Sniffing Out Packet Sniffers - Page 2

By Brien M. Posey | May 15, 2001
Page 2 of 2

Try watching for machines that are performing lots of DNS lookups. Although a high volume of DNS lookups alone doesn't necessarily indicate packet sniffing, it's a good indicator. If you suspect that a particular machine might be packet sniffing, try setting up a bait machine. A bait machine would be a PC that no one knows exists. Plug it into the network and generate a small amount of network traffic. As you do, keep an eye on the DNS queries to see if the suspected machine ran a DNS query on the bait machine. If it did, then it's almost certainly sniffing packets.
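The bait-machine check above boils down to two questions you can answer from your DNS server's query log: which clients are doing an unusual number of reverse (PTR) lookups, and did any client try to resolve the bait address, which nothing on the network has a legitimate reason to do. The script below is an added example, not part of the original article or of any tool it mentions; it runs over a few constructed BIND-style query-log lines (the client addresses, the bait address 192.168.1.250 and the log format are all assumptions made for the example) and reports both signals.

```python
import ipaddress
import re
from collections import Counter

# Constructed BIND-style query-log lines for the example (not real captures).
# The bait host 192.168.1.250 never initiates traffic, so nothing should ever
# need to resolve its name.
SAMPLE_DNS_LOG = """\
15-May-2001 10:02:01.120 client 192.168.1.20#1031: query: mail.example.test IN A +
15-May-2001 10:02:05.431 client 192.168.1.77#1034: query: 20.1.168.192.in-addr.arpa IN PTR +
15-May-2001 10:02:06.002 client 192.168.1.77#1035: query: 250.1.168.192.in-addr.arpa IN PTR +
15-May-2001 10:02:07.990 client 192.168.1.30#1040: query: www.example.test IN A +
15-May-2001 10:02:09.110 client 192.168.1.77#1036: query: 30.1.168.192.in-addr.arpa IN PTR +
"""

# Matches the "client <ip>#<port>: query: <name> IN <type>" part of a log line.
LINE_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<type>\S+)"
)


def parse_queries(log_text):
    """Yield (client_ip, query_name, query_type) for each query line.

    Lines that do not match the expected format are skipped rather than
    raising, so a noisy log does not abort the check.
    """
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            name = m.group("name").rstrip(".").lower()
            yield m.group("client"), name, m.group("type").upper()


def ptr_counts(log_text):
    """Count reverse lookups per client: the 'lots of DNS lookups' signal.

    A sniffer that resolves the addresses it sees will show up with far more
    PTR queries than a normal workstation.
    """
    counts = Counter()
    for client, name, qtype in parse_queries(log_text):
        if qtype == "PTR" and name.endswith(".in-addr.arpa"):
            counts[client] += 1
    return counts


def clients_resolving_bait(log_text, bait_ip):
    """Return the set of clients that did a PTR lookup for the bait machine."""
    # ipaddress builds the exact reverse name, e.g. 250.1.168.192.in-addr.arpa
    bait_ptr = ipaddress.ip_address(bait_ip).reverse_pointer
    return {
        client
        for client, name, qtype in parse_queries(log_text)
        if qtype == "PTR" and name == bait_ptr
    }


def report(log_text, bait_ip, ptr_threshold=2):
    """Summarise both signals; the bait hit is the strong one."""
    noisy = {c: n for c, n in ptr_counts(log_text).items() if n >= ptr_threshold}
    return {
        "high_ptr_volume": noisy,
        "resolved_bait": sorted(clients_resolving_bait(log_text, bait_ip)),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_DNS_LOG, "192.168.1.250").items():
        print(f"{key}: {value}")
```

In a real deployment, point `parse_queries` at your resolver's query log (BIND's `querylog` output is the format assumed here) and set the bait address to the decoy host's IP. A PTR lookup for that address from any client other than your own management station is the finding the article describes; the PTR count is only a prompt for a closer look.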

Another popular method for spotting packet sniffing is to measure the response time of the suspected machine. This technique is tricky and fairly unreliable, but it will at least let you know if you're on the right track. The idea is to ping the suspected machine in order to measure the response time. After doing so, generate some network traffic that a suspected malevolent hacker might be interested in. Remember that someone who's sniffing packets probably wouldn't want to copy every packet because of the sheer volume of information. Instead, they would probably set up a packet filter and only copy the packets that they're interested in, such as those used for authentication. Therefore, have several of your co-workers log in and out repeatedly while you re-measure the suspected PC's response time. If the response time hasn't changed much, then the PC probably isn't sniffing packets, but if you get a really slow response then there's a good chance that the PC is sniffing packets.
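Because this test is noisy (a single slow reply can come from anything), it helps to compare a robust statistic of many pings rather than eyeball individual replies. The script below is an added example, not from the original article or from any tool it mentions: it parses the `time=... ms` field from constructed Linux-style `ping` output captured before and during the login storm, compares the medians so that one stray outlier does not decide the result, and flags the host only if the loaded median exceeds the baseline by a chosen factor (the threshold of 3x and the sample values are assumptions for the example).

```python
import re
from statistics import median

# Constructed ping output for the example (not real measurements): one run
# taken while the network is quiet, one taken while co-workers log in and out.
BASELINE_PING = """\
64 bytes from 192.168.1.77: icmp_seq=1 ttl=64 time=0.412 ms
64 bytes from 192.168.1.77: icmp_seq=2 ttl=64 time=0.398 ms
64 bytes from 192.168.1.77: icmp_seq=3 ttl=64 time=0.405 ms
64 bytes from 192.168.1.77: icmp_seq=4 ttl=64 time=0.420 ms
64 bytes from 192.168.1.77: icmp_seq=5 ttl=64 time=0.401 ms
"""

LOADED_PING = """\
64 bytes from 192.168.1.77: icmp_seq=1 ttl=64 time=2.9 ms
64 bytes from 192.168.1.77: icmp_seq=2 ttl=64 time=3.4 ms
64 bytes from 192.168.1.77: icmp_seq=3 ttl=64 time=3.1 ms
Request timeout for icmp_seq 4
64 bytes from 192.168.1.77: icmp_seq=5 ttl=64 time=45.0 ms
64 bytes from 192.168.1.77: icmp_seq=6 ttl=64 time=3.0 ms
"""

RTT_RE = re.compile(r"time=(?P<ms>\d+(?:\.\d+)?) ms")


def extract_rtts(ping_output):
    """Return the round-trip times (ms) found in ping output, skipping timeouts."""
    return [float(m.group("ms")) for m in RTT_RE.finditer(ping_output)]


def response_time_verdict(baseline_output, loaded_output, factor=3.0, min_samples=3):
    """Compare median RTT under load against the quiet baseline.

    Returns (baseline_median, loaded_median, slowdown_ratio, flagged).
    The median is used so a single lost or slow reply (the 45 ms sample
    above) cannot swing the verdict on its own.
    """
    base = extract_rtts(baseline_output)
    load = extract_rtts(loaded_output)
    if len(base) < min_samples or len(load) < min_samples:
        raise ValueError("not enough replies to compare")
    base_med = median(base)
    load_med = median(load)
    ratio = load_med / base_med
    return base_med, load_med, ratio, ratio >= factor


if __name__ == "__main__":
    b, l, ratio, flagged = response_time_verdict(BASELINE_PING, LOADED_PING)
    print(f"baseline median {b:.3f} ms, loaded median {l:.3f} ms, x{ratio:.1f}")
    print("worth a closer look" if flagged else "no meaningful slowdown")
```

Run the same comparison against a known-clean host on the same segment at the same time: if it slows down by a similar factor, the cause is the network load itself, not a sniffer on the suspected PC.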

Utilities exist that use the methods that I've discussed and a few others to track down packet sniffers. One of the better tools is a program called AntiSniff. You can download a free 15-day trial of the Windows version of AntiSniff or a free version for UNIX from www.securitysoftwaretech.com/antisniff/download.html.

Brien M. Posey is an MCSE who works as a freelance writer. His past experience includes working as the director of information systems for a national chain of health care facilities and as a network engineer for the Department of Defense. Because of the extremely high volume of e-mail that Brien receives, it's impossible for him to respond to every message, although he does read them all.
