Detection of sniffers in an Ethernet network

On a local network, security is always taken into consideration. When plain text data is being sent onto the network, it can be easily stolen by any network user. Stealing data from the network is called sniffing. By sniffing the network, a user can gain access into confidential documents and cause intrusion into anyone's privacy. Many 0freely distributed software on the Internet provides this functionality. Despite the easiness of sniffing, sniffers are usually difficult to detect, since they do not interfere with the network traffic at all. System administrators are facing difficulties to detect and deal with this type of attack. Several antisniffers programs can be used to detect sniffers. However, sniffers are becoming very advanced so that current antisniffers are unable to detect them. This paper explains a new technique used by SupCom AntiSniffer, a tool that can effectively scan sniffers on an Ethernet network. The proposed technique uses three phases to detect the sniffing hosts in an Ethernet network. In the first phase, the ARP caches of the sniffing hosts are corrupted. In the second phase, TCP SYN request connections packets are sent to each host in the network using fake IP and MAC source addresses. Finally, by analyzing the responses of the hosts, all hosts running sniffers are detected. Four anti-sniffers, PMD [18], PromiScan [17], L0pht AntiSniff [19] and SupCom anti-sniffer, are tested and the evaluation results show that SupCom AntiSniffer succeeded to detect more sniffing hosts than the other antisniffers.