Linux - Security (LinuxQuestions.org forum). This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Hi fellows. We are running Squid as a proxy server having almost 170 users. The clients are using Windows and, after observing more than once, there are some users that are sniffing on the network using maybe some sort of sniffing tool. Now can anybody recommend some anti-sniffing tool that can help us in detecting that culprit? Any software, Linux or Windows based, will help.
I have tried Wireshark; if someone recommends that, then please give some detailed tutorial on Wireshark.
The problem you face is that sniffing tools, including Wireshark, are generally passive, and unless they engage in some sort of active process, I don't know how you would find them by looking at network traffic. In essence, all that these programs do is monitor what is already on the wire and report it to the user. The inherent failing is in assuming that anything that is on the wire is confidential. This leads me to the question of how you determined that:
Quote:
after observing more than once there are some users that are sniffing on the network using maybe some sort of sniffing tool.
Most places that I have worked use auditing software to automatically scan and report what applications are installed on the systems under their control, and can then watch for applications like Wireshark.
Now if someone is actively scanning and probing, you could use a program like Wireshark to capture this information. However, I think a more appropriate tool would be a form of HIDS, like snort, which will look at the traffic and generate alerts on suspicious packets. These kinds of tools generate a lot of false positives, so you would need to tread very lightly in investigating what alerts you get.
It would have to be a HIDS to detect this (or as Noway2 stated, an auditing package that will report unauthorized software usage).
A HIDS is usually an agent running on a machine (usually a high value target such as a financial database). The HIDS mainly looks at system logs for intrusions, intrusion attempts, or anomalies. It may well look at network traffic but only to/from that particular machine (most HIDS that I know of do not sniff network traffic). For the record, snort has no HIDS capability, although it can function as an IPS (there's a difference).
Quote:
The clients are using windows and after observing more than once there are some users that are sniffing on the network using maybe some sort of sniffing tool.
Just out of curiosity, what exactly is it that leads you to believe users are sniffing traffic? How did you detect it?
I remember scanning for hosts where the NIC was in promiscuous mode several years back. I don't recall what tool I used at the time, as that was probably before the advent of nmap developing NSE. There was another tool available then, and with some research, I imagine someone could find alternative methods.
With that in mind, nmap's NSE (Nmap Scripting Engine) can provide a list of systems where the NICs are in promiscuous mode.
Something to keep in mind is that when this is run, you should be root. I ran it without superuser privileges, and found the results did not return any NICs in promiscuous mode, nor did nmap complain about lacking permissions, either. There are potential complications where certain equipment can cause issues in the results, but the main one I saw mentioned was in reference to hubs.
I would not recommend using the 'T5' (insane) flag. I saw some rather strange, and inaccurate, results.
I began to wonder what tool(s) I might have been using ten years ago, and did some searches. It seems this particular realm of software has a range of various offerings available in the past but most appear now abandoned. Plenty of dead domains and dead URL links are found in these searches.
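The promiscuous-mode condition that devwatchdog's nmap scan looks for remotely can also be checked on the host itself, which ties in with the earlier point that a HIDS mostly watches system logs rather than sniffing traffic. The script below is an added example, not code from this thread or from nmap, and it is Linux-specific (so it applies to Linux hosts such as the proxy server, not the Windows clients): it reads the IFF_PROMISC bit (0x100 from linux/if.h) out of /sys/class/net/<iface>/flags, and it matches the kernel's "device X entered/left promiscuous mode" syslog message. The host names, interface names and log lines are constructed sample data.

```python
# Added example (not from the thread): two host-side checks for a NIC in
# promiscuous mode, the same condition a remote nmap sniffer-detect scan probes.
import re
from pathlib import Path

# IFF_PROMISC from linux/if.h; /sys/class/net/<iface>/flags exposes the same bits.
IFF_PROMISC = 0x100


def is_promisc(flags_text):
    """flags_text is the raw content of /sys/class/net/<iface>/flags, e.g. '0x1103\\n'."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def promisc_interfaces(sysfs_root="/sys/class/net"):
    """Names of local interfaces whose flags carry IFF_PROMISC.
    Reads sysfs on a Linux host; returns [] elsewhere or if nothing is readable."""
    root = Path(sysfs_root)
    if not root.is_dir():
        return []
    found = []
    for iface in sorted(root.iterdir()):
        try:
            if is_promisc((iface / "flags").read_text()):
                found.append(iface.name)
        except (OSError, ValueError):
            continue  # entries without a readable, numeric flags file
    return found


# The Linux kernel logs one line each time a driver toggles the mode; a HIDS or a
# central syslog server can match it.  Classic syslog layout is assumed:
# "Mon DD HH:MM:SS host kernel: [ts] device eth0 entered promiscuous mode"
PROMISC_EVENT_RE = re.compile(r"device (\S+) (entered|left) promiscuous mode")


def promisc_events(log_lines):
    """Return (host, iface, action) for every kernel promiscuous-mode message."""
    events = []
    for line in log_lines:
        m = PROMISC_EVENT_RE.search(line)
        if not m:
            continue
        fields = line.split()
        host = fields[3] if len(fields) > 3 else "?"  # 4th token is the hostname
        events.append((host, m.group(1), m.group(2)))
    return events


def still_promisc(log_lines):
    """(host, iface) pairs that entered promiscuous mode and have not left it."""
    active = set()
    for host, iface, action in promisc_events(log_lines):
        if action == "entered":
            active.add((host, iface))
        else:
            active.discard((host, iface))
    return active


# Constructed sample log: ws17 starts sniffing and stays in promiscuous mode,
# ws42 enters and leaves (e.g. a short packet capture that was stopped).
SAMPLE_SYSLOG = [
    "Mar  3 10:14:22 ws17 kernel: [ 8123.441] device eth0 entered promiscuous mode",
    "Mar  3 10:14:23 ws17 sshd[1021]: Accepted publickey for admin from 10.0.0.5",
    "Mar  3 10:20:01 ws42 kernel: [  991.002] device eth0 entered promiscuous mode",
    "Mar  3 10:25:40 ws42 kernel: [ 1330.118] device eth0 left promiscuous mode",
]

if __name__ == "__main__":
    print("local promiscuous interfaces:", promisc_interfaces())
    for host, iface, action in promisc_events(SAMPLE_SYSLOG):
        print(f"{host}: {iface} {action} promiscuous mode")
    print("still promiscuous:", sorted(still_promisc(SAMPLE_SYSLOG)))
```

In practice the log matcher runs where the kernel logs land (a central syslog or the HIDS agent), and the sysfs check runs from cron on each Linux host; a lingering "entered" without a matching "left" is the alert condition. Note that both checks need the host to be honest about its own state, which is why devwatchdog's remote scan with nmap's sniffer-detect NSE script (run as root, as noted above) is a useful cross-check.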
If you have an environment where common users have the ability to install software you're going to have problems such as these. In addition to that, if they don't have the ability to install software, then I'd be concerned these systems have been compromised. Either way, you're somewhat backing into the issue as there is software running within your network that I would consider dangerous in any environment if you do actually have sniffers running there. Looks like a good time to review your policies.
devwatchdog, good comment about scanning for hosts with NICs in promiscuous mode! I'd thought about that but wasn't aware of tools that did that. I also wasn't aware that nmap is now capable of doing that.
OP, I just saw this which mentioned this. These links might help also, along with nmap that devwatchdog mentioned.
(I like Wireshark because it seems easy for a dummy like me to understand. YMMV, but I doubt that you'll find another tool of this kind that has an easier initial learning curve.)
Quote:
Originally Posted by aliabbass
...having almost 170 users. The clients are using windows and after observing more than once there are some users that are sniffing on the network using maybe some sort of sniffing tool.
I note that you haven't answered (@OlRoy)
Quote:
Just out of curiosity, what exactly is it that leads you to believe users are sniffing traffic? How did you detect it?
Is this a wired or a wireless network? And given that, as has been commented, sniffers are passive and generally don't give you any evidence except on the screen of the computer concerned, something exact about what you have seen would be nice.
Quote:
...some anti sniffing tool...
I don't know what that would be; if the traffic goes to their network interface, then the only way that you can stop them doing what they like with that data is to control what programs they can run on their computers. Do you have that level of control? Of course, in most network architectures, you don't see all of the network traffic out at a workstation, so, in the usual case, this doesn't turn into a problem.
Quote:
The clients are using windows and after observing more than once there are some users that are sniffing on the network using maybe some sort of sniffing tool. Now can any body recommend some anti sniffing tool that can help us in detecting that culprit.
You're going to have a difficult time detecting a passive packet sniffer.