Sniffing Out Packet Sniffers - Page 2

 By Brien M. Posey

Try watching for machines that are performing lots of DNS lookups. Although a high volume of DNS lookups alone doesn't necessarily indicate packet sniffing, it's a good indicator. If you suspect that a particular machine might be packet sniffing, try setting up a bait machine. A bait machine is a PC that no one knows exists. Plug it into the network and generate a small amount of network traffic. As you do, keep an eye on the DNS queries to see if the suspected machine ran a DNS query on the bait machine. If it did, then it's almost certainly sniffing packets.
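The bait-machine check above can be run over a DNS server's query log. The following is an added example, not part of the original article; the log line format, the addresses, and the function names are assumptions made for illustration, and the sample log is constructed.

```python
import ipaddress
from collections import Counter

# Constructed sample of a DNS server's query log. The line format
# "<time> <client_ip> <qtype> <qname>" is hypothetical, not a real product's.
SAMPLE_LOG = """\
09:00:01 10.0.0.21 A intranet.example.test
09:00:02 10.0.0.37 PTR 12.0.0.10.in-addr.arpa
09:00:02 10.0.0.21 A mail.example.test
09:00:03 10.0.0.37 PTR 21.0.0.10.in-addr.arpa
09:00:04 10.0.0.37 PTR 250.0.0.10.in-addr.arpa
09:00:05 10.0.0.21 A files.example.test
09:00:06 10.0.0.37 PTR 5.0.0.10.in-addr.arpa
09:00:07 10.0.0.21 A print.example.test
09:00:08 10.0.0.44 A intranet.example.test
09:00:09 10.0.0.250 A intranet.example.test
"""

def parse(log_text):
    """Yield (client_ip, qtype, qname) for each well-formed log line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        _, client, qtype, qname = parts
        yield client, qtype.upper(), qname.lower().rstrip(".")

def find_suspects(log_text, bait_ip, volume_threshold):
    """Return (hosts that looked up the bait's address, hosts with many lookups)."""
    bait_ptr = ipaddress.ip_address(bait_ip).reverse_pointer
    looked_up_bait, volume = set(), Counter()
    for client, qtype, qname in parse(log_text):
        if client == bait_ip:
            continue  # the bait's own traffic is expected
        volume[client] += 1
        if qtype == "PTR" and qname == bait_ptr:
            looked_up_bait.add(client)  # nobody should know this address
    noisy = {c for c, n in volume.items() if n >= volume_threshold}
    return looked_up_bait, noisy

if __name__ == "__main__":
    hits, noisy = find_suspects(SAMPLE_LOG, "10.0.0.250", 4)
    print("queried the bait machine (strong indicator):", sorted(hits))
    print("high lookup volume (weak indicator):", sorted(noisy))
```

In the sample, two hosts cross the volume threshold but only one of them looked up the bait machine's address, which is the distinction the paragraph draws between a hint and a near-certain sign.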

Another popular method for spotting packet sniffing is to measure the response time of the suspected machine. This technique is tricky and fairly unreliable, but it will at least let you know if you're on the right track. The idea is to ping the suspected machine in order to measure the response time. After doing so, generate some network traffic that a suspected malevolent hacker might be interested in. Remember that someone who's sniffing packets probably wouldn't want to copy every packet because of the sheer volume of information. Instead, they would probably set up a packet filter and only copy the packets that they're interested in, such as those used for authentication. Therefore, have several of your co-workers log in and out repetitively while you re-measure the suspected PC's response time. If the response time hasn't changed much, then the PC probably isn't sniffing packets, but if you get a really slow response then there's a good chance that the PC is sniffing packets.

Utilities exist that use the methods that I've discussed, and a few others, to track down packet sniffers. One of the better tools is a program called AntiSniff. You can download a free 15-day trial of the Windows version of AntiSniff or a free version for UNIX from www.securitysoftwaretech.com/antisniff/download.html.

Brien M. Posey is an MCSE who works as a freelance writer. His past experience includes working as the director of information systems for a national chain of health care facilities and as a network engineer for the Department of Defense. Because of the extremely high volume of e-mail that Brien receives, it's impossible for him to respond to every message, although he does read them all.

This article was originally published on May 15, 2001