This week, advisories were released for openoffice, xine-lib, ppp, gnupg, mutt, libmms, samba, cups, apache2, kernel, and vixie-cron. The distributors include Debian, Mandriva, and Red Hat.


Earn an NSA recognized IA Masters Online - The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.


Packet Sniffing Overview
Suhas Desai

A packet sniffer is a program that monitors the network traffic passing through your computer. A packet sniffer running on a PC connected to the internet over a modem can tell you your current IP address as well as the IP addresses of the web servers whose sites you are visiting. You can watch all the unencrypted data that travels from your computer onto the internet, which includes passwords and other sensitive data not protected by encryption. Put a packet sniffer on a router on the internet, and you can watch all the network traffic that passes through that router, from absolutely anyone whose data happens to cross it.

Sniffers are basically data interception programs. They work because Ethernet was built around a principle of sharing. Most networks use what is known as broadcast technology, meaning that every message transmitted by one computer on a network can be read by any other computer on that network. In practice, all the other computers, except the one for which the message is meant, will ignore that message. A sniffer, however, makes a computer accept messages even when they are not meant for it.

A sniffer is usually passive: it only collects data. Hence, it becomes extremely difficult to detect a sniffer. When installed on a computer, though, a sniffer will generate some small amount of traffic, and is therefore detectable. Detection methods:

1. Ping Method:

The trick used here is to send a ping request with the IP address of the suspect machine but not its MAC address. Ideally, no machine should see this packet, as each Ethernet adaptor will reject it since it does not match its own MAC address. If the suspect machine is running a sniffer, it will respond since it does not reject packets with a different destination MAC address. This is an old method and no longer reliable.

2. Address Resolution Protocol (ARP) Method:

A machine caches ARP entries, so what we do is send a non-broadcast ARP frame. A machine in promiscuous mode will cache our address from it. Next, we send a broadcast ping packet with our IP address but a different MAC address. Only a machine that has our correct MAC address from the sniffed ARP frame will be able to respond to our broadcast ping request.

3. Check on the Local Host:

Often, after your machine has been compromised, hackers will leave sniffers on it in order to compromise other hosts. On a local machine, run ifconfig.

4. Latency Method:

This method is based on the assumption that most sniffers do some parsing. Simply put, a huge amount of data is sent on the network, and the suspect machine is pinged before and during the data flooding. If the machine is in promiscuous mode, it will parse the data, increasing the load on it, and will therefore take extra time to respond to the ping packet. This difference in response times can be used as an indicator of whether or not a machine is in promiscuous mode. A point worth noting is that packets may be delayed because of the load on the wire, resulting in false positives.

Read Full Article: features/features/packet-sniffing-overview


Security on your mind?

The Community edition of EnGarde Secure Linux is completely free and open source. Updates are also freely available when you register with the Guardian Digital Secure Network.


LinuxSecurity.com Feature Extras:

    EnGarde Secure Linux v3.0.7 Now Available - Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.7 (Version 3.0, Release 7). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool and the SELinux policy, several updated packages, and several new packages available for installation.

    Linux File & Directory Permissions Mistakes - One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.

Take advantage of our Linux Security discussion list! This mailing list is for general security-related questions and comments. To subscribe, send an e-mail to the list address with "subscribe" as the subject.

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headline.


Debian
Debian: New OpenOffice.org packages fix arbitrary code execution
6th, July, 2006

Loading malformed XML documents can cause buffer overflows in OpenOffice.org, a free office suite, and cause a denial of service or execute arbitrary code. It turned out that the correction in DSA 1104-1 was not sufficient, hence, another update.

advisories/debian/debian-new-openofficeorg-packages-fix-arbitrary-code-execution-79391
Debian: New xine-lib packages fix denial of service
7th, July, 2006

Federico L. Bossi Bonin discovered a buffer overflow in the HTTP plugin in xine-lib, the xine video/media player library, that could allow a remote attacker to cause a denial of service.

advisories/debian/debian-new-xine-lib-packages-fix-denial-of-service
Debian: New ppp packages fix privilege escalation
10th, July, 2006

Marcus Meissner discovered that the winbind plugin in pppd does not check whether a setuid() call has been successful when trying to drop privileges, which may fail with some PAM configurations.

advisories/debian/debian-new-ppp-packages-fix-privilege-escalation
Debian: New GnuPG packages fix denial of service
10th, July, 2006

Evgeny Legerov discovered that gnupg, the GNU privacy guard, a free PGP replacement, contains an integer overflow that can cause a segmentation fault and possibly overwrite memory via large user ID strings.

advisories/debian/debian-new-gnupg-packages-fix-denial-of-service-59773
Debian: New mutt packages fix arbitrary code execution
10th, July, 2006

Updated package.

advisories/debian/debian-new-mutt-packages-fix-arbitrary-code-execution
Mandriva
Mandriva: Updated libmms packages fix buffer overflow vulnerability
7th, July, 2006

Stack-based buffer overflow in MiMMS 0.0.9 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via the (1) send_command, (2) string_utf16, (3) get_data, and (4) get_media_packet functions, and possibly other functions. Libmms uses the same vulnerable code. The updated packages have been patched to correct this issue.

Mandriva: Updated OpenOffice.org packages fix various vulnerabilities
8th, July, 2006

OpenOffice.org 1.1.x up to 1.1.5 and 2.0.x before 2.0.3 allows user-complicit attackers to conduct unauthorized activities via an OpenOffice document with a malicious BASIC macro, which is executed without prompting the user.

Mandriva: Updated ppp packages fix plugin vulnerability
11th, July, 2006

Marcus Meissner discovered that pppd's winbind plugin did not check the result of the setuid() call, which could allow an attacker to exploit this on systems with certain PAM limits enabled to execute the NTLM authentication helper as root. This could possibly lead to privilege escalation dependent upon the local winbind configuration. Updated packages have been patched to correct this issue.
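The defect behind both ppp advisories in this issue (Debian, 10 July, and this Mandriva entry) is a privilege drop whose setuid() return value is never examined. The following is an added example, not the winbind plugin's own code, of a drop that checks and then verifies every step, refusing to run the helper if any of them fails; the helper path, the command-line arguments and the use of RLIMIT_NPROC as the illustrative failure cause are assumptions for illustration.

```c
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop to uid/gid, checking every call. Returns 0 on success,
 * -1 with errno set on any failure. setuid() can fail even for root, for
 * example with EAGAIN when the target uid is already at its RLIMIT_NPROC
 * process limit (the PAM limits case the advisory refers to); ignoring
 * that result is exactly how a helper ends up running as root. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Supplementary groups first, while we are still root. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)       /* the result the plugin ignored */
        return -1;
    /* Verify rather than trust: all ids must match ... */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    /* ... and a non-root target must not be able to climb back to root. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Runs a helper only after a verified privilege drop; returns -1 without
 * executing anything if the drop failed. `helper` is a hypothetical path. */
int run_helper_unprivileged(const char *helper, uid_t uid, gid_t gid)
{
    if (drop_privileges(uid, gid) != 0) {
        fprintf(stderr, "refusing to run %s: privilege drop failed: %s\n",
                helper, strerror(errno));
        return -1;
    }
    execl(helper, helper, (char *)NULL);
    return -1;  /* only reached if exec itself failed */
}

int main(int argc, char **argv)
{
    /* Constructed usage: drop to the caller's own ids (works unprivileged)
     * or, when started as root, to the uid and gid given on the command line. */
    uid_t uid = argc > 1 ? (uid_t)strtoul(argv[1], NULL, 10) : getuid();
    gid_t gid = argc > 2 ? (gid_t)strtoul(argv[2], NULL, 10) : getgid();
    if (drop_privileges(uid, gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("now uid=%u gid=%u\n", (unsigned)getuid(), (unsigned)getgid());
    return 0;
}
```

The post-drop verification matters as much as the return-value check: on a system where setuid() fails, the process is still root, and the only safe response is to abort before executing anything on the caller's behalf.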

Mandriva: Updated samba packages fix DoS vulnerability
11th, July, 2006

A vulnerability in samba 3.0.x was discovered where an attacker could cause a single smbd process to bloat, exhausting memory on the system. This bug is caused by continually increasing the size of an array which maintains state information about the number of active share connections. Updated packages have been patched to correct this issue.

Mandriva: Updated cups packages to address initscript bug
11th, July, 2006

A bug in the cupsd initscript could prevent a system from coming fully online if the CUPS daemon does not actually get started (for example if the CUPS config or cache files are corrupted or port 631 is blocked), because the script continuously checks whether the cups server is available without a timeout. Updated packages are provided that correct the issue.

Mandriva: Updated libmms packages fix buffer overflow vulnerability
12th, July, 2006

The previous update for libmms had an incorrect/incomplete patch. This update includes a more complete fix for the issue.

Mandriva: Updated xine-lib packages fix buffer overflow vulnerability
12th, July, 2006

The updated packages have been patched to correct this issue.

Mandriva: Updated apache2 packages to address logging bug
12th, July, 2006

A patch applied to the build of apache2, when built on x86_64, can cause various issues in logging.

Red Hat
RedHat: Important: kernel security update
7th, July, 2006

Updated kernel packages that fix a privilege escalation security issue in the Red Hat Enterprise Linux 4 kernel are now available. This security advisory has been rated as having important security impact by the Red Hat Security Response Team.

advisories/red-hat/redhat-important-kernel-security-update-85756
RedHat: Important: vixie-cron security update
12th, July, 2006

Updated vixie-cron packages that fix a privilege escalation issue are now available. This update has been rated as having important security impact by the Red Hat Security Response Team.

advisories/red-hat/redhat-important-vixie-cron-security-update-RHSA-2006-0539-01
RedHat: Moderate: php security update
12th, July, 2006

Updated PHP packages that fix multiple security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

advisories/red-hat/redhat-moderate-php-security-update-38610
RedHat: Moderate: mutt security update
12th, July, 2006

Updated mutt packages that fix a security issue are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

advisories/red-hat/redhat-moderate-mutt-security-update-RHSA-2007-0386-01