Developing a Sniffer Detector for Windows Operating Systems
Keywords:
Sniffers, Promiscuous Mode, Address Resolution Protocol, Anti-Sniffers
Abstract
This paper presents the design and implementation of a sniffer detector system that can be used to detect any host running a sniffer on an Ethernet network. The proposed detection system is based on two effective detection techniques: the ARP (Address Resolution Protocol) detection technique and the Three-way Handshaking detection technique. The first technique, ARP detection, sends trap ARP request packets with faked hardware addresses to a suspicious sniffing host. Then, based on the responses generated by the suspicious sniffing host, a decision is made on whether or not the suspicious host is running a sniffer. If there is no response, the second technique, Three-way Handshaking detection, is used to detect an active sniffer that did not respond to the first technique, by sending trap TCP-SYN packets with a faked IP address to the suspicious sniffing host. Based on the responses generated by the suspicious host, a decision is made on whether or not it is running a sniffer. The two techniques are implemented in a system that automatically gives the system administrator a helping hand in detecting sniffers on an Ethernet network. The proposed system was tested in comparison with three other available anti-sniffers (L0pht AntiSniff, PromiScan, and PromiscDetect). The results showed its enhanced performance.
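The first-stage ARP check described in the abstract, sketched as an added example that is not code from the paper: it builds a trap ARP request addressed to a faked hardware address and classifies captured frames. The trap address ff:ff:ff:ff:ff:fe, the function names and the sample addresses are assumptions chosen for illustration; the abstract does not state which faked addresses the authors use.

```python
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
# Assumed trap address: not the real broadcast address, so a NIC in normal
# mode filters it out; only a promiscuous NIC passes it up to the ARP stack.
TRAP_DST_MAC = bytes.fromhex("fffffffffffe")

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def ip(text):
    return bytes(int(part) for part in text.split("."))

def build_trap_arp_request(src_mac, src_ip, target_ip, dst_mac=TRAP_DST_MAC):
    """Ethernet + ARP who-has frame sent to a faked destination hardware address."""
    eth = dst_mac + src_mac + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)
    arp += src_mac + src_ip + b"\x00" * 6 + target_ip
    return eth + arp

def is_reply_from(frame, suspect_ip, our_ip):
    """True if frame is an IPv4-over-Ethernet ARP reply from suspect_ip to our_ip."""
    if len(frame) < 42 or frame[12:14] != struct.pack("!H", ETH_P_ARP):
        return False
    header = struct.unpack("!HHBBH", frame[14:22])
    if header != (1, 0x0800, 6, 4, ARP_REPLY):
        return False
    # ARP body: sender IP at bytes 28..32, target IP at bytes 38..42.
    return frame[28:32] == suspect_ip and frame[38:42] == our_ip

def arp_stage_verdict(captured_frames, suspect_ip, our_ip):
    """A reply to the trap means the suspect accepted a frame not addressed to it."""
    if any(is_reply_from(f, suspect_ip, our_ip) for f in captured_frames):
        return "promiscuous"
    return "no-response"  # undecided: hand over to the TCP-SYN stage

# Constructed sample data (documentation addresses, not taken from the paper).
OUR_MAC, OUR_IP = mac("02:00:00:00:00:01"), ip("192.0.2.10")
SUSPECT_MAC, SUSPECT_IP = mac("02:00:00:00:00:02"), ip("192.0.2.20")
TRAP = build_trap_arp_request(OUR_MAC, OUR_IP, SUSPECT_IP)
SAMPLE_REPLY = (OUR_MAC + SUSPECT_MAC + struct.pack("!H", ETH_P_ARP)
                + struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
                + SUSPECT_MAC + SUSPECT_IP + OUR_MAC + OUR_IP)
```

Sending `TRAP` and capturing replies requires a raw link-layer socket or capture library on the monitoring host, which is left out here.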
License
The authors retain the copyright of their manuscript by submitting the work to this journal, and all open access articles are distributed under the terms of the Creative Commons Attribution-NonCommercial 4.0 International (CC-BY-NC 4.0), which permits use for any non-commercial purpose, distribution, and reproduction in any medium, provided that the original work is properly cited.