Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Sign up!
EnGarde Community
What is the most important Linux security technology?
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Latest Newsletters
Linux Security Week: March 30th, 2015
Linux Advisory Watch: March 27th, 2015
LinuxSecurity Newsletters
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

Packet Sniffing Overview Print E-mail
User Rating:      How can I rate this item?
Source: Suhas Desai - Posted by Benjamin D. Thomas   
Features A packet sniffer is a program which monitors network traffic which passes through your computer. A packet sniffer which runs on your PC connected to the internet using a modem, can tell you your current IP address as well as the IP addresses of the web servers whose sites you are visiting.

You can watch all the un-encrypted data that travels from your computer, onto the internet. This includes passwords and other sensitive data that is not secured by encryption. Put a packet sniffer on a router on the internet, and you can watch all the network traffic that passes through that router. This includes absolutely anyone whose data happens to pass through that router.

Sniffers are basically data interception programs. They work because the Ethernet was built around a principle of sharing. Most networks use what is known as broadcast technology, meaning that every message transmitted by one computer on a network can be read by any other computer on that network. In practice, all the other computers, except the one for which the message is meant, will ignore that message. However, computers can be made to accept messages, even if they are not meant for them, by means of a sniffer.

A sniffer is usually passive, it only collects data. Hence, it becomes extremely difficult to detect sniffer. When installed on a computer, a sniffer will generate some small amount of traffic, though, and is therefore detectable. Detection methods:

1. Ping Method:

The trick used here is to send a ping request with the IP address of the suspect machine but not its MAC address. Ideally, no machine should see this packet, as each Ethernet adaptor will reject it since it does not match its own MAC address. If the suspect machine is running a sniffer, it will respond since it does not reject packets with a different destination MAC address. This is an old method and no longer reliable.

2. Address Resolution Protocol (ARP) Method:

A machine caches ARPs, so what we do is send a non-broadcast ARP. A machine in promiscuous mode will cache your ARP address. Next, we send a broadcast ping packet with our IP address but a different MAC address. Only a machine that has our correct MAC address from the sniffed ARP frame will be able to respond to our broadcast ping request.

3. on Local Host:

Often, after your machine has been compromised, hackers will leave sniffers on it in order to compromise other hosts. On a local machine, run ifconfig.

4. Latency Method:

This method is based on the assumption that most sniffers do some parsing. Simply put, in this method, a huge amount of data is sent on the network, and the suspect machine is pinged before and during the data flooding. If the machine is in promiscuous mode, it will parse the data, increasing the load on it. It will therefore take extra time to respond to the ping packet. This difference in response times can be used as an indicator of whether or not a machine is in promiscuous mode. A point worth noting is the packets may be delayed because of the load on the wire, resulting in false positives.


The best way to secure you against sniffing is to use encryption. While this won’t prevent a sniffer from functioning, it will ensure that what a sniffer reads is pure junk.

Sniffing Tools

  • tcpdump: Tcpdump is a powerful tool that allows us to sniff network packets and make some statistical analysis out of those dumps. One major drawback to tcpdump is the size of the flat file containing the text output. But tcpdump allows us to precisely see all the traffic and enables us to create statistical monitoring scripts.ns.

  • sniffit: Robust packet sniffer with good filtering.

  • Ethereal: A free network protocol analyzer for UNIX and Windows. It allows you to examine data from a live network or from a capture file on disk.

  • Hunt: The main goal of the HUNT project is to develop tools for exploiting well-known weaknesses in the TCP/IP protocol suite.

  • Dsniff: dsniff is a collection of tools for network auditing and penetration testing. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.). arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker (e.g, due to layer-2 switching). sshmitm and webmitm implement active monkey-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI.


About the Author: Suhas A Desai

  • Undergraduate Computer Engineering Student,Walchand CE,Sangli,INDIA.

  • Previous Publications in area "Linux Based Biometrics Security with Smart Card" are include:ISA EXPO 2004,InTech Journal,TX,USA,IEEE Real Time and Embedded System symposium 2005,CA,USA.,e-Smart 2005,France.

  • Writes security newsletters and features for many security sites.

not enough explanantion... basic onlyWritten by mike on 2006-10-30 04:58:24
Nice, but i'd like more an indepth article on sniffers and more explanantion.  
Example, a - n00b - guy will now know when you start talking about " A machine in promiscuous ... ", without explaining what promiscuous mode is. 
Just a though for future whitepapers
responseWritten by chakravarthi on 2006-12-05 04:20:03
Good ,it cleared all my doubts
Very NiceWritten by sharmishta on 2007-02-02 03:31:24
Very Nice. 
It helped me looot.
Written by nice on 2007-04-09 04:42:41

Only registered users can write comments.
Please login or register.

Powered by AkoComment!

< Prev   Next >


Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
Feds Charged With Stealing Money During Silk Road Investigation
EFF questions US government's software flaw disclosure policy
Hotel Router Vulnerability A Reminder Of Untrusted WiFi Risks
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2015 Guardian Digital, Inc. All rights reserved.