As discussed in previous lesson, Sniffers are dangerous to network security because they can catch the network traffic and read unencrypted data from network which makes them a favorite weapon of network intruders. Sniffers do not transmit any information, and sniffers collect network data packets passivly. Hence it is difficult to detect Sniffers in network. The following methods can be used to detect sniffers.
Detecting Promiscuous Mode
A sniffer can run in one of two modes: Non-promiscuous mode and Promiscuous mode. Sniffers operate in non-promiscuous mode can collect data from the network that is addressed to or sent from the computer that is running the sniffer. Promiscuous mode allows a network adapter to collect all the network traffic data that passsing over the network, regardless of the destination address. Promiscuous mode enables Sniffers to capture all network traffic. To detect Promiscuous mode in a UNIX type operating system, use the command "ifconfig -a" (without quotes). Search for the PROMISC flag in the output.
[root@Fed13 /]# ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:0C:29:10:8A:DC
inet6 addr: fe80::20c:29ff:fe10:8adc/64 Scope:Link
UP BROADCAST RUNNING
PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0
TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
RX bytes:0 (0.0 b) TX bytes:468 (468.0 b)
Interrupt:18 Base address:0x2000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:104 errors:0 dropped:0
TX packets:104 errors:0 dropped:0 overruns:0 carrier:0
RX bytes:13880 (13.5 KiB) TX bytes:13880 (13.5
Other command which can be used to detect is promiscuous mode in UNIX type operating systems "ip link".
[root@Fed13 ~]# ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether 00:0c:29:10:8a:dc brd ff:ff:ff:ff:ff:ff
To detect promiscuous mode in Windows Operating Systems, the free tool Promqry can be used. Promqry is available for download from Microsoft web site.
Address Resolution Protocol (ARP) Method
Address Resolution Protocol (ARP) is used to resolve IP addresses to MAC addresses. A computer caches resolved addresses for future use. Here we send a non-broadcast ARP. A machine in promiscuous mode will cache your ARP address. Next we send a broadcast ping packet with our IP, but a different MAC address. Only the machine which has our correct MAC address from the previous sniffed ARP frame will be able to respond to broadcast ping request.
In Latency Method, huge amount of data is sent on the network and the suspect machine is pinged before and after flooding. If sniffer is running on the machine it will be in promiscuous mode and it may need to parse the data thus increasing the load on it. Because of the load, it will take extra time to respond to the ping request. This latency may indicate a sniffer running in the target machine.
Monitoring the Hosts
In a busy network, capturing and analyzing huge network data may cause the CPU work load to increase. Large disk space is also required to save the captured network data. Increased CPU work load and disk usage without any reason may indicate a sniffer running in that machine.