Network Sniffers

Read this article to learn about network sniffers and the reasons sniffers are used. How are network sniffers detected? What are two common network sniffers?


Sniffer

A sniffer (network sniffer) is a tool that can intercept, log, and sometimes parse traffic passing over a network or a network segment.


Common Uses

  • Analyze network problems;
  • Detect intrusion attempts;
  • Monitor network usage;
  • Spy on other users and collect sensitive information such as passwords.


Detection of network sniffers

Passive sniffing

A purely passive sniffer sends no traffic of its own, so in general it cannot be detected directly; the techniques below rely on side effects of the sniffing host's behaviour.

  • Detecting promiscuous mode

It is possible to detect a network interface in promiscuous mode by sending a request (ICMP, ARP, etc.) addressed to the IP address of the suspect machine but carrying a wrong destination MAC address. An interface in promiscuous mode passes such a frame up to the operating system, which answers the request; an interface in normal (non-promiscuous) mode drops the frame because the destination MAC is not its own, so no reply is sent.
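The probe described above, as an added example that is not part of the original wiki page: it builds the ARP request with a deliberately wrong destination MAC, models the suspect host's receive filter in both modes, and flags a reply as evidence of promiscuous mode. All MAC and IP addresses are constructed sample values.

```python
"""Promiscuous-mode probe (added example, not from the wiki page).
The ARP request is addressed to a MAC that no host owns.  In normal mode
the NIC's hardware filter drops it; in promiscuous mode the frame reaches
the kernel, which answers the ARP request and so reveals the sniffer.
MACs and IPs used here are constructed sample values."""
import struct

BOGUS_DST_MAC = "ff:ff:ff:ff:ff:fe"   # neither broadcast nor any real host
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))

def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))

def build_probe(src_mac, src_ip, target_ip):
    """Ethernet II frame + ARP who-has target_ip, destination MAC deliberately wrong."""
    eth = mac_bytes(BOGUS_DST_MAC) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)  # htype, ptype, hlen, plen, op
    arp += mac_bytes(src_mac) + ip_bytes(src_ip) + b"\x00" * 6 + ip_bytes(target_ip)
    return eth + arp

def host_response(probe, host_mac, host_ip, promiscuous):
    """Model of the suspect host: NIC receive filter, then the kernel's ARP responder."""
    dst = probe[0:6]
    if not promiscuous and dst not in (mac_bytes(host_mac), b"\xff" * 6):
        return None                      # hardware filter drops the frame
    if struct.unpack("!H", probe[12:14])[0] != ETHERTYPE_ARP:
        return None
    if probe[38:42] != ip_bytes(host_ip):  # ARP asks about some other host
        return None
    eth = probe[6:12] + mac_bytes(host_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += mac_bytes(host_mac) + ip_bytes(host_ip) + probe[22:32]  # target = the prober
    return eth + arp

def promiscuous_detected(reply):
    """True when an ARP reply came back to a probe that no normal NIC should accept."""
    if reply is None or len(reply) < 42:
        return False
    return struct.unpack("!H", reply[20:22])[0] == ARP_REPLY

if __name__ == "__main__":
    probe = build_probe("02:00:00:00:00:01", "192.0.2.1", "192.0.2.50")
    for mode in (False, True):
        reply = host_response(probe, "02:00:00:00:00:50", "192.0.2.50", mode)
        print("promiscuous" if mode else "normal", "->", promiscuous_detected(reply))
```

Real stacks differ in how strictly they check the destination MAC before answering, so a negative result does not prove the interface is in normal mode; a positive result is the useful signal.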

  • Detecting reverse DNS lookup requests

Some sniffing programs automatically perform reverse DNS lookups on the IP addresses they see. Such programs can be detected by correlating observed network traffic with the reverse DNS (PTR) lookup requests a host sends.

  • Detecting network sniffers using a honeypot (creating fake accounts and monitoring for connections to them)


Active sniffing

Many sniffing programs provide special techniques to intercept traffic on a switched network:

  • ARP spoofing;
  • Fake DHCP server;
  • ICMP redirection.

As well as techniques for intercepting encrypted sessions:

  • Man-in-the-middle attacks.

Because these active techniques inject traffic into the network (spoofed ARP replies, DHCP offers, ICMP redirects), they leave traces that can be detected in various ways.


Cheating network sniffers

  • IP fragmentation

Some sniffing programs cannot handle IP fragmentation correctly.

  • Shortcomings in TCP reassemblers

It is possible to cheat some TCP reassemblers by sending TCP packets with low IP TTL values (such a packet may not reach the destination host, but it will still be analysed by a network sniffer along the path). This breaks the TCP stream the sniffer reconstructs.

  • Encryption: VPN tunnels, SSH tunnels, Tor.
  • Hidden channels


Sniffers

  • tcpdump
  • Wireshark
  • Xplico
  • NetworkMiner
  • Cain & Abel
  • ettercap (unsupported, last version - 2005/05/29)
  • dsniff (obsolete, last stable version - 2000/12/17)
  • justniffer


Source: https://forensicswiki.xyz, https://forensicswiki.xyz/wiki/index.php?title=Sniffer
This work is licensed under a Creative Commons Attribution 4.0 License.

Last modified: Thursday, April 15, 2021, 4:47 PM