In Search of a Sniffer
A sniffer is a program or device that eavesdrops on network traffic and captures the information travelling over it. Put simply, sniffers are data interception programs. They work because Ethernet was built around a principle of sharing: on a shared segment, every station sees every frame.
Classic Ethernet is a broadcast medium, meaning that every frame transmitted by one computer on the segment reaches every other computer on it. In practice, all the other computers, except the one for which the frame is meant, ignore it. A sniffer, however, makes a computer accept frames even when they are not meant for it. Bear in mind that most networks today are switched: a switch forwards a frame only to the port on which it has learned the destination MAC address, so a promiscuous host behind a switch sees broadcasts, multicasts, frames flooded to unknown destinations and its own traffic, but not other hosts' conversations, unless the attacker also poisons ARP caches or has a mirror (SPAN) port. The detection methods below assume a shared segment.
Suppose the machine Venus wants to talk to the machine Cupid. Venus has the IP address 144.16.103.3, whereas Cupid has the IP address 144.16.103.2. When Venus sends a packet on the network, the Ethernet frame carrying it includes the destination media access control (MAC) address and the source MAC address. Every adaptor on the segment compares the frame's destination MAC address with its own MAC address; when the two don't match, the adaptor discards the frame before the operating system ever sees it. A machine running a sniffer breaks this rule: its adaptor has been put into promiscuous mode, so it accepts every frame and passes it up to the sniffer, which can therefore listen to all the traffic on the segment.
A sniffer is usually passive: it only collects data and generates no traffic of its own. That is what makes sniffers so difficult to detect. A host in promiscuous mode does, however, behave differently from a clean host: its kernel now receives and processes frames that a normal adaptor would have dropped, and a few such frames can be crafted to provoke a response that gives the host away. Here is an overview of the detection methods:
Ping Method: The trick used here is to send an ICMP echo request to the suspect machine's IP address, but inside a frame whose destination MAC address is not the suspect's (and not the broadcast address either). Ideally, no machine should process this frame, as each Ethernet adaptor will reject it because it does not match its own MAC address. If the suspect machine is running a sniffer, its adaptor accepts the frame anyway, the IP stack sees an echo request for its own address and replies. This is an old method and no longer reliable: some operating systems filter on the destination MAC address in software even when the adaptor is in promiscuous mode, so a reply is strong evidence but silence proves nothing.
Address Resolution Protocol (ARP) Method: A machine caches the IP-to-MAC mappings it learns from ARP traffic, so what we do is send an ARP request for the suspect's IP address, carrying our own IP and MAC addresses in the sender fields, but unicast to a bogus destination MAC rather than the broadcast address. A clean adaptor drops it; a machine in promiscuous mode processes it, answers it and caches our mapping. Next, we send a broadcast ping whose IP source address is ours but whose Ethernet source address is a different, fake MAC. A clean machine has no cache entry for our IP address and must broadcast an ARP request for it before it can answer; only a machine that learned our real MAC address from the sniffed ARP frame can reply immediately and directly to that MAC. Voilà!
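The two probes described above, the bogus-MAC ping and the two-step ARP test, built from raw bytes so that every field the text talks about is visible. This is an added example, not code from the original article. It assumes Linux (AF_PACKET raw sockets, which need CAP_NET_RAW or root) and an interface name supplied by the caller; the MAC addresses are invented, and the IP addresses are Venus and Cupid from the text. One practical point the article does not mention: a switch floods frames whose destination MAC it has never learned, so the bogus-MAC probes reach every port even on a switched segment.

```python
"""Promiscuous-mode probes (ping method and ARP method) built from raw bytes.

Added example, not code from the original article. Assumes Linux AF_PACKET raw
sockets (CAP_NET_RAW) and a segment where the suspect can hear us; the MAC
addresses are invented, the IPs are Venus and Cupid from the text."""
import socket
import struct
import time

ETH_P_IP, ETH_P_ARP, ETH_P_ALL = 0x0800, 0x0806, 0x0003

OUR_MAC = "00:11:22:33:44:55"        # constructed
OUR_IP = "144.16.103.3"              # Venus
SUSPECT_IP = "144.16.103.2"          # Cupid
BOGUS_MAC = "00:00:00:00:00:01"      # unicast address no host owns: normal adaptors drop it
FAKE_SRC_MAC = "00:de:ad:be:ef:01"   # Ethernet source for the broadcast-ping step
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def ip_checksum(data):
    """RFC 1071 one's-complement checksum; over a finished header it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ethernet(dst_mac, src_mac, ethertype, payload):
    header = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype)
    return header + payload.ljust(46, b"\x00")  # pad to the Ethernet minimum


def ipv4_icmp_echo(src_ip, dst_ip, icmp_type=8, ident=0x4242, seq=1, data=b"promisc-probe"):
    """IPv4 packet carrying an ICMP echo request (type 8) or reply (type 0)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + data
    icmp = icmp[:2] + struct.pack("!H", ip_checksum(icmp)) + icmp[4:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), ident, 0, 64, 1, 0,
                      socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + icmp


def arp_request(sender_mac, sender_ip, target_ip):
    """ARP 'who has target_ip? tell sender_ip', target hardware address zeroed."""
    return (struct.pack("!HHBBH", 1, ETH_P_IP, 6, 4, 1) + mac_bytes(sender_mac)
            + socket.inet_aton(sender_ip) + b"\x00" * 6 + socket.inet_aton(target_ip))


def ping_probe():
    """Ping method: echo request for the suspect, addressed to a MAC nobody owns."""
    return ethernet(BOGUS_MAC, OUR_MAC, ETH_P_IP, ipv4_icmp_echo(OUR_IP, SUSPECT_IP))


def arp_probe():
    """ARP method, step 1: non-broadcast ARP request. Only a promiscuous host
    processes it; it answers and caches OUR_IP -> OUR_MAC from the sender fields."""
    return ethernet(BOGUS_MAC, OUR_MAC, ETH_P_ARP, arp_request(OUR_MAC, OUR_IP, SUSPECT_IP))


def broadcast_ping():
    """ARP method, step 2: broadcast echo request with our IP but a fake Ethernet
    source, so only a host holding the sniffed cache entry replies straight to
    OUR_MAC instead of broadcasting an ARP request for our IP first."""
    return ethernet(BROADCAST_MAC, FAKE_SRC_MAC, ETH_P_IP,
                    ipv4_icmp_echo(OUR_IP, SUSPECT_IP, seq=2))


def is_echo_reply_to_us(frame, suspect_ip=SUSPECT_IP, our_mac=OUR_MAC):
    """ICMP echo reply from suspect_ip, delivered to our real MAC."""
    if len(frame) < 42 or frame[:6] != mac_bytes(our_mac) or frame[12:14] != b"\x08\x00":
        return False
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 1 or socket.inet_ntoa(frame[26:30]) != suspect_ip:
        return False
    return frame[14 + ihl] == 0


def is_arp_reply_to_us(frame, suspect_ip=SUSPECT_IP, our_mac=OUR_MAC):
    """ARP reply (opcode 2) from suspect_ip, delivered to our real MAC."""
    if len(frame) < 42 or frame[:6] != mac_bytes(our_mac) or frame[12:14] != b"\x08\x06":
        return False
    return frame[20:22] == b"\x00\x02" and socket.inet_ntoa(frame[28:32]) == suspect_ip


def send_and_listen(iface, frame, matcher, timeout=2.0):
    """Send one probe on iface and return True if a frame satisfying matcher
    arrives within timeout. The interface name is a caller-supplied assumption."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL)) as s:
        s.bind((iface, 0))
        s.settimeout(timeout)
        s.send(frame)
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            try:
                reply = s.recv(65535)
            except socket.timeout:
                break
            if matcher(reply):
                return True
    return False


if __name__ == "__main__":
    # Live run on a Linux host, interface name assumed:
    #   send_and_listen("eth0", ping_probe(), is_echo_reply_to_us)
    #   send_and_listen("eth0", arp_probe(), is_arp_reply_to_us)
    for name, build in (("ping", ping_probe), ("arp", arp_probe), ("bcast", broadcast_ping)):
        print(name, build().hex())
```

Run it without arguments to print the three frames as hex and check them in a decoder; run the send_and_listen calls from the main block on a live segment. Treat a reply as evidence and silence as inconclusive, for the reason given under the ping method.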
On the Local Host: Often, after your machine has been compromised, attackers will leave a sniffer on it in order to harvest credentials for other hosts. On the local machine, run ifconfig. On a clean machine the output will look like this:
eth0 Link encap:Ethernet HWaddr 52:54:05:F3:95:01
inet addr:203.199.66.243 Bcast:203.199. ...
UP BROADCAST RUNNING MULTICAST MTU:1500 ...
But on a machine running a sniffer the output will be like this:
eth0 Link encap:Ethernet HWaddr 52:54:05:F3:95:01
inet addr:203.199.66.243 Bcast:203.199. ...
UP BROADCAST RUNNING PROMISC MULTICAST ...
(Output slightly modified to fit screen.) Note that on current Linux kernels this flag appears only when promiscuous mode was requested through the interface flags (ifconfig eth0 promisc, or ip link set eth0 promisc on). Sniffers built on libpcap, such as tcpdump, request it through a packet-socket membership instead; that path increments the kernel's per-device promiscuity counter and logs "device eth0 entered promiscuous mode", but leaves the ifconfig flag clear. So also run ip -d link show, which prints the counter as "promiscuity 1", and check dmesg. Bear in mind, too, that a rootkit installed alongside the sniffer may hide all of this; on a host you believe is compromised, check from a known-good environment.
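A local check that reads both signals, the promiscuity counter from ip -d link show and the kernel log lines, as an added example and not the article's own code. It runs on constructed sample output (the eth0 lines model a tcpdump-style sniffer with no PROMISC flag, eth1 a flag set with ip link); the check_live function runs the real commands on a Linux host and is the only part that needs one.

```python
"""Local promiscuous-mode check for Linux. Added example, not the article's code.
Parses `ip -d link show` (promiscuity counter and PROMISC flag) and the kernel
log; the sample outputs below are constructed, trimmed to the relevant fields."""
import re
import subprocess

SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 promiscuity 0 minmtu 0 maxmtu 0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:05:f3:95:01 brd ff:ff:ff:ff:ff:ff promiscuity 1 minmtu 68 maxmtu 65535
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:05:f3:95:02 brd ff:ff:ff:ff:ff:ff promiscuity 1 minmtu 68 maxmtu 65535
"""

SAMPLE_DMESG = """\
[ 4021.117733] device eth0 entered promiscuous mode
[ 4088.400511] device eth0 left promiscuous mode
[ 5100.222333] device eth0 entered promiscuous mode
"""

# "2: eth0: <FLAGS> ..." or "4: veth0@if5: <FLAGS> ..." header lines
HEADER_RE = re.compile(r"^\d+:\s+([^:@\s]+)(?:@\S+)?:\s+<([^>]*)>")
COUNTER_RE = re.compile(r"\bpromiscuity (\d+)\b")
EVENT_RE = re.compile(r"device (\S+) (entered|left) promiscuous mode")


def promiscuous_interfaces(ip_link_output):
    """Map interface -> {'flag': PROMISC flag set?, 'promiscuity': counter}
    for every interface where either signal is present. The counter catches
    libpcap-style sniffers that never set the flag."""
    found = {}
    name = None
    for line in ip_link_output.splitlines():
        m = HEADER_RE.match(line)
        if m:
            name, flags = m.group(1), m.group(2).split(",")
            if "PROMISC" in flags:
                found[name] = {"flag": True, "promiscuity": 0}
            continue
        m = COUNTER_RE.search(line)
        if m and name:
            count = int(m.group(1))
            if count or name in found:
                entry = found.setdefault(name, {"flag": False, "promiscuity": 0})
                entry["promiscuity"] = count
    return found


def promiscuous_from_dmesg(dmesg_text):
    """Devices whose most recent kernel log event is 'entered promiscuous mode'."""
    state = {}
    for dev, action in EVENT_RE.findall(dmesg_text):
        state[dev] = (action == "entered")
    return {dev for dev, on in state.items() if on}


def check_live():
    """Run the real commands (Linux; reading dmesg may require root)."""
    links = subprocess.run(["ip", "-d", "link", "show"], capture_output=True,
                           text=True, check=True).stdout
    try:
        logs = subprocess.run(["dmesg"], capture_output=True, text=True, check=True).stdout
    except (subprocess.CalledProcessError, FileNotFoundError):
        logs = ""  # not readable as this user, or no dmesg: rely on the counter alone
    return promiscuous_interfaces(links), promiscuous_from_dmesg(logs)


if __name__ == "__main__":
    print("sample:", promiscuous_interfaces(SAMPLE_IP_LINK), promiscuous_from_dmesg(SAMPLE_DMESG))
    print("live:", check_live())
```

On the sample, eth0 is reported with a zero flag but a counter of 1, which is exactly the case ifconfig misses; eth1 shows both. The two signals disagree only when promiscuity was set one way and not the other, so report an interface if either is set.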
Latency Method: This method rests on the assumption that most sniffers parse what they capture. Simply put, a large amount of traffic is sent on the network, and the suspect machine is pinged before and during the flood. If the machine is in promiscuous mode, it receives and parses all of that traffic, the extra load slows it down, and it takes longer to answer the ping. The difference in response times can be used as an indicator of whether or not the machine is in promiscuous mode. A point worth noting is that the flood also loads the wire itself, which delays packets to every host and produces false positives; measure a known-clean host on the same segment at the same time and compare.
The best way to secure yourself against sniffing is to use encryption. While this won't prevent a sniffer from functioning, it will ensure that what the sniffer captures is ciphertext it cannot read.
Switch to SSH. SSH is fast becoming the de facto standard method of connecting to a UNIX/Linux machine, replacing telnet, rlogin and FTP, all of which send passwords in cleartext. For more information on SSH, check out www.ssh.fi/. You might also want to check out the open-source implementation, OpenSSH, at www.openssh.org/.
Comments
Very Good Article
A very informative article. Thank you for taking the time to write it.