Packet Sniffers

Packet sniffing is a technique whereby (most commonly) the Ethernet card in a computer is placed in promiscuous mode and used to monitor all traffic on a network segment, not just the frames addressed to that computer. Conceptually this is much like a wiretap on a telephone, except that dozens of conversations may be monitored simultaneously. This works as described on a shared, hub-based segment; on a switched network a port normally sees only its own traffic and broadcasts.

Some sniffer programs, such as tcpdump, capture only raw packets, while others, such as sniffit, have built-in packet reconstruction and address filters. Some have an explicit password filter, producing a compact log of username/password/host triples. Some apparently send detected passwords to an IRC channel in real time.

Detection and prevention

The program ifstatus may be run regularly to determine whether an interface is in promiscuous mode. If run from crontab, the owner will usually get email when ifstatus detects a problem. Unfortunately, ifstatus must be installed on each separate computer at risk.
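As an added example of the same cron-driven check on a current Linux host (this is not ifstatus, nor any code from the page), the script below parses the output of the iproute2 command `ip -d link show`, whose "promiscuity N" field is the kernel's count of promiscuous-mode requests for the interface. The sample output embedded in the script is constructed for illustration.

```python
"""Report Linux interfaces with a non-zero promiscuity count.

Added example, not the ifstatus program from the page.  Assumes Linux and
the iproute2 `ip` command; the parsed text is the format of `ip -d link show`.
"""
import re
import subprocess

# Constructed sample of `ip -d link show` output (three interfaces, eth0 promiscuous).
SAMPLE_OUTPUT = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 promiscuity 0 minmtu 0 maxmtu 0 addrgenmode eui64
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff promiscuity 1 minmtu 68 maxmtu 65535 addrgenmode eui64
3: veth0@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0 promiscuity 0 minmtu 68 maxmtu 65535
"""

IFACE_LINE = re.compile(r"^\d+:\s+([^:@\s]+)")      # "2: eth0:" or "3: veth0@if4:"
PROMISC_FIELD = re.compile(r"\bpromiscuity\s+(\d+)")


def parse_promiscuity(text):
    """Map interface name -> promiscuity count from `ip -d link show` output."""
    counts = {}
    name = None
    for line in text.splitlines():
        m = IFACE_LINE.match(line)
        if m:                      # start of a new interface block
            name = m.group(1)
            continue
        m = PROMISC_FIELD.search(line)
        if m and name is not None:
            counts[name] = int(m.group(1))
    return counts


def promiscuous_interfaces(text):
    """Names of interfaces whose promiscuity count is greater than zero."""
    return sorted(n for n, c in parse_promiscuity(text).items() if c > 0)


def check_live():
    """Run `ip -d link show` on this host and return the promiscuous interfaces."""
    out = subprocess.run(["ip", "-d", "link", "show"], capture_output=True,
                         text=True, check=True).stdout
    return promiscuous_interfaces(out)


if __name__ == "__main__":
    # From cron, any output is mailed to the crontab owner, e.g.
    #   */10 * * * * /usr/local/sbin/promisc_check.py
    for iface in check_live():
        print(f"WARNING: {iface} is in promiscuous mode")
```

Two caveats a practitioner should know. First, the PROMISC flag that ifconfig, `ip link` and /sys/class/net/*/flags display reflects only promiscuity requested explicitly through the interface-flags ioctl; libpcap-based tools such as tcpdump request it through PACKET_MR_PROMISC on their capture socket, which raises the promiscuity count (and makes the kernel log a line containing "entered promiscuous mode") without setting that flag, so a flag-only check misses them. Second, a sniffer that does not need promiscuous mode, such as one capturing only traffic to the compromised host itself, is not detected this way at all.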

There is now a program, neped, which can detect some Unix variants running a sniffer from across the network: it sends ARP requests whose Ethernet destination address does not match the target host, and a host whose interface is in promiscuous mode accepts and answers them anyway, revealing itself through this IP/MAC mismatch.
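The exchange behind that kind of probe, as an added example written in the spirit of neped (it is not neped's code, and makes no claim about the exact addresses neped uses): build an ARP request for the target's IP address inside an Ethernet frame whose destination MAC is the assumed "fake broadcast" ff:ff:ff:ff:ff:fe. A normally configured NIC drops such a frame in hardware; an interface in promiscuous mode passes it up to the kernel, whose ARP code sees its own IP as the target and replies. A reply to a frame the host should never have seen is the mismatch that gives the sniffer away. Sending the probe assumes Linux, root and an AF_PACKET socket; the frame construction and reply parsing run anywhere.

```python
"""ARP-based remote promiscuous-mode probe (added example, not neped itself)."""
import socket
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FRAME_LEN = 14 + 28                           # Ethernet header + ARP body
FAKE_BROADCAST = bytes.fromhex("fffffffffffe")    # assumed probe destination MAC
ETH_FMT, ARP_FMT = "!6s6sH", "!HHBBH6s4s6s4s"     # dst,src,type / ht,pt,hl,pl,op,sha,spa,tha,tpa


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(oper, src_mac, src_ip, target_mac, target_ip, dst_mac):
    """Build a raw Ethernet/ARP frame (the probe, or a reply when simulating a target)."""
    eth = struct.pack(ETH_FMT, dst_mac, mac_bytes(src_mac), ETH_P_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                      mac_bytes(src_mac), socket.inet_aton(src_ip),
                      mac_bytes(target_mac), socket.inet_aton(target_ip))
    return eth + arp


def build_probe(src_mac, src_ip, target_ip):
    """ARP request for target_ip, deliberately addressed to the fake broadcast MAC."""
    return build_arp(ARP_REQUEST, src_mac, src_ip, "00:00:00:00:00:00",
                     target_ip, FAKE_BROADCAST)


def parse_arp_reply(frame):
    """Return (sender_mac, sender_ip) if frame is an ARP reply, else None."""
    if len(frame) < ARP_FRAME_LEN:
        return None
    _dst, _src, ethertype = struct.unpack(ETH_FMT, frame[:14])
    if ethertype != ETH_P_ARP:
        return None
    _ht, _pt, _hl, _pl, oper, sha, spa, _tha, _tpa = struct.unpack(ARP_FMT, frame[14:42])
    if oper != ARP_REPLY:
        return None
    return mac_str(sha), socket.inet_ntoa(spa)


def looks_promiscuous(target_ip, frames):
    """True if any captured frame is an ARP reply from target_ip to our probe."""
    for frame in frames:
        reply = parse_arp_reply(frame)
        if reply is not None and reply[1] == target_ip:
            return True
    return False


def probe_host(iface, src_ip, target_ip, timeout=1.0):
    """Send the probe on iface and collect ARP frames for `timeout` seconds (Linux, root)."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ARP))
    s.bind((iface, 0))
    src_mac = mac_str(s.getsockname()[4])         # hardware address of iface
    s.settimeout(timeout)
    s.send(build_probe(src_mac, src_ip, target_ip))
    frames = []
    try:
        while True:
            frames.append(s.recv(65535))
    except socket.timeout:
        pass
    finally:
        s.close()
    return looks_promiscuous(target_ip, frames)
```

Whether a given host answers depends on its operating system's ARP input checks and on how well its NIC filters frames in hardware, so the result should be treated as an indicator, not proof: interfaces on bridges or in virtual machines often receive every frame anyway (false positives), while a host with ARP filtering, or a sniffer that is not in promiscuous mode, is not revealed (false negatives).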

Packet sniffers usually have to be run as root, which implies that root must first be compromised. The sniffer typically generates a logfile, which must be hidden somewhere, such as in hidden directories (e.g. "...") or in less-frequented system directories (e.g. X11 support files). The name of the sniffer may be disguised, but it will show up in process listings (ps, top) as using CPU. The intruder must log in to the host occasionally to retrieve the logs, and restart the sniffer to avoid accumulating suspicious-looking CPU time.
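A disguised process name and a hidden logfile do not hide the one thing a sniffer cannot do without: its capture socket. As an added example (not a tool from the page), the script below reads /proc/net/packet, the Linux kernel's list of AF_PACKET sockets, and maps each socket's inode to the process holding it through the socket:[INODE] links under /proc/PID/fd. It assumes a Linux host; reading other users' fd links needs root. The /proc/net/packet text embedded in the script is a constructed sample in the kernel's format.

```python
"""Find processes holding AF_PACKET (raw capture) sockets on Linux (added example)."""
import os

# Constructed sample in the format of /proc/net/packet.  Columns: socket
# address, refcount, socket type, bound ethertype (hex), ifindex, running,
# receive memory, uid, inode.
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff8881 3      3    0003   2     1 0      0      12345
ffff8882 3      2    0800   0     1 0      100    67890
"""

ETH_P_ALL = 0x0003      # socket receives every ethertype
SOCK_RAW = 3            # whole frames including the link-layer header


def parse_proc_net_packet(text):
    """Parse /proc/net/packet text into a list of socket records."""
    records = []
    for line in text.splitlines()[1:]:          # first line is the header
        f = line.split()
        if len(f) < 9:
            continue
        records.append({
            "type": int(f[2]),
            "proto": int(f[3], 16),
            "ifindex": int(f[4]),               # 0 = bound to all interfaces
            "uid": int(f[7]),
            "inode": int(f[8]),
        })
    return records


def capture_everything(rec):
    """True for sockets that see whole frames of every protocol: the sniffer profile."""
    return rec["type"] == SOCK_RAW and rec["proto"] == ETH_P_ALL


def socket_owners(inode):
    """Return {pid: comm} for processes whose fd table holds socket:[inode]."""
    target = f"socket:[{inode}]"
    owners = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        fd_dir = f"/proc/{pid}/fd"
        try:
            fds = os.listdir(fd_dir)
        except OSError:                         # no permission, or process gone
            continue
        for fd in fds:
            try:
                if os.readlink(f"{fd_dir}/{fd}") == target:
                    with open(f"/proc/{pid}/comm") as fh:
                        owners[int(pid)] = fh.read().strip()
                    break
            except OSError:
                continue
    return owners


def report():
    """List the live packet sockets on this host with their owning processes."""
    with open("/proc/net/packet") as fh:
        records = parse_proc_net_packet(fh.read())
    for rec in records:
        flag = "ALL-FRAMES" if capture_everything(rec) else ""
        print(f"inode {rec['inode']} uid {rec['uid']} ifindex {rec['ifindex']} "
              f"proto {rec['proto']:#06x} {flag} owners={socket_owners(rec['inode'])}")


if __name__ == "__main__":
    report()
```

This catches a sniffer whether or not it put the interface into promiscuous mode, and renaming the process does not help it. Legitimate programs (DHCP clients, LLDP daemons, some monitoring agents) also hold packet sockets, so compare the list against a known-good baseline rather than alarming on every entry; note too that /proc/net/packet shows only the current network namespace, so sockets inside containers need to be checked from within them, and that tcpdump drops privileges after opening its socket, so the uid column need not be 0.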

Sniffers are typically run by an intruder on a Unix machine. It is possible for a Windows machine to run a sniffer too, by someone with physical access to the PC. The Juggernaut network cracker allegedly can reside on a bootable floppy disk which an intruder could run on an unattended PC, and there are plenty of Ethernet monitoring tools available for Windows. The Windows 95 trojan/admin tool Back Orifice has a sniffer plugin which may be run across the network. (WinTop from the Kerneltoys package may be useful for monitoring system activity for unauthorized programs.)

In theory, a program propagated as a virus could act as a packet sniffer and open a TCP/IP socket allowing an intruder to retrieve the data logs remotely. This is conceptually possible with a Back Orifice plugin.

Avoidance

Traffic may be made resistant to sniffing by encrypting it, for instance with ssh: a sniffer still sees the packets, but not the usernames, passwords or session contents inside them. Ethernet bridges may be used to split sensitive routes off from the general network, so that a sniffer on one segment does not see traffic on another.

X-terminal users may wish to use LAT to connect to an Alpha, then ssh to connect to the required host; LAT transport is not monitored by common sniffers. Another possibility is to run telnet on a less-common TCP port, e.g. 57, since password filters typically monitor only port 23. You would have to configure inetd.conf on the host machine to enable this. Note that this only defeats port-based password filters: a sniffer capturing raw packets still records the unencrypted session, so it is no substitute for ssh.

A.Daviel