I am sure most of you have heard the term "packet sniffer".
My question is, do you know what they are and how they can help/hinder
you? In this article I would like to introduce three of the most
powerful packet sniffers available. The most attractive feature
of all of these sniffers is that they are free. You read that right.
They are 100% free. They are also available for a variety of platforms.
I am sure you already know what I am going to say next. These
are tools that hackers use every day. Make sure that you have
permission to be using these tools. You can be arrested, fined,
and even imprisoned for using these tools where you shouldn't
be using them.
I do not condone the use of these tools for any purpose other
than to educate yourself and to establish and test security on
your own network. In other words, use your head and don't do anything
that will get you in trouble. 'Nuff said.
Now, get a fresh cup of coffee, lock the office door, and let's
do some sniffing! Read on, download, and enjoy!
A packet sniffer is probably best known for its ability to "sniff"
plain text passwords. Be aware that this is not the only use for
packet sniffers. Packet sniffers can also be used for many types
of network analysis including traffic analysis and dropped packet
analysis. Excellent documentation can be found at the Ethereal and
Analyzer home pages (see below). Also, there are techniques to detect
a machine that is sniffing packets on your network; go here to find
A packet sniffer is rarely the only tool used for an attack.
The reason for this is simple. A sniffer only works in what is
known as a common collision domain. A common collision domain
is a network segment that is not switched or bridged (ie. connected
hub). Any traffic that is not switched or bridged on a network
segment can be seen by all machines on that segment.
Certification Program is dedicated to
ensuring you have the right skills
for success in today's fast paced,
In other words, let's say that you have a network segment that
is part of a larger subnet. All of the machines in this segment
are connected to a hub (rather than a switch). All of the other
segments of this subnet are configured in the same manner. Now,
assume all of
these seperate network segments are connected to each other via
a switch (see my cheesy diagram below). A packet sniffer being
run on segment A will not see any traffic from segments B or C
traffic or traffic aimed directly at the machine running the
sniffer. Now, if all of the segments were connected to each other
through a hub (rather than a switch), a packet sniffer on segment A
would see traffic in segments B and C.
There are generally only two ways that a sniffer can be used against
you. The first instance would be when your physical security has
been compromised. This is when some rogue machine can actually
physically connect to your network. (ie. someone walks in with
a laptop and plugs into your network) Now I have an interesting
point in regard to this involving wireless LAN technology. Someone
sitting in the parking lot with a laptop and a wireless NIC can
connect to your network the same as if he walked through the front
door and plugged directly into your hub. That is why I always
recommend using password encryption, especially with wireless
networks. Chances are, anyone who comes up against encrypted passwords
on your network will just move on to the next network.
The second method usually involves a Trojan horse. The two
that I am most aware of are known as Back Orifice and Netbus.
These are softwares that can be easily hidden on your machine
and can give the attacker more control of your keyboard and
mouse than you have. (It is very similar in concept to VNC Viewer
from AT+T labs - Check this article out: http://www.networknewz.com/2001/0702.html)
I am more familiar with Back Orifice than Netbus, so I will
use it for an example. The attack is usually deployed by someone
who has discreetly attached the Back Orifice server (which is
tiny) to some executable and then mailed it to the victim. A
plugin known as "Butt Trumpet" is usually used in
conjunction with the Back Orifice Trojan. Butt Trumpet will
send the attacker an email (to his anonymous free email account)
when the server has been installed. Once the attacker knows
that the victim's machine has been compromised, the attacker
could then send another email to the machine with a packet sniffer
attached and no one would be there to stop the attacker from
installing and using it, that is if the attacker was in the
least bit discreet.
By the way, Back Orifice hides all of the installation files
after it has been installed so that it is very difficult to
detect. If you suspect that you have a machine that is infected
with Back Orifice, you will need to download software over the
internet that can check to see if your machine is infected.
If it is in fact infected, you will have to download more software
to remove it.
To learn more about Back Orifice and Netbus detection and removal,
To find out more than you probably need to know about Back Orifice,
Think Oracle9i- the complete e-business
All you need to meet the
demands of e-business. Oracle has defined
nine keys to success. Click here for this
week's key. Think Fast, Think Simple,
Now, out with the software. The three softwares listed are free
and fall under either the GNU Public License (GPL) available here:
or under a BSD style license (for Analyzer) available here:
==> Ethereal 0.8.18 Freeware GPL license
Windows (6.05 Mb)
Linux/Unix/BSD source (1.8 Mb)
Mac OS-X (1.35 Mb)
Ethereal is available as binaries for almost any platform that
you can imagine: http://www.ethereal.com/download.html
Ethereal is a free network protocol analyzer for Unix and Windows.
It allows you to examine data from a live network or from a capture
file on disk. You can interactively browse the capture data, viewing
summary and detail information for each packet. Ethereal has several
powerful features, including a rich display filter language and
the ability to view the reconstructed stream of a TCP session.
Recent versions of Ethereal have included many enhancements to
the interface. Under the "Display" menu, you can now
jump to a particular frame, find a frame in the list, and match
a frame's component. The filter entry box now sports a popup list,
similar to many web browsers. The TCP stream window can display
the client and server data in different colors.
For excellent documentation on Ethereal go here:
==> dsniff 2.3 Freeware GPL license
Linux/Unix/BSD source (132 Kb)
Windows port (older version- 1.8) (287 Kb)
dsniff is a collection of tools for network auditing and penetration
testing. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and
webspy passively monitor a network for interesting data (passwords,
e-mail, files, etc.). arpspoof, dnsspoof, and macof facilitate
the interception of network traffic normally unavailable to an
attacker (e.g, due to layer-2 switching). sshmitm and webmitm
implement active monkey-in-the-middle attacks against redirected
SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI.
These tools were written with honest intentions - to audit the
author's network, and to demonstrate the insecurity of most network
application protocols. Please do not abuse this software.
FAQ is here:
Additional Windows info:
==> Analyzer 2.1 Freeware BSD style license
Windows (2.04 Mb)
NOTE: Requires WinPcap (679 Kb) available here:
Analyzer is a fully configurable network analyzer program for
Win32 environment. Analyzer is able to capture packets on all
platforms (and link-layer technologies) supported by WinPcap.
This program is current being developed at Politecnico di Torino;
main contributors include Loris Degioanni, Paolo Politano, Fulvio
Risso and Piero Viano and it is released under a BSD-style licence.
This work has been partially sponsored by Microsoft Research.
WARNING: Analyzer is a tool that is still under development.
Please be patient when you use it.
NOTE: Install WinPcap before analyzer. It is the packet driver
that Analyzer relies on for operation.
For more security related information and downloads check out
We at the Editorial Team would like to thank all our readers
for reading NetworkNewz. We hope you find this information useful.
Also, questions, suggestions and comments are always welcome.