How can I detect a protocol analyzer?

The article "How can I detect a protocol analyzer" is extracted by Jason Lee from www.Colasoft.com for knowledge sharing. For complete copy on this topic, please visit Sniffing (network wiretap, sniffer) FAQ.

In theory, it is impossible to detect packet sniffing programs because they are passive: they only collect packets, they don't transmit anything. However, in practice it is sometimes possible to detect sniffing programs. It is similar to how in theory it is impossible to detect radio/TV receivers, but European countries do it all the time in order to catch people avoiding the radio/TV tax.

A stand-alone protocol analyzer doesn't transmit any packets, but when installed non-standalone on a normal computer, the sniffing program will often generate traffic. For example, it might send out DNS reverse lookups in order to find names associated with IP addresses.

Non-standalone protocol analyzers are indeed what you want to detect. When crackers/hackers invade machines, they often install sniffing programs. You want to be able to detect this happening.

General Overview of Detection Method

Ping method


Most "protocol analyzers" run on normal machines with a normal TCP/IP stack. This means that if you send a request to these machines, they will respond. The trick is to send a request to IP address of the machine, but not to its Ethernet adapter.

To illustrate:

1. The machine suspected of running the protocol analyzer has an IP address 10.0.0.1, and an Ethernet address of 00-40-05-A4-79-32.


2. You are on the same Ethernet segment as the suspect (remember, the Ethernet is used only to communicate locally on a segment, not remotely across the Internet).


3. You change the MAC address slightly, such as 00-40-05-A4-79-33.


4. You transmit an "ICMP Echo Request" (ping) with the IP address and this new MAC address.


5. Remember that NOBODY should see this packet, because as the frame goes down the wire, each Ethernet adapter matches the MAC address with their own MAC address. If none matches, then they ignore the frame.


6. If you see the response, then the suspect wasn't running this "MAC address filter" on the card, and is hence sniffing on the wire.

There are ways defending against this. Now that this technique is widely publicized, newer hackers will enabled a virtual MAC address filter in their code. Many machines (notably Windows) have MAC filtering in drivers. (There is a hack for Windows: most drivers just check the first byte, so a MAC address of FF-00-00-00-00-00 looks like FF-FF-FF-FF-FF-FF (the broadcast address which all adapters accept). However, some adapters implement multicast in such as way that this address will match as a multicast, which is any address whose first byte is an odd number. Thus, this can result in false positives).

This technique will usually work on switched/bridged Ethernets. When switches see an unknown MAC address for the first time, they will "flood" the frame to all segments.

Ping method, part 2

The ping method can be enhanced in a number of ways:

1. Any protocol that generates a response can be used, such as a TCP connection request or a UDP protocol such as port 7 (echo).


2. Any protocol that might generate an error on the target machine might be used. For example, bad IP header values might be used to generate an ICMP error.


3. Sometimes a broadcast address (either a "local broadcast" like 255.255.255.255 or a "directed broadcast" like 10.0.0.255) needs to be used in order to bypass software IP address filtering. This then encounters another problem in that many machines do not respond to broadcast requests (responses to broadcasts causes network problems, such as the 'smurf' hack).

ARP method


The ARP method is similar to the ping method, but an ARP packet is used instead. An explanation (in Spanish) is given at http://www.apostols.org/projectz/neped/ which includes a program called neped to do this detection.

The simplest ARP method transmits an ARP to a non-broadcast address. If a machine responds to such an ARP of its IP address, then it must be in promiscuous mode.

A variation of this technique takes advantage of the fact that machines "cache" ARPs. Each ARP contains the complete information of both the sender as well as the desired target information. In other words, when I send out a single ARP to the broadcast address, I include my own IP-to-Ethernet address mapping. Everyone else on the wire remembers this information for the next few minutes. Therefore, you could do something like sending out a non-broadcast ARP, then a broadcast ping. Anybody who responds to your ping without ARPing you could only have gotten the MAC address from a sniffed ARP frame. (To make double-sure, use a different source MAC address in the ping).

DNS method


Many sniffing programs do automatic reverse-DNS lookups on the IP addresses they see. Therefore, a promiscuous mode can be detected by watching for the DNS traffic that it generates.

This method can detect dual-homed machines and can work remotely. You need to monitor incoming inverse-DNS lookups on the DNS server in your organization. Simply do a ping sweep throughout the company against machines that are known not to exist. Anybody doing reverse DNS lookups on those addresses are attempting to lookup the IP addresses seen in ARP packets, which only sniffing programs do.

This same technique works locally. Configure the detector in promiscuous mode itself, then send out IP datagrams to bad addresses and watch for the DNS lookups.

One interesting issue with this technique is that hacker-based sniffing programs tend to resolve IP addresses as soon as they are found, whereas commercial programs tend to delay resolution until the point where the protocol analyzer user views the protocol decodes.

Source-route method


Another technique involves configuring the source-route information inside the IP header. This can be used to detect protocol analyzers on other, nearby segments.

1. Create a ping packet, but put a loose-source route to force it by another machine on the same segment. This machine should have routing disabled, so that it will not in fact forward it to the target.


2. If you get a response, then it is likely the target sniffed the packet off the wire.


3. In the response, doublecheck the TTL field to find out if it' came back due to sniffing (rather than being routed correctly)

Details:

In loose source-routing, an option is added to the IP header. Routers will ignore the destination IP address and instead forward to the next IP address in the source-route option. This means when you send the packet, you can say "please send packet to Bob, but route it through Anne first".

In this scenario, both "Anne" and "Bob" are on the segment. Anne does not route, and therefore will drop the packet when received. Therefore, "Bob" will only respond if he has sniffed the packet from the wire.

On the off chance that Anne does indeed route (in which case Bob will respond), then the TTL field can be used to verify that Bob responded from routing through Anne, or answering directly.

The decoy method


Whereas the ping and ARP methods only work on the local network, the decoy method works everywhere.

Since so many protocols allow "plain text" passwords, and hackers run sifters looking for those passwords, the decoy method simply satisfies that need. It consists simply of setting up a client and a serve on either side of the network, which the client runs a script to logon to the server using Telnet, POP, IMAP, or some other plain-text protocol. The server is configured with special accounts that have no real rights, or the server is completely virtual (in which case, the accounts don't really exist).

Once a hacker sifts the usernames/passwords from the wire, he/she will then attempt to log on using this information. Standard intrusion detection systems or audit trails can be configured to log this occurance, alerting the fact that a sniffing hacker has found the traffic and attempted to use the information.

http://www.zurich.ibm.com/~dac/Prog_RAID98/Full_Papers/sniffer_detector.html/index.htm

Host method


When hackers break into your systems, they will often leave behind wiretap programs running in the background in order to sniff passwords and user accounts off the wire. These are often imbedded (as a trojan) in other programs, so the only way to find if something like this is running is to query the interfaces to see if they are running in promiscuous mode.

The most technique is to run the program "ifconfig -a". On my computer (Solaris 2.6) the output looks like:

# ifconfig -a

lo0: flags=849<UP,LOOPBACK,RUNNING,MULTICAST> mtu 8232

inet 127.0.0.1 netmask ff000000

hme0: flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,MULTICAST> mtu 1500

inet 192.0.2.99 netmask ffffff00 broadcast 192.0.2.255

ether 8:0:20:9c:a2:98



Of course, the first thing a hacker will do is replace the 'ifconfig' program to hide this. There are other utilities you can download from the net that will query the hardware directly in order to discover this information, or you could run the 'ifconfig' program directly from a CD-ROM distribution.

Latency method


This is a more evil method. On one hand, it can significantly degrade network performance. On the other hand, it can 'blind' protocol analyzers by sending too much traffic.

This method functions by sending huge quantities of network traffic on the wire. This has no effect on non-promiscuous machines, but has a huge effect on sniffing machines, especially those parsing application layer protocols for passwords. Simply ping the machine before the load and during the load and testing the difference in response time can indicate if the machine is under load.

One problem with this technique is that packets can be delayed simply because of the load on the wire, which may case timeouts and therefore false positives. On the other hand, many sniffing programs are "user mode" whereas pings are responded to in "kernel mode", and are therefore independent of CPU load on a machine, thereby causing false negatives.

TDR (Time-Domain Reflectometers)


A TDR is basically RADAR for the wire. It sends a pulse down the wire, then graphs the reflections that come back. An expert can look at the graph of the response and figure out if any devices are attached to the wire that shouldn't be. They also roughly tell where, in terms of distance along the wire, the tap is located.

This can detect hardware protocol analyzers that might be attached to the wire, but which are completely silent otherwise.

TDRs used to be used a lot in the old days of coax Ethernet in order to detect vampire taps, but these days with star topologies, they are used very rarely.

There also exist OTDR equipment, but this is really only for the truely paranoid.

Hub lights


You can manually check hub-lights to see if there are any connections you don't expect. It helps to have labeled cables to figure out where (physically) a protocol analyzer might be located.

SNMP monitoring


Smart hubs with SNMP management can provide automated monitroning of Ethernet (and other) hubs. Some management consoles will even let you log connections/disconnections to all your ports. If you've configured the system with the information where all the cables terminate, you can sometimes track down where a protocol analyzer might be hiding.

Ten Reasons Make protocol analyzers an Essential Network Tools

No matter whether you are network administrators or IT managers, you should not be unfamiliar to the network analysis tool - protocol analzyer, also known as a network analyzer, protocol analyzer or sniffer) which has been widely used by kinds of organizations, schools, enterprises, government institutions etc.

Maybe you are yet supirsed at why more and more enterprises, like IBM, Intel, Epson, Airbus, Ericsson etc, love to deploy protocol analzyer to their company’s network? OK, take a fresh coffee now, then look at the following problems, and ask yourself, as a network administrator or IT manager, if these issues are just what you have met?

Rushing from one network problem to another every day?

Have no way to judge if your network has been intruded?

Helpless collecting convincing information to submit your boss even if you have realized that your network system has been intruded.

No idea if current network usage is equal to actual need?

Know nothing of how many staffs are not killing their time by chatting with friends, browsing irrelevant webpage etc, but focusing on their job?

Yes, every question listed above has puzzled many network administrators, but no worry, protocol analzyer can easily help you out with its strong functions, here are ten reasons make protocol analzyers an essential network tools.

* Analyze network problems
* Detect network intrusion attempts
* Gain information for effecting a network intrusion
* Monitor network usage
* Gather and report network statistics
* Filter suspect content from network traffic
* Spy on other network users and collect sensitive information such as passwords (depending on any content encryption methods which may be in use)
* Reverse engineer proprietary protocols used over the network
* Debug client/server communications
* Debug network protocol implementations

Currently, there are dozens of protocol analzyers in the market, some are very complex to use like wireshark, you must be versed in networking,; some are designed for common network administrators, such as Colasoft Network Analyzer, all- in-one & easy –to use, which are more and more accepted and welcome.

Top 5 Most Welcomed Protocol Analyzers

According to the latest statistic from famous download sites regarding to downloads of protocol analyzer softwares, the following products are very honored to be listed as top 5 most welcome protocol analyzers by network engineers, IT managers, and network administrators etc.

#1 Wireshark- A Free Open Source Network Sniffer for Top Network Engineers

Wireshark (known as Ethereal until a trademark dispute in Summer 2006) is a fantastic open source network protocol analyzer for Unix and Windows. It allows you to examine data from a live network or from a capture file on disk. You can interactively browse the capture data, delving down into just the level of packet detail you need. Wireshark has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session. It also supports hundreds of protocols and media types. A tcpdump-like console version named tethereal is included. One word of caution is that Ethereal has suffered from dozens of remotely exploitable security holes, so stay up-to-date and be wary of running it on untrusted or hostile networks (such as security conferences).

#2 Colasoft Capsa - All-In-One & Easy-To-Use Network Analyzer and protocol analyzers Available For Most Network Administrators.

Colasoft Network Analyzer - Capsa performs real-time packet capturing, 24/7 network monitoring, advanced protocol analyzing, in-depth packet decoding, and automatic expert diagnosing. It allows you to get a clear view of the complex network, conduct packet level analysis, and troubleshoot network problems.

Whether you're a network administrator who needs to identify, diagnose, and solve network problems, a company manager who wants to monitor user activities on the network and ensure that the corporation's communications assets are safe, or a consultant who has to quickly solve network problems for clients, Capsa is the tool you need.

#3 Tcpdump: The Classic Sniffer For Network Monitoring And Data Acquisition

Tcpdump is the IP sniffer we all used before Ethereal (Wireshark) came on the scene, and many of us continue to use it frequently. It may not have the bells and whistles (such as a pretty GUI or parsing logic for hundreds of application protocols) that Wireshark has, but it does the job well and with fewer security holes. It also requires fewer system resources. While it doesn't receive new features often, it is actively maintained to fix bugs and portability problems. It is great for tracking down network problems or monitoring activity. There is a separate Windows port named WinDump. TCPDump is the source of the Libpcap/WinPcap packet capture library, which is used by Nmap among many other tools.

#4 Etherdetect : Connection-Oriented Packet Sniffer And Protocol Analyzer

EtherDetect protocol analyzer is an easy for use and award-winning protocol analyzer and network protocol analyzer, which provides a connection-oriented view for analyzing packets more effectively. With the handy tool, all you need to do is to set up the filter, start capturing, and view connections, packets as well as data on the fly.

#5 Ettercap : In Case You Still Thought Switched Lans Provide Much Extra Security

Ettercap is a terminal-based network sniffer/interceptor/logger for ethernet LANs. It supports active and passive dissection of many protocols (even ciphered ones, like ssh and https). Data injection in an established connection and filtering on the fly is also possible, keeping the connection synchronized. Many sniffing modes were implemented to give you a powerful and complete sniffing suite. Plugins are supported. It has the ability to check whether you are in a switched LAN or not, and to use OS fingerprints (active or passive) to let you know the geometry of the LAN.

How to Find MAC Address with Colasoft MAC Scanner and More

In computer networking, a Media Access Control address (MAC address) is a unique identifier assigned to most network adapters or network interface cards (NICs) by the manufacturer for identification, and used in the Media Access Control protocol sublayer. If assigned by the manufacturer, a MAC address usually encodes the manufacturer's registered identification number. It may also be known as an Ethernet Hardware Address (EHA), hardware address, adapter address, or physical address.

Since a MAC Address is unique for most network adapters or network interface cards (NICs), it is important for IT administrators to know all the MAC addresses in LAN so as to quickly locate a network device when a network issue arises. Luckily we have tools to help us out. Let’s see how we can easily find MAC address in LAN with Colasoft MAC Scanner.

Colasoft MAC Scanner is a Free software to find MAC address and IP address. It can automatically detect all subnets according to the IP addresses configured on multiple NICs of a machine and find MAC addresses and IP addresses of defined subnets as your need. Users can custom own scan process by specifying the subsequent threads.

Step 1. Download Colasoft MAC Scanner

Step2. Install Colasoft MAC Scanner

The installation of Colasoft MAC Scanner is quick and easy, it is suggested to install Colasoft MAC Scanner on a laptop as it only scans and finds MAC addresses and IP addresses in the subnet to which the laptop is connected.

Step3. Start a Scan

It’s easy and quick, just press the start button, the Colasoft MAC Scanner will scan and find MAC addresses and IP addresses in the subnet and list them out. The results can be “copy and paste” or exported for future reference.

Now the problem is: if a LAN is divided into several subnets, we’ll have to move the laptop around and scan each subnet in order to find all MAC addresses and IP addresses. Then what’s the solution?

Find MAC Address and IP Address with Colasoft protocol analyzer

Colasoft protocol analyzer allows us to find MAC addresses and IP addresses both local and remote in the network as long as there is network communication initiated.

>>>>Download Colasoft protocol analyzer Now

Find Out the Top Network Administrator Tools

Packet Sniffers / Network Protocol Analyzer

With packet sniffers and network protocol analyzers, you can monitor network activity, analyze network performance, enhance network security, and troubleshoot network issues.

1, Colasoft packet sniffer - Capsa http://www.colasoft.com/ Colasoft Capsa performs real-time packet capturing, 24/7 network monitoring, advanced protocol analyzing, in-depth packet decoding, and automatic expert diagnosing. It allows you to get a clear view of the complex network, conduct packet level analysis, and troubleshoot network problems.

2, Ethereal – http://www.ethereal.com/

3, EtterCap – http://ettercap.sourceforge.net/

4, Snort – http://www.snort.org/

5, WinDump / TCPDump - http://www.tcpdump.org/wpcap.html/

6, DSniff – http://naughty.monkey.org/~dugsong/dsniff/

Scanning Tools 1, Nmap – http://www.nmap.org/ Nmap is a port scanner. A port scanner scans for open ports, such as 80 (http) or 25 (SMTP)

2, Sam Spade – www.samspade.org/ Sam Spade is a multi network query tool with many extra built in utilities, even a tool for spam. It includes utilities such as ping, whois, traceroute, and finger 3, NetScanTools Pro ($199) –http://www.netscantools.com/nstmain.html NetScanTools Pro Edition is an integrated collection of internet information gathering utilities for Windows Vista/2008/2003/XP/2000. Use it to research IP addresses, hostnames, domain names, email addresses, URLs automatically** or with manual tools. 4, SuperScan – http://www.foundstone.com/ SuperScan has the primary purpose of scanning an IP range. It supports extremely fast Host Discovery lookups as well as TCP and UDP port scans thanks to its multi-threaded and asynchronous techniques.

UserManagement - http://www.tools4ever.com/ Complete user account management featuring advanced user creation, modification, removal, mass creation/removal and delegation of administrative tasks. The UserManagemeNT Suite consists of three modules, Professional, Import and Delegation. These modules can operate independently or seamlessly integrated with each other.

AdminMagic - http://www.tools4ever.com/ Full control: Using AdminMagic, you can take over and control users' desktops from your own workstation. Featuring complete mouse and keyboard emulation, you can execute programs, login/logoff, modify device drivers and reboot all from a central location. You can also take screenshots of remote desktops and store/print them for later use. Remote users will not be interrupted and can continue working as they always do. Advanced System Optimizer - http://www.systweak.com/ Advanced System Optimizer is a system tweaking suite that includes around 30 tools to improve and tweak your PC's performance. It offers an attractive and easy to use interface that organizes all tasks into categories and provides graphical statistics whenever possible. The tools include junk file cleaner, memory optimizer, system information, system files backup, file encryption, safe uninstaller, duplicate file finder, taskbar manager and much more. Advanced System Optimizer also includes an Internet tracks eraser with cookie manager and secure deletion, and even a desktop sticky notes application. Overall, a great bundle that offers a wide range of system tools with extra benefits that are hardly ever found.

Monitor Your Network Traffic with Colasoft protocol analyzer

Importance of network monitoring

Reading network traffic is essential for system administrators, network engineers, and security analysts. At some point there will be a need to read the network traffic directly instead of monitoring application level details. Examples of situations that might require monitoring network traffic are, auditing network security, debugging network configurations, and analyzing usage patterns. For this task we use network monitoring software, or protocol analyzers, that sniff the traffic your computer is able to see on the network. What exactly your computer can see really depends on how the network is laid out, but the easiest way to figure out what it can see is just start sniffing.

The most common tool to do the job is readily available. One of the most popular and easy – to - use tool for monitoring network traffic is Colasoft protocol analyzer.

How to Monitor Network Traffic

As a protocol analyzer, Capsa make it easy for us to monitor and analyze network traffic in its intuitive and information-rich tab views. With Capsa's network traffic monitor feature, we can quickly identify network bottleneck and detect network abnormities. This article is to discuss how we can monitor network traffic with Capsa's network traffic monitor feature.

1,Monitor network traffic in "Summary" tab

"Summary" is a view that provides general information of the entire network or the selected node in the "Explorer". In "Summary" we can get a quick view of the total traffic, real-time traffic, broadcast traffic, multicast traffic and so on. When we switch among the node from the explorer, corresponding traffic information will be provided.

(pic 1. monitor-network-traffic-in-summary)

2,Monitor network traffic in "Endpoints" tab

In "Endpoints" view, we can monitor network traffic information of each node, both local and remote. With its easy sorting feature we can easily find out which host is generating or has generated the largest traffic.

(pic 2. monitor-network-traffic-in-endpoints)

3,Monitor network traffic in "Protocols" tab

"Protocols" view will list all protocols applied in network transmission. In "Protocols" view we can monitor network traffic by each protocol. By analyzing network traffic by protocol, we can understand what applications are using the network bandwidth, for example "http" protocol stands for website browsing, "pop3" stands for email, etc.

(pic 3. monitor-network-traffic-by-protocol)

4,Monitor network traffic in "Conversations" tab

In "Conversations" tab we can monitor network traffic by each conversation and the figure out which conversation has generated the largest network traffic.

(pic 4. monitor-network-traffic-by-conversation)

5,Monitor network traffic in "Matrix" tab

"Matrix" is a view that visualizes all network connections and traffic details in one single graph. The weight of the lines between the nodes indicates the traffic volume and the color indicates the status. As we move the cursor on a specific node, network traffic details of the node will be provided.

(pic 5. monitor-network-traffic-in-Matrix)

6,Monitor network traffic in "Graphs" tab

If we want to get a trend chart of the network traffic, then we need to use the "Graphs" tab. "Graphs" view allows us view network statistics dynamically in different chart types, such as ling chart, bar chart, and pie chart. By selecting "Utilization" we get a real-time traffic trend chart.

(pic 6. monitor-network-traffic-in-graphs)

As we can see, with Capsa we can not only monitor network traffic in convenience, but also analyze network traffic in deferent levels, thus enables us quickly and efficiently detect network abnormities and troubleshoot network problems.

Kismet, an 802.11 Layer2 Wireless Network Detector and protocol analyzer

What is Kismet

Kismet is an 802.11 layer2 wireless network detector, protocol analyzer, and intrusion detection system. Kismet will work with any wireless card which supports raw monitoring (rfmon) mode, and can sniff 802.11b, 802.11a, 802.11n, and 802.11g traffic (devices and drivers permitting). Kismet identifies networks by passively collecting packets and detecting standard named networks, detecting (and given time, decloaking) hidden networks, and inferring the presence of non-beaconing networks via data traffic.

Feature Overview

Kismet has many features useful in different situations for monitoring wireless networks:

- Ethereal/Tcpdump compatible data logging
- Airsnort compatible weak-iv packet logging
- Network IP range detection
- Built-in channel hopping and multicard split channel hopping
- Hidden network SSID decloaking
- Graphical mapping of networks
- Client/Server architecture allows multiple clients to view a single Kismet server simultaneously
- Manufacturer and model identification of access points and clients
- Detection of known default access point configurations
- Runtime decoding of WEP packets for known networks
- Named pipe output for integration with other tools, such as a layer3 IDS like Snort
- Multiplexing of multiple simultaneous capture sources on a single Kismet instance
- Distributed remote drone sniffing
- XML output

Typical Uses

Common applications Kismet is useful for:

- Wardriving: Mobile detection of wireless networks, logging and mapping of network location, WEP, etc.
- Site survey: Monitoring and graphing signal strength and location.
- Distributed IDS: Multiple Remote Drone sniffers distributed throughout an installation monitored by a single server, possibly combined with a layer3 IDS like Snort.
- Rogue AP Detection: Stationary or mobile sniffers to enforce site policy against rogue access points.

Download

Kismet can be downloaded here