SUMMARY: seeking suggestions for LAN sniffers

From: Roger Spaulding (
Date: Thu Feb 13 1997 - 09:28:24 CST

        Hello dere,

        Here is what started it all:

> What are people using to monitor their LANs?
> I am soliciting real world experiences with both software
> and hardware LAN analysis/monitoring tools. Pricing info would
> be appreciated.
> The situation for my company is a flat UTP Ethernet running
> predominantly TCP/IP with a significant percentage of IPX/SPX
> packets.
> We periodically suffer "slow downs" but have no way to ascertain
> if it is our LAN, or if the problem is do to the nodes themselves.
> We are running a mix of SPARCstations (SS1 - SS10), both Sun and
> SPARCalikes. The PCs are PCs.

        The individual replies are attached to the end of this message.
        Thanks go to: Clyde Hurst
                        Christopher Petrilli
                        Ivan Villalobos Hernandez
                        David Sammut
                        Mark Bergman
                        David McCall
                        Christopher Klaus
                        Kevin Connolly
                        Jacques Rall

        I haven't had time to try any of these yet, but now at least I
        have a suggested course of action.

        Here are the replies:

I have done alot of network monitoring. The best tool I have found
to use is HPOpenview. With it, you can monitor any device
(routers, hubs, lanprobes,etc) that support SNMP or RMON.

Clyde Hurst

We use Network General sniffers, which are probably the best in the
business, but they're also pricey, starting around $25K, I believe.

The do now have a PCMCIA version that can be put into a notebook computer
that works pretty well from what I've heard. They have sniffers for

| Christopher Petrilli

do you have your PC's and suns on the same "wire"
are the PC's predominantly the ones suffering the slowdown ?
there is a known re: PCs and SUNs the retransmit timeout is substantially
different- when the net gets very bogged down the PC's are retransmitting wildly
can you put your PC's on a seperate wire ?



Try, tcpdum or snoop, they really work well.

BUT if you want to realize what protocol is flooding your network, then=20
try ethload, it's JUST GREAT!!!

Ivan Villalobos Hernandez

We have a Network General sniffer card that fits into a PC. We bought this
because it not only does the more widely used protocols but can also
do X.25 and OSI (which do a fair bit of development on). The card
is a bit finnicky about what PC it will work with (it works fine with a Dell).
>From memory it cost us around $6500 (Aus$) to purchase without the option
for X.25. It has been quite good (especially for tracing packets for our
OSI work).

I think it is important to remember that a sniffer is only good for
grabbing packets on the net it is on. If you network is far more complicated
or uses somewhat expensive/exotic media types (like FDDI) your sniffers
are going to much more expensive (there are certainly models out there
that can monitor multiple networks - I am uncertain of the details though).

Hope this helps ...


David S


We've got mainly Macs on the desktop, so there's somewhat of a bias
toward that platform.

I'm using Intermapper
for SNMP (and ICMP, AppleTalk) based monitoring. It's a bit light on
the statistics/traffic history kind of stuff, and doesn't offer any
support for custom MIBs or host-based probes, but it's under rapid,
responsive, development. It's very good for quick assesment of whether
certain machines/segments are up or down, and some traffic monitoring.
Intermapper is starting to provide live data via a web interface.

I use EtherPeek ( for packet sniffing. Again, it's
Mac based, which give us some advantages with built-in AppleTalk
support. There's also a Windows version. Etherpeek has some really good
breakdowns of traffic by source/destination/protocol, as well as a
measurement of network bandwidth and bandwidth-by-host. AGG has a lot
of other network monitoring products (their Skyline/Satellite package
is very appealing for traffic stats and remote monitoring). I think
EtherPeek's about $350, and Skyline/Satellite is about $700.

I've used Sun's "snoop" sniffer, and it's fine for specific analysis.
I'd never, ever leave it running and try to extract general information
about network traffic.

We've got Sun Net Manager, which I virtually never use. I loathe the
interface. I feel it's got far too many layers and views, and I can
never find what I want. On the other hand, when I do have the
patience to play with it, I'm always impressed with the depth of
information it's able to pull up--disk stats, virtual memory stats,
traffic monitoring, etc. If I put in quite a bit more time to learn
it, set up some maps that are really tuned for our environment,
etc., it would be much more useful. One downside is that it really
requires a Sun console (or X terminal) for display--I don't know if
you can get at the data remotely. I don't know the price for SNM,
but if it's cheap enough, the SNMP modules that run on each client
are a worthwhile way of getting at the same data, regardless of the
management program.

I'm also looking at nocol (Network Operations Center OnLine). It's a
package in Perl and C that does snmp/rmon/icmp monitoring. I haven't
finished the install, but I like the "feel". It runs daemons, and uses
curses for it's "console" display, so it's more portable than the other
packages--any vt102 terminal emulator should work fine. The software
is available freely on the Internet from '' under
'~ftp/pub/vikas/nocol.tar.Z' or from '' (
under '~ftp/pub/vikas/nocol.tar.Z'.

All in all, I'd like the ease-of-use of Intermapper with the detailed
views and power of Sun Net Manager. I also want a package that runs in
the background/as a daemon for 24hr monitoring without tying up a
machine. I want log files that are easy to parse with a script, so I
can extract high/low/averge bandwidth data, disk/swap usage, # of
logins, etc. over various intervals.

Finally, sniffers and "simple" network monitoring are rapidly becoming
outdated. We're a small, non-profit (read: low funding) institute, yet
we've recently installed switched ethernet. Suddenly all the products
that rely on promiscious interfaces are useless (EtherPeek is rapidly
becoming useless), and we need more sophisticated tools (rmon, snmp) to
visualize traffic flow within the switch. Whatever you buy, plan for
this kind of evolution.

Mark Bergman

I'mm running tcplogger and udplogger and etherload for captures.....

David McCall ==========================================================================

Archive-name: computer-security/sniffers Posting-frequency: monthly Last-modified: 1996/7/15 Version: 3.00

Sniffer FAQ

Version: 3.00 ---------------------------------------------------------------------------- This Security FAQ is a resource provided by:

Internet Security Systems, Inc. Suite 660, 41 Perimeter Center East Tel: (770) 395-0150 Atlanta, Georgia 30346 Fax: (770) 395-1972

---------------------------------------------------------------------------- To get the newest updates of Security files check the following services: ftp /pub/

To subscibe to the update mailing list, Alert, send an e-mail to and, in the text of your message (not the subject line), write:

subscribe alert

---------------------------------------------------------------------------- This Sniffer FAQ will hopefully give administrators a clear understanding of sniffing problems and hopefully possible solutions to follow up with. Sniffers is one of the main causes of mass break-ins on the Internet today.

This FAQ will be broken down into:

* What a sniffer is and how it works * Where are sniffers available * How to detect if a machine is being sniffed * Stopping sniffing attacks: o Active hubs o Encryption o Kerberos o One-time password technology o Non-promiscuous interfaces


What a sniffer is and how it works

Unlike telephone circuits, computer networks are shared communication channels. It is simply too expensive to dedicate local loops to the switch (hub) for each pair of communicating computers. Sharing means that computers can receive information that was intended for other machines. To capture the information going over the network is called sniffing.

Most popular way of connecting computers is through ethernet. Ethernet protocol works by sending packet information to all the hosts on the same circuit. The packet header contains the proper address of the destination machine. Only the machine with the matching address is suppose to accept the packet. A machine that is accepting all packets, no matter what the packet header says, is said to be in promiscuous mode.

Because, in a normal networking environment, account and password information is passed along ethernet in clear-text, it is not hard for an intruder once they obtain root to put a machine into promiscuous mode and by sniffing, compromise all the machines on the net.


Where are sniffers available

Sniffing is one of the most popular forms of attacks used by hackers. One special sniffer, called Esniff.c, is very small, designed to work on Sunos, and only captures the first 300 bytes of all telnet, ftp, and rlogin sessions. It was published in Phrack, one of the most widely read freely available underground hacking magazines. You can find Phrack on many FTP sites. Esniff.c is also available on many FTP sites such as

You may want to run Esniff.c on an authorized network to quickly see how effective it is in compromising local machines.

Other sniffers that are widely available which are intended to debug network problems are:

* Etherfind on SunOs4.1.x * Snoop on Solaris 2.x and SunOs 4.1 (on ftp * Tcpdump 3.0 uses bpf for a multitude of platforms. * Packetman, Interman, Etherman, Loadman works on the following platforms: SunOS, Dec-Mips, SGI, Alpha, and Solaris. It is available on[sun4c|dec-mips|sgi|alpha|solaris2]/ [etherman-1.1a|interman-1.1|loadman-1.0|packetman-1.1].tar.Z Packetman was designed to capture packets, while Interman, Etherman, and Loadman monitor traffic of various kinds.

DOS based sniffers

* Gobbler for IBM DOS Machines * ethdump v1.03 Available on ftp * ethload v1.04 Companion utility to a ethernet monitor. Available on ftp

Commercial Sniffers are available at:

* Klos Technologies, Inc.

PacketView - Low cost network protocol analyzer

Phone: 603-424-8300 BBS: 603-429-0032

* Network General.

Network General produces a number of products. The most important are the Expert Sniffer, which not only sniffs on the wire, but also runs the packet through a high-performance expert system, diagnosing problems for you. There is an extension onto this called the "Distributed Sniffer System" that allows you to put the console to the expert sniffer on you Unix workstation and to distribute the collection agents at remote sites.

* Microsoft's Net Monitor

" My commercial site runs many protocols on one wire - NetBeui, IPX/SPX, TCP/IP, 802.3 protocols of various flavors, most notably SNA. This posed a big problem when trying to find a sniffer to examine the network problems we were having, since I found that some sniffers that understood Ethernet II parse out some 802.3 traffic as bad packets, and vice versa. I found that the best protocol parser was in Microsoft's Net Monitor product, also known as Bloodhound in its earlier incarnations. It is able to correctly identify such oddities as NetWare control packets, NT NetBios name service broadcasts, etc, which etherfind on a Sun simply registered as type 0000 packet broadcasts. It requires MS Windows 3.1 and runs quite fast on a HP XP60 Pentium box. Top level monitoring provides network statistics and information on conversations by mac address (or hostname, if you bother with an ethers file). Looking at tcpdump style details is as simple as clicking on a conversation. The filter setup is also one of the easiest to implement that I've seen, just click in a dialog box on the hosts you want to monitor. The number of bad packets it reports on my network is a tiny fraction of that reported by other sniffers I've used. One of these other sniffers in particular was reporting a large number of bad packets with src mac addresses of aa:aa:aa:aa:aa:aa but I don't see them at all using the MS product. - Anonymous


How to detect a sniffer running.

To detect a sniffing device that only collects data and does not respond to any of the information, requires physically checking all your ethernet connections by walking around and checking the ethernet connections individually.

It is also impossible to remotely check by sending a packet or ping if a machine is sniffing.

A sniffer running on a machine puts the interface into promiscuous mode, which accepts all the packets. On some Unix boxes, it is possible to detect a promiscuous interface. It is possible to run a sniffer in non-promiscuous mode, but it will only capture sessions from the machine it is running on. It is also possible for the intruder to do similiar capture of sessions by trojaning many programs such as sh, telnet, rlogin, in.telnetd, and so on to write a log file of what the user did. They can easily watch the tty and kmem devices as well. These attacks will only compromise sessions coming from that one machine, while promiscuous sniffing compromises all sessions on the ethernet.

For SunOs, NetBSD, and other possible BSD derived Unix systems, there is a command

"ifconfig -a"

that will tell you information about all the interfaces and if they are in promiscuous mode. DEC OSF/1 and IRIX and possible other OSes require the device to be specified. One way to find out what interface is on the system, you can execute:

# netstat -r Routing tables

Internet: Destination Gateway Flags Refs Use Interface default UG 1 24949 le0 localhost localhost UH 2 83 lo0

Then you can test for each interface by doing the following command:

#ifconfig le0 le0: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,MULTICAST> inet netmask 0xffffff00 broadcast

Intruders often replace commands such as ifconfig to avoid detection. Make sure you verify its checksum.

There is a program called cpm available on that only works on Sunos and is suppose to check the interface for promiscuous flag.

Ultrix can possibly detect someone running a sniffer by using the commands pfstat and pfconfig.

pfconfig allows you to set who can run a sniffer pfstat shows you if the interface is in promiscuous mode.

These commands only work if sniffing is enabled by linking it into the kernel. by default, the sniffer is not linked into the kernel. Most other Unix systems, such as Irix, Solaris, SCO, etc, do not have any flags indication whether they are in promiscuous mode or not, therefore an intruder could be sniffing your whole network and there is no way to detect it.

Often a sniffer log becomes so large that the file space is all used up. On a high volume network, a sniffer will create a large load on the machine. These sometimes trigger enough alarms that the administrator will discover a sniffer. I highly suggest using lsof (LiSt Open Files) available from for finding log files and finding programs that are accessing the packet device such as /dev/nit on SunOs.

There is no commands I know of to detect a promiscuous IBM PC compatible machine, but they atleast usually do not allow command execution unless from the console, therefore remote intruders can not turn a PC machine into a sniffer without inside assistance.


Stopping sniffing attacks

Active hubs send to each system only packets intended for it rendering promiscuous sniffing useless. This is only effective for 10-Base T.

The following vendors have available active hubs:

* Cisco * 3Com * HP



There are several packages out there that allow encryption between connections therefore an intruder could capture the data, but could not decypher it to make any use of it.

Some packages available are:

* ssh is available at .

* deslogin is one package available at ftp .

* swIPe is another package available at

* Netlock encrypts all (tcp, udp, and raw ip based) communications transparently. It has automatic (authenticated Diffie-Helman) distibuted key management mechanism for each host and runs on the SUN 4.1 and HP 9.x systems. The product comes with a Certification Authority Management application which generates host certificates (X.509) used for authentication between the hosts. and provides centralized control of each Hosts communications rules.

The product is built by Hughes Aircraft and they can be reached at 800-825-LOCK or email at



Kerberos is another package that encrypts account information going over the network. Some of its draw backs are that all the account information is held on one host and if that machine is compromised, the whole network is vulnerable. It is has been reported a major difficulty to set up. Kerberos comes with a stream-encrypting rlogind, and stream-encrypting telnetd is available. This prevents intruders from capturing what you did after you logged in.

There is a Kerberos FAQ at ftp at in /pub/usenet/comp.protocols/kerberos/Kerberos_Users__Frequently_Asked_Questions_1.11 or try:


One time password technology

S/key and other one time password technology makes sniffing account information almost useless. S/key concept is having your remote host already know a password that is not going to go over insecure channels and when you connect, you get a challenge. You take the challenge information and password and plug it into an algorithm which generates the response that should get the same answer if the password is the same on the both sides. Therefore the password never goes over the network, nor is the same challenge used twice. Unlike SecurID or SNK, with S/key you do not share a secret with the host. S/key is available on

OPIE is the successor of Skey and is available at

Other one time password technology is card systems where each user gets a card that generates numbers that allow access to their account. Without the card, it is improbable to guess the numbers.

The following are companies that offer solutions that are provide better password authenication (ie, handheld password devices):

Secure Net Key (SNK)

Digital Pathways, Inc. 201 Ravendale Dr. Mountainview, Ca. 97703-5216 USA

Phone: 415-964-0707 Fax: (415) 961-7487


Security Dynamics, One Alewife Center Cambridge, MA 02140-2312 USA Phone: 617-547-7820 Fax: (617) 354-8836 SecurID uses time slots as authenication rather than challenge/response.

ArKey and OneTime Pass

Management Analytics PO Box 1480 Hudson, OH 44236 Email: Tel:US+216-686-0090 Fax: US+216-686-0092

OneTime Pass (OTP): This program provides unrestricted one-time pass codes on a user by user basis without any need for cryptographic protocols or hardware devices. The user takes a list of usable pass codes and scratches out each one as it is used. The system tracks usage, removing each passcode from the available list when it is used. Comes with a very small and fast password tester and password and pass phrase generation systems.

ArKey: This is the original Argued Key system that mutually authenticates users and systems to each other based on their common knowledge. No hardware necessary. Comes with a very small and fast password tester and password and pass phrase generation systems.

WatchWord and WatchWord II

Racal-Guardata 480 Spring Park Place Herndon, VA 22070 703-471-0892 1-800-521-6261 ext 217


Arnold Consulting, Inc. 2530 Targhee Street, Madison, Wisconsin 53711-5491 U.S.A. Phone : 608-278-7700 Fax: 608-278-7701 Email: Stephen.L.Arnold@Arnold.Com CRYPTOCard is a modern, SecureID-sized, SNK-compatible device.


Enigma Logic, Inc. 2151 Salvio #301 Concord, CA 94520 510-827-5707 Fax: (510)827-2593 For information about Enigma ftp to: in directory /pub/sa/safeword

Secure Computing Corporation:

2675 Long Lake Road Roseville, MN 55113 Tel: (612) 628-2700 Fax: (612) 628-2701


Non-promiscuous Interfaces

You can try to make sure that most IBM DOS compatible machines have interfaces that will not allow sniffing. Here is a list of cards that do not support promiscuous mode:

Test the interface for promiscuous mode by using the Gobbler. If you find a interface that does do promiscuous mode and it is listed here, please e-mail so I can remove it ASAP.

IBM Token-Ring Network PC Adapter IBM Token-Ring Network PC Adapter II (short card) IBM Token-Ring Network PC Adapter II (long card) IBM Token-Ring Network 16/4 Adapter IBM Token-Ring Network PC Adapter/A IBM Token-Ring Network 16/4 Adapter/A IBM Token-Ring Network 16/4 Busmaster Server Adapter/A

The following cards are rumoured to be unable to go into promiscuous mode, but that the veracity of those rumours is doubtful.

Microdyne (Excelan) EXOS 205 Microdyne (Excelan) EXOS 205T Microdyne (Excelan) EXOS 205T/16 Hewlett-Packard 27250A EtherTwist PC LAN Adapter Card/8 Hewlett-Packard 27245A EtherTwist PC LAN Adapter Card/8 Hewlett-Packard 27247A EtherTwist PC LAN Adapter Card/16 Hewlett-Packard 27248A EtherTwist EISA PC LAN Adapter Card/32 HP 27247B EtherTwist Adapter Card/16 TP Plus HP 27252A EtherTwist Adapter Card/16 TP Plus HP J2405A EtherTwist PC LAN Adapter NC/16 TP

Adapters based upon the TROPIC chipset generally do not support promiscuous mode. The TROPIC chipset is used in IBM's Token Ring adapters such as the 16/4 adapter. Other vendors (notably 3Com) also supply TROPIC based adapters. TROPIC-based adapters do accept special EPROMs, however, that will allow them to go into promiscuous mode. However, when in promiscuous mode, these adapters will spit out a "Trace Tool Present" frame.



I would like to thank the following people for the contribution to this FAQ that has helped to update and shape it:

* Padgett Peterson ( * Steven Bellovin ( * Wietse Venema ( * Robert D. Graham (robg@NGC.COM) * Kevin Martinez ( * Frederick B. Cohen ( * James Bonfield ( * Marc Horowitz (marc@MIT.EDU) * Steve Edwards ( * Andy Poling ( * Jeff Collyer ( * Sara Gordon (



This paper is Copyright (c) 1994, 1995, 1996 by Christopher Klaus of Internet Security Systems, Inc.

Permission is hereby granted to give away free copies electronically. You may distribute, transfer, or spread this paper electronically. You may not pretend that you wrote it. This copyright notice must be maintained in any copy made. If you wish to reprint the whole or any part of this paper in any other medium excluding electronic medium, please ask the author for permission.


The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Address of Author

Please send suggestions, updates, and comments to: Christopher Klaus <> of Internet Security Systems, Inc. <>

Internet Security Systems, Inc.

ISS is the leader in network security tools and technology through innovative audit, correction, and monitoring software. The Atlanta-based company's flagship product, Internet Scanner, is the leading commercial attack simulation and security audit tool. The Internet Scanner SAFEsuite is based upon ISS' award-winning Internet Scanner and was specifically designed with expanded capabilities to assess a variety of network security issues confronting web sites, firewalls, servers and workstations. The Internet Scanner SAFEsuite is the most comprehensive security assessment tool available. For more information about ISS or its products, contact the company at (770) 395-0150 or e-mail at ISS maintains a Home Page on the World Wide Web at -- Christopher William Klaus ========================================================================== try Etherload (, ask archie to find it) running on a PC. It seems to be useful (only just tried it here) and it's free. Kevin ========================================================================== There's a neet little package that comes free with Microsoft SMS called Network Monitor. ==========================================================================

This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:11:46 CDT