
How to detect an illegal sniffing tool and defend its harm on a network?

A network sniffing tool, also called a protocol analyzer, packet analyzer, sniffer or network packet analyzer, is a program and/or device that monitors and analyzes data traveling over a network. Sniffing tools can be used both for legitimate network management and for stealing information off a network. Unauthorized sniffing tools are extremely dangerous to a network's security because they are virtually impossible to detect and can be inserted almost anywhere, which makes them a favorite weapon in the hacker's arsenal.

Detecting a sniffing tool in a network

It is not easy to detect whether a sniffing tool is attached to your network, because its activity is quiet. Some general approaches are:

  1. Run your own sniffer and monitor the DNS traffic of a nominated host;
  2. Judge from network status: if the rate of lost packets is abnormally high, or one machine on the network occupies a large share of bandwidth for a long time, it may imply that a sniffer exists on your network;
  3. Check whether your system is in promiscuous mode; if so, a sniffer may be running at the same time;
  4. Use anti-sniffer software to search for sniffers in the system;
  5. Examine all the applications on the system to see whether any suspicious program is running.

Reducing the harm of illegal sniffers

There is no fully effective solution that prevents a sniffer from being installed on the network or in a system. To reduce the harm of sniffers, the most popular means are as follows:


1. Using a switch

A sniffer works well in a shared networking environment where computers are connected by a hub. To reduce the damage of sniffing tools in a network, replace the hub with a switch, which forwards packets according to their destination network address; a sniffer then cannot capture data that is not addressed to it.

2. Encrypting important data

Encrypting your data reduces the effectiveness of a sniffer: it can still capture all the data, but it cannot decode and read the encrypted information. Some popular encryption technologies are described below:

2.1 SSH (Secure Shell)

SSH is a protocol offering secure communication for application programs, based on a client/server model. The SSH server listens on port 22, and connections are established using the RSA method. When authorization is complete, data transmission is encrypted with the IDEA technique, which is generally quite strong. F-SSH is a higher level of SSH which offers more powerful encryption.

2.2 SSL (Secure Sockets Layer)

Initially developed by Netscape Corporation, SSL is for transferring data secretly and confidentially over the Internet and has been applied widely on the web. SSL mainly provides services in three aspects:

  1. Identify the user and the server, to make sure data is sent to the right client and server;
  2. Encrypt data to hide what is transmitted;
  3. Keep data integrity and prevent data from being modified in transit.

2.3 Other encryptions

Besides the encryption techniques above, there are other tools you can try, such as Kerberos, Deslogin, VPN, SMB/CIFS, and the like.

3. Using one-time passwords

S/key and other one-time password techniques make a sniffer less effective at capturing and analyzing account information. S/key is based on the principle that the remote host holds a password which is never transmitted over the insecure network: when a user connects to the remote host, the user receives a "challenge" message, and the correct "response" is obtained only by combining the challenge with the password through a certain arithmetic method. The security feature of S/key is that passwords never need to travel over the network and the same "challenge/response" pair can appear only once.

Another popular one-time technique is ID cards. Each authorized user has an ID card which generates the number codes for accessing the personal account. Without this ID card, nobody can obtain the code.
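The challenge/response principle described above, as an added example that is not part of the original post: a simplified S/key-style hash chain in which the server stores only the n-th hash of (seed + password) and each login consumes one link of the chain, so a captured response cannot be replayed. It assumes SHA-256 in place of the MD4 and 64-bit folding of the real S/key, and omits the six-word response encoding.

```python
import hashlib


def _h(data: bytes) -> bytes:
    """One step of the chain (simplified: SHA-256, no S/key folding)."""
    return hashlib.sha256(data).digest()


def chain(seed: str, password: str, count: int) -> bytes:
    """Compute H^count(seed || password); the client does this per login."""
    value = (seed + password).encode()
    for _ in range(count):
        value = _h(value)
    return value


class SKeyServer:
    """Holds H^n of the secret, never the password itself."""

    def __init__(self, seed: str, password: str, n: int = 100):
        self.seed = seed
        self.n = n
        self.stored = chain(seed, password, n)   # password discarded after this

    def challenge(self):
        """Sent in clear: the sequence number to compute and the seed."""
        return self.n - 1, self.seed

    def verify(self, response: bytes) -> bool:
        """Accept H^(n-1) iff hashing it once reproduces the stored H^n."""
        if self.n <= 1:
            return False                          # chain exhausted: re-initialize
        if _h(response) != self.stored:
            return False                          # wrong password or replayed response
        self.stored = response                    # advance the chain: old value is now useless
        self.n -= 1
        return True


def client_response(password: str, seq: int, seed: str) -> bytes:
    """What the user's client sends back; only the hash travels on the wire."""
    return chain(seed, password, seq)


if __name__ == "__main__":
    server = SKeyServer("sd01", "correct horse", n=5)   # constructed demo values
    seq, seed = server.challenge()
    resp = client_response("correct horse", seq, seed)
    print("first login:", server.verify(resp))          # True
    print("replay of same response:", server.verify(resp))  # False
```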

4. Checking promiscuous mode

A sniffer can only work in promiscuous mode, so it is crucial to know whether your system is set in such a mode. In the past, most network interface cards of DOS-compatible computers did not support promiscuous mode, but now it is the reverse. You should ask your system provider about the modes your network interface supports, and pay extra attention to devices that have promiscuous mode.
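The promiscuous-mode check from detection step 3 and this section, as an added example that is not part of the original post: on Linux it reads the interface flags from sysfs and tests the IFF_PROMISC bit, and it also parses `ip -o link show` output for the PROMISC flag. The `ip` output below is a constructed sample, not captured from a real host.

```python
import glob
import os

# IFF_PROMISC bit from Linux include/uapi/linux/if.h
IFF_PROMISC = 0x100

# Constructed sample of `ip -o link show` output: eth0 is promiscuous, lo and wlan0 are not.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DORMANT group default qlen 1000
"""


def is_promiscuous(flags_hex: str) -> bool:
    """True if IFF_PROMISC is set in a /sys/class/net/<if>/flags value such as '0x1103'."""
    return bool(int(flags_hex.strip(), 16) & IFF_PROMISC)


def promiscuous_from_ip_link(output: str) -> list:
    """Parse one-line-per-interface `ip -o link show` output; return names flagged PROMISC."""
    found = []
    for line in output.splitlines():
        if not line[:1].isdigit() or "<" not in line:
            continue                      # skip continuation or unexpected lines
        _index, name, rest = line.split(":", 2)
        flags = rest.split("<", 1)[1].split(">", 1)[0].split(",")
        if "PROMISC" in flags:
            found.append(name.strip())
    return found


def scan_sysfs(root: str = "/sys/class/net") -> dict:
    """On Linux, map every interface name to its promiscuous state; {} where sysfs is absent."""
    result = {}
    for path in glob.glob(os.path.join(root, "*", "flags")):
        name = os.path.basename(os.path.dirname(path))
        with open(path) as fh:
            result[name] = is_promiscuous(fh.read())
    return result


if __name__ == "__main__":
    print("sample PROMISC interfaces:", promiscuous_from_ip_link(SAMPLE_IP_LINK))
    for iface, promisc in sorted(scan_sysfs().items()):
        print(f"{iface}: {'PROMISCUOUS' if promisc else 'normal'}")
```

This only reveals promiscuous interfaces on the host where it runs, not a sniffer on another machine, and bridges, virtual switches and monitoring agents legitimately set the flag, so treat a hit as something to explain rather than proof of a sniffer.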
