> From: Gary Mills
> Sent: Thursday, January 29, 1998 1:20:42 PM
> To: firewalls @
> Subject: Sniffer tools
> I was at a security conference this year and someone mentioned a tool to
> find out if someone has a sniffer on your network. Does any one have a idea
> of what that might be?
> Gary Mills
> gary .
Since a Sniffer is a passive device, it is impossible to tell unless you monitor the
hardware such as a Unix box, that can be running the Sniffer. This has already
been pointed out. The best thing to do is take preventative measures. Switching is
very effective. If every device has it's own switched port, then anyone sniffing
on that port will only see traffic destined for the MAC address on that port.
Of course broadcasts are an exception, and yes a sophisticated hacker can
gleen some information from broadcasts that can be used to break in to
a host, but this requires a much greater level of sophistication than what it
takes to run a sniffer program. The other problem is that if someone runs a sniffer
on a server, that has multiple sessions on the same switched port, those sessions
will still be vulnerable to sniffing. Here you want to watch for promiscuous mode
etc. on the host as was discussed in other posts.
Another step you can take is encryption. Applications that encrypt passwords
is a good first step because it takes very little skill to run a Sniffer and find
passwords. Once you've got the passwords and logins, it's a no-brainer.
The next step is to encrypt the data itself.