Search the FAQ Archives

3 - A - B - C - D - E - F - G - H - I - J - K - L - M
N - O - P - Q - R - S - T - U - V - W - X - Y - Z - Internet FAQ Archives

computer-security/sniffers FAQ

[ Usenet FAQs | Web FAQs | Documents | RFC Index | Forum archive ]
Archive-name: computer-security/sniffers
Posting-frequency: monthly
Last-modified: 1996/7/15
Version: 3.00

See reader questions & answers on this topic! - Help others by sharing your knowledge
Sniffer FAQ

Version: 3.00
This Security FAQ is a resource provided by:

     Internet Security Systems, Inc.
     Suite 660, 41 Perimeter Center East          Tel: (770) 395-0150
     Atlanta, Georgia 30346                       Fax: (770) 395-1972

To get the newest updates of Security files check the following services:
     ftp /pub/

To subscibe to the update mailing list, Alert, send an e-mail to and, in the text of your message (not the subject
line), write:

     subscribe alert

This Sniffer FAQ will hopefully give administrators a clear understanding of
sniffing problems and hopefully possible solutions to follow up with.
Sniffers is one of the main causes of mass break-ins on the Internet today.

This FAQ will be broken down into:

   * What a sniffer is and how it works
   * Where are sniffers available
   * How to detect if a machine is being sniffed
   * Stopping sniffing attacks:
        o Active hubs
        o Encryption
        o Kerberos
        o One-time password technology
        o Non-promiscuous interfaces


What a sniffer is and how it works

Unlike telephone circuits, computer networks are shared communication
channels. It is simply too expensive to dedicate local loops to the switch
(hub) for each pair of communicating computers. Sharing means that computers
can receive information that was intended for other machines. To capture the
information going over the network is called sniffing.

Most popular way of connecting computers is through ethernet. Ethernet
protocol works by sending packet information to all the hosts on the same
circuit. The packet header contains the proper address of the destination
machine. Only the machine with the matching address is suppose to accept the
packet. A machine that is accepting all packets, no matter what the packet
header says, is said to be in promiscuous mode.

Because, in a normal networking environment, account and password
information is passed along ethernet in clear-text, it is not hard for an
intruder once they obtain root to put a machine into promiscuous mode and by
sniffing, compromise all the machines on the net.


Where are sniffers available

Sniffing is one of the most popular forms of attacks used by hackers. One
special sniffer, called Esniff.c, is very small, designed to work on Sunos,
and only captures the first 300 bytes of all telnet, ftp, and rlogin
sessions. It was published in Phrack, one of the most widely read freely
available underground hacking magazines. You can find Phrack on many FTP
sites. Esniff.c is also available on many FTP sites such as

You may want to run Esniff.c on an authorized network to quickly see how
effective it is in compromising local machines.

Other sniffers that are widely available which are intended to debug network
problems are:

   * RealSecure (real time monitoring, attack recognition and response) on
     SunOs 4.1.x, Solaris 2.5, and Linux. Available at
   * SniffIt for Linux, SunOs, Solaris, FreeBsd,and IRIX available at
   * Etherfind on SunOs4.1.x
   * Snoop is a utility on Solaris.
   * Tcpdump 3.0 uses bpf for a multitude of platforms.
   * Packetman, Interman, Etherman, Loadman works on the following
     SunOS, Dec-Mips, SGI, Alpha, and Solaris. It is available on[sun4c|dec-mips|sgi|alpha|solaris2]/
     Packetman was designed to capture packets, while Interman, Etherman,
     and Loadman monitor traffic of various kinds.

     DOS based sniffers

   * Gobbler for IBM DOS Machines
   * ethdump v1.03
     Available on ftp
   * ethload v1.04
     Companion utility to a ethernet monitor. Available on ftp

Commercial Sniffers are available at:

   * Klos Technologies, Inc.

          PacketView - Low cost network protocol analyzer

          Phone: 603-424-8300
          BBS: 603-429-0032

   * Network General.

          Network General produces a number of products. The most
          important are the Expert Sniffer, which not only sniffs on
          the wire, but also runs the packet through a high-performance
          expert system, diagnosing problems for you. There is an
          extension onto this called the "Distributed Sniffer System"
          that allows you to put the console to the expert sniffer on
          you Unix workstation and to distribute the collection agents
          at remote sites.

   * Microsoft's Net Monitor

          " My commercial site runs many protocols on one wire -
          NetBeui, IPX/SPX, TCP/IP, 802.3 protocols of various flavors,
          most notably SNA. This posed a big problem when trying to
          find a sniffer to examine the network problems we were
          having, since I found that some sniffers that understood
          Ethernet II parse out some 802.3 traffic as bad packets, and
          vice versa. I found that the best protocol parser was in
          Microsoft's Net Monitor product, also known as Bloodhound in
          its earlier incarnations. It is able to correctly identify
          such oddities as NetWare control packets, NT NetBios name
          service broadcasts, etc, which etherfind on a Sun simply
          registered as type 0000 packet broadcasts. It requires MS
          Windows 3.1 and runs quite fast on a HP XP60 Pentium box. Top
          level monitoring provides network statistics and information
          on conversations by mac address (or hostname, if you bother
          with an ethers file). Looking at tcpdump style details is as
          simple as clicking on a conversation. The filter setup is
          also one of the easiest to implement that I've seen, just
          click in a dialog box on the hosts you want to monitor. The
          number of bad packets it reports on my network is a tiny
          fraction of that reported by other sniffers I've used. One of
          these other sniffers in particular was reporting a large
          number of bad packets with src mac addresses of
          aa:aa:aa:aa:aa:aa but I don't see them at all using the MS
          product. - Anonymous


How to detect a sniffer running.

To detect a sniffing device that only collects data and does not respond to
any of the information, requires physically checking all your ethernet
connections by walking around and checking the ethernet connections

It is also impossible to remotely check by sending a packet or ping if a
machine is sniffing.

A sniffer running on a machine puts the interface into promiscuous mode,
which accepts all the packets. On some Unix boxes, it is possible to detect
a promiscuous interface. It is possible to run a sniffer in non-promiscuous
mode, but it will only capture sessions from the machine it is running on.
It is also possible for the intruder to do similiar capture of sessions by
trojaning many programs such as sh, telnet, rlogin, in.telnetd, and so on to
write a log file of what the user did. They can easily watch the tty and
kmem devices as well. These attacks will only compromise sessions coming
from that one machine, while promiscuous sniffing compromises all sessions
on the ethernet.

For SunOs, NetBSD, and other possible BSD derived Unix systems, there is a

     "ifconfig -a"

that will tell you information about all the interfaces and if they are in
promiscuous mode. DEC OSF/1 and IRIX and possible other OSes require the
device to be specified. One way to find out what interface is on the system,
you can execute:

     # netstat -r
     Routing tables

     Destination      Gateway            Flags     Refs     Use  Interface
     default            UG          1    24949  le0
     localhost        localhost          UH          2       83  lo0

Then you can test for each interface by doing the following command:

     #ifconfig le0
             inet netmask 0xffffff00 broadcast

Intruders often replace commands such as ifconfig to avoid detection. Make
sure you verify its checksum.

There is a program called cpm available on that
only works on Sunos and is suppose to check the interface for promiscuous

Ultrix can possibly detect someone running a sniffer by using the commands
pfstat and pfconfig.

pfconfig allows you to set who can run a sniffer
pfstat shows you if the interface is in promiscuous mode.

These commands only work if sniffing is enabled by linking it into the
kernel. by default, the sniffer is not linked into the kernel. Most other
Unix systems, such as Irix, Solaris, SCO, etc, do not have any flags
indication whether they are in promiscuous mode or not, therefore an
intruder could be sniffing your whole network and there is no way to detect

Often a sniffer log becomes so large that the file space is all used up. On
a high volume network, a sniffer will create a large load on the machine.
These sometimes trigger enough alarms that the administrator will discover a
sniffer. I highly suggest using lsof (LiSt Open Files) available from for finding log files and finding
programs that are accessing the packet device such as /dev/nit on SunOs.

There is no commands I know of to detect a promiscuous IBM PC compatible
machine, but they atleast usually do not allow command execution unless from
the console, therefore remote intruders can not turn a PC machine into a
sniffer without inside assistance.


Stopping sniffing attacks

Active hubs send to each system only packets intended for it rendering
promiscuous sniffing useless. This is only effective for 10-Base T.

The following vendors have available active hubs:

   * Cisco
   * 3Com
   * HP



There are several packages out there that allow encryption between
connections therefore an intruder could capture the data, but could not
decypher it to make any use of it.

Some packages available are:

   * ssh is available at .

   * deslogin is one package available at ftp .

   * swIPe is another package available at

   * Netlock encrypts all (tcp, udp, and raw ip based) communications
     transparently. It has automatic (authenticated Diffie-Helman)
     distibuted key management mechanism for each host and runs on the SUN
     4.1 and HP 9.x systems. The product comes with a Certification
     Authority Management application which generates host certificates
     (X.509) used for authentication between the hosts. and provides
     centralized control of each Hosts communications rules.

     The product is built by Hughes Aircraft and they can be reached at
     800-825-LOCK or email at



Kerberos is another package that encrypts account information going over the
network. Some of its draw backs are that all the account information is held
on one host and if that machine is compromised, the whole network is
vulnerable. It is has been reported a major difficulty to set up. Kerberos
comes with a stream-encrypting rlogind, and stream-encrypting telnetd is
available. This prevents intruders from capturing what you did after you
logged in.

There is a Kerberos FAQ at ftp at in
or try:


One time password technology

S/key and other one time password technology makes sniffing account
information almost useless. S/key concept is having your remote host already
know a password that is not going to go over insecure channels and when you
connect, you get a challenge. You take the challenge information and
password and plug it into an algorithm which generates the response that
should get the same answer if the password is the same on the both sides.
Therefore the password never goes over the network, nor is the same
challenge used twice. Unlike SecurID or SNK, with S/key you do not share a
secret with the host. S/key is available on

OPIE is the successor of Skey and is available at

Other one time password technology is card systems where each user gets a
card that generates numbers that allow access to their account. Without the
card, it is improbable to guess the numbers.

The following are companies that offer solutions that are provide better
password authenication (ie, handheld password devices):

Secure Net Key (SNK)

Digital Pathways, Inc.
201 Ravendale Dr. Mountainview, Ca.
97703-5216 USA

Phone: 415-964-0707 Fax: (415) 961-7487


Security Dynamics,
One Alewife Center
Cambridge, MA 02140-2312
USA Phone: 617-547-7820
Fax: (617) 354-8836
SecurID uses time slots as authenication rather than challenge/response.

ArKey and OneTime Pass

Management Analytics
PO Box 1480
Hudson, OH 44236
Tel:US+216-686-0090 Fax: US+216-686-0092

OneTime Pass (OTP):
This program provides unrestricted one-time pass codes on a user by user
basis without any need for cryptographic protocols or hardware devices. The
user takes a list of usable pass codes and scratches out each one as it is
used. The system tracks usage, removing each passcode from the available
list when it is used. Comes with a very small and fast password tester and
password and pass phrase generation systems.

This is the original Argued Key system that mutually authenticates users and
systems to each other based on their common knowledge. No hardware
necessary. Comes with a very small and fast password tester and password and
pass phrase generation systems.

WatchWord and WatchWord II

480 Spring Park Place
Herndon, VA 22070
1-800-521-6261 ext 217


Arnold Consulting, Inc.
2530 Targhee Street, Madison, Wisconsin
53711-5491 U.S.A.
Phone : 608-278-7700 Fax: 608-278-7701
Email: Stephen.L.Arnold@Arnold.Com
CRYPTOCard is a modern, SecureID-sized, SNK-compatible device.


Enigma Logic, Inc.
2151 Salvio #301
Concord, CA 94520
510-827-5707 Fax: (510)827-2593
For information about Enigma ftp to: in directory

Secure Computing Corporation:

2675 Long Lake Road
Roseville, MN 55113
Tel: (612) 628-2700
Fax: (612) 628-2701


Non-promiscuous Interfaces

You can try to make sure that most IBM DOS compatible machines have
interfaces that will not allow sniffing. Here is a list of cards that do not
support promiscuous mode:

Test the interface for promiscuous mode by using the Gobbler. If you find a
interface that does do promiscuous mode and it is listed here, please e-mail so I can remove it ASAP.

     IBM Token-Ring Network PC Adapter
     IBM Token-Ring Network PC Adapter II (short card)
     IBM Token-Ring Network PC Adapter II (long card)
     IBM Token-Ring Network 16/4 Adapter
     IBM Token-Ring Network PC Adapter/A
     IBM Token-Ring Network 16/4 Adapter/A
     IBM Token-Ring Network 16/4 Busmaster Server Adapter/A

The following cards are rumoured to be unable to go into promiscuous mode,
but that the veracity of those rumours is doubtful.

     Microdyne (Excelan) EXOS 205
     Microdyne (Excelan) EXOS 205T
     Microdyne (Excelan) EXOS 205T/16
     Hewlett-Packard 27250A EtherTwist PC LAN Adapter Card/8
     Hewlett-Packard 27245A EtherTwist PC LAN Adapter Card/8
     Hewlett-Packard 27247A EtherTwist PC LAN Adapter Card/16
     Hewlett-Packard 27248A EtherTwist EISA PC LAN Adapter Card/32
     HP 27247B EtherTwist Adapter Card/16 TP Plus
     HP 27252A EtherTwist Adapter Card/16 TP Plus
     HP J2405A EtherTwist PC LAN Adapter NC/16 TP

Adapters based upon the TROPIC chipset generally do not support promiscuous
mode. The TROPIC chipset is used in IBM's Token Ring adapters such as the
16/4 adapter. Other vendors (notably 3Com) also supply TROPIC based
adapters. TROPIC-based adapters do accept special EPROMs, however, that will
allow them to go into promiscuous mode. However, when in promiscuous mode,
these adapters will spit out a "Trace Tool Present" frame.



I would like to thank the following people for the contribution to this FAQ
that has helped to update and shape it:

   * Padgett Peterson (
   * Steven Bellovin (
   * Wietse Venema (
   * Robert D. Graham (robg@NGC.COM)
   * Kevin Martinez (
   * Frederick B. Cohen (
   * James Bonfield (
   * Marc Horowitz (marc@MIT.EDU)
   * Steve Edwards (
   * Andy Poling (
   * Jeff Collyer (
   * Sara Gordon (



This paper is Copyright (c) 1994, 1995, 1996
   by Christopher Klaus of Internet Security Systems, Inc.

Permission is hereby granted to give away free copies electronically. You
may distribute, transfer, or spread this paper electronically. You may not
pretend that you wrote it. This copyright notice must be maintained in any
copy made. If you wish to reprint the whole or any part of this paper in any
other medium excluding electronic medium, please ask the author for


The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.

Address of Author

Please send suggestions, updates, and comments to:
Christopher Klaus <> of Internet Security Systems, Inc.

Internet Security Systems, Inc.

ISS is the leader in network security tools and technology through
innovative audit, correction, and monitoring software. The Atlanta-based
company's flagship product, Internet Scanner, is the leading commercial
attack simulation and security audit tool. The Internet Scanner SAFEsuite is
based upon ISS' award-winning Internet Scanner and was specifically designed
with expanded capabilities to assess a variety of network security issues
confronting web sites, firewalls, servers and workstations. The Internet
Scanner SAFEsuite is the most comprehensive security assessment tool
available. For more information about ISS or its products, contact the
company at (770) 395-0150 or e-mail at ISS maintains a Home
Page on the World Wide Web at
Christopher William Klaus            Voice: (770)395-0150. Fax: (770)395-1972
Internet Security Systems, Inc.              "Internet Scanner SAFEsuite finds
Ste. 660,41 Perimeter Center East,Atlanta,GA 30346 your network security holes
Web:  Email:        before the hackers do."

User Contributions:

Comment about this article, ask questions, or add new information about this topic:

[ Usenet FAQs | Web FAQs | Documents | RFC Index ]

Send corrections/additions to the FAQ Maintainer:

Last Update March 27 2014 @ 02:11 PM