A sniffer can be indispensable for analyzing network security and detecting malware. In an attacker's hands, however, the same sniffer can expose your account or banking data.
A packet sniffer is a program or a hardware-software device used to intercept and analyze network data. All traffic passes through the sniffer, including logins and passwords. If necessary, the sniffer can be configured to capture only, for example, the first 100 bytes of each packet.
Sniffers, as traffic analyzers, are used for several purposes:
Among the most common traffic analyzers are:
for Windows:
for Unix:
However, packet sniffers have a dark side: attackers use them to intercept users' personal data. If the data is transmitted unencrypted, logins, passwords, and other valuable data are stolen immediately.
British Airways' website and mobile app were attacked by JS sniffers between Aug. 25 and Sept. 5, 2018. The malware was aimed at stealing consumers' personal data, including payment card details, names, and account data. As a result, there were 380,000 victims.
In early March 2019, a sniffer was detected on the FILA UK website that had been collecting user data since November 2018. Based on the site's monthly visitor traffic and the share of visitors who became customers, the personal data of nearly 5,600 users could have been compromised.
In normal operation, the Ethernet interface filters received frames at the data link layer: the NIC accepts only broadcast frames and frames whose destination MAC address matches the NIC's own address.
A sniffer needs promiscuous mode, in which this filter is disabled and every frame is accepted regardless of its destination address.
It is possible to intercept traffic:
If you collect everything the sniffer can intercept, the log quickly becomes too large and analysis becomes time-consuming. The program can therefore be configured, for example, to capture only specific protocols (HTTP, POP3, IMAP, FTP) or to limit the size of each intercepted packet (the first 100 bytes, for example, are often enough to contain the login and password).
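The following added example (not code from the original article) shows both mechanisms described above in pure Python: a function that mimics the NIC's data-link filter (accept only own MAC or broadcast unless promiscuous mode is on), and a small capture loop that keeps only the four cleartext protocols named in the text and truncates each record to a 100-byte snapshot. The frames, MAC addresses, and POP3/HTTP payloads are constructed inline so the script runs offline; no real interface is opened.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
BROADCAST_MAC = b"\xff" * 6
SNAPLEN = 100                                # "first 100 bytes" limit from the text
WATCHED_PORTS = {80: "HTTP", 110: "POP3", 143: "IMAP", 21: "FTP"}

# Constructed (non-real) locally administered MAC addresses for the demo.
NIC_MAC = bytes.fromhex("020000000001")      # the interface doing the capture
OTHER_MAC = bytes.fromhex("020000000002")    # a neighbour's interface
GW_MAC = bytes.fromhex("020000000003")       # the gateway


def nic_accepts(frame: bytes, nic_mac: bytes, promiscuous: bool) -> bool:
    """Model of the NIC's data-link filter: own MAC or broadcast, unless promiscuous."""
    dst = frame[:6]
    return promiscuous or dst == nic_mac or dst == BROADCAST_MAC


def parse_frame(frame: bytes):
    """Parse Ethernet II + IPv4 + TCP headers; return None for anything else."""
    if len(frame) < 14:
        return None
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if len(ip) < 20:
        return None
    ihl = (ip[0] & 0x0F) * 4                  # IPv4 header length in bytes
    if ip[9] != 6 or len(ip) < ihl + 20:     # protocol 6 = TCP
        return None
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4
    return {"src_mac": src, "dst_mac": dst, "sport": sport,
            "dport": dport, "payload": tcp[data_offset:]}


def capture(frames, nic_mac: bytes, promiscuous: bool, snaplen: int = SNAPLEN):
    """Apply the NIC filter, then the protocol filter, then truncate to snaplen bytes."""
    log = []
    for frame in frames:
        if not nic_accepts(frame, nic_mac, promiscuous):
            continue
        pkt = parse_frame(frame)
        if pkt is None:
            continue
        proto = WATCHED_PORTS.get(pkt["dport"]) or WATCHED_PORTS.get(pkt["sport"])
        if proto is None:
            continue
        log.append({"proto": proto, "sport": pkt["sport"], "dport": pkt["dport"],
                    "data": frame[:snaplen]})
    return log


def build_frame(dst_mac: bytes, src_mac: bytes, sport: int, dport: int, payload: bytes) -> bytes:
    """Construct a minimal Ethernet/IPv4/TCP frame (checksums left zero; demo only)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + tcp_hdr + payload


# Constructed sample traffic: a POP3 login to us, a neighbour's HTTP request (longer than
# 100 bytes in total), a neighbour's SSH banner, and a broadcast ARP frame.
SAMPLE_FRAMES = [
    build_frame(NIC_MAC, GW_MAC, 49152, 110, b"USER alice\r\nPASS hunter2\r\n"),
    build_frame(OTHER_MAC, GW_MAC, 49153, 80,
                b"GET /index.html HTTP/1.1\r\nHost: example.com\r\nUser-Agent: demo\r\n\r\n"),
    build_frame(OTHER_MAC, GW_MAC, 49154, 22, b"SSH-2.0-demo\r\n"),
    BROADCAST_MAC + GW_MAC + struct.pack("!H", ETHERTYPE_ARP) + b"\x00" * 28,
]

if __name__ == "__main__":
    for mode in (False, True):
        print("promiscuous" if mode else "normal", "mode:")
        for rec in capture(SAMPLE_FRAMES, NIC_MAC, promiscuous=mode):
            print("  ", rec["proto"], rec["sport"], "->", rec["dport"], len(rec["data"]), "bytes kept")
```

In normal mode only the POP3 frame addressed to our own MAC is logged; in promiscuous mode the neighbour's HTTP request appears as well, truncated to 100 bytes, while the SSH frame is dropped by the port filter and the ARP frame by the parser. The 100-byte snapshot of the POP3 frame still contains the cleartext `PASS` line, which is exactly why the text warns against unencrypted protocols.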
Detecting a sniffer remotely can be problematic because, for example, Wi-Fi sniffers can be attached to weakly protected networks (public places). You can also hand your personal data to attackers yourself by using unsecured protocols, in which case the intercepted data is visible in unencrypted form. However, hackers can also obtain personal data using decryptors.
It is difficult to detect packet sniffers on your own, so it is better to use antivirus programs that scan all the data on your device and identify problem areas. The antivirus will either delete the malicious files itself or tell you how to resolve the problem.
You can also install your own sniffer that analyzes all traffic and flags anything suspicious.
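One host-side check a defender can add to the measures above, written here as an added example rather than code from the article: because a sniffer needs promiscuous mode, listing interfaces whose `IFF_PROMISC` flag is set reveals a capture running on the local Linux host. The script reads the hex flags word that Linux exposes in `/sys/class/net/<interface>/flags`; the `SAMPLE_FLAGS` table is a constructed stand-in for that directory so the logic can run offline. It cannot see a sniffer on another machine or on the wire, which is the limitation the text describes.

```python
from pathlib import Path

# Linux interface flag bits (from <linux/if.h>); IFF_PROMISC means "receive all frames".
IFF_UP = 0x1
IFF_PROMISC = 0x100


def is_promiscuous(flags_value: str) -> bool:
    """flags_value is the hex string from /sys/class/net/<if>/flags, e.g. '0x1103'."""
    return bool(int(flags_value.strip(), 16) & IFF_PROMISC)


def promiscuous_interfaces(flag_table: dict) -> list:
    """Return the sorted names of interfaces whose flags word has IFF_PROMISC set."""
    return sorted(name for name, flags in flag_table.items() if is_promiscuous(flags))


def read_sysfs_flags(root: str = "/sys/class/net") -> dict:
    """Collect {interface: flags string} from sysfs on a real Linux host (unused by the test)."""
    table = {}
    for entry in Path(root).iterdir():
        flags_file = entry / "flags"
        if flags_file.is_file():
            table[entry.name] = flags_file.read_text()
    return table


# Constructed sample: lo is up+loopback, eth0 is a normal up interface, eth1 has
# IFF_PROMISC (0x100) added on top of eth0's flags, as a running sniffer would cause.
SAMPLE_FLAGS = {"lo": "0x9", "eth0": "0x1003", "eth1": "0x1103"}

if __name__ == "__main__":
    for name in promiscuous_interfaces(read_sysfs_flags()):
        print("interface in promiscuous mode:", name)
```

Running it on a host with no capture in progress prints nothing; an interface listed here warrants a look at which process has it open. Some legitimate tools (bridges, virtual switches, monitoring agents) also set the flag, so treat a hit as a lead to investigate rather than proof of a sniffer.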