Detect Ethernet Sniffers Remotely

Detect potential spies on your network without having to trust compromised machines.

Ethernet sniffers are one of the most powerful tools in your network security arsenal. However, in the wrong hands they can be one of the biggest threats to the security of your network. Whether the attacker is an insider or a malicious intruder, once a system has been compromised they will most likely begin sniffing the local network. This network reconnaissance helps these “spies” find their next target, or simply collect juicy bits of information (such as usernames and passwords, email, or other sensitive data).

Not too long ago, it was commonly thought that only shared-medium Ethernet networks were vulnerable to being sniffed. These networks employed a central hub, which would rebroadcast every transmitted packet to each port on the hub. In this type of setup, every frame sent by any network node is received by every other node on the local network segment. Each node’s network interface then performs a quick check to see if it is the node that the frame is destined for. If it is not, the frame is discarded. If it is, the frame is passed up through the operating system’s protocol stack and is eventually processed by an application. Because of this, sniffing other systems’ traffic on the network was trivial. After all, since all the traffic was reaching each system, one only needed to disable the check that the network interface performs, and ...
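The following is an added example (not from the book) that models the destination check a network interface performs on each frame, as described above, and pairs it with the local defender's check that the remote technique in this hack is meant to avoid relying on: reading the interface flag word from Linux sysfs and testing the IFF_PROMISC bit. The MAC addresses and frames are constructed for illustration; the flag values come from the Linux `<linux/if.h>` header. The sysfs path `/sys/class/net/<iface>/flags` is the kernel's own flag word, which is why it is a better local indicator than the output of older tools that only report flags set administratively.

```python
"""NIC destination filter model plus a local promiscuous-mode check (Linux).

Added example; not the book's code. MAC addresses below are constructed.
"""
import os
import struct

BROADCAST_MAC = b"\xff" * 6

# Interface flag bits from <linux/if.h>
IFF_UP = 0x1
IFF_PROMISC = 0x100


def mac_str(mac: bytes) -> str:
    """Render a 6-byte MAC as colon-separated hex."""
    return ":".join(f"{b:02x}" for b in mac)


def parse_ethernet_header(frame: bytes):
    """Return (dst, src, ethertype) from a raw Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a 14-byte Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return dst, src, ethertype


def build_frame(dst: bytes, src: bytes, ethertype: int = 0x0800, payload: bytes = b"") -> bytes:
    """Assemble a minimal Ethernet II frame (constructed test input)."""
    return struct.pack("!6s6sH", dst, src, ethertype) + payload


def nic_accepts(frame: bytes, my_mac: bytes, promiscuous: bool = False) -> bool:
    """The hardware check the text describes.

    A normal interface passes a frame up the stack only if it is unicast to
    its own address, broadcast, or a group (multicast) address. In
    promiscuous mode that check is disabled and every frame is accepted,
    which is what makes a shared-medium network trivially sniffable.
    """
    dst, _, _ = parse_ethernet_header(frame)
    if promiscuous:
        return True
    if dst == my_mac or dst == BROADCAST_MAC:
        return True
    # Least-significant bit of the first octet is the group (multicast) bit.
    return bool(dst[0] & 0x01)


def is_promiscuous(flags_hex: str) -> bool:
    """Interpret the contents of /sys/class/net/<iface>/flags, e.g. '0x1103'."""
    return bool(int(flags_hex.strip(), 16) & IFF_PROMISC)


def check_local_interfaces(sysfs_root: str = "/sys/class/net") -> dict:
    """Map each interface name to True if the kernel flags it promiscuous.

    Returns an empty dict on hosts without sysfs (non-Linux or sandboxed).
    """
    result = {}
    if not os.path.isdir(sysfs_root):
        return result
    for iface in sorted(os.listdir(sysfs_root)):
        try:
            with open(os.path.join(sysfs_root, iface, "flags")) as fh:
                result[iface] = is_promiscuous(fh.read())
        except OSError:
            continue  # virtual or vanished interface; skip it
    return result


if __name__ == "__main__":
    # Constructed addresses for the demonstration
    MY_MAC = bytes.fromhex("001122334455")
    OTHER_MAC = bytes.fromhex("00aabbccddee")
    to_me = build_frame(MY_MAC, OTHER_MAC)
    to_other = build_frame(OTHER_MAC, MY_MAC)
    print("frame to me, normal mode:      ", nic_accepts(to_me, MY_MAC))
    print("frame to other, normal mode:   ", nic_accepts(to_other, MY_MAC))
    print("frame to other, promiscuous:   ", nic_accepts(to_other, MY_MAC, promiscuous=True))
    for name, promisc in check_local_interfaces().items():
        print(f"{name}: {'PROMISCUOUS' if promisc else 'normal'}")
```

The local check is only as trustworthy as the host it runs on: a rootkit on a compromised machine can hide the flag, which is the point the hack's title makes. Use it on hosts you control as a cross-check, and watch the kernel log for the "entered promiscuous mode" message it emits when the flag is set.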
