A sniffer is any device, software or hardware, that captures information traveling along a network. That network could be running any protocol: Ethernet, TCP/IP, IPX, or others (or any combination of these). The sniffer places the Ethernet adapter into promiscuous mode and, by doing so, captures all network traffic.
A sniffer can be a combination of both hardware and software. The software might be a general network analyzer enabled with heavy debugging options, or it might be a real sniffer.
NOTE: Promiscuous mode is the mode in which a workstation on a network listens to all traffic, not simply its own. In non-promiscuous mode a workstation listens only to traffic addressed to it; in promiscuous mode it listens to all traffic, whatever address that traffic was intended for.
A sniffer must be located within the same network block (or net of trust) as the network it is intended to sniff. With relatively few exceptions, that sniffer could be placed anywhere within that block.
Sniffers can catch more than user IDs and passwords: they can capture sensitive financial data (credit-card numbers), confidential information (e-mail), and proprietary information. Depending on the resources available to the cracker, a sniffer can capture nearly all traffic on a network.
Sniffers were designed as tools for diagnosing network problems and monitoring network activity, as aids to network engineers, not for compromising networks.
Detecting a sniffing device that only collects data and never responds to any of it requires physically checking all your Ethernet connections, walking around and inspecting each connection individually.
It is also impossible to check remotely, by sending a packet or a ping, whether a machine is sniffing.
Sniffers are largely passive applications and generate no traffic of their own. In other words, they leave no trace on the system.
One way to detect a sniffer is to search all currently running processes. This isn't entirely reliable, of course, but you can at least determine whether a sniffer process is running on your own machine.
Some utilities can tell whether your system has been put into promiscuous mode; these at least reveal whether a running sniffer would even work under your current configuration. Nitwit.c is one such utility.
On SunOS, NetBSD, and other BSD-derived Unix systems, the command "ifconfig -a" reports information about all interfaces, including whether they are in promiscuous mode.
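The following shell script is an added example, not part of the original article: it automates the "ifconfig -a" check by parsing interface listings for the PROMISC flag, in the BSD/SunOS and net-tools "name: flags=" format, the older net-tools "Link encap:" format, and the Linux "ip link" format. The sample listings embedded in it are constructed for the demonstration; check_host is the function to run on a live system.

```shell
#!/bin/sh
# Added example (not from the original article): list interfaces whose
# flags include PROMISC, i.e. the condition "ifconfig -a" reveals.
# Understood formats: BSD/SunOS and current net-tools ("name: flags=NNN<...>"),
# old net-tools ("name  Link encap:" followed by an "UP ... MTU:" line),
# and Linux "ip link" ("N: name: <...>"). Reads the listing on stdin and
# prints one interface name per line.
promisc_ifaces() {
    awk '
        /^[^ \t]+: flags=[0-9]+</ {           # le0: flags=8863<UP,...,PROMISC,...> mtu 1500
            name = $1; sub(/:$/, "", name)
            if ($2 ~ /[<,]PROMISC[,>]/) print name
            next
        }
        /^[0-9]+: [^ ]+: </ {                 # 2: eth0: <BROADCAST,...,PROMISC,...> mtu 1500
            name = $2; sub(/:$/, "", name); sub(/@.*/, "", name)
            if ($3 ~ /[<,]PROMISC[,>]/) print name
            next
        }
        /^[^ \t]+ +Link encap:/ { name = $1; next }   # old net-tools header line
        / MTU:[0-9]+/ && / PROMISC / { print name }   # its flag line
    '
}

# Run against the live host: ifconfig where it exists, otherwise ip link.
check_host() {
    { ifconfig -a 2>/dev/null || ip link 2>/dev/null; } | promisc_ifaces
}

# Constructed sample listings (not captured from any real host); le0 and eth1
# are in promiscuous mode, the other interfaces are not.
BSD_SAMPLE='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 8232
        inet 127.0.0.1 netmask ff000000
le0: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,MULTICAST> mtu 1500
        inet 192.0.2.10 netmask ffffff00 broadcast 192.0.2.255'
LINUX_SAMPLE='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff'

printf '%s\n' "$BSD_SAMPLE" | promisc_ifaces     # prints: le0
printf '%s\n' "$LINUX_SAMPLE" | promisc_ifaces   # prints: eth1
```

This check only sees the flag on the host it runs on: a sniffer attached through a hardware tap or a mirror port sets no flag on any of your machines, which is why the physical inspection above remains necessary. On Linux, "ip -d link" additionally prints a "promiscuity" counter for each interface.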
Several packages provide encryption between connections, so an intruder could capture the data but could not decipher it and make any use of it.
A product called Secure Shell, or SSH, is one of them. SSH is a protocol that provides secure communications in an application environment such as Telnet.
One-time passwords such as S/Key may be used to protect passwords.
Active hubs send each system only the packets intended for it, rendering promiscuous sniffing useless. This is only effective for 10BASE-T.
The generally accepted way to defeat sniffer attacks is to employ a safe topology. Here are the rules: