The Dark Side of Packet Capture - Page 2

By O'Reilly Press | Posted Dec 4, 2001
Page 2 of 4   |  Back to Page 1
Print ArticleEmail Article
  • Share on Facebook
  • Share on Twitter
  • Share on LinkedIn

1.7.2. Protecting Yourself

Because of the potential for abuse, you should be very circumspect about who has access to packet capture tools. If you are operating in a Unix-only environment, you may have some success in restricting access to capture programs. packet capture programs should always be configured as privileged commands. If you want to allow access to a group of users, the recommended approach is to create an administrative group, restrict execution of packet capture programs to that group, and give group membership only to a small number of trusted individuals. This amounts to setting the SUID bit for the program, but limiting execution to the owner and any group members.

With some versions of Unix, you might even consider recompiling the kernel so the packet capture software can't be run on machines where it isn't needed. For example, with FreeBSD, it is very straightforward to disable the Berkeley packet filter in the kernel. (With older versions of FreeBSD, you needed to explicitly enable it.) Another possibility is to use interfaces that don't support promiscuous mode. Unfortunately, these can be hard to find.

There is also software that can be used to check to see if your interface is in promiscuous mode. You can do this manually with the ifconfig command. Look for PROMISC in the flags for the interface. For example, here is the output for one interface in promiscuous mode:

bsd2# ifconfig ep0
ep0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        inet 172.16.2.236 netmask 0xffffff00 broadcast 172.16.2.255
        inet6 fe80::260:97ff:fe06:2222%ep0 prefixlen 64 scopeid 0x2
        ether 00:60:97:06:22:22
        media: 10baseT/UTP
        supported media: 10baseT/UTP

Of course, you'll want to check every interface.

Alternately, you could use a program like cpm, check promiscuous mode from CERT/CC. lsof, described in , can be used to look for large open files that might be packet sniffer output. But if you have Microsoft Windows computers on your network or allow user-controlled computers on your network, this approach isn't enough.

While it may appear that packet capture is a purely passive activity that is undetectable, this is often not the case. There are several techniques and tools that can be used to indicate packet capture or to test remote interfaces to see if they are in promiscuous mode. One of the simplest techniques is to turn your packet capture software on, ping an unused IP address, and watch for DNS queries trying to resolve that IP address. An unused address should be ignored. If someone is trying to resolve the address, it is likely they have captured a packet.

Another possibility is the tool antisniff from L0pht Heavy Industries. This is a commercial tool, but a version is available for noncommercial uses. There are subtle changes in the behavior of an interface when placed in promiscuous mode. This tool is designed to look for those changes. It can probe the systems on a network, examine their responses, and usually determine which devices have an interface in promiscuous mode.

Another approach is to restructure your network for greater security. To the extent you can limit access to traffic, you can reduce the packet capture. Use of virtual LANs can help, but no approach is really foolproof. Ultimately, strong encryption is your best bet. This won't stop sniffing, but it will protect your data. Finally, it is always helpful to have clearly defined policies. Make sure your users know that unauthorized packet capture is not acceptable.

Comment and Contribute
(Maximum characters: 1200). You have
characters left.
Get the Latest Scoop with Enterprise Networking Planet Newsletter