You’re sitting at your desk, surfing the Web for business-related sports scores when you notice the network becoming sluggish. Then it dies altogether. A few minutes
later, it’s up again. What just happened? Looking over at the network rack, you can’t help but admire the Christmas decorations. Wait—it’s June! Those aren’t decorations,
those are red warning lights flashing next to the green happy lights. Clearly, something has gone wrong, but what is it?
Nine times out of 10, the cause of this type of problem gets traced back to a single malfunctioning computer or a single software failure simultaneously plaguing a number of systems. How can you identify the culprit? Looking at flashing lights isn’t going to tell you much. What you need to see is the actual data traffic moving around your network. Network data capture and analysis tools, also known as sniffers, are designed to help.
The most basic network sniffing tools simply capture all of the data on the network and store it to a file for later analysis. Most will also summarize the network traffic in a human-readable format and can display the summary in real time.
More advanced tools can break down the traffic by factors such as the type of application generating the data and the source or destination system. These tools might provide graphic visualization and may also be capable of identifying malicious traffic patterns. Some can even interpret the application data itself, extracting application-specific information such as commands and login information. In the case of web traffic, this could include web addresses, usernames, and passwords.
Network sniffing devices can also be used to detect intruders. Unfamiliar network traffic can indicate the presence of intruder activity or an active backdoor on a system. For this reason, sniffing devices are a critical part of many intrusion detection systems.
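The two capabilities just described, a per-application traffic summary and flagging of unfamiliar flows, in a small added example that is not from the book: it decodes constructed Ethernet/IPv4/TCP frames (built inline, not a real capture) and compares the flows it sees against an assumed baseline of expected traffic.

```python
import struct
from collections import Counter

# Destination-port to application mapping for the summary (assumed subset of well-known ports).
APP_BY_PORT = {22: "ssh", 25: "smtp", 53: "dns", 80: "http", 443: "https"}

# Baseline of expected (src host, dst host, app) flows; constructed for this example.
BASELINE = {("10.0.0.5", "10.0.0.1", "http"), ("10.0.0.5", "10.0.0.1", "https")}

def build_frame(src_ip, dst_ip, sport, dport, payload=b""):
    """Construct a minimal Ethernet/IPv4/TCP frame (test input, not a real capture)."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)          # EtherType IPv4
    ip_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))   # protocol 6 = TCP
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload

def parse_frame(frame):
    """Return (src, dst, sport, dport, payload) for an IPv4/TCP frame, else None."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None                                       # not IPv4
    ihl = (frame[14] & 0x0F) * 4                          # IPv4 header length
    if frame[23] != 6:
        return None                                       # not TCP
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    tcp = frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4                         # TCP header length
    return src, dst, sport, dport, tcp[data_off:]

def summarize(frames):
    """Count flows by (src, dst, app) as a sniffer summary; flag flows not in BASELINE."""
    counts = Counter()
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, _sport, dport, _payload = parsed
        app = APP_BY_PORT.get(dport, f"tcp/{dport}")
        counts[(src, dst, app)] += 1
    unfamiliar = sorted(flow for flow in counts if flow not in BASELINE)
    return counts, unfamiliar

# Constructed sample traffic: expected web flows plus one flow absent from the baseline.
SAMPLE_FRAMES = [build_frame("10.0.0.5", "10.0.0.1", 40000, 80),
                 build_frame("10.0.0.5", "10.0.0.1", 40001, 443),
                 build_frame("10.0.0.5", "10.0.0.1", 40002, 80),
                 build_frame("10.0.0.9", "203.0.113.7", 40003, 22)]
```

Running `summarize(SAMPLE_FRAMES)` reports two http and one https flow from 10.0.0.5 and flags the ssh flow from 10.0.0.9 as unfamiliar; a real deployment would build the baseline from observed traffic rather than a hard-coded set.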
This capability for data analysis sounds like it would be incredibly useful to hackers. It is. A major hacking goal is to control or establish a sniffing device on a network. This provides a continuous feed of critical information, such as captured passwords, confidential files and email messages, and so on.
Sniffing devices leave hackers in a quandary. Sniffers are great hacking tools, but they are also great intrusion detection tools. If a sniffer is on the network, a network administrator has a good chance of detecting the hacker.
Always a step ahead of the cat, the mousy hackers created the anti-sniffer. This is a program that can detect the presence of sniffing devices on a network. If a sniffer exists, it’s either part of an Intrusion Detection System (IDS) or something that was installed by a previous hacker. A hacker can use evasive techniques to invade the network without being detected if a sniffer is being used. If no IDS is present, the hacker can brashly overrun the network defenses, raping and pillaging systems along the way with impunity.
Anti-sniffers do provide benefits to the network administrator. An anti-sniffer can be used to detect the presence of unauthorized sniffing devices on the network. The presence of such a device would be a good indication that the network had been hacked. Of course, hackers might also design an anti-sniffer detector, which would prompt network administrators to develop an anti-sniffer detector-detector. The good news is that this sort of one-upmanship seems to have ceased at the anti-sniffer level.
The above information is the start of a chapter in "Network Security Illustrated," published by McGraw-Hill and available from amazon.com, as well as your local bookstore. The book goes into much greater depth on this topic.