A sniffer grabs all of the traffic flowing into and out of a computer attached to a network. Sniffers are available for several platforms. Some of the simplest packages are actually quite easy to implement in C or Perl, use a command-line interface, and dump captured data to the screen. More complex sniffers use a GUI (Graphical User Interface), graph traffic statistics, track multiple sessions and offer several configuration options.
- Sniffer usage
- Intrusion Detection Systems
- Regularly check the turf yourself too
- Deep Packet Inspection
- Evading traffic analysis
Sniffers are also the engines of other programs. Intrusion Detection Systems (IDS, see below) use sniffers to match packets against a rule-set designed to flag anything malicious or strange. Network utilization and monitoring programs often use sniffers to gather the data needed for metrics and analysis. Law enforcement agencies that need to monitor email during investigations likely employ a sniffer designed to capture very specific traffic (see evasion techniques below).
Note: Packet sniffing across a switched network is difficult, unless all traffic is mirrored to a monitoring port on a high-end switch, as intelligence agencies do.
Sniffer Usage
Sniffers
Intrusion Detection Systems
An intrusion detection system (IDS) monitors network traffic for suspicious activity and alerts the system or network administrator. In some cases the IDS may also respond to anomalous or malicious traffic by taking action such as blocking the user or source IP address from accessing the network.
IDS come in a variety of “flavors” and approach the goal of detecting suspicious traffic in different ways. There are network-based (NIDS) and host-based (HIDS) intrusion detection systems. There are IDS that detect by looking for specific signatures of known threats, similar to the way antivirus software typically detects and protects against malware, and there are IDS that detect by comparing traffic patterns against a baseline and looking for anomalies. There are IDS that simply monitor and alert, and there are IDS that perform one or more actions in response to a detected threat.
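As an added example (not code from the original page), the following Python script sketches the engine the text describes: a header parser that decodes raw IPv4/TCP packets the way a sniffer would hand them over, a small signature rule-set, and a baseline-style anomaly check. The packets, rule names and baseline value are constructed for the demonstration.

```python
# Added example: the packets below are constructed by hand so it runs offline.
import struct
from collections import Counter

def parse_ipv4_tcp(raw: bytes) -> dict:
    """Decode the IPv4 and TCP headers of one raw IP packet (no Ethernet frame)."""
    ihl = (raw[0] & 0x0F) * 4                      # IPv4 header length in bytes
    proto = raw[9]
    src = ".".join(map(str, raw[12:16]))
    dst = ".".join(map(str, raw[16:20]))
    if proto != 6:                                 # only TCP is decoded here
        return {"src": src, "dst": dst, "proto": proto, "payload": b""}
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", raw[ihl:ihl + 14])
    thl = (off_flags >> 12) * 4                    # TCP header length in bytes
    flags = off_flags & 0x1FF
    return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport,
            "flags": flags, "payload": raw[ihl + thl:]}

# Signature rules (constructed): name, destination port, byte pattern in payload
SIGNATURES = [
    ("http-cmd-shell", 80, b"/bin/sh"),
    ("telnet-root-login", 23, b"root"),
]
SYN = 0x02

def signature_alerts(pkts):
    """Match each decoded packet against the rule-set; return (rule, src, dst) hits."""
    return [(name, p["src"], p["dst"]) for p in pkts for name, port, pat in SIGNATURES
            if p.get("dport") == port and pat in p["payload"]]

def anomaly_alerts(pkts, baseline_syn_per_src=3):
    """Flag sources whose SYN count exceeds the baseline (a crude scan detector)."""
    syns = Counter(p["src"] for p in pkts if p.get("flags", 0) & SYN)
    return [src for src, n in syns.items() if n > baseline_syn_per_src]

def build(src, dst, sport, dport, flags, payload=b""):
    """Construct a minimal IPv4+TCP packet (checksums left zero; fine for parsing)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | flags, 8192, 0, 0)
    return ip + tcp + payload

# Constructed capture: one host probing five ports, one host sending a suspicious GET
SAMPLE = [build("10.0.0.5", "10.0.0.1", 40000 + i, 20 + i, SYN) for i in range(5)] + [
    build("10.0.0.7", "10.0.0.1", 51000, 80, 0x18, b"GET /cgi-bin/x?c=/bin/sh HTTP/1.0")]

if __name__ == "__main__":
    decoded = [parse_ipv4_tcp(p) for p in SAMPLE]
    print(signature_alerts(decoded))   # [('http-cmd-shell', '10.0.0.7', '10.0.0.1')]
    print(anomaly_alerts(decoded))     # ['10.0.0.5']
```

A real NIDS reads the same raw bytes from a capture interface or pcap file instead of `SAMPLE`; the parsing and matching stages stay the same.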
A honeypot is a system designed to capture all traffic and activity directed at it. While honeypots can be set up to perform simple network services in conjunction with capturing network traffic, most are designed strictly as a “lure” for would-be attackers. Honeypots differ from regular network systems in that their focus is on logging all activity to the site, either by the honeypot itself or through the use of a network/packet sniffer.
The use of honeypots, especially together with packet sniffers, is at the center of the debate over the use of such tactics and information-collection procedures. Honeypots are at best a mechanism for providing information on attack protocols that are already widely known and at worst a form of electronic wiretapping and entrapment.
Regularly Check The Turf Yourself Too
Deep Packet Inspection
Evading Traffic Analysis
Handle your TCP connection transparently: delay, modify and inject fake packets inside your transmission to make it almost impossible for a passive wiretapping technology (an IDS or sniffer) to read it correctly.