniffer is excellent for stealing passwords and logging general activity, but not suitable for more detailed analysis.

2) linux_sniffer:
linux_sniffer provides a slightly more detailed view. It can be found at http://www.ryanspc.com/sniffers/linux_sniffer.c
linux_sniffer is easy to use and gives you output with more detail.

3) hunt:
hunt is one of my favourites. It is suitable when you need less raw output and more easy-to-read information. It can be downloaded from:
http://www.ryanspc.com/sniffers/hunt-1.3.tgz
Hunt also offers the following features:

  • It allows you to specify particular connections you are interested in, rather than having to watch and log everything.
  • It detects already-established connections.
  • It offers spoofing tools.
  • It offers active session hijacking.

4) sniffit
sniffit is for folks who need just a little more. It gives you wide latitude to monitor multiple hosts, on different ports, for different kinds of packets. It's really a nice tool.
It can be downloaded from: http://reptile.rug.ac.be/~coder/sniffit/sniffit.html

Risks posed by sniffers:
Sniffers represent a high level of risk because:

  • They can capture passwords.
  • They can capture confidential or proprietary information.
  • They can be used to breach the security of neighbouring networks, or to gain leveraged access.

Defending against sniffer attack:
As we have seen, sniffer attacks are difficult to detect and thwart because sniffers are passive programs. They don't generate an evidence trail (logs), and when used properly they don't consume much disk or memory.
To hunt down a sniffer, you must ascertain whether any network interface on your network is in promiscuous mode. For this, try the following tools:

  • ifconfig
  • ifstatus

ifconfig: You can quickly detect an interface in promiscuous mode on your local host by using ifconfig, the tool for configuring network interface parameters. To run it, issue the ifconfig command at a prompt and inspect the flags it reports for each interface.
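The following script is an added example, not part of the original article or of the net-tools project. It takes ifconfig-style output on standard input and prints the names of interfaces whose flag line carries PROMISC; it also understands the newer net-tools "flags=...<...>" layout and the numbered lines of `ip link`, which goes beyond the ifconfig form the text mentions. The sysfs check assumes a Linux host where /sys/class/net/<iface>/flags exists and bit 0x100 is IFF_PROMISC. The sample output embedded below is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original article): find interfaces in
# promiscuous mode from saved or live ifconfig / ip link output.

# Print the name of every interface whose block mentions PROMISC.
# Reads ifconfig-style text from stdin; each interface block starts at
# an unindented line.
promisc_ifaces() {
    awk '
        # New block: "eth0      Link encap:...", "eth1: flags=..."
        # or "3: eth2: <...>" (ip link numbers its lines).
        /^[^ \t]/ { iface = ($1 ~ /^[0-9]+:$/) ? $2 : $1; sub(/:$/, "", iface) }
        # Old ifconfig prints "UP BROADCAST PROMISC ...", newer net-tools and
        # ip link print the flag inside <...>; either way the word is PROMISC.
        /PROMISC/ { if (!(iface in seen)) { seen[iface] = 1; print iface } }
    '
}

# Linux sysfs check: the flags file holds the interface flags in hex and
# IFF_PROMISC is 0x100. Returns 0 if promiscuous, 1 if not, 2 if unknown.
sysfs_promisc() {
    flags=$(cat "/sys/class/net/$1/flags" 2>/dev/null) || return 2
    [ $(( flags & 0x100 )) -ne 0 ]
}

# Constructed sample (three output styles mixed on purpose); eth0 and eth2
# are promiscuous, eth1 and lo are not.
SAMPLE='eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:01
          inet addr:192.0.2.10  Bcast:192.0.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 198.51.100.7  netmask 255.255.255.0
3: eth2: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel
    link/ether 00:00:00:00:00:03 brd ff:ff:ff:ff:ff:ff
lo        Link encap:Local Loopback
          UP LOOPBACK RUNNING  MTU:16436  Metric:1'

# Run with --demo to see the sample analysed: prints "eth0" and "eth2".
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE" | promisc_ifaces
fi
```

On a live host, source the file and pipe the real output through the function, for example `ifconfig -a | promisc_ifaces` or `ip link | promisc_ifaces`; an interface that shows PROMISC without a known reason (a monitoring tap, a bridge port) deserves a look at which process opened it.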

ifstatus: ifstatus checks all network interfaces on the system and reports any that are in debug or promiscuous mode. It can be downloaded from:
ftp://coast.cs.purdue.edu/pub/tools/unix/ifstatus/

ifconfig and ifstatus are fine for detecting sniffers on your local host. But on a large network you need a tool that can detect sniffers across a subnet. One such tool is NEPED.

NEPED: NEPED can detect sniffer activity on a subnet. You can get a copy from:

http://metalab.unc.edu/pub/Linux/distributions/trinux/src/neped.c
NEPED has a limitation: it only works with Linux kernels before 2.0.36.

Security Measures against Sniffers:

  • Choose "good" passwords and change them frequently.
  • Always use encryption. Encrypted sessions generally reduce your risk: even if an attacker sniffs the data, it will be useless to him. For example, always use ssh as an alternative to Telnet.

Conclusion:
Sniffers represent a significant security risk, mainly because they are not easily detected. In the end, the best defences against sniffing are a secure topology and strong encryption.

 

This article is Copyright (c) 2000 by Kapil Sharma. This material may be distributed only subject to the terms and conditions set forth in the Open Publication License, v1.0 or later (the latest version is presently available at http://www.opencontent.org/openpub/).

 

Written by: Kapil Sharma

Website: http://www.linux4biz.net
[Kapil Sharma is a Linux and Internet security consultant. He has been working on various Linux/Unix systems and Internet Security for more than 4 years. He is maintaining a web site http://www.linux4biz.net for providing free as well as commercial support for web, Linux and Unix solutions.]


Web site maintained & supported by Copyright © Linux4biz.net, 2002-2003