
Network Sniffer Introduction

Network Sniffer is a tool that can help you locate network problems with ease.

Network Sniffer is a powerful network analysis tool. It consists of a well-integrated set of functions that can resolve network problems. Network Sniffer can list all network packets in real time from multiple network adapters (including modem, ISDN and ADSL) and can also capture packets at the application level (SOCKET, TDI, etc.). You can observe all the traffic of the application you are interested in. It is easy to learn and simple to use. Network Sniffer has plug-ins for different protocols such as ETHERNET, IP, TCP, UDP, PPPOE, HTTP, FTP, WINS, PPP, SMTP, POP3 and so on.

  1. What is a network sniffer?
  2. What is a network sniffer used for?
  3. How does a network sniffer work?
  4. How to find a network sniffer?
  5. How to defend your system against a sniffer?

What is a network sniffer?

Sniffer is a registered trademark of Network Associates, Inc. used on their network analyzing products.

Today, "sniffer" has become a generic name for network monitors and analyzers; it also commonly stands for a means of collecting data and information. ISS defines a sniffer as a tool that uses a computer's network interfaces to capture data packets whose destination is other computers.


What is a network sniffer used for?

The typical use of a network sniffer is to analyze network traffic so that underlying problems in the network can be found. However, two opposite kinds of use have coexisted since the sniffer was created:

  1. Positive usage

    Positive use of a sniffer is also its regular use, whose aim is to keep the network and systems working normally.

    1. Capturing packets;
    2. Recording and analyzing traffic;
    3. Decrypting packets and displaying them in clear text;
    4. Converting data to readable format;
    5. Showing relevant information like IP, protocol, host or server name and so on.

    Not all sniffing software has the same functions; some sniffers can analyze hundreds of protocols, whereas others can only deal with one or two. The most common protocols analyzed by sniffers are TCP/IP, IPX and DECnet.
    Ordinarily, a sniffer is used as an aid to network management, since its monitoring and analysis features help us troubleshoot the network, detect intrusions, control traffic and supervise network content. But such features may also be used by hackers as a snooping tool to break into other computers.

  2. Negative usage

    The negative use of a sniffer is well known for the harm it does to network security:

    1. Capturing passwords, which is the main reason for most illegal uses of sniffing tools;
    2. Capturing special and private transaction information, like username, credit card ID, account and password;
    3. Recording email or instant messages and reconstructing their content;
    4. Some sniffers can even modify a target computer's information and damage the system;
    5. Undermining the security of network locations or gaining higher-level privileges.

    With more and more negative uses of sniffers, it is ironic that the sniffer is becoming the biggest obstacle to network security while at the same time being the most important tool for defending against network attacks.


How does a network sniffer work?

To understand how a sniffer works, we need to know the main components of a sniffer and its working principle.

  1. Components

    A sniffer is a combination of hardware and software. Different sniffers may have various configurations depending on their design and intended use, but basically a sniffer is composed of four parts:

    1. Hardware
      Most sniffing products can work with standard adapters. Some sniffers only support Ethernet or wireless adapters, whereas others support multiple adapters and allow users to customize, so if you plan to install a sniffer on your computer, you should first be sure what type of adapter you have and what type of adapter the sniffer requires.

    2. Driver program
      This is the core of a sniffer. Each sniffing product has its own driver program; only after its installation is complete can a sniffer start to capture traffic and data from the network.

    3. Buffer
      A buffer is the storage area for data captured from the network. In general, there are two buffer modes: keep capturing until the storage space is full, or keep capturing and wrapping around so that the latest captured data replaces the oldest. The size of the buffer depends on the computer's memory, that is, the more memory there is, the more data can be stored in the buffer.

    4. Packet analysis
      Capture and analysis are both the most basic and most important features of a sniffer. Most sniffing products provide real-time analysis of captured packets, which is the main reason why they are good assistants to network administrators: they record errors and abnormalities as they happen.
      Some advanced sniffing products are able to reassemble the contents of captured packets; they may also allow you to edit the content and transmit it onto the network.


  2. Working principle

    As a rule, all network interfaces on the same segment can see all the data transmitted on the physical medium. Each network interface is supposed to have a hardware address that differs from every other interface on the network, and every network also has at least one broadcast address. In the normal case, a legitimate network interface responds to only these two kinds of frames:

    1. The frame's destination field holds a hardware address matching the local network interface;
    2. The frame's destination field holds the broadcast address.

    When the local network interface card is set to promiscuous mode, it treats every frame as if it were addressed to itself and raises a hardware interrupt for each frame it sees, so that the operating system handles every packet passing through.

    Each machine on a local network has its own hardware address, which differs from the other machines'. When a packet is sent, it is transmitted to all available machines on the local network. Because classic Ethernet is a shared medium, all computers on a local network share the same wire, so under normal conditions every machine can see the traffic passing by but simply ignores the packets that do not belong to it. However, if a machine's network interface is in promiscuous mode, its NIC takes in every packet and frame it receives on the network; this machine (together with its software) is then a sniffer.
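To make the two acceptance rules concrete, here is an added example (not code from the page or from Colasoft) that models a NIC's frame filter in software over constructed Ethernet frames and shows how promiscuous mode turns host B into a sniffer of the whole segment.

```python
# Added example (not from the page): a software model of the NIC frame filter
# described above. MAC addresses and frames are constructed for the demo.
BROADCAST = bytes.fromhex("ffffffffffff")

def mac(s: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff' into six raw bytes."""
    return bytes.fromhex(s.replace(":", ""))

def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Minimal Ethernet II frame: dst(6) + src(6) + type(2) + payload."""
    return mac(dst) + mac(src) + ethertype.to_bytes(2, "big") + payload

def parse_frame(frame: bytes) -> dict:
    """Split the 14-byte Ethernet header off a raw frame."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    return {"dst": frame[0:6], "src": frame[6:12],
            "ethertype": int.from_bytes(frame[12:14], "big"),
            "payload": frame[14:]}

def nic_accepts(frame: bytes, own_mac: str, promiscuous: bool) -> bool:
    """Normal mode: only frames for this NIC or for broadcast reach the OS.
    Promiscuous mode: every frame seen on the wire is passed up."""
    if promiscuous:
        return True
    dst = parse_frame(frame)["dst"]
    return dst == mac(own_mac) or dst == BROADCAST

def captured_sources(frames, own_mac: str, promiscuous: bool) -> list:
    """Source MACs (hex strings) of the frames the NIC hands to the OS."""
    return [parse_frame(f)["src"].hex(":") for f in frames
            if nic_accepts(f, own_mac, promiscuous)]

# Constructed traffic on one shared segment with hosts A, B and C.
A, B, C = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"
SEGMENT = [
    build_frame(B, A, 0x0800, b"A->B unicast"),
    build_frame(C, A, 0x0800, b"A->C unicast"),
    build_frame("ff:ff:ff:ff:ff:ff", B, 0x0806, b"ARP who-has"),
    build_frame(A, C, 0x0800, b"C->A unicast"),
]

if __name__ == "__main__":
    # Host B sees only its own traffic and broadcasts in normal mode,
    # but the whole segment once its NIC is promiscuous.
    print("normal:     ", captured_sources(SEGMENT, B, promiscuous=False))
    print("promiscuous:", captured_sources(SEGMENT, B, promiscuous=True))
```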


How to find a network sniffer?

It is very hard to detect whether there is a sniffer on your network, because its activity is quiet though powerful; sometimes it leaves no trace at all for you to check. Some ways that may help you:

  1. Run your own sniffer and monitor the DNS traffic of a nominated host;
  2. Judge from symptoms, for example, if the packet loss rate on your network is abnormally high, or one machine on the network occupies a large share of bandwidth for a long time, it may indicate that a sniffer is present on your network;
  3. Check whether your system is in promiscuous mode; if so, a sniffer may be running at the same time;
  4. Use anti-sniffer software to search for sniffers on your system.

Please note that all these means rely on relevant network software. You may try other ways to inspect for a sniffer, such as examining all the programs running on your computer or looking for suspicious files in the system, but they are usually not reliable.
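Item 3 above, checking whether your own host's interface is in promiscuous mode, can be scripted. The following is an added example, not code from the page or from Colasoft; it assumes a Linux host where /sys/class/net/<interface>/flags exposes the interface flag word, and falls back to constructed sample values when sysfs is absent.

```python
# Added example (not from the page): detects promiscuous mode on the local
# Linux host by reading each interface's flag word (IFF_PROMISC bit) from
# sysfs. SAMPLE at the bottom holds constructed flag values for the demo.
import os

IFF_PROMISC = 0x100  # bit value from <linux/if.h>

def is_promiscuous(flags: int) -> bool:
    """True if the IFF_PROMISC bit is set in an interface's flag word."""
    return bool(flags & IFF_PROMISC)

def parse_flags(text: str) -> int:
    """/sys/class/net/<if>/flags holds one hex word such as '0x1103'."""
    return int(text.strip(), 16)

def read_sysfs_flags(root: str = "/sys/class/net") -> dict:
    """Map interface name -> flag word for every interface under root.
    Returns an empty dict when sysfs is not present (non-Linux host)."""
    flags = {}
    if not os.path.isdir(root):
        return flags
    for name in sorted(os.listdir(root)):
        try:
            with open(os.path.join(root, name, "flags")) as fh:
                flags[name] = parse_flags(fh.read())
        except (OSError, ValueError):
            continue  # not a real interface entry, or unreadable
    return flags

def promiscuous_interfaces(flag_map: dict) -> list:
    """Names of the interfaces whose flag word has IFF_PROMISC set."""
    return [n for n, f in sorted(flag_map.items()) if is_promiscuous(f)]

# Constructed sample: eth0 = UP|BROADCAST|PROMISC|MULTICAST (0x1103),
# lo = UP|LOOPBACK (0x9), wlan0 = UP|BROADCAST|MULTICAST (0x1003).
SAMPLE = {"eth0": 0x1103, "lo": 0x9, "wlan0": 0x1003}

if __name__ == "__main__":
    live = read_sysfs_flags() or SAMPLE
    hits = promiscuous_interfaces(live)
    for name in hits:
        print(f"{name}: promiscuous mode is ON, find which process enabled it")
    if not hits:
        print("no interface is in promiscuous mode")
```

Only the host the script runs on is covered; a sniffer on another machine of the same segment shows no promiscuous flag here.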


How to defend your system against a sniffer?

So far there is still no effective solution that defends against sniffers for good, neither against their installation nor against their attacks on systems. Network administrators have a lot to do if they want to reduce the harm sniffers cause. The most popular means are as follows:

  1. Switch

    Because a sniffer relies on a hub, replacing the hub with a switch, which forwards packets according to their destination address, can disable the sniffer. With costs and prices having dropped greatly, the switch is becoming a main sniffer defense tool, both effective and economical.

  2. Encryption

    Encrypting your data reduces the effect of a sniffer on your private information: even if a sniffer captures all your important data, it cannot decode and read it.

    1. SSH (Secure Shell)
      SSH is a protocol that offers secure communication for application programs, based on the client/server model. The SSH server listens on port 22, and connections are set up using RSA. Once authorization is complete, transmitted data is encrypted with IDEA, which is generally quite strong.
      F-SSH is a higher level of SSH, usually used for military communication. It offers the most powerful encryption for all purposes, which means that if F-SSH is used on a site, the username and password are no longer very important. At present, F-SSH is still the most advanced encryption and no one can break into it.

    2. SSL (Secure Sockets Layer)
      Initially introduced by Netscape Corporation, SSL aims to transfer data secretly and confidentially over the Internet and has been widely applied on the web. SSL provides services in three main respects:

      1. Authenticate the user and the server, to make sure data is sent to the right client and server;
      2. Encrypt data, to hide what is transmitted;
      3. Preserve data integrity, to prevent modification in transit.

    3. Other solutions
      Besides the encryption techniques above, there are other tools you can try, like Kerberos, Deslogin, VPN, SMB/CIFS, and the like.

  3. One-time password

    S/key and other one-time password techniques make it pointless to sniff account information. S/key is based on the principle that the remote host holds a password that is never transmitted over the insecure network; when a user connects to the remote host, the user receives a "challenge" message, and the correct "response" can only be produced by combining the challenge message and the password with a certain algorithm. The security feature of S/key is that passwords never need to be transferred over the network, and the same "challenge/response" pair can appear only once.

    Another popular one-time technique is the ID card. Each authorized user has an ID card that generates the number codes for accessing a personal account. Without this ID card, nobody can decode the number.
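A worked version of the challenge/response described above, as an added example that is not part of the original page: a simplified S/Key-style hash chain using SHA-256 (the real S/KEY algorithm of RFC 1760 uses MD4 folded to 64 bits), with constructed secret and seed values.

```python
# Added example (not from the page): simplified S/Key-style one-time password
# on a hash chain; SHA-256 replaces S/KEY's MD4 only to keep it readable.
import hashlib

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def hash_chain(secret: str, seed: str, n: int) -> bytes:
    """Apply h() n times to seed+secret, i.e. compute h^n."""
    x = (seed + secret).encode()
    for _ in range(n):
        x = h(x)
    return x

class SKeyServer:
    """Holds only the current top of the chain, never the secret itself."""
    def __init__(self, seed: str, count: int, top: bytes):
        self.seed, self.count, self.stored = seed, count, top

    def challenge(self):
        """Sent in the clear: the link number the client must produce."""
        if self.count <= 1:
            raise RuntimeError("chain exhausted; re-register with a new seed")
        return self.count - 1, self.seed

    def verify(self, response: bytes) -> bool:
        """Accept iff h(response) == stored, then step down so no replay."""
        if self.count <= 1 or h(response) != self.stored:
            return False
        self.stored, self.count = response, self.count - 1
        return True

def register(secret: str, seed: str, n: int) -> SKeyServer:
    """One-time enrolment over a trusted path; server keeps h^n only."""
    return SKeyServer(seed, n, hash_chain(secret, seed, n))

def client_response(secret: str, challenge) -> bytes:
    """The client recomputes h^(count-1) from the secret only it knows."""
    k, seed = challenge
    return hash_chain(secret, seed, k)

def demo():
    srv = register("correct horse", "ns01", n=3)  # constructed values
    first = client_response("correct horse", srv.challenge())
    ok1 = srv.verify(first)      # True: fresh link of the chain
    replay = srv.verify(first)   # False: a captured response is useless
    second = client_response("correct horse", srv.challenge())
    ok2 = srv.verify(second)     # True: next link down
    return ok1, replay, ok2
```

A sniffer that captures one response learns only a link that the server has already consumed; the preimage it would need next is never sent.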

  4. Rejecting promiscuous mode

    A sniffer can work only in promiscuous mode, so whether your system is in that mode is crucial. In the past, most network interface cards of DOS-compatible computers did not support promiscuous mode, but now it is the reverse. You should ask your system vendor about the mode of your network interface.


Copyright © 2001 - 2009 Colasoft Co., Ltd. All rights reserved.
Colasoft, Capsa and Colasoft logos are registered trademarks of Colasoft Co., Ltd. Sniffer is a registered trademark of Network General Corporation. All other names are trademarks or registered trademarks of their respective owners.