Detection of Sniffers in an Ethernet Network

Trabelsi, Zouheir; Rahmani, Hamza

doi:10.1007/978-3-540-30144-8_15

Zouheir Trabelsi¹⁸ &
Hamza Rahmani¹⁸

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 3225))

Included in the following conference series:

International Conference on Information Security

977 Accesses
4 Citations

Abstract

On a local network, security is always taken into consideration. When plain text data is being sent onto the network, it can be easily stolen by any network user. Stealing data from the network is called sniffing. By sniffing the network, a user can gain access into confidential documents and cause intrusion into anyone’s privacy. Many 0freely distributed software on the Internet provides this functionality. Despite the easiness of sniffing, sniffers are usually difficult to detect, since they do not interfere with the network traffic at all. System administrators are facing difficulties to detect and deal with this type of attack. Several antisniffers programs can be used to detect sniffers. However, sniffers are becoming very advanced so that current antisniffers are unable to detect them.

This paper explains a new technique used by SupCom AntiSniffer, a tool that can effectively scan sniffers on an Ethernet network. The proposed technique uses three phases to detect the sniffing hosts in an Ethernet network. In the first phase, the ARP caches of the sniffing hosts are corrupted. In the second phase, TCP SYN request connections packets are sent to each host in the network using fake IP and MAC source addresses. Finally, by analyzing the responses of the hosts, all hosts running sniffers are detected. Four anti-sniffers, PMD [18], PromiScan [17], L0pht AntiSniff [19] and SupCom anti-sniffer, are tested and the evaluation results show that SupCom AntiSniffer succeeded to detect more sniffing hosts than the other antisniffers.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic

$34.99 /Month

Get 10 units per month
Download Article/Chapter or eBook
1 Unit = 1 Article or 1 Chapter
Cancel anytime

Buy Now

Chapter: USD 29.95; Price excludes VAT (USA)

eBook: USD 39.99; Price excludes VAT (USA)

Softcover Book: USD 54.99; Price excludes VAT (USA)

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Sniffit: A Packet Sniffing Tool Using Wireshark

Moving Target Defense Against Network Reconnaissance with Software Defined Networking

Experimental and Comparative Analysis of Packet Sniffing Tools

References

Freedman, Pisani, Purves, Adhikari: Statistics, 2nd edn. W.W. Norton & Company, Inc.,New York (1991)
Google Scholar
Grundshober, S.: Sniffer Detector Report., Global Security Analysis Lab. Zurich Research Laboratory, IBM Research Division (June 1998)
Google Scholar
Hornig, C.: A Standard for the Transmission of IP Datagrams over Ethernet Networks, RFC-894, Symbolics Cambridge Research Center (April 1984)
Google Scholar
Jacobson, V., Leres, C., Mc-Canne, S.: The Tcpdump Manual Page. Lawrence Berkley Laboratory
Google Scholar
Postel, J.: Internet Protocol. RFC-791, USC/Information Science Institute (September 1981)
Google Scholar
Postel, J.:Transmission Control Protocol . RFC-793, USC/Information Science Institute,September (1981)
Google Scholar
Postel, J.:Internet Control Message Protocol . RFC-792, USC/Information Science Institute (September 1981)
Google Scholar
Stevens, R.: TCP/IP Illustrated,vol. 1 (2001)
Google Scholar
Security Software Inc.: Antisniff, Technical Report (2000), http://www.securitysoftwaretech.com
Grundschober, S.: Sniffer Detector Report., Diploma Thesis, IBM Research Division, Zurich Research Laboratory, Global Security Analysis Lab. (June 1998)
Google Scholar
Drury, J.: Sniffers: What are they and how to protect from them. November 11 (2000), http://www.sans.org/
Wu, D., Wong, F.: Remote Sniffer Detection. Computer Science Division, University of California, Berkeley. December 14 (1998)
Google Scholar
Sanai, D.: Detection of Promiscuous Nodes Using ARP Packets, http://www.securityfriday.com/
Nmap Tools, http://securityfocus.com
Zouheir, T., et al.: Malicious Sniffing Systems Detection Platform. In: The IEEE/IPSJ 2004 International Symposium on Applications and the Internet (SAINT2004), Tokyo, Japan, January 26-30 (2004)
Google Scholar
PromiScan anti-sniffer: http://www.securityfriday.com
PMD (Promiscuous Mode Detector): http://webteca.port5.com
L0pht AntiSniff: http://www.l0pht.com/antisniff/

Download references

Author information

Authors and Affiliations

Cité Technologique des Communications, The University of Tunisia The College of Telecommunications (SupCom), Route de Raoued Km 3,5, 2083, El Ghazala, Ariana, Tunisia
Zouheir Trabelsi & Hamza Rahmani

Authors

Zouheir Trabelsi
View author publications
You can also search for this author in PubMed Google Scholar
Hamza Rahmani
View author publications
You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

Institute of psychology, Chinese Academy of Sciences, 100101, Beijing, P.R. China
Kan Zhang
Department of Software & Information Systems, The University of North Carolina at Charlotte, 9201 University City Blvd, 28223-0001, Charlotte, NC, USA
Yuliang Zheng

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Trabelsi, Z., Rahmani, H. (2004). Detection of Sniffers in an Ethernet Network. In: Zhang, K., Zheng, Y. (eds) Information Security. ISC 2004. Lecture Notes in Computer Science, vol 3225. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-30144-8_15

Download citation

DOI: https://doi.org/10.1007/978-3-540-30144-8_15
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-23208-7
Online ISBN: 978-3-540-30144-8
eBook Packages: Springer Book Archive

Publish with us

Policies and ethics