CEH

Chapter 9 ■ Sniffers


Detecting Sniffing Attacks


Aside from pure defensive tactics, it is possible to be proactive and use detection techniques
designed to locate sniffing attempts and shut them down. These methods include:
■ Look for systems running network cards in promiscuous mode. Under normal circumstances
there is little reason for a network card to be in promiscuous mode, so any card found
running this way should be investigated. Expect a short list of legitimate exceptions, such
as IDS sensors, packet-capture appliances, and virtualization hosts that bridge guest traffic,
and account for them before raising an alarm.
■ Run an NIDS to detect the telltale signs of sniffing and track it down. Sniffing itself is
passive, so what an NIDS actually sees are the active steps an attacker takes to sniff on a
switched network: ARP replies that change an existing IP-to-MAC mapping, floods of
frames from random source MACs, or bursts of reverse DNS lookups as a sniffer resolves
the addresses it captures.
■ Network monitoring tools such as HP's Performance Insight can provide a way to view the
network and identify strange traffic.
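The first method above can be checked both locally and remotely. The following is an added example written for this page, not code from the book: it parses the interface state a Linux host reports (the PROMISC flag in `ip -o link show`, or bit 0x100 of /sys/class/net/<iface>/flags) and it builds the classic remote probe, an ARP request addressed to a bogus unicast MAC that a normal NIC discards in hardware but a promiscuous NIC passes up to the kernel, which then answers. The interface names, MAC addresses and IPs are constructed sample data, and `send_probe` is only a sketch of transmission (it is not exercised by the sample run).

```python
# Added example (not from the book): two ways to check for promiscuous-mode
# NICs. The first parses local interface state on Linux; the second builds the
# classic remote probe, an ARP request addressed to a bogus unicast MAC.
# Interface names, MACs and IPs below are constructed sample data.
import re
import socket
import struct

IFF_PROMISC = 0x100  # bit 8 of /sys/class/net/<iface>/flags on Linux


def promisc_from_sysfs_flags(flags_by_iface):
    """flags_by_iface maps an interface name to the hex string found in
    /sys/class/net/<name>/flags. Returns the names with IFF_PROMISC set."""
    return sorted(name for name, hexval in flags_by_iface.items()
                  if int(hexval, 16) & IFF_PROMISC)


IP_LINK_LINE = re.compile(r"^\d+:\s+(?P<name>[^:@]+)(?:@\S+)?:\s+<(?P<flags>[^>]*)>")


def promisc_from_ip_link(output):
    """Parse the text of `ip -o link show` and return interfaces whose flag
    list contains PROMISC (the same kernel bit as above)."""
    found = []
    for line in output.splitlines():
        m = IP_LINK_LINE.match(line)
        if m and "PROMISC" in m.group("flags").split(","):
            found.append(m.group("name"))
    return found


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def _ipv4(text):
    return socket.inet_aton(text)


def build_arp_probe(src_mac, src_ip, target_ip, dst_mac="ff:ff:ff:ff:ff:fe"):
    """Build an Ethernet frame carrying an ARP request for target_ip but
    addressed to a MAC that is neither broadcast nor the target's own.
    A NIC in normal mode drops such a frame in hardware; a NIC in promiscuous
    mode hands it to the kernel, which answers the ARP request. A reply
    therefore points to a promiscuous interface at target_ip."""
    ethernet = _mac(dst_mac) + _mac(src_mac) + b"\x08\x06"   # EtherType ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)          # Ethernet/IPv4, request
    arp += _mac(src_mac) + _ipv4(src_ip)                     # sender hw / proto addr
    arp += b"\x00" * 6 + _ipv4(target_ip)                    # target hw / proto addr
    return ethernet + arp


def send_probe(iface, frame):
    """Transmit the probe on a Linux raw socket (needs CAP_NET_RAW). Not run
    by the sample below; watch for ARP replies with tcpdump or Wireshark."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as s:
        s.bind((iface, 0))
        s.send(frame)


# Constructed sample of `ip -o link show` output: only eth1 has PROMISC set.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\\    link/ether 52:54:00:aa:bb:01 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\\    link/ether 52:54:00:aa:bb:02 brd ff:ff:ff:ff:ff:ff
"""

if __name__ == "__main__":
    print("PROMISC via ip link:", promisc_from_ip_link(SAMPLE_IP_LINK))
    print("PROMISC via sysfs:", promisc_from_sysfs_flags({"eth0": "0x1003", "eth1": "0x1103"}))
    probe = build_arp_probe("52:54:00:aa:bb:01", "192.0.2.10", "192.0.2.20")
    print("probe frame:", probe.hex())
```

Two caveats when using the ARP probe for real: it only works inside the same broadcast domain, since ARP does not cross routers, and which bogus destination MACs a host will answer depends on how its network stack filters frames, so scanners such as nmap's sniffer-detect script try several patterns rather than one. A host that answers is a candidate for investigation, not proof of an attack; cross-check it against the list of systems that are expected to run in promiscuous mode.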

Exam Essentials


Know the purpose of sniffing. Sniffing is a technique used to gather information as it
flows across the network. Sniffing can be performed with software such as Wireshark or
tcpdump, or with dedicated hardware devices known as protocol analyzers.

Understand your targets. For each target, know what type of information you are looking
for—passwords, data, or something else.

Know what makes sniffing possible. Sniffing is possible because traffic is sent in the clear
and because the attacker has access to the network. Switching a network card into
promiscuous mode makes it accept every frame that reaches it, not only frames addressed to
its own MAC. On a hub or a mirrored port that is all traffic on the segment; on a switch it is
only what the switch forwards to that port, which is why the switched-network techniques
covered in this chapter are needed.

Know your defenses. Know that techniques such as encryption, IPSec, SSL/TLS, SSH, and
VPNs can provide effective countermeasures against sniffing: the sniffer still captures the
packets, but it cannot read the payload. Encryption does not hide which hosts are talking,
when, or how much, so pair it with the other defensive actions reviewed in this chapter and
with the detection methods above.

Summary


This chapter covered what a sniffer is and how it works. You learned about two common
sniffing utilities, Wireshark and tcpdump. You saw the importance of Wireshark display
filters for real-world filtering and exam preparation. This chapter briefly touched on the
command-line counterparts to the Wireshark GUI that provide similar functionality.
You also captured some packets with both Wireshark and tcpdump, and learned how
to dissect and analyze those packets by taking advantage of Wireshark's detailed protocol
views. You explored some basic techniques to overcome a switched network's inherent
sniffing limitations, and reviewed defensive actions that you can take to protect your
networks from sniffing and the attacks that follow it.