Hack Proofing Your Network, Second Edition, Part 6 (PDF)

Sniffing • Chapter 10 377
TCPDump can be obtained from www.tcpdump.org. Many modifications
have been made to TCPDump in recent years to add support for a wide range of
additional protocols.
dsniff
dsniff is a sniffing toolkit provided by Dug Song. dsniff is available on his Web site at www.monkey.org/~dugsong/dsniff, or at a number of mirror sites.
dsniff is most famous for its authentication (usernames, passwords) sniffing capabilities. The current version of dsniff will decode authentication information for the following protocols: AOL Instant Messenger, Citrix Winframe, Concurrent Versions System (CVS), FTP, HTTP, ICQ, IMAP, Internet Relay Chat (IRC), Lightweight Directory Access Protocol (LDAP), RPC mount requests, Napster, NNTP, Oracle SQL*Net, Open Shortest Path First (OSPF), PC Anywhere, POP, PostgreSQL, Routing Information Protocol (RIP), Remote Login (rlogin), Windows NT plaintext (SMB), Network Associates Sniffer Pro (remote), Simple Network Management Protocol (SNMP), Socks, Telnet, X11, and RPC yppasswd.
www.syngress.com
Notes from the Underground…
dsniff Used against the Author
The following sample output from dsniff was captured by Dug Song, who successfully captured my password at the CanSecWest 2001 security conference. It happened because Outlook automatically checks POP3 servers, even when you just open it to grab someone’s contact information. I quickly changed the password, just in time—the remainder of dsniff output captures somebody else attempting to log on with that password, presumably another person using dsniff who had captured the password.

03/28/01 18:43:24 tcp 192.168.1.201.1035 -> 216.136.173.10.110 (pop)
USER robert_david_graham
PASS Cerveza2

194_HPYN2e_10.qxd 2/15/02 10:59 AM Page 377

03/29/01 02:07:41 tcp 192.168.1.243.1837 -> 216.136.173.10.110 (pop)
USER robert_david_graham
PASS Cerveza2

03/29/01 02:07:08 tcp 192.168.1.243.1836 -> 64.58.76.98.80 (http)
POST /config/login?84gteu3f1fmvt HTTP/1.0
Host: login.yahoo.com
Content-type: application/x-www-form-urlencoded
Content-length: 147
.tries=1&.src=ym&.last=&promo=&.intl=us&.bypass=&.partner=&.u=863imictc5nnu&.v=0&hasMsgr=0&.chkP=Y&.done=&login=robert_david_graham&passwd=Cerveza2

03/29/01 02:06:48 tcp 192.168.1.243.1835 -> 64.58.76.98.80 (http)
POST /config/login?15aeb5g14endr HTTP/1.0
Host: login.yahoo.com
Content-type: application/x-www-form-urlencoded
Content-length: 146
.tries=&.src=ym&.last=&promo=&.intl=us&.bypass=&.partner=&.u=863imictc5nnu&.v=0&hasMsgr=0&.chkP=Y&.done=&login=robert_david_graham&passwd=Cerveza2

03/31/01 17:07:38 tcp 192.168.1.243.1307 -> 216.136.173.10.110 (pop)
USER robert_david_graham
PASS Cerveza2
With today’s switched networks and encrypted protocols, password sniffing doesn’t always work as well as we might hope. dsniff contains several redirect and man-in-the-middle (MITM) utilities to redirect the flow of traffic and decrypt sessions.
The first utility is arpspoof (formerly known as arpredirect). Address Resolution Protocol (ARP) is used by hosts to find the local router’s Media Access Control (MAC) address. By spoofing ARP packets, you can convince other nearby computers that you are the router. Your machine has to forward them onto the legitimate router after receiving them, but in the meantime, the dsniff password sniffer has a chance to process the packets. This runs well not only on local switched networks, but also on cable-modem networks. This tool isn’t completely foolproof; you are essentially fighting with the router, trying to convince other machines of the local MAC address. As a result, traffic flows through your machine are sometimes intermittent. This technique is easily detected by network-based intrusion detection systems (IDSs). Even the Sniffer Pro (mentioned earlier) has an expert diagnostic mode that will flag these as “duplicate IP addresses” (i.e., multiple machines claiming to have the IP address of the router).
The dnsspoof utility is another way of redirecting traffic. In this case, it spoofs responses from the local Domain Name System (DNS) server. When you go to a Web site such as , your machine sends out a request to your local DNS server asking for the IP address of www.example.com. This usually takes a while to resolve; dnsspoof quickly sends its own response faster. The victim will take the first response and ignore the second one. The spoofed response will contain a different IP address than the legitimate response, usually the IP address of the attacker’s machine. The attacker will likely be using one of the other dsniff man-in-the-middle utilities.
The name man-in-the-middle comes from cryptography and describes the situation when somebody intercepts communications, alters it, and then forwards it. The dsniff utilities for these attacks are webmitm for HTTP traffic (including SSL) and sshmitm (for SSH). Normally, SSH and SSL are thought to be secure, encrypted protocols that cannot be sniffed. The way the MITM utilities work is that they present their own encryption keys to the SSL/SSH clients. This allows them to decrypt the traffic, sniff passwords, and then reencrypt with the original server keys. In theory, you can protect yourself against this by checking the validity of the server certificate, but in practice, nobody does this.
dsniff can sniff not only passwords, but also other cleartext traffic. The mailsnarf utility sniffs e-mails like the FBI’s Carnivore, except it reassembles them into an mbox format that can be read by most mail readers. The msgsnarf utility sniffs messages from ICQ, IRC, Yahoo! Messenger, and AOL IM. The filesnarf utility sniffs files transferred via NFS (a popular fileserver protocol used on UNIX systems). The urlsnarf utility saves all the URLs it sees going across the wire. The webspy utility sends those URLs to a Netscape Web browser in real time—essentially allowing you to watch in real time what the victim sees on their Web browser.
The macof utility sends out a flood of MAC addresses. This is intended as another way of attacking Ethernet switches. Most switches have limited tables that can hold only 4000 MAC addresses. This is more than enough for normal networks—you would need 4000 machines attached to the switch before overloading these tables. When the switch overloads, it “fails open” and starts repeating every packet out every port, allowing everyone’s traffic to be sniffed.

The tcpkill utility kills TCP connections. It can be used as a denial of service (DoS) attack. For example, you can configure it to kill every TCP connection your neighbor makes. It can also be integrated with tools like network-based IDSs to kill connections from hackers. The tcpnice utility is similar to tcpkill, but rather than killing connections, it slows them down. For example, you could spoof ICMP Source Quenches from your neighbor’s cable modems so that you can get a higher percentage of the bandwidth for your downloads.
Ettercap
Ettercap is a package similar to dsniff. It has many of the same capabilities, such as man-in-the-middle attacks against SSL and SSH and password sniffing. It also has additional features for man-in-the-middle attacks against normal TCP connections, such as inserting commands into the stream. Ettercap is written by Alberto
Ornaghi and Marco Valleri and is available on the Web at rce-
forge.net.
Esniff.c
Esniff.c is probably one of the first sniffers that surfaced within the hacker underground. Written by a hacker named rokstar, it functioned only on Sun Microsystems’ SunOS (now outdated) operating systems. Esniff.c supports the Telnet, FTP, and rlogin protocols. It provides basic functionality and does not support a comprehensive list of protocols such as those found in newer sniffers like dsniff and sniffit. This sniffer was first publicly published in Phrack magazine, which can be obtained from www.phrack.org/show.php?p=45&a=5.
Sniffit
Sniffit is another sniffer that has been around for several years. It is available for several operating systems, including Linux, Solaris, SunOS, Irix, and FreeBSD. Sniffit has not been updated in a few years, but I have found it to be quite stable (even though the last release was classified as a beta). Brecht Claerhout, the author of Sniffit, has two versions available on his Web site: 0.3.5 (released in April 1997) and 0.3.7.beta (released in July 1998). I have had no problems compiling and using 0.3.7.beta, but if you encounter problems with 0.3.7.beta, then you can still fall back and use 0.3.5. Brecht’s Web site is located at .
One of the reasons I like (and use) Sniffit so much is that you can easily configure it to log only certain traffic, such as FTP and Telnet. This type of filtering is not unusual; it is available in other sniffers such as Sniffer Pro and NetMon. But when was the last time you saw either one of those sniffers covertly placed on a compromised system? Sniffit is small and easily configured to capture (and log) only traffic that you know carries useful information in the clear, such as usernames and passwords for certain protocols, as shown in the following example:
[Tue Mar 28 09:46:01 2000] - Sniffit session started.
[Tue Mar 28 10:27:02 2000] - 10.40.1.6.1332-10.44.50.40.21: USER [hansen]
[Tue Mar 28 10:27:02 2000] - 10.40.1.6.1332-10.44.50.40.21: PASS [worksux]
[Tue Mar 28 10:39:42 2000] - 10.40.1.99.1651-10.216.82.5.23: login [trebor]
[Tue Mar 28 10:39:47 2000] - 10.40.1.99.1651-10.216.82.5.23: password [goaway]
[Tue Mar 28 11:08:10 2000] - 10.40.2.133.1123-10.60.56.5.23: login [jaaf]
[Tue Mar 28 11:08:17 2000] - 10.40.2.133.1123-10.60.56.5.23: password [5g5g5g5]
[Tue Mar 28 12:45:21 2000] - 10.8.16.2.2419-10.157.14.198.21: USER [afms]
[Tue Mar 28 12:45:21 2000] - 10.8.16.2.2419-10.157.14.198.21: PASS [smfasmfa]
[Tue Mar 28 14:38:53 2000] - 10.40.1.183.1132-10.22.16.51.23: login [hohman]
[Tue Mar 28 14:38:58 2000] - 10.40.1.183.1132-10.22.16.51.23: password [98rabt]
[Tue Mar 28 16:47:14 2000] - 10.40.2.133.1069-10.60.56.5.23: login [whitt]
[Tue Mar 28 16:47:16 2000] - 10.40.2.133.1067-10.60.56.5.23: password [9gillion]
[Tue Mar 28 17:13:56 2000] - 10.40.1.237.1177-10.60.56.5.23: login [douglas]
[Tue Mar 28 17:13:59 2000] - 10.40.1.237.1177-10.60.56.5.23: password [11satrn5]
[Tue Mar 28 17:49:43 2000] - 10.40.1.216.1947-10.22.16.52.23: login [demrly]
[Tue Mar 28 17:49:46 2000] - 10.40.1.216.1947-10.22.16.52.23: password [9sefi9]
[Tue Mar 28 17:53:08 2000] - 10.40.1.216.1948-10.22.16.52.23: login [demrly]
[Tue Mar 28 17:53:11 2000] - 10.40.1.216.1948-10.22.16.52.23: password [jesa78]
[Tue Mar 28 19:32:30 2000] - 10.40.1.6.1039-10.178.110.226.21: USER [custr2]
[Tue Mar 28 19:32:30 2000] - 10.40.1.6.1039-10.178.110.226.21: PASS [Alpo2p35]
[Tue Mar 28 20:04:03 2000] - Sniffit session ended.
As you can see, in just a matter of approximately 10 hours, I have collected usernames and passwords for nine different users for three FTP sites and five Telnet locations. One user, demrly, seems to have used the incorrect password when he or she tried to log in to 10.22.16.52 the first time, but I will keep this password handy because it may be a valid password at some other location.
Carnivore
Carnivore is an Internet wiretap designed by the U.S. Federal Bureau of Investigation (FBI). It is designed with the special needs of law enforcement in mind. For example, some court orders might allow a pen-register monitoring of just the From/To e-mail addresses, whereas other court orders might allow a full capture of the e-mail. A summary of Carnivore’s features can be seen within the configuration program, shown in Figure 10.7.
Figure 10.7 Carnivore Configuration Program
The features are:
- Filter sets: The settings are saved in configuration files; the user can quickly change the monitoring by selecting a different filter set.
- Network adapters: A system may have multiple network adapters; only one can be selected for sniffing at a time.
- Archive file size: A limit can be set on how much data is captured; by default, it fills up the disk.
- Total memory usage: Network traffic may come in bursts faster than it can be written to disk; memory is set aside to buffer the incoming data.
- Fixed IP address: All traffic to/from a range of IP addresses can be filtered. For example, the suspect may have a fixed IP address of 1.2.3.4 assigned to their cable modem. The FBI might get a court order allowing them to sniff all of the suspect’s traffic.
- Protocols to capture: Typically, a court order will allow only specific traffic to be monitored, such as SMTP over TCP. In Pen mode, only the headers are captured.
- Data text strings: This is the Echelon feature that looks for keywords in traffic. A court order must specify exactly what is to be monitored, such as an IP address or e-mail account. Such wide-open keyword searches are illegal in the United States. The FBI initially denied that Carnivore had this feature.
- Ports: A list of TCP and UDP ports can be specified. For example, if the FBI has a court order allowing e-mail capture, they might specify the e-mail ports of 25, 110, and 143.
- SMTP e-mail addresses: A typical scenario is where Carnivore monitors an ISP’s e-mail server, discarding all e-mails except those of the suspects. An e-mail session is tracked until the suspect’s e-mail address is seen, then all the packets that make up the e-mail are captured.
- Dynamic IP addresses: When users dial up the Internet, they are logged in via the RADIUS protocol, which then assigns them an IP address. Normally, the FBI will ask the ISP to reconfigure their RADIUS servers to always assign the same IP address to the suspect, and will then monitor all traffic to/from that IP address. (Note: if you are a dial-up user and suspect the FBI is after you, check to see if your IP address is the same every time you dial up.) Sometimes this isn’t possible. Carnivore can be configured to monitor the RADIUS protocol and dynamically discover the new IP address assigned to the suspect. Monitoring begins when the IP address is assigned, and stops when it is unassigned.
The FBI developed Carnivore because utilities like dsniff do not meet the needs of law enforcement. When an e-mail is sent across the wire, it is broken down into multiple packets. A utility like mailsnarf (described earlier) will reassemble the e-mail back into its original form. This is bad because the suspect’s defense attorneys will challenge its accuracy: Did a packet get dropped somewhere in the middle that changes the meaning of the e-mail? Did a packet from a different e-mail somehow get inserted into the message? By capturing the raw packets rather than reassembling them, Carnivore maintains the original sequence numbers, ports, and timestamps. Any missing or extra packets are clearly visible, allowing the FBI to defend the accuracy of the system.
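The argument above is that keeping the raw packets, rather than a reassembled message, lets a reviewer see whether anything was dropped or inserted. The C routine below is an added example (not Carnivore’s code or the book’s): given the sequence numbers and lengths of the captured TCP segments of one direction of a connection, it reports the gaps and overlaps in the byte stream that a silent reassembler would paper over. The segment lists it audits are constructed sample captures.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* One captured TCP segment from one direction of a connection, as a raw
   packet capture records it: sequence number and payload length. */
struct segment { uint32_t seq; uint32_t len; };

struct stream_report {
    int gaps;                   /* holes where bytes were never captured   */
    int overlaps;               /* segments re-covering bytes already seen */
    uint32_t missing_bytes;
    uint32_t duplicate_bytes;
};

static int by_seq(const void *a, const void *b)
{
    const struct segment *x = a, *y = b;
    int32_t d = (int32_t)(x->seq - y->seq);   /* modular: survives 32-bit wrap */
    return (d > 0) - (d < 0);
}

/* Sort the segments and walk the byte stream, recording every discontinuity.
   The array is sorted in place. A reassembler that just concatenates payloads
   hides exactly the conditions counted here. */
struct stream_report audit_stream(struct segment *segs, size_t n)
{
    struct stream_report r = {0, 0, 0, 0};
    uint32_t expected;
    size_t i;

    if (n == 0)
        return r;
    qsort(segs, n, sizeof *segs, by_seq);
    expected = segs[0].seq;
    for (i = 0; i < n; i++) {
        int32_t d = (int32_t)(segs[i].seq - expected);
        uint32_t end = segs[i].seq + segs[i].len;
        if (d > 0) {                            /* segment starts after a hole */
            r.gaps++;
            r.missing_bytes += (uint32_t)d;
        } else if (d < 0) {                     /* starts inside bytes already seen */
            uint32_t dup = (uint32_t)(-d);
            r.overlaps++;
            r.duplicate_bytes += dup < segs[i].len ? dup : segs[i].len;
        }
        if ((int32_t)(end - expected) > 0)      /* advance only if the stream grew */
            expected = end;
    }
    return r;
}

/* Constructed sample capture: 100-byte segments from seq 1000. With
   with_defects set, the segment at 1200 is missing (a dropped packet) and the
   one at 1100 appears twice (a retransmission), as a lossy tap might record. */
struct stream_report sample_capture_report(int with_defects)
{
    struct segment clean[] = { {1000, 100}, {1100, 100}, {1200, 100}, {1300, 100}, {1400, 50} };
    struct segment lossy[] = { {1000, 100}, {1100, 100}, {1300, 100}, {1100, 100}, {1400, 50} };
    if (with_defects)
        return audit_stream(lossy, sizeof lossy / sizeof lossy[0]);
    return audit_stream(clean, sizeof clean / sizeof clean[0]);
}

int main(void)
{
    struct stream_report r = sample_capture_report(1);
    printf("gaps=%d (%u bytes missing), overlaps=%d (%u bytes duplicated)\n",
           r.gaps, r.missing_bytes, r.overlaps, r.duplicate_bytes);
    return 0;
}
```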
Another problem that the FBI faces is minimization of the sniffed data. When the FBI wiretaps your line, they must assign an agent to listen in. If somebody else uses your phone (like your spouse or kids), they are required to turn off the tape recorders. In much the same way, Carnivore is designed to avoid capturing anything that does not belong to the suspect. A typical example would be using Carnivore to monitor the activities of a dial-up user. Carnivore contains a module to monitor the RADIUS traffic that is used by most ISPs to authenticate the user and assign a dynamic IP address. This allows Carnivore to monitor only that user without intercepting any other traffic. A sample program containing many of the features of Carnivore can be found on the Web site for this book (www.syngress.com/solutions).
Additional Resources
There are some interesting locations that provide a more comprehensive list of available sniffer programs, some of which are listed here:
- A list of network monitoring programs available from Underground Security Systems Research: www.ussrback.com/packetsniffers.htm.
- A very good and very detailed overview of packet sniffers written by Robert Graham: www.robertgraham.com/pubs/sniffing-faq.html.
NOTE
A FAQ for Carnivore can be found at www.robertgraham.com/pubs/carnivore-faq.html.
Advanced Sniffing Techniques
As technology has moved forward, attackers have had to create new methods to sniff network traffic. The next sections take a look at a couple of methods that attackers use to get around technology advancements.
Man-in-the-Middle (MITM) Attacks
As we describe later, the most effective defense against sniffing is using encrypted protocols such as SSL and SSH. However, the latest dsniff and Ettercap packages contain techniques for fooling encryption.
The basic technique is known as a man-in-the-middle (MITM) attack. A good example of this is in the James Bond movie From Russia with Love. Bond is supposed to meet another agent in a train station. The evil agent from SPECTRE contacts the agent first, pretending to be Bond. In this manner, the evil agent gets the correct passphrase. The evil agent then pretends to be the agent that Bond is supposed to contact.
The same technique can be applied to encrypted protocols. An attacker sets up a server that answers requests from clients. For example, the server could answer a request for . A user contacting this machine will falsely believe they have established an encrypted session to Amazon.com. At the same time, the attacker contacts the real Amazon.com and pretends to be the user. The attacker plays both roles, decrypting the incoming data from the user, then reencrypting it for transmission to the original destination.
In theory, encryption protocols have defenses against this. A server claiming to be Amazon.com needs to prove that it is, indeed, Amazon.com. In practice, most users ignore this. MITM attacks have proven effective when used in the field.
Cracking
Tools like dsniff and Ettercap capture not only passwords, but also encrypted passwords. In theory, capturing the encrypted passwords is useless. However, people choose weak passwords, such as words from the dictionary. It takes only a few seconds for an attacker to run through a 100,000-word dictionary, comparing the encrypted form of each dictionary word against the encrypted password. If a match is found, then the attacker has discovered the password.
Such password cracking programs already exist. Tools like dsniff and Ettercap simply output the encrypted passwords in a form that these tools can read.
Switch Tricks
Switches came into vogue a few years ago, and a lot of people think that if they have a switched network, it is impossible for an attacker to use a sniffer successfully to capture any information from them. It’s time to burst their bubble, as you will see when we discuss methods of successfully sniffing on a switched network.
ARP Spoofing
When attempting to monitor traffic on a switched network, you will run into one serious problem: The switch will limit the traffic that is passed over your section of the network. Switches keep an internal list of the MAC addresses of hosts that are on each port. Traffic is sent to a port only if the destination host is recorded as being present on that port. It is possible to overwrite the ARP cache on many operating systems, which would allow you to associate your MAC address with the default gateway’s IP address. This would cause all outgoing traffic from the target host to be transmitted to you instead. You would need to ensure that you manually have added an ARP table entry for the real default gateway, to ensure that the traffic will be sent to the real target, and also to ensure that you have IP forwarding enabled.
It has been found that many cable modem networks are also vulnerable to this type of attack, since the cable modem network is essentially an Ethernet network, with cable modems acting as bridges. In short, there is no solution to this attack, and new generations of cable modem networks will use alternate mechanisms to connect a user to the network.
The dsniff sniffer by Dug Song includes a program named arpspoof (formerly arpredirect) for exactly this purpose.
arpspoof redirects packets from a target host (or all hosts) on the LAN intended for another host on the LAN by forging ARP replies. This is an extremely effective way of sniffing traffic on a switch.
—dsniff FAQ
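The chapter notes twice that this attack is easy for a network-based IDS to spot, because two machines end up claiming the gateway’s IP address. The C program below is an added example (not code from the book or from dsniff) of that detection: it parses Ethernet/ARP replies, keeps an IP-to-MAC binding table and raises a “duplicate IP address” alarm when a bound IP is claimed by a second MAC. The frames it inspects are constructed test data, and learning bindings on first sight is an assumption; a real monitor would preload the gateway’s binding from a static list.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARP_FRAME_LEN 42        /* 14-byte Ethernet header + 28-byte ARP packet */
#define ETHERTYPE_ARP 0x0806
#define ARP_OP_REPLY  2
#define MAX_BINDINGS  64

/* IP-to-MAC bindings learned from ARP replies. Learn-on-first-sight is an
   assumption of this example; a production monitor would seed the gateway's
   entry statically so the very first forged reply is already a conflict. */
struct binding { uint32_t ip; uint8_t mac[6]; };
static struct binding bindings[MAX_BINDINGS];
static int nbindings;

void arp_monitor_reset(void) { nbindings = 0; }

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Constructed test frame: an Ethernet/IPv4 ARP reply "spa is-at sha" sent to tha/tpa. */
void build_arp_reply(uint8_t *f, const uint8_t *sha, uint32_t spa,
                     const uint8_t *tha, uint32_t tpa)
{
    memset(f, 0, ARP_FRAME_LEN);
    memcpy(f, tha, 6);  memcpy(f + 6, sha, 6);   /* Ethernet dst, src      */
    f[12] = 0x08; f[13] = 0x06;                  /* EtherType ARP          */
    f[15] = 1;    f[16] = 0x08;                  /* htype 1, ptype 0x0800  */
    f[18] = 6;    f[19] = 4;                     /* hlen 6, plen 4         */
    f[21] = ARP_OP_REPLY;
    memcpy(f + 22, sha, 6); wr32(f + 28, spa);   /* sender hw / proto addr */
    memcpy(f + 32, tha, 6); wr32(f + 38, tpa);   /* target hw / proto addr */
}

/* Inspect one frame. Returns 1 when the ARP reply's sender IP is already bound
   to a different MAC (the duplicate IP alarm; a description goes into *alert
   if given), 0 when the reply is consistent or newly learned, and -1 when the
   frame is not an Ethernet/IPv4 ARP reply at all. */
int arp_check(const uint8_t *f, size_t len, char *alert, size_t alen)
{
    const uint8_t *sha, *m;
    uint32_t spa;
    int i;

    if (len < ARP_FRAME_LEN || rd16(f + 12) != ETHERTYPE_ARP)
        return -1;
    if (rd16(f + 14) != 1 || rd16(f + 16) != 0x0800 || f[18] != 6 || f[19] != 4)
        return -1;
    if (rd16(f + 20) != ARP_OP_REPLY)
        return -1;
    sha = f + 22;
    spa = rd32(f + 28);

    for (i = 0; i < nbindings; i++) {
        if (bindings[i].ip != spa)
            continue;
        if (memcmp(bindings[i].mac, sha, 6) == 0)
            return 0;
        /* Same IP, second MAC. The first binding is kept on purpose, so every
           further forged reply for this IP keeps being flagged. */
        m = bindings[i].mac;
        if (alert)
            snprintf(alert, alen, "duplicate IP %u.%u.%u.%u: %02x:%02x:%02x:%02x:%02x:%02x "
                     "vs %02x:%02x:%02x:%02x:%02x:%02x",
                     spa >> 24, (spa >> 16) & 255, (spa >> 8) & 255, spa & 255,
                     m[0], m[1], m[2], m[3], m[4], m[5],
                     sha[0], sha[1], sha[2], sha[3], sha[4], sha[5]);
        return 1;
    }
    if (nbindings < MAX_BINDINGS) {
        bindings[nbindings].ip = spa;
        memcpy(bindings[nbindings].mac, sha, 6);
        nbindings++;
    }
    return 0;
}

/* Constructed scenario: the real gateway 192.168.1.1 answers first, then a
   second host answers for the same address. Returns the number of alarms. */
int run_demo(void)
{
    static const uint8_t gw[6]     = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55};
    static const uint8_t victim[6] = {0x00, 0xaa, 0xbb, 0xcc, 0xdd, 0xee};
    static const uint8_t rogue[6]  = {0xde, 0xad, 0xbe, 0xef, 0x00, 0x01};
    uint8_t frame[ARP_FRAME_LEN];
    char alert[128];
    int alarms = 0, r;

    arp_monitor_reset();
    build_arp_reply(frame, gw, 0xc0a80101u, victim, 0xc0a80164u);
    r = arp_check(frame, sizeof frame, alert, sizeof alert);
    printf("reply from gateway: %d\n", r);
    build_arp_reply(frame, rogue, 0xc0a80101u, victim, 0xc0a80164u);
    r = arp_check(frame, sizeof frame, alert, sizeof alert);
    printf("reply from rogue:   %d %s\n", r, r == 1 ? alert : "");
    if (r == 1) alarms++;
    return alarms;
}

int main(void) { return run_demo() == 1 ? 0 : 1; }
```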
MAC Flooding
To serve its purpose, a switch must keep a table of all MAC (Ethernet) addresses of the hosts that appear on each port. If a large number of addresses appear on a single port, filling the address table on the switch, then the switch no longer has a record of which port the victim MAC address is connected to. This is the same situation as when a new machine first attaches to a switch, and the switch must learn where that address is. Until it learns which port it is on, the switch must send copies of frames for that MAC address to all switch ports, a practice known as flooding.
The dsniff sniffer includes a program named macof, which facilitates the flooding of a switch with random MAC addresses to accomplish this:
macof floods the local network with random MAC addresses (causing some switches to fail open in repeating mode, facilitating sniffing). A straight C port of the original Perl Net::RawIP macof program by Ian Vitek <>. —dsniff FAQ
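The observable side of the flood just described is a port that suddenly shows hundreds of never-before-seen source addresses per second, far beyond what any real population of hosts produces. The C code below is an added example (not part of the book or of dsniff) of a monitor that counts distinct source MACs per one-second window and alarms once the count crosses a threshold. The 256-per-second threshold, the set size and the sample frames are constructed assumptions for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Distinct source MACs per one-second window before alarming. A normal segment
   shows a handful of new addresses per second; a flood produces thousands. The
   value is an assumed tuning point for this example, not a documented constant. */
#define NEW_MAC_THRESHOLD 256
#define SET_SLOTS 4096               /* open-addressed set, power of two */

struct mac_window {
    uint32_t second;                 /* timestamp (s) this window covers */
    int distinct;                    /* distinct source MACs seen so far */
    uint8_t used[SET_SLOTS];
    uint8_t mac[SET_SLOTS][6];
};

void window_reset(struct mac_window *w, uint32_t second)
{
    memset(w->used, 0, sizeof w->used);
    w->second = second;
    w->distinct = 0;
}

static uint32_t mac_hash(const uint8_t *m)
{
    uint32_t h = 2166136261u;        /* FNV-1a over the six address bytes */
    int i;
    for (i = 0; i < 6; i++) { h ^= m[i]; h *= 16777619u; }
    return h & (SET_SLOTS - 1);
}

/* Add m to the window's set. Returns 1 if it was not there before. */
static int set_add(struct mac_window *w, const uint8_t *m)
{
    uint32_t idx = mac_hash(m), probes;
    for (probes = 0; probes < SET_SLOTS; probes++) {
        if (!w->used[idx]) {
            w->used[idx] = 1;
            memcpy(w->mac[idx], m, 6);
            return 1;
        }
        if (memcmp(w->mac[idx], m, 6) == 0)
            return 0;
        idx = (idx + 1) & (SET_SLOTS - 1);
    }
    return 0;                        /* set full: stop counting */
}

/* Feed one frame with its capture time. Only the source MAC (bytes 6..11) is
   used. Returns 1 exactly when this frame lifts the window's distinct-source
   count past the threshold, otherwise 0, so there is one alarm per window. */
int macflood_observe(struct mac_window *w, const uint8_t *frame, size_t len, uint32_t ts)
{
    if (len < 14)
        return 0;
    if (ts != w->second)             /* new second: start a fresh window */
        window_reset(w, ts);
    if (!set_add(w, frame + 6))
        return 0;
    w->distinct++;
    return w->distinct == NEW_MAC_THRESHOLD + 1;
}

/* Constructed traffic: 'frames' frames within one second drawn from 'sources'
   different source MACs. sources == frames is what a flood looks like; a small
   'sources' is ordinary chatter from a few hosts. Returns the alarms raised. */
int simulate(int frames, int sources)
{
    static struct mac_window w;      /* about 29 KB, kept off the stack */
    uint8_t frame[64] = {0};
    int i, alarms = 0;

    window_reset(&w, 0);
    for (i = 0; i < frames; i++) {
        uint32_t n = (uint32_t)(i % sources);
        frame[6] = 0x02;             /* locally administered unicast address */
        frame[7] = (uint8_t)(n >> 24); frame[8]  = (uint8_t)(n >> 16);
        frame[9] = (uint8_t)(n >> 8);  frame[10] = (uint8_t)n;
        alarms += macflood_observe(&w, frame, sizeof frame, 1000);
    }
    return alarms;
}

int main(void)
{
    printf("20 hosts, 1000 frames:   %d alarm(s)\n", simulate(1000, 20));
    printf("1000 hosts, 1000 frames: %d alarm(s)\n", simulate(1000, 1000));
    return 0;
}
```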
Routing Games
One method to ensure that all traffic on a network will pass through your host is to change the routing table of the host you wish to monitor. This may be possible by sending a fake route advertisement message via RIP, declaring yourself as the default gateway. If successful, all traffic will be routed through your host. Ensure that you have enabled IP forwarding, and that your default gateway is set to the real network gateway. All outbound traffic from the host will pass through your host, and onto the real network gateway. You may not receive return traffic, unless you also have the ability to modify the routing table on the default gateway to reroute all return traffic back to you.
Exploring Operating System APIs
Operating systems provide, or don’t provide, interfaces to their network link layer.
Let’s examine a variety of operating systems to determine how they interface to
their network link layer.
Linux
Linux provides an interface to the network link layer via its socket interface. This is one of the easiest of the interfaces provided by any operating system. The following program illustrates how simple this is. This program opens up the specified interface, sets promiscuous mode, and then proceeds to read Ethernet packets from the network. When a packet is read, the source and destination MAC addresses are printed, in addition to the packet type.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <netinet/in.h>
#include <net/if.h>
#include <net/if_arp.h>
#include <linux/if_ether.h>
#include <linux/sockios.h>
#include <net/ethernet.h>

int open_interface(char *name)
{
    struct sockaddr addr;
    struct ifreq ifr;
    int sockfd;

    /* open a socket and bind to the specified interface; SOCK_PACKET is the
       legacy Linux link-layer socket (newer kernels also offer AF_PACKET) */
    sockfd = socket(AF_INET, SOCK_PACKET, htons(ETH_P_ALL));
    if (sockfd < 0)
        return -1;
    memset(&addr, 0, sizeof(addr));
    addr.sa_family = AF_INET;
    strncpy(addr.sa_data, name, sizeof(addr.sa_data));
    if (bind(sockfd, &addr, sizeof(addr)) != 0) {
        close(sockfd);
        return -1;
    }

    /* check to make sure this interface is ethernet, otherwise exit */
    memset(&ifr, 0, sizeof(ifr));
    strncpy(ifr.ifr_name, name, sizeof(ifr.ifr_name) - 1);
    if (ioctl(sockfd, SIOCGIFHWADDR, &ifr) < 0) {
        close(sockfd);
        return -1;
    }
    if (ifr.ifr_hwaddr.sa_family != ARPHRD_ETHER) {
        close(sockfd);
        return -1;
    }

    /* now we set promiscuous mode: read the current interface flags,
       add IFF_PROMISC, and write them back */
    memset(&ifr, 0, sizeof(ifr));
    strncpy(ifr.ifr_name, name, sizeof(ifr.ifr_name) - 1);
    if (ioctl(sockfd, SIOCGIFFLAGS, &ifr) < 0) {
        close(sockfd);
        return -1;
    }
    ifr.ifr_flags |= IFF_PROMISC;
    if (ioctl(sockfd, SIOCSIFFLAGS, &ifr) < 0) {
        close(sockfd);
        return -1;
    }
    return sockfd;
}

/* read ethernet packets, printing source and destination addresses */
int read_loop(int sockfd)
{
    struct sockaddr from;
    socklen_t fromlen;
    unsigned char buf[1792];
    ssize_t size;
    int c;
    struct ether_header *hdr;

    while (1) {
        /* read the next available packet */
        fromlen = sizeof(from);
        size = recvfrom(sockfd, buf, sizeof(buf), 0, &from, &fromlen);
        if (size < 0)
            return -1;
        if ((size_t)size < sizeof(struct ether_header))
            continue;
        hdr = (struct ether_header *)buf;

        /* print out ethernet header; the type field is big-endian on the wire */
        for (c = 0; c < ETH_ALEN; c++)
            printf("%s%02x", c == 0 ? "" : ":", hdr->ether_shost[c]);
        printf(" > ");
        for (c = 0; c < ETH_ALEN; c++)
            printf("%s%02x", c == 0 ? "" : ":", hdr->ether_dhost[c]);
        printf(" type: 0x%04x\n", ntohs(hdr->ether_type));
    }
}

int main(int argc, char **argv)
{
    int sockfd;

    if (argc < 2) {
        fprintf(stderr, "Please specify an interface name\n");
        return -1;
    }
    if ((sockfd = open_interface(argv[1])) < 0) {
        fprintf(stderr, "Unable to open interface\n");
        return -1;
    }
    if (read_loop(sockfd) < 0) {
        fprintf(stderr, "Error reading packet\n");
        return -1;
    }
    return 0;
}
BSD
BSD-based operating systems such as OpenBSD, FreeBSD, NetBSD, and BSDI all provide an interface to the link layer via a kernel-based driver called the Berkeley Packet Filter (BPF). BPF possesses some very nice features that make it extremely efficient at processing and filtering packets.
The BPF driver has an in-kernel filtering mechanism. This is composed of a built-in virtual machine, consisting of some very simple byte operations allowing for the examination of each packet via a small program loaded into the kernel by the user. Whenever a packet is received, the small program is run on the packet, evaluating it to determine whether it should be passed through to the user-land application. Expressions are compiled into simple bytecode within user-land, and then loaded into the driver via an ioctl() call.
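To make the BPF virtual machine just described concrete, here is an added example (not taken from BSD, libpcap or the book): a small user-space interpreter for a handful of classic BPF opcodes, run over constructed sample frames with two hand-written filter programs, one for “arp” and an IPv4-only one for “tcp dst port 23”, the Telnet traffic Sniffit logged earlier in the chapter. The opcode numbers follow the standard BPF encoding; the frames are test data, not captured traffic.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Instruction format and the opcodes this interpreter implements. The numeric
   values are the classic BPF encoding (class | size | mode), the same numbers
   `tcpdump -dd` prints for these instructions. */
struct bpf_insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
enum {
    LD_H_ABS = 0x28,   /* A = 16-bit big-endian word at pkt[k]       */
    LD_B_ABS = 0x30,   /* A = pkt[k]                                  */
    LD_H_IND = 0x48,   /* A = 16-bit word at pkt[X + k]               */
    LDX_MSH  = 0xb1,   /* X = 4 * (pkt[k] & 0x0f): IPv4 header length */
    JEQ_K    = 0x15,   /* pc += (A == k) ? jt : jf                    */
    JSET_K   = 0x45,   /* pc += (A & k) ? jt : jf                     */
    RET_K    = 0x06    /* accept k bytes of the packet (0 = reject)   */
};
#define NINSN(p) (sizeof(p) / sizeof((p)[0]))

/* Evaluate one filter over one packet. Returns the number of bytes to hand to
   user space, 0 to reject. Loads are bounds-checked as the kernel checks them. */
uint32_t bpf_run(const struct bpf_insn *prog, size_t plen,
                 const uint8_t *pkt, size_t len)
{
    uint32_t A = 0, X = 0;
    size_t pc;
    for (pc = 0; pc < plen; pc++) {
        const struct bpf_insn *in = &prog[pc];
        size_t k = in->k;
        switch (in->code) {
        case LD_H_ABS:
            if (k + 2 > len) return 0;
            A = (uint32_t)pkt[k] << 8 | pkt[k + 1];
            break;
        case LD_B_ABS: if (k + 1 > len) return 0; A = pkt[k]; break;
        case LD_H_IND:
            if (X + k + 2 > len) return 0;
            A = (uint32_t)pkt[X + k] << 8 | pkt[X + k + 1];
            break;
        case LDX_MSH:  if (k + 1 > len) return 0; X = 4u * (pkt[k] & 0x0f); break;
        case JEQ_K:  pc += (A == in->k) ? in->jt : in->jf; break;
        case JSET_K: pc += (A & in->k) ? in->jt : in->jf; break;
        case RET_K:  return in->k;
        default:     return 0;   /* unknown opcode: the kernel refuses to load these */
        }
    }
    return 0;                    /* ran off the end without a ret: reject */
}

/* "arp": the one-comparison filter an ARP-only capture loads into the kernel. */
static const struct bpf_insn filter_arp[] = {
    { LD_H_ABS, 0, 0, 12 },     /* A = EtherType                  */
    { JEQ_K,    0, 1, 0x0806 }, /* ARP? fall through : skip one   */
    { RET_K,    0, 0, 65535 },
    { RET_K,    0, 0, 0 },
};

/* IPv4-only "tcp dst port 23": EtherType, IP protocol, skip non-first fragments
   (no TCP header there), then find the port through the variable IP header length. */
static const struct bpf_insn filter_telnet[] = {
    { LD_H_ABS, 0, 0, 12 },     /*  0: A = EtherType                  */
    { JEQ_K,    0, 8, 0x0800 }, /*  1: IPv4 ? 2 : 10                  */
    { LD_B_ABS, 0, 0, 23 },     /*  2: A = IP protocol                */
    { JEQ_K,    0, 6, 6 },      /*  3: TCP ? 4 : 10                   */
    { LD_H_ABS, 0, 0, 20 },     /*  4: A = IP flags + fragment offset */
    { JSET_K,   4, 0, 0x1fff }, /*  5: offset != 0 ? 10 : 6           */
    { LDX_MSH,  0, 0, 14 },     /*  6: X = IHL * 4                    */
    { LD_H_IND, 0, 0, 16 },     /*  7: A = pkt[14 + X + 2] = dst port */
    { JEQ_K,    0, 1, 23 },     /*  8: port 23 ? 9 : 10               */
    { RET_K,    0, 0, 65535 },  /*  9: accept                         */
    { RET_K,    0, 0, 0 },      /* 10: reject                         */
};

/* Constructed test frame (not captured traffic): Ethernet + IPv4 + TCP SYN
   from 10.40.1.99:1651 to 10.216.82.5:dport with a 20-byte IP header. */
size_t make_tcp_frame(uint8_t *f, uint16_t dport)
{
    memset(f, 0, 54);
    f[12] = 0x08; f[13] = 0x00;                        /* EtherType IPv4     */
    f[14] = 0x45; f[17] = 40; f[23] = 6;               /* IHL 5, len 40, TCP */
    f[26] = 10; f[27] = 40;  f[28] = 1;  f[29] = 99;   /* source IP          */
    f[30] = 10; f[31] = 216; f[32] = 82; f[33] = 5;    /* destination IP     */
    f[34] = 0x06; f[35] = 0x73;                        /* source port 1651   */
    f[36] = (uint8_t)(dport >> 8); f[37] = (uint8_t)dport;
    f[46] = 0x50; f[47] = 0x02;                        /* data offset 5, SYN */
    return 54;
}
static const uint8_t sample_arp[42] = { [12] = 0x08, [13] = 0x06 };  /* EtherType ARP */

int main(void)
{
    uint8_t f[54];
    size_t n = make_tcp_frame(f, 23);
    printf("telnet filter, port 23 -> %u\n", bpf_run(filter_telnet, NINSN(filter_telnet), f, n));
    printf("arp filter, ARP frame  -> %u\n", bpf_run(filter_arp, NINSN(filter_arp), sample_arp, sizeof sample_arp));
    return 0;
}
```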
libpcap
libpcap is not an operating system interface, but rather a portable cross-platform library that greatly simplifies link layer network access on a variety of operating systems. libpcap is a library originally developed at Lawrence Berkeley Laboratories (LBL). Its goal is to abstract the link layer interface on various operating systems and create a simple standardized application program interface (API). This allows the creation of portable code, which can be written to use a single interface instead of multiple interfaces across many operating systems. This greatly simplifies the technique of writing a sniffer, when compared to the effort required to implement such code on multiple operating systems.
The original version available from LBL has been significantly enhanced since its last official release. It has an open source license (the BSD license), and therefore can also be used within commercial software, and allows unlimited modifications and redistribution.
The original LBL version can be obtained from /libpcap.tar.Z. The tcpdump.org guys, who have taken over development of TCPDump, have also adopted libpcap. More recent versions of libpcap can be found at www.tcpdump.org.
In comparison to the sniffer written for the Linux operating system, using its
native system interface, a sniffer written on Linux using libpcap is much simpler,
as seen here:
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <net/ethernet.h>
#include <pcap/pcap.h>

pcap_t *open_interface(char *name)
{
    pcap_t *pd;
    char ebuf[PCAP_ERRBUF_SIZE];

    /* use pcap call to open interface in promiscuous mode:
       1600-byte snapshot length, promisc = 1, 100 ms read timeout */
    pd = pcap_open_live(name, 1600, 1, 100, ebuf);
    if (!pd)
        fprintf(stderr, "pcap_open_live: %s\n", ebuf);
    return pd;
}

int read_loop(pcap_t *pd)
{
    const unsigned char *ptr;
    int c;
    struct pcap_pkthdr h;
    const struct ether_header *hdr;

    while (1) {
        /* read the next available packet using libpcap; pcap_next() returns
           NULL when the read timeout expires with nothing captured */
        ptr = pcap_next(pd, &h);
        if (!ptr)
            continue;
        if (h.caplen < sizeof(struct ether_header))
            continue;
        hdr = (const struct ether_header *)ptr;

        /* print out ethernet header; the type field is big-endian on the wire */
        for (c = 0; c < ETH_ALEN; c++)
            printf("%s%02x", c == 0 ? "" : ":", hdr->ether_shost[c]);
        printf(" > ");
        for (c = 0; c < ETH_ALEN; c++)
            printf("%s%02x", c == 0 ? "" : ":", hdr->ether_dhost[c]);
        printf(" type: 0x%04x\n", ntohs(hdr->ether_type));
    }
}

int main(int argc, char **argv)
{
    pcap_t *pd;

    if (argc < 2) {
        fprintf(stderr, "Please specify an interface name\n");
        return -1;
    }
    pd = open_interface(argv[1]);
    if (!pd) {
        fprintf(stderr, "Unable to open interface\n");
        return -1;
    }
    if (read_loop(pd) < 0) {
        fprintf(stderr, "Error reading packet\n");
        return -1;
    }
    return 0;
}
Windows
Unfortunately, Windows-based operating systems provide no functionality to access the network at the data link layer. We must obtain and install a third-party packet driver to obtain access to this level. Until recently, there have been no such drivers publicly available for which a license was not required. A BPF-like driver has now been written that supports even the BPF in-kernel filtering mechanism. A port of the libpcap library is also now available that, when combined with the driver, provides an interface as easy as their UNIX counterparts. The driver, the libpcap port, and a Windows version of TCPDump are all available from .
Taking Protective Measures
So you probably think that all is lost and that there is nothing you can do to prevent sniffing from occurring on your network, right? All is not lost, as you will see in this section.

Providing Encryption
Fortunately, for the state of network security, encryption (used properly) is the one silver bullet that will render a packet sniffer useless. Encrypted data, assuming its encryption mechanism is valid, will thwart any attacker attempting to passively monitor your network.
Many existing network protocols now have counterparts that rely on strong encryption, and all-encompassing mechanisms such as IPSec provide this for all protocols. Unfortunately, IPSec is not widely used on the Internet outside of individual corporations.
Secure Shell (SSH)
Secure Shell is a cryptographically secure replacement for the standard Telnet,
rlogin, rsh, and rcp commands. It consists of both a client and server that use
public key cryptography to provide session encryption. It also provides the ability
to forward arbitrary ports over an encrypted connection, which comes in very
handy for the forwarding of X11 Windows and other connections.
SSH has received wide acceptance as the secure mechanism to access a remote system interactively. SSH was conceived and initially developed by Finnish developer Tatu Ylonen. The original version of SSH turned into a commercial venture, and although the original version is still freely available, the license has become more restrictive. A public specification has been created, resulting in the development of a number of different versions of SSH-compliant client and server software that do not contain these restrictions (most significantly, those that restrict commercial use).
The original SSH, written by Tatu Ylonen, is available from .fi/pub/ssh/. The new commercialized SSH can be purchased from SSH Communications Security (www.ssh.com), who have made the commercial version free to recognized universities.
A completely free version of SSH-compatible software, OpenSSH, developed
by the OpenBSD operating system project (as seen in Figure 10.8), can be
obtained from www.openssh.com.
Figure 10.8 The OpenSSH Project
Incidentally, the OpenBSD/OpenSSH team does a lot of good work for little
or no money. Figure 10.8 is available as a T-shirt, and proceeds go to help cover
expenses for the project. Check out the shirts, posters, and CD-ROMs that they
sell at www.openbsd.org/orders.html.
Secure Sockets Layer (SSL)
SSL provides authentication and encryption services. From a sniffing perspective,
SSL is vulnerable to a man-in-the-middle attack (as described previously in the
dsniff section). An attacker can set up a transparent proxy between you and the
Web server. This transparent proxy can be configured to decrypt the SSL connection,
sniff it, and then reencrypt it. When this happens, the user will be prompted
with a certificate warning similar to Figure 10.9. The problem is that most users
ignore the warning and proceed anyway.
PGP and S/MIME
PGP and S/MIME are standards for encrypting e-mail. If used correctly, these
will prevent e-mail sniffers like dsniff and Carnivore from being able to interpret
intercepted e-mail.
In the United States, the FBI has designed a Trojan horse called Magic Lantern
that is designed to log keystrokes, hopefully capturing a user’s passphrase. Once
the FBI gets a passphrase, they can then decrypt the e-mail messages. In the
United Kingdom, users are required by law to give their encryption keys to law
enforcement when requested.
Figure 10.9 Incorrect SSL Certificate Alert
Switching
Network switches do make it more difficult for an attacker to monitor your network;
however, not by much. Switches are sometimes recommended as a solution
to the sniffing problem; however, their real purpose is to improve network performance,
not to provide security. As explained in the section "Advanced Sniffing
Techniques," any attacker with the right tools can still monitor a switched host if
they are on the same switch or segment as that system.
Employing Detection Techniques
But what if you can't use encryption on your network for some reason? What do
you do then? If this is the case, then you must rely on detecting any network
interface card (NIC) that is operating in the mode a sniffer would put it in
(promiscuous mode).
Local Detection
Many operating systems provide a mechanism to determine whether a network
interface is running in promiscuous mode. This is usually represented by a
status flag that is associated with each network interface and maintained in the
kernel. It can be obtained by using the ifconfig command on UNIX-based
systems.
The following example shows an interface on the Linux operating system
when it isn't in promiscuous mode:
eth0      Link encap:Ethernet  HWaddr 00:60:08:C5:93:6B
          inet addr:10.0.0.21  Bcast:10.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1492448 errors:2779 dropped:0 overruns:2779 frame:2779
          TX packets:1282868 errors:0 dropped:0 overruns:0 carrier:0
          collisions:10575 txqueuelen:100
          Interrupt:10 Base address:0x300
Note that the attributes of this interface mention nothing about promiscuous
mode. When the interface is placed into promiscuous mode, as shown next, the
PROMISC keyword appears in the attributes section:
eth0      Link encap:Ethernet  HWaddr 00:60:08:C5:93:6B
          inet addr:10.0.0.21  Bcast:10.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:1492330 errors:2779 dropped:0 overruns:2779 frame:2779
          TX packets:1282769 errors:0 dropped:0 overruns:0 carrier:0
          collisions:10575 txqueuelen:100
          Interrupt:10 Base address:0x300
It is important to note that if an attacker has compromised the security of the
host on which you run this command, he or she can easily affect this output. An
important part of an attacker's toolkit is a replacement ifconfig command that
does not report interfaces in promiscuous mode.
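The following script is an added example for this section; it is not code from the book. It automates the check just described in two ways: it parses ifconfig output for the PROMISC keyword (both the classic layout shown above and the newer flags=<...> layout), and, on Linux, it reads the kernel's own flag word from /sys/class/net/<interface>/flags and tests the IFF_PROMISC bit, so that a replaced ifconfig binary cannot hide the flag on its own. The IFF_PROMISC value 0x100 is the standard Linux one; the sample listings are constructed from the chapter's output with the usual indentation restored.

```python
"""Promiscuous-mode check for Linux hosts, two ways.

Added example for this chapter; it is not code from the book. The sample
ifconfig output below is constructed from the listing in the text."""
import os
import re

# IFF_PROMISC bit of the Linux interface flag word (<linux/if.h>).
IFF_PROMISC = 0x100


def promisc_from_ifconfig(text):
    """Return interface names whose ifconfig block contains the PROMISC keyword.

    Works with the classic net-tools layout shown in the chapter and with the
    newer "eth0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>" form.
    """
    found = []
    name = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():           # a new interface block starts here
            name = line.split()[0].rstrip(":")
        if name and re.search(r"\bPROMISC\b", line) and name not in found:
            found.append(name)
    return found


def flags_are_promisc(flags_text):
    """Decode one /sys/class/net/<iface>/flags value such as '0x1103'."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def promisc_from_sysfs(sysfs_root="/sys/class/net"):
    """Read the kernel's flag word for each interface instead of trusting the
    ifconfig binary, which an intruder may have replaced. A kernel-level
    rootkit can still lie here, so treat the answer as evidence, not proof."""
    result = {}
    try:
        ifaces = os.listdir(sysfs_root)
    except OSError:
        return result                        # not Linux, or no sysfs mounted
    for iface in ifaces:
        try:
            with open(os.path.join(sysfs_root, iface, "flags")) as f:
                result[iface] = flags_are_promisc(f.read())
        except (OSError, ValueError):
            continue
    return result


# Constructed sample: the chapter's listing, with net-tools indentation restored.
NORMAL_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 00:60:08:C5:93:6B
          inet addr:10.0.0.21  Bcast:10.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1492448 errors:2779 dropped:0 overruns:2779 frame:2779
          TX packets:1282868 errors:0 dropped:0 overruns:0 carrier:0
          collisions:10575 txqueuelen:100
          Interrupt:10 Base address:0x300
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3924  Metric:1
"""

# Same listing after the interface has been placed into promiscuous mode.
PROMISC_IFCONFIG = NORMAL_IFCONFIG.replace(
    "UP BROADCAST RUNNING MULTICAST", "UP BROADCAST RUNNING PROMISC MULTICAST")

if __name__ == "__main__":
    print("constructed normal listing:", promisc_from_ifconfig(NORMAL_IFCONFIG))
    print("constructed promisc listing:", promisc_from_ifconfig(PROMISC_IFCONFIG))
    print("this host (Linux sysfs):", promisc_from_sysfs())
```

Run it on a Linux host and compare the two answers: a disagreement between what ifconfig prints and what sysfs reports is itself worth investigating, since it points at a tampered ifconfig. The usual reminder from the text still applies to both methods: the check is only as trustworthy as the kernel on the host being examined.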
Network Detection
There are a number of techniques, varying in their degree of accuracy, to detect
whether a host is monitoring the network for all traffic. There is no guaranteed
method to detect the presence of a network sniffer.
DNS Lookups
Most programs that are written to monitor the network perform reverse DNS
lookups when they produce output consisting of the source and destination hosts
involved in a network connection. In the process of performing this lookup, additional
network traffic is generated; mainly, the DNS query to look up the network
address. It is possible to monitor the network for hosts that are performing
a large number of address lookups alone; however, this may be coincidental, and
not lead to a sniffing host.
An easier way, which would result in 100 percent accuracy (for sniffers that do
perform reverse lookups), would be to generate a false network connection from
an address that has no business being on the local network. We would then
monitor the network for DNS queries that attempt to resolve the faked address,
giving away the sniffing host.
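The decoy technique just described, as an added example that is not code from the book. It assumes the defender can see the DNS queries, either on the wire or in the recursive resolver's query log, and that a decoy source address from a range that never legitimately appears on the LAN was used for the fake connection. The resolver log lines, the decoy address 192.0.2.77 (from the documentation range), and the client addresses are all constructed; the line layout imitates the BIND query-log style but is not a real capture.

```python
"""Decoy-address trap for sniffers that do reverse DNS lookups.

Added example, not code from the book. The decoy address, the resolver log
lines, and the client addresses are all constructed; the log layout follows the
BIND query-log style but is not a real capture."""
import ipaddress
import re

# BIND-style "client A.B.C.D#port: query: NAME IN TYPE" fragments.
QUERY_RE = re.compile(
    r"client (?P<client>[0-9a-fA-F.:]+)#\d+: query: (?P<name>\S+) IN (?P<type>[A-Z]+)")


def decoy_ptr_name(ip):
    """Name a sniffer asks for when it reverse-resolves the decoy address,
    e.g. 192.0.2.77 -> 77.2.0.192.in-addr.arpa (IPv6 is handled the same way)."""
    return ipaddress.ip_address(ip).reverse_pointer


def sniffer_candidates(query_log, decoy_ips):
    """Map each decoy address to the sorted list of clients that issued a PTR
    query for it. Only decoys that drew at least one query appear in the result;
    any client listed here resolved an address nobody on the LAN should have seen."""
    wanted = {decoy_ptr_name(ip).lower(): ip for ip in decoy_ips}
    hits = {}
    for line in query_log.splitlines():
        m = QUERY_RE.search(line)
        if not m or m.group("type") != "PTR":
            continue
        name = m.group("name").rstrip(".").lower()   # tolerate a trailing dot
        decoy = wanted.get(name)
        if decoy is not None:
            hits.setdefault(decoy, set()).add(m.group("client"))
    return {ip: sorted(clients) for ip, clients in hits.items()}


# Constructed resolver log. The decoy 192.0.2.77 has no business on this LAN;
# only 10.0.0.37 tried to turn it back into a hostname.
SAMPLE_QUERY_LOG = """\
28-Mar-2001 18:43:24.101 client 10.0.0.21#1035: query: www.example.com IN A + (10.0.0.1)
28-Mar-2001 18:43:24.812 client 10.0.0.37#3291: query: 77.2.0.192.in-addr.arpa IN PTR + (10.0.0.1)
28-Mar-2001 18:43:25.003 client 10.0.0.21#1036: query: mail.example.com IN MX + (10.0.0.1)
28-Mar-2001 18:43:26.442 client 10.0.0.37#3292: query: 21.0.0.10.in-addr.arpa IN PTR + (10.0.0.1)
28-Mar-2001 18:43:27.900 client 10.0.0.37#3293: query: 77.2.0.192.in-addr.arpa. IN PTR + (10.0.0.1)
"""

if __name__ == "__main__":
    print(sniffer_candidates(SAMPLE_QUERY_LOG, ["192.0.2.77"]))
```

The caveat from the text carries over: a sniffer run with name resolution disabled (TCPDump's -n, for instance) never issues the PTR query and stays invisible to this trap, which is why the chapter lists several independent detection methods rather than one.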
Latency
A second technique that can be used to detect a host that is monitoring the network
is to detect latency variations in the host's response to network traffic (i.e.,
ping). Although this technique can be prone to a number of error conditions
(such as the host's latency being affected by normal operation), it can assist in
determining whether a host is monitoring the network. The method that can be
used is to probe the host initially, and sample the response times. Next, a large
amount of network traffic is generated, specifically crafted to interest a host that
is monitoring the network for authentication information. Finally, the latency of
the host is sampled again to determine whether it has changed significantly.
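The comparison step of the latency technique, as an added example that is not code from the book. It goes one step beyond the text by measuring a second, known-clean control host on the same segment at the same time, which addresses the error condition the chapter warns about: if the traffic burst itself congests the segment, both hosts slow down and the target is not flagged. The round-trip times are constructed values in milliseconds; on a real network they would come from ping before and during the burst.

```python
"""Latency-based promiscuous-mode check with a control host.

Added example, not code from the book. RTT values below are constructed
(milliseconds); on a live network they would come from ping before and during
the decoy traffic burst the chapter describes."""
import statistics


def median_rtt(rtts, min_samples=5):
    """Median of a sample set; refuse to judge on too few pings."""
    if len(rtts) < min_samples:
        raise ValueError("need at least %d samples" % min_samples)
    return statistics.median(rtts)


def slowdown_ratio(baseline_rtts, loaded_rtts):
    """Median RTT during the burst divided by median RTT before it.
    The median keeps one or two stray slow replies from dominating."""
    base = median_rtt(baseline_rtts)
    load = median_rtt(loaded_rtts)
    return load / base if base > 0 else float("inf")


def looks_promiscuous(target_base, target_load, control_base, control_load, factor=2.0):
    """Flag the target only if it slowed down `factor` times more than a control
    host measured at the same time; this cancels out slowdowns caused by the
    burst congesting the segment rather than by a sniffer parsing every frame.
    Returns (flag, target_ratio, control_ratio)."""
    target_ratio = slowdown_ratio(target_base, target_load)
    control_ratio = slowdown_ratio(control_base, control_load)
    return target_ratio >= factor * control_ratio, target_ratio, control_ratio


# Constructed samples (ms): the target's replies triple in latency under the
# burst while the control host on the same segment barely changes.
TARGET_BASE = [1.0, 1.1, 0.9, 1.0, 1.2, 1.0]
TARGET_LOAD = [3.1, 2.9, 3.0, 3.3, 2.8, 3.0]
CONTROL_BASE = [1.0, 1.0, 1.1, 0.9, 1.0, 1.0]
CONTROL_LOAD = [1.1, 1.0, 1.2, 1.0, 0.9, 1.0]

if __name__ == "__main__":
    flag, t, c = looks_promiscuous(TARGET_BASE, TARGET_LOAD, CONTROL_BASE, CONTROL_LOAD)
    print("target ratio %.2f, control ratio %.2f, suspicious=%s" % (t, c, flag))
```

The factor of 2.0 is an assumption chosen for the constructed data; on a real segment, calibrate it by running the burst against hosts you know are not sniffing and observing how much their ratios vary.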
Driver Bugs
Sometimes an operating system driver bug can assist us in determining whether a
host is running in promiscuous mode. In one case, CORE-SDI, an Argentine
security research company, discovered a bug in a common Linux Ethernet driver.
They found that when the host was running in promiscuous mode, the operating
system failed to perform Ethernet address checks to ensure that the packet was
targeted toward one of its interfaces. Instead, this validation was performed at the
IP level, and the packet was accepted if it was destined to one of the host's interfaces.
Normally, packets that did not correspond to the host's Ethernet address
would have been dropped at the hardware level; however, in promiscuous mode,
this doesn't happen. We could determine whether the host was in promiscuous
mode by sending an ICMP ping packet to the host, with a valid IP address of the
host, but an invalid Ethernet address. If the host responded to this ping request, it
was determined to be running in promiscuous mode.
AntiSniff
AntiSniff is a tool written by a Boston-based group of grey-hat hackers known as
the L0pht. They have combined several of the techniques just discussed into a
tool that can serve to effectively detect whether a host is running in promiscuous
mode. A 15-day trial version of this tool (for Windows-based systems) can be
obtained from their Web site located at www.securitysoftwaretech.com/antisniff.
A UNIX version is available for free for noncommercial use. See the license
for the restrictions on using this version.
Remember that AntiSniff finds some sniffers, not all. Some sniffers are completely
stealthy, whereas others have been patched to counteract AntiSniff.
Network Monitor
Network Monitor, available on Windows NT-based systems, has the capability to
monitor who is actively running NetMon on your network. It also maintains a
history of who has NetMon installed on their system. It detects only other copies
of Network Monitor, so if the attacker is using another sniffer, then you must
detect it using one of the previous methods discussed. Most network-based intrusion
detection systems will also detect these instances of NetMon.
Summary
Sniffing is monitoring a network for useful information. Sniffing can be used to
steal authentication information (passwords), steal e-mail, monitor
Web usage, and generally discover everything a target is doing on a network.
Protocols that are useful to sniff for passwords include Telnet, POP3, IMAP,
HTTP, and NetBIOS.
There are many popular sniffing software packages. These include Ethereal,
Sniffer Pro, NetMon, AiroPeek, TCPDump, dsniff, and Ettercap. Some of these
are commercial, and some are available for free. For password monitoring, dsniff is
the most useful. It's also one of the free ones. It also has modules for monitoring
e-mail and Web traffic. Carnivore is a specialized sniffer used by law enforcement
that has more filtering options than many others (and is not available to the general
public).
Traditionally, most local area networks sent traffic to all attached nodes.
Currently, many networks employ switches, which are network devices designed
to help improve performance. They can also hinder sniffing somewhat, since they
are designed not to send traffic to nodes that aren't supposed to get it. There are
tricks that can be played to get around this problem, such as MAC flooding, ARP
spoofing, or route manipulation. These techniques are designed to give a sniffer
on a switched network an opportunity to monitor traffic again. MAC flooding
and route manipulation work by manipulating the network equipment itself.
ARP spoofing works by manipulating the ARP table of the machine that is to be
monitored. Some of the sniffing packages mentioned come with tools to accomplish
these tricks.
Each operating system comes with its own API for capturing network traffic,
except older versions of Windows. Free add-on driver software is available for
versions of Windows that don't include the functionality. Writing a program to
capture network traffic can be done in a handful of lines in many cases, though
you will need the appropriate privileges in order to use it. However, actually
decoding the traffic your program captures will be much harder.
In general, encryption is the way to defend against sniffing. If done properly,
encrypted network traffic will defeat any sniffing attempts. However, many
encryption schemes rely on the end user to make intelligent choices regarding
the error messages they might see. This leaves a hole for MITM attacks, which
may cause an error, but the error is often ignored. The dsniff package includes
some tools for performing MITM (monkey-in-the-middle, in that case) attacks.