What is a Sniffer?
A sniffer is a special application (computer program) that captures and analyzes input and/or output packets passing over a specific communications network between devices.
This software can “sniff” the traffic flowing through a network and intercept data from it. It is designed to analyze data packets that are not intended for it, which can be very useful in some cases, but also very dangerous in some others.
There are paid and free versions of this software available for different platforms.
Some of the simpler solutions are very easy to implement by using a command line and displaying the intercepted data on the screen, while more complex projects have a GUI displaying traffic statistics in graphs, tracking multiple sessions, and offering various configuration options.
Network sniffers can also be used as “engines” for other software such as IDS (Intrusion Detection Systems), where they usually locate packets that match predefined rules used to identify traffic as malicious or suspicious.
A sniffer can also be used by network administrators for certain traffic measurements to analyze and report on the data source, recipient, the process server, the type of data packets transmitted, etc.
The data captured by a sniffer can be more valuable than it seems: when used correctly, it allows the user to obtain very detailed information. Thus, even though it is not necessarily a matter of concern, its use can ultimately depend on the way the data packets are accessed.
A sniffer application reconfigures the network interface card (NIC) of a device (usually a PC or laptop) so that it stops ignoring and listens to all traffic addressed to other computers.
It means that the NIC is placed into a state known as “promiscuous mode” where it does not drop packets addressed to other MAC addresses, but stores and reads them. After that, the device can see all the data transmitted through its network segment.
Then the software constantly reads all the information that enters the device via the NIC. The data travels through the network as packets or bursts of bits formatted using specific protocols, so a sniffer can filter the encapsulation layers and decode the information on the source and destination computers, target port number, payload, and other details exchanged between two devices.
A sniffer does not try to infect the system with other threats, it cannot cause any problems with performance or stability. However, it can easily lead to privacy-related issues.
This type of application does not consume a lot of system resources or have a GUI, making it very difficult to detect. As sniffers are not viruses, they cannot spread themselves and must be “controlled” by someone.
A sniffer can be installed manually by the system administrator or any user having sufficient privileges to install the software. In either case, this spyware is installed without the affected user’s knowledge or consent.
This technique is known as a “passive attack”, since it does not interfere with the network operation.
Why Use a Sniffer?
Sniffers have a bad reputation for being widely used by hackers to access data with malicious intent. However, cybercriminals are not the only ones who can benefit from this technology. There are people (mostly network administrators) working for companies or acting in a personal capacity who use sniffers in a completely legal and ethical way as part of their work.
One of the tasks a sniffer can perform is to monitor everything that happens within a company’s LAN, giving the administrators maximum possible control, so nothing can escape them. It also allows them to audit the entire network, check the inbound and outbound traffic, and monitor its behavior based on this.
Another way a sniffer can be used ethically is for white-hat hacking, where an ethical hacker identifies vulnerabilities in a company’s network in order to prevent them from being exploited. It helps avoid any type of espionage, attacks by cybercriminals and enhance the security.
Identification of the packets circulating through the network under their administration allows the information security team to be aware of everything that happens and know how to act in each case.
On the other hand, sniffers are also rather frequently used for malicious purposes to intercept information in a network, for example, to steal poorly encrypted passwords.
To address this, security systems are constantly being developed and enhanced, encryption methods are becoming increasingly advanced and difficult to crack, making it harder for malicious third parties to interfere.
Sniffers are rather rare applications that have the same basic features. The following examples illustrate the typical features of the most popular sniffers:
- Wireshark (formerly Ethereal): Used to analyze and troubleshoot networks during software and protocol development and, in some cases, as a teaching tool for education purposes. It offers a GUI, filters, and integrated packet editing tools, supports a wide range of various protocols, and is suitable for almost any network and operating system.
- Ettercap: An interceptor/logger for switched LANs. It supports active and passive addresses of various protocols, even encrypted ones, such as SSH and HTTPS. It also enables data injection and filtering in an established connection.
- BUTTSniffer: A program used exclusively for malicious purposes. It supports many network protocols, filters the captured data and saves it to a file. It functions as a standalone application or as a plugin for other applications.
- Kismet: A packet sniffer and an intrusion detection system for 802.11 wireless networks (WiFi). It works with any wireless card supporting raw monitoring and can sniff 802.11b, 802.11a, and 802.11g traffic.
- TCPDUMP: A command line utility that analyzes traffic in a network. It allows the user to capture and view packets transmitted and received within the network the computer is connected to in real time.
Network Topology and Sniffers
The number of frames a sniffer can capture depends on the network topology, the way it is installed, and the transmission medium.
In older, star topology networks, a sniffer can be installed on any host, because the central hub forwards everything it receives to all the hosts, whereas in modern networks, where data is forwarded to the destination host only, a sniffer has to be located on the central hub to capture all the data frames.
For ring, dual ring, and bus topologies, a sniffer can be installed on any host, since they all share a common transmission medium.
In tree networks, the root node has access to the most frames, although, with more advanced switches, frames can travel directly between lower-level nodes without passing through the root node.
The use of switches and routers helps increase the network security by limiting the use of sniffers as frames are directed to their corresponding recipients only.
Protection Against Sniffers
As passive attackers, sniffers leave hardly any trace of interference and are difficult to detect. One way to identify them is to see if any NIC is in promiscuous mode.
One of the most effective methods to protect yourself against sniffers is by using data encryption. In this case, only those who know the key used for encryption can read the data. This method is used in most web pages that require data or passwords, since this is sensitive information that no one else should know.
You can also protect yourself using a sniffer which allows you to determine what data leaves the device and where it goes. A sniffer can detect another sniffer, obtain its IP and MAC address, and block it in the future. In addition, there are anti-spyware and anti-sniffing programs that can detect sniffing attacks in the network and block them.
Two other important security techniques you should keep in mind when protecting yourself against sniffers are network segmentation and encryption.
Sniffers are generally able to intercept data only within a network segment, meaning that the more segmented the network is, the less information they can capture. Switches and routers can help you with this.
Another solution is session encryption. The data is simply encrypted and rendered incomprehensible, so you do not have to worry about it being captured. You should always browse encrypted websites (https) and send important files in an encrypted form.
A much more effective and technically complex measure is using a VPN (Virtual Private Network) that encrypts all traffic and allows you to privately access websites, services, and applications. The widespread use of this strategy could make it difficult, maybe even impossible, for attackers to employ sniffers successfully.
Protection against sniffers has not lost its relevance: as their detection techniques are becoming increasingly sophisticated, new types of sniffers emerge almost instantly to try and outsmart them. However, to understand exactly what results you can expect from your tools, any security administrator should be familiar with all the tools that can help detect sniffers in their networks, as well as any bypassing techniques an attacker may use.
In the vast majority of cases, it remains a good security strategy to implement a program of regular network infrastructure checks to detect sniffers, deactivate promiscuous NICs, and trigger alarms.