Sniffing out network sniffers

Computerworld - Sniffers are tools -- sometimes referred to as network analyzers -- commonly used for monitoring network traffic. The term packet sniffing refers to the technique of copying individual packets as they traverse a network. When used by systems administrators, network sniffers can be invaluable tools for diagnosing or troubleshooting network problems. When used by malevolent individuals, however, sniffers can also represent a significant threat to your network. Unfortunately, they are sometimes hard to detect.

Years ago, sniffers were hardware devices that were physically connected to the network. More recently, advances in technology have allowed for the development of software sniffers. This brings the art of network sniffing to anyone who wants to perform this task. Are sniffers really so readily available? A quick search for network sniffers will confirm that there are numerous Web sites rife with software sniffers able to run on just about any operating system.

One important, and disturbing, aspect of packet sniffers is their ability to place their host machine's network adapter into "promiscuous mode." When network adapters are in promiscuous mode, they not receive only the data directed to the machine hosting the sniffing software, but also all other data traffic on the physically connected local network. Because of this capability, packet sniffers have the potential to be used as powerful spying tools on company networks.

	Douglas Schweitzer is an Internet security specialist with a focus on malicious code. He is the author of several books, including Internet Security Made Easy and Securing the Network from Malicious Code and the recently released Incident Response: Computer Forensics Toolkit.

Remember, sniffers are usually passive and simply collect data. For this reason, it's extremely difficult to detect sniffers, especially when running on a shared Ethernet environment. Although detecting network sniffers may be tricky, it's not impossible.

For those familiar with Unix or Linux commands, ifconfig allows the privileged administrator (a.k.a. superuser) to determine whether any interfaces have been placed in promiscuous mode. Any interface running in promiscuous mode is "listening" to all network traffic, a key indicator that a network sniffer is being used.

To check your interfaces using ifconfig, just type ifconfig -a and look for the string PROMISC.

If this string is present, your interface is in promiscuous mode, and you will need to probe further, using built-in tools such as ps utility to determine if any offending processes are present. For Windows-based systems, a handy freeware tool called PromiscDetect can be used to quickly detect any adapters running in promiscuous mode. PromiscDetect is a command-line tool that can be downloaded and works on Windows NT, 4.0, 2000 and XP-based systems.