What is a network sniffer?
The word "Sniffer" is a registered trademark of Network Associates, Inc., used on its network analysis products. Colasoft has spent over 10 years refining its Capsa Packet Analyzer and sniffer, winning awards as an industry-leading packet capture and analysis application.
Today "sniffer" has become a generic name for network monitors and analyzers; it also refers to the collection of packet-level data. ISS defines a sniffer as a tool that uses a computer's network interface to capture data packets whose destination is other computers.
What is a network sniffer used for?
The typical use of a network sniffer is to analyze network traffic and bandwidth utilization so that underlying problems in the network can be identified. There are, however, two opposite uses of a sniffer, and both have coexisted since the tool was first produced.
Positive usage of a sniffer is also its regular usage; its objective is to maintain the network and keep it working normally:
- Capturing packets;
- Recording and analyzing traffic;
- Decoding packets and displaying protocol fields in clear text (encrypted payloads can be read only if the sniffer is given the keys);
- Converting data to a readable format;
- Showing relevant information like IP, protocol, host or server name and so on.
Not all packet sniffing products have the same functions; some sniffers can analyze hundreds of protocols whereas others can only deal with one or two. The most common protocol families analyzed by sniffers are TCP/IP, IPX and DECnet. Ordinarily, a sniffer is used as an assistant tool of the network engineer for monitoring and analyzing a network, detecting intrusions, controlling traffic or supervising network activity. It should be noted that the same features may also be used by attackers as a snooping tool to break into other computers.
Negative usage of a sniffer is well known for the harm it does to network security:
- Capturing passwords, which is the main reason for most illegal uses of sniffing tools;
- Capturing private transaction details such as usernames, credit card numbers, account numbers and passwords;
- Recording email or instant messages and reconstructing their content;
- Some sniffers can go beyond passive capture and modify or inject traffic, interfering with the target computer and damaging the system;
- Breaking the security of a network or gaining higher privileges.
With more and more attackers using packet sniffers, the sniffer has also become one of the most important tools in the defense against cyber-attacks and cyber-crime.
How does a network sniffer work?
To understand how a sniffer works, we need to know its main components and its working principles.
A sniffer is a combination of hardware and software. Different sniffers may be configured differently depending on their design and intended use, but basically a sniffer is composed of four parts: a network adapter, a capture driver, a buffer, and real-time analysis.
Network adapter
Most sniffing products work with standard adapters. Some sniffers support only Ethernet or wireless adapters, whereas others support multiple adapter types and allow customization. If you plan to install a sniffer on your computer, make sure you know what type of adapter you have and what type the sniffer requires.
Capture driver
The capture driver is the core component of a sniffer. Each sniffing product has its own driver, and only after the driver is installed can the sniffer start capturing traffic from the network.
Buffer
The buffer holds the data captured from the network. In general, there are two buffer modes: capture until the buffer is full and then stop, or capture continuously as a ring buffer in which the newest data overwrites the oldest. The buffer size is bounded by the computer's memory: the more memory available, the more data can be held in the buffer.
Real-time analysis
Capture and analysis are both the most basic and the most important features of a sniffer. Most sniffing products provide real-time analysis of captured packets, which is the main reason they are important tools for network engineers: errors and anomalies are recorded as they happen.
Some advanced sniffing products (like Colasoft's Capsa Enterprise sniffer) are able to replay the contents of captured packets. These advanced sniffers may even allow you to edit the contents and retransmit the packets to the network.
As a rule, all network interfaces on a segment are able to see all of the data transmitted on the physical medium, and each network interface is supposed to have a hardware (MAC) address different from every other interface on the network. Every network also has a broadcast address. In normal operation a network interface accepts only these kinds of frames:
- Frames whose destination address field matches the local interface's hardware address;
- Frames whose destination address field is the broadcast address (and, in practice, a multicast group the host has joined).
When a network interface card is set to promiscuous mode, it stops filtering on the destination address: it raises a hardware interrupt for every frame it sees, so that the operating system processes every packet passing on the wire, whether or not it was addressed to this host.
Each machine on a local network has its own hardware address, different from every other machine's. Because classic Ethernet is a shared medium, all computers on the segment share the same wire, so every machine can see the traffic passing by; in normal operation each machine is unresponsive to frames that do not belong to it and simply ignores them. However, if a machine's network interface is in promiscuous mode, its NIC takes in every frame it receives, and the machine (together with its software) becomes a sniffer. On a switched network, by contrast, a frame is normally forwarded only to the port where its destination address was learned, so a promiscuous interface sees only its own traffic and broadcasts unless traffic is mirrored to it; this is why the managed switch appears below as a defense.
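The filtering rule above can be made concrete in code. The following is an added illustration for this article, not Colasoft code: it models the destination filter a NIC applies in normal mode, the way promiscuous mode switches that filter off, and the header decoding a sniffer then performs. The three frames, the MAC addresses and the IP addresses are constructed for the example.

```python
"""Model of the NIC destination filter that promiscuous mode switches off,
and of the header decoding a sniffer performs on the frames it receives.

Added illustration for this article, not Colasoft code. Every frame below is
constructed by hand; MAC and IP addresses are made up for the example."""
import struct

BROADCAST = bytes.fromhex("ffffffffffff")
ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Ethernet II header: 6-byte destination, 6-byte source, 2-byte type."""
    return dst + src + struct.pack("!H", ethertype) + payload


def build_ipv4_tcp(src_ip: str, dst_ip: str, sport: int, dport: int,
                   payload: bytes = b"") -> bytes:
    """Minimal IPv4 + TCP headers (checksums left zero; we only decode them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return ip + tcp + payload


def nic_accepts(frame: bytes, own_mac: bytes, promiscuous: bool,
                joined_groups=()) -> bool:
    """Decide whether the interface hands this frame to the operating system.

    Normal mode keeps frames addressed to this interface, to the broadcast
    address, or to a multicast group the host joined (group addresses have
    the low bit of the first octet set). Promiscuous mode skips the check."""
    if len(frame) < 14:
        return False                      # runt frame, dropped
    if promiscuous:
        return True
    dst = frame[:6]
    if dst == own_mac or dst == BROADCAST:
        return True
    return bool(dst[0] & 0x01) and dst in joined_groups


def decode_ipv4_tcp(frame: bytes):
    """Return (src_ip, dst_ip, sport, dport) for an IPv4/TCP frame, else None."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:                        # IP protocol 6 = TCP
        return None
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    dotted = lambda b: ".".join(str(x) for x in b)
    return dotted(ip[12:16]), dotted(ip[16:20]), sport, dport


def capture(frames, own_mac: bytes, promiscuous: bool):
    """What a sniffer on the host owning own_mac would log: the TCP
    conversations found in every frame its interface accepted."""
    seen = []
    for frame in frames:
        if nic_accepts(frame, own_mac, promiscuous):
            conv = decode_ipv4_tcp(frame)
            if conv is not None:
                seen.append(conv)
    return seen


# Constructed segment: A runs our model, B talks to A and, separately, to C.
MAC_A, MAC_B, MAC_C = (bytes.fromhex("02000000000" + x) for x in "abc")
SAMPLE_FRAMES = [
    build_frame(MAC_A, MAC_B, ETHERTYPE_IPV4,
                build_ipv4_tcp("10.0.0.11", "10.0.0.10", 40000, 23)),  # B -> A telnet
    build_frame(MAC_C, MAC_B, ETHERTYPE_IPV4,
                build_ipv4_tcp("10.0.0.11", "10.0.0.12", 40001, 23)),  # B -> C telnet
    build_frame(BROADCAST, MAC_B, ETHERTYPE_ARP,
                b"\x00\x01\x08\x00" + b"\x00" * 24),                   # ARP who-has
]

if __name__ == "__main__":
    print("normal mode:     ", capture(SAMPLE_FRAMES, MAC_A, promiscuous=False))
    print("promiscuous mode:", capture(SAMPLE_FRAMES, MAC_A, promiscuous=True))
```

In normal mode host A only learns about the telnet session directed at itself (plus the broadcast ARP, which carries no TCP conversation); in promiscuous mode it also logs B's telnet session with C, which is exactly the kind of third-party traffic a password sniffer is after. The model assumes a shared medium: on a switch, the B-to-C frame would never reach A's port in the first place.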
How to find a network sniffer?
It is very hard to detect whether there is a sniffer on your network, because its activity is quiet though powerful; sometimes it leaves no trace at all. The following methods may help:
- Run your own sniffer and watch for reverse DNS lookups: many sniffers resolve the IP addresses they capture to host names, so a machine that issues DNS queries for addresses it never exchanged traffic with may be sniffing;
- Judge from symptoms: if the packet loss rate on your network is abnormally high, or one machine occupies excessive bandwidth for an extended period, a sniffer may be present;
- Check whether your system's network interfaces are in promiscuous mode; if so, a sniffer may be running;
- Use anti-sniffer software to search for a sniffer on your system.
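The promiscuous-mode check can be scripted. The following is an added example, not part of the original article: on Linux the kernel exposes each interface's flag word in /sys/class/net/<interface>/flags, and IFF_PROMISC is bit 0x100 (from linux/if.h). The SAMPLE dictionary is constructed to show the values a host reports while a sniffer is running on eth0.

```python
"""Check whether any interface on a Linux host is in promiscuous mode.

Added example for this article, not part of the original text. The kernel
exposes each interface's flag word in /sys/class/net/<iface>/flags as a hex
string; IFF_PROMISC is bit 0x100 in <linux/if.h>. The SAMPLE dictionary is
constructed to show what the values look like while a sniffer is running."""
import os

IFF_UP = 0x1
IFF_PROMISC = 0x100
SYSFS_NET = "/sys/class/net"


def parse_flags(text: str) -> int:
    """sysfs returns a hex string with a trailing newline, e.g. 0x1103."""
    return int(text.strip(), 16)


def is_promiscuous(flags: int) -> bool:
    return bool(flags & IFF_PROMISC)


def read_interface_flags(root: str = SYSFS_NET) -> dict:
    """Read the flag word of every interface under root (empty dict off Linux)."""
    flags = {}
    if not os.path.isdir(root):
        return flags
    for iface in sorted(os.listdir(root)):
        try:
            with open(os.path.join(root, iface, "flags")) as fh:
                flags[iface] = parse_flags(fh.read())
        except (OSError, ValueError):
            continue          # not a real interface entry, or not readable
    return flags


def promiscuous_interfaces(flags_by_iface: dict) -> list:
    """Names of interfaces that are up and have IFF_PROMISC set."""
    return sorted(name for name, flags in flags_by_iface.items()
                  if flags & IFF_UP and is_promiscuous(flags))


# Constructed sample: eth0 while a sniffer runs on it; lo and wlan0 idle.
# 0x1103 = IFF_UP | IFF_BROADCAST (0x2) | IFF_PROMISC | IFF_MULTICAST (0x1000)
SAMPLE = {"lo": 0x9, "eth0": 0x1103, "wlan0": 0x1003}

if __name__ == "__main__":
    live = read_interface_flags() or SAMPLE
    for name in promiscuous_interfaces(live):
        print(f"{name}: promiscuous mode is on (flags 0x{live[name]:x})")
```

This is the same information `ip link show` prints as PROMISC in the flag list, and the kernel also logs "device eth0 entered promiscuous mode" when the flag is set, which is worth alerting on. The check only covers the host it runs on, and an attacker with root can alter what the system reports, so a clean result is not proof that no sniffer is present; sniffers on other machines are found only with the network-side methods above.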
How to protect yourself from a sniffer on your system?
There is no single solution that reliably prevents a sniffer from being installed or used against your system. Network administrators have a lot to do if they want to reduce the harm from sniffers. The most popular means are as follows:
With costs falling, a managed switch has become the main defense against sniffers, both effective and economical: a switch forwards each frame only to the port of its destination, so a promiscuous host on another port does not see it.
Encrypting your data reduces a sniffer's ability to access your private information. A sniffer can capture all the data, but without the keys it cannot decode and read encrypted data.
SSH (Secure Shell)
SSH is a protocol offering secure communication to application programs, based on a client/server model. The SSH server listens on TCP port 22. In the original SSH protocol the session key was exchanged with RSA and, once authentication completed, the session was encrypted with IDEA; current SSH-2 implementations use Diffie-Hellman key exchange and ciphers such as AES, which remain strong.
F-SSH is a higher-assurance, commercial version of SSH, historically used for military communication, offering strong encryption for all purposes. When it is in use on a site, a captured username and password are of little value to a sniffer. Like any cryptographic protocol, its security rests on correct configuration and on keeping the private keys secret, not on being unbreakable.
SSL (Secure Sockets Layer)
Initially developed by Netscape, SSL (and its successor TLS) transmits encrypted data over the Internet and has been applied widely. SSL provides three services:
- Authenticating the server (and optionally the client) so that data is sent to the right party;
- Encrypting data so that its content is hidden in transit;
- Protecting data integrity so that it cannot be modified undetected during transfer.
Besides the above encryption techniques, there are other tools you can try, such as Kerberos, Deslogin, VPNs, SMB/CIFS with signing and encryption enabled, and the like.
S/Key and other one-time password schemes make sniffed account information worthless. S/Key is based on the principle that the remote host holds a value derived from the password, while the password itself is never transmitted over the insecure network: when a user connects, the remote host sends a "challenge", and the correct "response" can be produced only by combining the challenge with the password through a one-way hash function. The security of S/Key lies in the fact that the password never crosses the network and that a given challenge/response pair is valid only once.
Another popular one-time technique is the hardware token (ID card): each authorized user carries a token that generates the codes needed to access their data, and without the token nobody can produce the code.
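A worked version of the S/Key exchange described above, added here as an illustration (it is not code from the article). It follows the chained-hash scheme of RFC 1760 but substitutes SHA-256 for the RFC's MD4 and uses raw digests instead of the six-word encoding; the secret, seed and chain length are constructed for the example.

```python
"""One-time passwords in the style of S/Key (RFC 1760), added here as an
illustration; it is not code from the article. It replaces the RFC's MD4
with SHA-256 and uses raw digests instead of the six-word encoding, and the
secret, seed and chain length are constructed for the example."""
import hashlib


def hash_once(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def otp(secret: str, seed: str, i: int) -> bytes:
    """H^i(seed || secret): the i-th one-time password, computed by the client."""
    x = (seed + secret).encode()
    for _ in range(i):
        x = hash_once(x)
    return x


class SkeyServer:
    """Stores only seed, sequence number n and H^n; never the secret itself."""

    def __init__(self, secret: str, seed: str, n: int):
        self.seed, self.n = seed, n
        self.stored = otp(secret, seed, n)   # computed once at enrolment

    def challenge(self):
        """Sent in the clear: 'give me password number n-1 for this seed'."""
        return self.n - 1, self.seed

    def verify(self, response: bytes) -> bool:
        """Accept iff H(response) equals the stored value, then move down the chain.

        At n == 1 the next response would be H^0, i.e. the seed and secret in
        clear, so the chain is treated as exhausted and must be re-enrolled."""
        if self.n <= 1 or hash_once(response) != self.stored:
            return False
        self.stored, self.n = response, self.n - 1   # response becomes new top
        return True


def login(server: SkeyServer, secret: str) -> bytes:
    """Client side: compute the requested OTP; only this value hits the wire."""
    i, seed = server.challenge()
    return otp(secret, seed, i)


def demo():
    """Constructed run: a sniffer captures the first OTP and tries to replay it."""
    secret, seed = "correct horse battery", "ab12"
    server = SkeyServer(secret, seed, n=5)
    sniffed = login(server, secret)
    return {
        "first_use": server.verify(sniffed),                      # genuine login
        "replay": server.verify(sniffed),                         # sniffed value reused
        "next_login": server.verify(login(server, secret)),       # legitimate user again
        "wrong_secret": server.verify(login(server, "guess")),    # attacker's guess
    }


if __name__ == "__main__":
    for event, accepted in demo().items():
        print(f"{event}: {'accepted' if accepted else 'rejected'}")
```

What the sniffer gets is H^4; to log in next it would need H^3, which requires inverting the hash, and replaying H^4 fails because the server has already moved its stored value down to H^4 itself. The weakness the scheme does not cover is the first enrolment and the chain's end: both must happen over a trusted path, since H^0 is the secret in clear.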
Rejecting promiscuous mode
To capture traffic addressed to other hosts, a sniffer needs promiscuous mode, so it is crucial to know whether your system's interfaces can be put into that mode. In the past, most network interface cards of DOS-compatible computers did not support promiscuous mode; now the reverse is true. Ask your system provider whether your network interface supports promiscuous mode and whether it can be disabled, and make sure that only privileged users are able to enable it.