NOW SpinRite 6.1 – Fast and useful for spinning and solid state mass storage!

OptOut Logo
How to Watch Spyware Watching You!
by Steve Gibson, Gibson Research Corporation
Packet Sniffing



Packet data of DNS (Domain Name System) reply to Aureate software's
request for the IP address of its default server 'aim1.adsoftware.com'

All network data travels across the Internet, and then into and out of PC's, in the form of individual, variable size, "data packets" like the one shown above. Since the typical PC user never "sees" any of this raw data, many spyware systems covertly send sensitive information out of the user's computer without their knowledge.

Packet sniffers expose this raw
Internet dialog to the light of day.

A "Packet Sniffer" is a utility that sniffs without modifying the network's packets in any way. By comparison, a firewall sees all of a computer's packet traffic as well, but it has the ability to block and drop any packets that its programming dictates. Packet sniffers merely watch, display, and log this traffic.

One disturbingly powerful aspect of packet sniffers is their ability to place the hosting machine's network adapter into "promiscuous mode." Network adapters running in promiscuous mode receive not only the data directed to the machine hosting the sniffing software, but also ALL of the traffic on the physically connected local network. Unfortunately, this capability allows packet sniffers to be used as potent spying tools. This is obviously not an activity that I wish to promote on this site, and if non-promiscuous sniffing software were available I would be recommending it. But, unfortunately, all of the tools I have located avidly feature promiscuous sniffing capabilities.

One note of warning before we go any further:
The use of powerful packet sniffing software by people who lack a thorough understanding of TCP/IP and Internet protocols will — without question — create significant confusion and raise a large number of questions. At the end of this page I have assembled references to a number of extremely good texts. Everything you could want to know is spelled out in those volumes. We have also created a private "packetsniffing" newsgroup forum for the discussion of packet sniffing software, findings, and questions. But please understand that GRC CAN NOT PROVIDE any other form of technical support for users of packet sniffing software.

ALL questions or observations regarding Packet
Sniffing MUST BE DIRECTED to our online forum.

news://news.grc.com/grc.techtalk.packetsniffing

Despite the fact that users of packet sniffing software are very much "on their own" (with the exception of our "packetsniffing" support newsgroup), I feel that empowering users with the ability to perceive and record the data moving into and out of their PC's is so useful and important that it offsets the burden and responsibility of that data's detailed interpretation.

Two Favored Windows-based Packet Sniffers

The SpyNet Sniffer Changed Publishers:

The Spynet Sniffer (described below) was sold to eEye - Digital Security, enhanced (sort of), it's somewhat more attractive, and renamed the "Iris" Network Traffic Analyzer. That's the good news.

The bad news is that these folks must have a very different target market in mind than you or me, since their price for the sniffer is $1745 with $550 annual "maintenance fees"! Yikes!!!! I don't know who they're selling that to, but it's sure not me!

The sort of good news is that, like the original Spynet Sniffer, theirs DOES have a built-in 30-day free trial before it expires, and even more cool, it's 30 actual days of real use, not 30-days from the time it's downloaded.

So you can really get some use out of the best sniffer on the market for 30-days before needing to come to grips with the fact that it's "pay up (and how!) or give it up."

http://www.eeye.com/html/Products/Iris/overview.html

 The SpyNet Sniffer:

  
Click for full-size view
This powerful and capable sniffing solution consists of two programs: CaptureNet and PeepNet. Despite the fact that it offers the much too prone to abuse promiscuous mode, and (even more alarmingly) provides sample filters for capturing eMail and other passwords as they pass by on a LAN — which I object to MOST strenuously — I confess that this is my favorite packet sniffer. It can be readily downloaded and used on a pre-purchase trial basis.

The CaptureNet software works reliably and robustly on all 32-bit Windows platforms. It provides excellent display formatting and log saving and exporting features and it offers very useful "packet filtering" to specify which packets to capture and which to ignore. This is the packet capturing tool that I have used exclusively for all of my research. It can be used for 30-days before it must be registered for continued use. The program's author has also created a SpyNet Sniffer Forum where extensive help and guidance may be found.

If the author would clean up his act by disabling promiscuous mode capture for unregistered versions, and remove the obviously "only useful for malicious purposes" sample eMail password capture filters, he would have a fully commercial-grade product that I would recommend without reservation. As it is, it is the packet sniffer I most recommend, although very reluctantly, due to its apparent "malicious hacker" user orientation.

ONE ANNOYANCE: The SpyNet Sniffer is dependent upon a number of Windows components that are installed by Microsoft Internet Explorer 5. Therefore, IE5 must be installed in any system running the SpyNet Sniffer. The CommView Sniffer (see below) has no such requirement or limitation.

 The CommView v2.0 Sniffer:

  
Click for full-size view
Tamos Software's CommView v2 is another very nice and feature-complete packet sniffer which can be downloaded and used on a pre-purchase trial basis. It has a very nice "Statistics" display page which is missing from the SpyNet sniffer. This statistics page groups together similar packet traffic having identical source and destination IP addresses and "resolves" the machine "hostnames" being contacted. This can greatly simplify the task of detecting "spyware" behavior. The Tamos sniffer also offers very complete and somewhat more capable and extensive filtering capabilities than SpyNet's CaptureNet sniffer.

If you are unnerved by the idea of
someone operating a promiscuous
packet sniffer on YOUR network. . .

Thwarting Promiscuous Sniffing

Since a promiscuous sniffer can only sniff the data traffic being shared on its local network segment, promiscuous sniffing can be completely thwarted through the use of network "switches" instead of "hubs."

A 10Base-T or 100Base-T network hub operates by retransmitting any received data to all connected machines. But a network switch "knows" which specific machine — and LAN segment — any received data is destined for and it therefore retransmits any received data only on the LAN segment containing the intended receiver. Therefore, if switches are used instead of hubs, each machine will occupy its own LAN segment and that segment will only carry data traffic intended for that machine.

Such LAN segmentation renders promiscuous mode packet sniffers completely powerless.

Detecting Promiscuous Sniffing

Although "sniffers" are intended to be completely passive and therefore undetectable, the presence of simple software-based sniffers, such as those shown above, can be detected with tricky software designed for the purpose.

The clever hackers of LOPHT Heavy Industries have designed just such a tool, named "AntiSniff". Windows NT Magazine has a nice article which summarizes AntiSniff's operation and ZDNet's Bill Machrone writes about hacking and AntiSniff in his November '99 column How Do I Hack Thee?

Since AntiSniff may be downloaded and used FREE for 15 days, if you are responsible for a corporate network using (promiscuous unsafe) network hubs instead of more secure network switches, my only question is . . . why aren't you using AntiSniff?

And, needless to say, locating a promiscuous-mode machine on your network would be cause for SERIOUS concern and action.

Learning About Packets and Protocols

 The Internet RFC's:
In keeping with the spirit of the Internet, everything you could ever want to know about the IP and TCP protocols is widely and readily available for free download. Although the "Internet RFC's" will decidedly not hold your hand and guide to understanding, they are the definitive reference for the operation of the Internet.

Although the Internet Engineering Task Force (IETF) is the formal and most official repository of Internet RFC's, it is not the most "touchy feely" place to visit. This page allows any RFC to be retrieved by number and a number of different searching options are available here. You can even download the entire RFC file set in a single ZIP file here.

If you find yourself a bit put off by the somewhat stark appearance of the IETF site, a somewhat more enjoyable place to browse RFC's is the Ohio State department of Computer and Information Science site.

They also provide an keyword search which is highly effective.

 An Amazing FREE Resource: IBM's TCP/IP Redbook

The 986-page "TCP/IP Tutorial and Technical Overview", produced by the IBM International Technical Support Organization, is available as a freely downloadable, 7.8MB PDF format file. This is one amazingly useful and comprehensive text which anyone interested in learning more about the ways and means of inter-networking should definitely check out!

You can browse the RedBook's extensive content before downloading the PDF with this link:

To download the PDF file from IBM's redbook servers, click the image to the left or . An overview of the text showing its table of contents and other information — such as hardcopy purchasing information — is available here.

 Expensive, but worthwhile, textbooks:
As you might imagine, the explosion of interest in the Internet created an explosion in textbooks about inter-networking. As you might also expect, being first to the bookstore shelf was more important, for many publishers, than the quality of their offering (which those many publishers may have had trouble judging in any event.) Consequently, there are only a few really terrific textbooks and I am not going to inundate you with choices.

Armed with any of these texts, you can become a powerful counterspy in the struggle for personal privacy in this sometimes too-connected brave new world.

      

Richard Stevens' three volume "TCP/IP Illustrated" series is the virtual bible of this new virtual world. Many, if not most, detailed discussions of Internet operation conclude with statements like "See Richard Stevens' TCP/IP Illustrated, vol.1, for additional information." These three texts contain a wealth of definitive answers, details, and explanations of the Internet's operation.

Volume One, "The Protocols", provides everything you would need to develop a deep understanding of anything a packet sniffer might show you. So, I would recommend against purchasing all three texts unless you're the sort of person (as I am :) who loves to own important reference material, even if it's not often used.

 TCP/IP Illustrated, Volume 1, "The Protocols", ISBN 0-201-63346-9 (Amazon)
 TCP/IP Illustrated, Volume 2, "The Implementation", ISBN 0-201-63354-X (Amazon)
 TCP/IP Illustrated, Volume 3, "TCP Transactions", ISBN 0-201-63495-3 (Amazon)

      

Douglas Comer's three volume "Internetworking with TCP/IP" series is another often quoted and quite well-known Internet reference work. It has a very different feel from Stevens' work. The first volume contains less detail than Stevens', then the second volume shifts gears completely by showing detailed source code for the implementation of a TCP/IP protocol "stack". The third volume in the series was published much later (in 1997 versus 1991) and would be of interest only to Windows "sockets" programmers.

 Internetworking with TCP/IP, Volume I, "Principles, Protocols, and Architecture",
   ISBN 0-13-018380-6 (Amazon)
 Internetworking with TCP/IP, Volume II, "Design, Implementation, and Internals",
   ISBN 0-13-125527-4 (Amazon)
 Internetworking with TCP/IP, Volume III, "Client-Server Programming and Applications",
   ISBN 0-13-848714-6 (Amazon)

TCP/IP Blueprints is a fact-packed and highly useful text. If you could only choose a single volume, I'd be tempted to recommend this one over the other more page-intensive multi-volume collections (but I'd still probably choose Stevens' excellent first volume! :) If you're looking for a single, extremely comprehensive, text which touches upon virtually every facet of the operation of the Internet, while still providing enough detail to be "complete", this would be your best bet.

 TCP/IP Blueprints by Robin Burk, Martin Bligh, Thomas Lee, et al.
   ISBN 0-672-31055-4 (Amazon)

Sniffing-Related Resources

If you are interested in learning more about packet sniffing, you're not a Windows user, or you just like to browse through collections of web links, I believe you'll find that the following additional resources are worth your examination:

 Packet Storm's MAJOR packet sniffing page
   http://packetstormsecurity.org/sniffers/

 "TCP for the Uninitiated - Part I (Introduction and Background)
   http://www.dragonmount.net/tutorials/tcpip/part1/intro.htm

 An overview of the TCP/IP protocol suite
   http://www.acm.org/crossroads/xrds1-1/tcpjmy.html

 RFC1180 - A TCP/IP Tutorial
   ftp://ftp.isi.edu/in-notes/rfc1180.txt

 An Introduction to TCP/IP
   http://www.yale.edu/pclt/COMM/TCPIP.HTM

 Uri Raz's (amazing) TCP/IP resource page
   http://www.private.org.il/tcpip_rl.html

 The Protocol.com Web Site
   http://www.protocols.com

 An example packet sniffer (written in Perl)
   http://stein.cshl.org/~lstein/talks/WWW6/sniffer/

To continue, please press your browser's BACK button.

Jump to top of page
Gibson Research Corporation is owned and operated by Steve Gibson.  The contents
of this page are Copyright (c) 2024 Gibson Research Corporation. SpinRite, ShieldsUP,
NanoProbe, and any other indicated trademarks are registered trademarks of Gibson
Research Corporation, Laguna Hills, CA, USA. GRC's web and customer privacy policy.
Jump to top of page

Last Edit: Oct 06, 2003 at 14:29 (7,650.52 days ago)Viewed 8 times per day