A sniffer can be indispensable for analyzing network security and detecting malware. In an attacker's hands, however, the same sniffer can expose your account or banking data.
What is a packet sniffer?
A packet sniffer is a program or a hardware-software device used to intercept and analyze network traffic. All data crossing the monitored link passes through the sniffer, including logins and passwords. If necessary, the sniffer can be configured to capture only part of each packet, for example the first 100 bytes.
What is packet sniffing needed for?
Sniffers, as traffic analyzers, are used for several purposes:
- network diagnostics, security auditing and penetration testing;
- identification and troubleshooting of network problems and virus traffic;
- detection of malicious and unauthorized software, such as Trojans, network scanners, etc.;
- tracking what employees do at their workplaces (how much time they spend on work and on rest).
Among the most common traffic analyzers are:
However, packet sniffers also have a dark side: attackers use them to intercept users' personal data. If the data is transmitted unencrypted, logins, passwords, and other valuable data are stolen immediately.
British Airways' website and mobile app were attacked by JS Sniffers between Aug. 25 and Sept. 5, 2018. The malware was aimed at stealing consumers' personal data, including payment card details, names, account data, etc. As a result, there were 380,000 victims.
In early March 2019, a sniffer was detected on the FILA UK website that had been collecting user data since November 2018. Based on the site's monthly visitor traffic and the share of visitors who complete a purchase, the personal data of nearly 5,600 users could have been compromised.
How does packet sniffing work?
In normal operation, the Ethernet interface filters received frames at the data link layer: the NIC accepts only broadcast frames and frames whose destination MAC address in the header matches the NIC's own address.
A sniffer needs promiscuous mode, in which this filter is disabled and all frames are accepted regardless of the addressee.
It is possible to intercept traffic:
- by sniffing on the host's own network interface;
- by connecting the sniffer inline, in a gap in the link;
- by directing a copy of the traffic to the sniffer through a tap that branches it off;
- through an attack on the link or network layer that redirects traffic to the sniffer and then forwards it on to the original destination.
If you collect everything the sniffer can intercept, the log quickly becomes too large and analysis becomes more time-consuming. The program can therefore be configured, for example, to capture only specific protocols (HTTP, POP3, IMAP, FTP) or to limit the amount of data captured per packet (the first 100 bytes, for example, are often enough to contain a login and password).
How to detect and remove a sniffer?
Detecting a sniffer remotely can be difficult; for example, Wi-Fi sniffers can be attached to weakly protected networks (public places). You can also hand your personal data to attackers yourself by using unsecured protocols: in that case the intercepted data is visible in plaintext. However, hackers can also obtain personal data using decryptors.
It is difficult to detect packet sniffers on your own, so it is better to use antivirus programs that scan all the data on your device and identify problem areas. The antivirus will either delete the malicious files itself or tell you how to resolve the problem.
You can also install your own sniffer to analyze all traffic and flag anything suspicious.
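One concrete check a defender can run on a Linux host ties together the promiscuous-mode explanation above and this section on detection: on Linux, the kernel exposes each interface's flags word in /sys/class/net/<interface>/flags, and the IFF_PROMISC bit (0x100 in <linux/if.h>) is set while a capture tool has the interface in promiscuous mode. The script below is an added example written for this article, not code from the original page or from any of the tools it names; the flag values used for decoding are the standard Linux ones, and the sample flag words in the comments are constructed for illustration.

```shell
#!/bin/sh
# Decode the Linux interface flags word (the hex value in /sys/class/net/<if>/flags).
# Bit values are from <linux/if.h>: IFF_UP=0x1, IFF_BROADCAST=0x2, IFF_LOOPBACK=0x8,
# IFF_PROMISC=0x100, IFF_MULTICAST=0x1000.

# is_promisc FLAGS -> exit status 0 if the IFF_PROMISC bit is set, 1 otherwise.
# Example (constructed): is_promisc 0x1103 succeeds, is_promisc 0x1003 fails.
is_promisc() {
  flags=$(( $1 ))
  [ $(( flags & 0x100 )) -ne 0 ]
}

# describe_flags FLAGS -> prints the names of the set bits we care about, space separated.
# Example (constructed): describe_flags 0x1103 prints "UP BROADCAST PROMISC MULTICAST".
describe_flags() {
  flags=$(( $1 ))
  names=""
  [ $(( flags & 0x1 )) -ne 0 ]    && names="$names UP"
  [ $(( flags & 0x2 )) -ne 0 ]    && names="$names BROADCAST"
  [ $(( flags & 0x8 )) -ne 0 ]    && names="$names LOOPBACK"
  [ $(( flags & 0x100 )) -ne 0 ]  && names="$names PROMISC"
  [ $(( flags & 0x1000 )) -ne 0 ] && names="$names MULTICAST"
  printf '%s\n' "${names# }"
}

# list_promisc_interfaces -> prints one line per interface currently in promiscuous mode.
# Reads sysfs directly, so it needs no extra tools; silently skips unreadable entries.
list_promisc_interfaces() {
  for f in /sys/class/net/*/flags; do
    [ -r "$f" ] || continue
    ifname=$(basename "$(dirname "$f")")
    flagword=$(cat "$f")
    if is_promisc "$flagword"; then
      printf '%s %s (%s)\n' "$ifname" "$flagword" "$(describe_flags "$flagword")"
    fi
  done
}

# Usage: run on the host being checked. No output means no interface is promiscuous.
list_promisc_interfaces
```

Run it periodically (for example from cron) and alert on any output on a host that is not supposed to be running a capture tool. Two caveats on interpretation: a tool capturing only the host's own traffic does not need promiscuous mode, so an empty result does not prove that no sniffer is present, and a Wi-Fi adapter in monitor mode is reported through a different mechanism than this flag.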
- Encryption. Use only reliable sites that guarantee encryption of personal data;
- Anti-sniffers. These sniffer-detecting programs, for example AntiSniff and PromiScan, can reduce the threat of sniffing;
- For a more secure connection, use a VPN from a trusted provider;
- Use antivirus software and regularly scan your local network for weaknesses;
- Use only tested and secured Wi-Fi.