A sniffer is a program or a device that eavesdrops on network traffic by capturing the information travelling over a network. Sniffers are essentially “data interception” technology.
In packet-switched networks, the data to be transmitted is broken down into several packets. These packets are reassembled once all the data packets reach their intended destination.
When a packet sniffer is installed in the network, the sniffer intercepts the network traffic and captures the raw data packets. Subsequently, the captured data packet is analyzed by the packet sniffing software and presented to the network manager/technician in a user-friendly format. By user-friendly, we mean the Network Administrator should be able to make sense of it.
How to detect sniffing
- Promiscuous Mode:
  - Check which machines are running in promiscuous mode.
  - Promiscuous mode allows a network device to intercept and read every network packet that arrives, in its entirety.
  - Run an IDS and notice whether the MAC address of certain machines has changed (example: the router’s MAC address).
  - An IDS can alert the administrator about suspicious activity.
- Network Tools:
  - Run network tools such as Capsa Network Analyzer to monitor the network for strange packets. It enables you to collect, consolidate, centralize and analyze traffic data across different network resources and technologies.
  - Nmap with the sniffer-detect NSE script:
    nmap -sV --script=sniffer-detect
  - HP Performance Insight
Sniffer Detection Technique: Ping Method
- Send a ping request to the suspect machine using its IP address but an incorrect MAC address. A normal Ethernet adapter rejects the frame because the MAC address does not match, whereas a suspect machine running a sniffer responds to it, since in promiscuous mode it does not reject packets carrying a different MAC address.
Sniffer Detection Technique: ARP Method
- Only a machine in promiscuous mode (machine C) caches the ARP information (the IP-to-MAC address mapping) from a frame that was not addressed to it.
- A machine in promiscuous mode replies to the ping message directly, as it already has the correct information about the host sending the ping request in its cache; the rest of the machines will first send an ARP probe to identify the source of the ping request.
Packets that are supposed to be filtered by the NIC are now transmitted to the system kernel when the NIC is configured in promiscuous mode. We develop a new method to identify promiscuous nodes using this mechanism: if we configure an ARP packet without the broadcast address as the destination address, send it to every node on the network, and find that some nodes react to it, then those nodes are in promiscuous mode.
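The non-broadcast ARP probe described above, as an added example that is not part of the original notes: it builds the Ethernet/ARP frame whose destination MAC is a value no NIC should accept (ff:ff:ff:ff:ff:fe is an assumed choice), parses ARP replies captured afterwards, and lists the hosts that answered. Sending and capturing on a real interface is left out; the replies used for illustration are constructed.

```python
import struct

# Assumed probe destination: not broadcast, not assigned to any real NIC,
# so only a card in promiscuous mode passes the frame up to the kernel.
BOGUS_DST_MAC = "ff:ff:ff:ff:ff:fe"

def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))

def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))

def build_arp_probe(src_mac, src_ip, target_ip, dst_mac=BOGUS_DST_MAC) -> bytes:
    """Ethernet II frame carrying an ARP request for target_ip; the Ethernet
    destination is deliberately wrong, so a non-promiscuous NIC drops it."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x06"   # EtherType ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)               # Ethernet/IPv4, op=request
    arp += mac_bytes(src_mac) + ip_bytes(src_ip)                  # sender MAC/IP
    arp += b"\x00" * 6 + ip_bytes(target_ip)                      # target MAC unknown
    return eth + arp

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Constructed ARP reply, used here to stand in for a captured frame."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)               # op=reply
    return eth + arp + mac_bytes(sender_mac) + ip_bytes(sender_ip) \
        + mac_bytes(target_mac) + ip_bytes(target_ip)

def parse_arp_reply(frame: bytes):
    """Return (sender_mac, sender_ip) if frame is an ARP reply, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    if struct.unpack("!HHBBH", frame[14:22]) != (1, 0x0800, 6, 4, 2):
        return None
    smac = ":".join(f"{b:02x}" for b in frame[22:28])
    sip = ".".join(str(b) for b in frame[28:32])
    return smac, sip

def promiscuous_hosts(probed_ips, captured_frames):
    """Hosts that answered a probe their NIC should have discarded."""
    probed, found = set(probed_ips), set()
    for frame in captured_frames:
        reply = parse_arp_reply(frame)
        if reply and reply[1] in probed:
            found.add(reply[1])
    return sorted(found)
```

A host that shows up in the result is a candidate for the manual checks listed on this page (interface flags, IDS alerts), not a confirmed sniffer on its own.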
Sniffer Detection Technique: DNS Method
- Most sniffers perform reverse DNS lookups to resolve a captured IP address to a machine name.
- A machine generating unusual reverse DNS lookup traffic is therefore most likely running a sniffer.
- PromqryUI is a security tool from Microsoft that can be used to detect network interfaces that are running in promiscuous mode.
- Nmap’s sniffer-detect NSE script allows you to check whether a target on the local Ethernet segment has its network card in promiscuous mode.
- Command to detect a NIC in promiscuous mode:
  nmap --script=sniffer-detect [Target IP Address/Range of IP addresses]