Sniffers: what are they and how to protect

[Paul Wilders]

Quote:

Introduction

Have you ever thought about how your computer talks with others on a network? Would you like to listen to, or “sniff”, the conversation? Network engineers, system administrators, security professionals and, unfortunately, crackers have long used a tool that allows them to do exactly that. This nifty utility, known as a sniffer, can be found in the arsenal of every network guru, where it’s likely used everyday for a variety of tasks. This article will offer a brief overview of sniffers, including what they do, how they work, why users need to be aware of them, and what users can do to protect themselves against the illegitimate use of sniffers.

Read the full story here:

http://online.securityfocus.com/infocus/1549

[Checkout]

Surely - surely - there's a simple, tiny program that can tell you if your adaptor's in promiscuous mode or not?

[UNICRON]

http://www.securitysoftwaretech.com/antisniff/

[Checkout]

Quote:

http://www.securitysoftwaretech.com/antisniff/

Very much appreciated, Unicron - but the tag of $350 is about as attractive as a (insert your own image of something antisocial happening) in a crowded elevator.

Say, are you any good at detecting promiscuity? *Mwahahaha!

[javacool]

Brief synopsis for people:

It shouldn't matter, in many cases, if the network is sent through "routers" as the data is ONLY sent to one computer, unlike "hubs" which simply "scream" out the data (i.e. it is broadcast to everyone).

In the instance of a hub, a sniffer will work.

In most cases, many of the sniffers will NOT work on routered networks (unless, of course, they exploit some sort of not-yet-discovered vulnerability in how routers work - or use certain types of spoofing techniques).

On a side note, does anyone know of a tool to somehow discover if your network is on routers or on hubs or switches? (Given that many people do not have the physical access to the hardware, and *might* want to know such a thing.)

[UNICRON]

well.....running a packet sniffer might give you some clues......

http://www.ethereal.com

PS a trace route normally will report all the routers between you and a target IP. Pay attention to the routers on your ISPs network.

[javacool]

Quote:

well.....running a packet sniffer might give you some clues......

http://www.ethereal.com

PS a trace route normally will report all the routers between you and a target IP. Pay attention to the routers on your ISPs network.

I realize those are two good options - I was asking specficially for any programs that use some other method to determine if you are on a hubbed or routered network...(if there is any other way to determine such a thing)

[UNICRON]

No packets not intended for your machine will reach you if a router is between you and other computers. I am unsure what network you are referring to. Is it an office network, or your ISP's network that your home computer is on? I would be amazed if your ISP has all its customers on a hub, that would be rather scary.

So, it there is traffic not bound for you, then there are some computers not isolated from you by a router. Now most networks aren't a single tier system, and employ many routers and switches ect. That is what the trace may discover.

Also MS systems generally anounce their arrival on *a network via netbios (port 139) so a sweep of that port over the network may bear fruit.

if you are looking for a tool to analyze a network, there are many, but most are enterprise level tools and are expensive. There are fewer tools designed for smaller applications since in that environment said tools are of limited use.

[javacool]

Quote:

If you are looking for a tool to analyze a network, there are many, but most are enterprise level tools and are expensive. There are fewer tools designed for smaller applications since in that environment said tools are of limited use.

Do you happen to have any suggestions on enterprise level tools? That's what I was aiming my question at...sorry if I wasn't specific enough.