LinuxQuestions.org, Linux - Security forum
Old 04-26-2011, 04:25 AM   #1
aliabbass
Member
 
Registered: Jun 2008
Posts: 57

Rep: Reputation: 0
needs anti sniffing tool for squid


Hi fellows. We are running Squid as a proxy server with almost 170 users. The clients are using Windows, and after observing more than once, there are some users that are sniffing on the network, using maybe some sort of sniffing tool. Now, can anybody recommend some anti-sniffing tool that can help us in detecting that culprit? Any software, Linux or Windows based, will help.
I have tried Wireshark; if someone recommends that, then please give some detailed tutorial on Wireshark.
 
Old 04-26-2011, 04:53 AM   #2
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
The problem you face is that sniffing tools, including Wireshark, are generally passive and unless they engage in some sort of active process, I don't know how you would find them by looking at network traffic. In essence, all that these programs do is monitor what is already on the wire and report it to the user. The inherent failing is in assuming that anything that is on the wire is confidential. This leads me to the question of how did you determine that:
Quote:
after observing more than once there are some users that are sniffing on the network using maybe some sort of sniffing tool.
Most places that I have worked use auditing software to automatically scan and report what applications are installed on the systems under their control, and can then watch for applications like Wireshark.

Now if someone is actively scanning and probing, you could use a program like Wireshark to capture this information. However, I think a more appropriate tool would be a form of HIDS, like snort, which will look at the traffic and generate alerts on suspicious packets. These kinds of tools generate a lot of false positives, so you would need to tread very lightly in investigating what alerts you get.
 
1 members found this post helpful.
Old 04-26-2011, 07:44 AM   #3
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Rep: Reputation: 158
It would have to be a HIDS to detect this (or as Noway2 stated, an auditing package that will report unauthorized software usage).

A HIDS is usually an agent running on a machine (usually a high value target such as a financial database). The HIDS mainly looks at system logs for intrusions, intrusion attempts, or anomalies. It may well look at network traffic but only to/from that particular machine (most HIDS that I know of do not sniff network traffic). For the record, snort has no HIDS capability, although it can function as an IPS (there's a difference).

Last edited by unixfool; 04-26-2011 at 08:42 AM.
 
1 members found this post helpful.
Old 04-26-2011, 08:01 AM   #4
OlRoy
Member
 
Registered: Dec 2002
Posts: 306

Rep: Reputation: 86
Quote:
Originally Posted by aliabbass View Post
The clients are using windows and after observing more than once there are some users that are sniffing on the network using maybe some sort of sniffing tool.
Just out of curiosity, what exactly is it that leads you to believe users are sniffing traffic? How did you detect it?
 
Old 04-26-2011, 08:41 AM   #5
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
@unixfool, thank you for the correction. I meant to say NIDS, not HIDS.
 
Old 04-27-2011, 06:16 AM   #6
devwatchdog
Member
 
Registered: Jan 2010
Posts: 202

Rep: Reputation: 47
I remember scanning for hosts where the NIC was in promiscuous mode several years back. I don't recall what tool I used at the time, as that was probably before the advent of nmap developing NSE. There was another tool available then, and with some research, I imagine someone could find alternative methods.

With that in mind, nmap's NSE (Nmap Scripting Engine) can provide a list of systems where the NICs are in promiscuous mode.

Code:
nmap -sV --script=sniffer-detect <target>
A basic description can be found here.

Something to keep in mind is that when this is run, you should be root. I ran it without superuser privileges, and found the results did not return any NICs in promiscuous mode, nor did nmap complain about lacking permissions, either. There are potential complications where certain equipment can cause issues in the results, but the main one I saw mentioned was in reference to hubs.

I would not recommend using the 'T5' (insane) flag. I saw some rather strange, and inaccurate, results.

I began to wonder what tool(s) I might have been using ten years ago, and did some searches. It seems this particular realm of software had a range of various offerings available in the past, but most now appear abandoned. Plenty of dead domains and dead URL links are found in these searches.

If you have an environment where common users have the ability to install software you're going to have problems such as these. In addition to that, if they don't have the ability to install software, then I'd be concerned these systems have been compromised. Either way, you're somewhat backing into the issue as there is software running within your network that I would consider dangerous in any environment if you do actually have sniffers running there. Looks like a good time to review your policies.
 
1 members found this post helpful.
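The nmap command above writes its findings per host, so a small parser is useful when the scan covers a subnet of 170 workstations. The script below is an added example, not code from this thread or from the nmap project: it reads nmap normal-format output (what `-oN scan.txt` saves) and lists the hosts where the sniffer-detect script reported a promiscuous NIC. The sample output is constructed, and the exact wording of the `|_sniffer-detect:` line ("Likely in promiscuous mode (tests: "...")") is assumed from memory of the script; check it against your nmap version. It also flags the case devwatchdog describes, where an unprivileged run produces no sniffer-detect lines at all instead of an error.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of nmap normal output, as produced by e.g.
#   sudo nmap -sV --script=sniffer-detect 192.168.10.0/24 -oN scan.txt
# Addresses, MACs and versions are made up. The "|_sniffer-detect:" line
# format is an assumption about the NSE script's output wording.
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 5.51 ( http://nmap.org ) at 2011-04-27 06:00 EDT
Nmap scan report for 192.168.10.21
Host is up (0.00042s latency).
PORT    STATE SERVICE      VERSION
445/tcp open  microsoft-ds
MAC Address: 00:11:22:33:44:55 (Constructed)

Host script results:
|_sniffer-detect: Likely in promiscuous mode (tests: "11111111")

Nmap scan report for 192.168.10.22
Host is up (0.00051s latency).
PORT    STATE SERVICE      VERSION
445/tcp open  microsoft-ds
MAC Address: 00:11:22:33:44:66 (Constructed)

Nmap done: 2 IP addresses (2 hosts up) scanned in 4.12 seconds
"""

# "Nmap scan report for 192.0.2.1" or "Nmap scan report for host.example (192.0.2.1)"
HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\S+)\))?")
# Accepts "|_sniffer-detect:", "| sniffer-detect:" and "|_ sniffer-detect:"
SNIFF_RE = re.compile(
    r'^\|_?\s*sniffer-detect:\s*(.*?)(?:\s*\(tests:\s*"([1_]+)"\))?\s*$'
)


def parse_sniffer_detect(text: str) -> Dict[str, Optional[dict]]:
    """Map each scanned host (IP preferred over hostname) to its sniffer-detect
    finding, or None when the script printed nothing for that host."""
    results: Dict[str, Optional[dict]] = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(2) or m.group(1)
            results[current] = None
            continue
        m = SNIFF_RE.match(line)
        if m and current is not None:
            results[current] = {"verdict": m.group(1), "tests": m.group(2)}
    return results


def suspected_sniffers(results: Dict[str, Optional[dict]]) -> List[str]:
    """Hosts whose verdict mentions promiscuous mode, sorted for stable reports."""
    return sorted(
        host for host, r in results.items()
        if r is not None and "promiscuous" in r["verdict"].lower()
    )


def scan_looks_unprivileged(results: Dict[str, Optional[dict]]) -> bool:
    """True when hosts were scanned but none carries a sniffer-detect line.
    As noted in the thread, nmap run without root stays silent rather than
    complaining, so an all-empty result is more likely a permissions problem
    than a clean network."""
    return bool(results) and all(r is None for r in results.values())


if __name__ == "__main__":
    found = parse_sniffer_detect(SAMPLE_NMAP_OUTPUT)
    if scan_looks_unprivileged(found):
        print("no sniffer-detect output at all: was nmap run as root?")
    for host in suspected_sniffers(found):
        print(f"{host}: {found[host]['verdict']} (tests {found[host]['tests']})")
```

A host that answers every probe ("11111111") is the strongest signal; partial patterns depend on the operating system's filter behaviour, so treat them as leads to confirm on the machine itself, not as proof. Only hosts on the same Ethernet segment as the scanner can be tested this way, since the technique relies on link-layer ARP replies.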
Old 04-27-2011, 07:33 AM   #7
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Rep: Reputation: 158
devwatchdog, good comment about scanning for hosts with NICs in promiscuous mode! I'd thought about that but wasn't aware of tools that did that. I also wasn't aware that nmap is now capable of doing that.

OP, I just saw this which mentioned this. These links might help also, along with nmap that devwatchdog mentioned.

Last edited by unixfool; 04-27-2011 at 07:37 AM.
 
Old 04-27-2011, 01:41 PM   #8
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,070

Rep: Reputation: 897
Quote:
Originally Posted by aliabbass View Post
I have tried wireshark if someone recommends that then please give some detailed tutorial on wireshark.
Err, ok
http://www.linux-mag.com/id/7896/2/
http://www.linux-mag.com/id/7900?hq_...q_v=b2bc34a65e
http://searchsecurity.techtarget.com...ity+Tactics%29

(I like Wireshark because it seems easy for a dummy like me to understand. YMMV, but I doubt that you'll find another tool of this kind that has an easier initial learning curve.)

Quote:
Originally Posted by aliabbass View Post
...having almost 170 users.The clients are using windows and after observing more than once there are some users that are sniffing on the network using maybe some sort of sniffing tool.
I note that you haven't answered (@OlRoy)
Quote:
Just out of curiosity, what exactly is it that leads you to believe users are sniffing traffic? How did you detect it?
Is this a wired or a wireless network? And given that, as has been commented, sniffers are passive and generally don't give you any evidence except on the screen of the computer concerned, something exact about what you have seen would be nice.

Quote:
...some anti sniffing tool...
I don't know what that would be; if the traffic goes to their network interface, then the only way that you can stop them doing what they like with that data is to control what programs they can run on their computers. Do you have that level of control? Of course, in most network architectures you don't see all of the network traffic out at the workstation, so, in the usual case, this doesn't turn into a problem.
 
Old 04-27-2011, 02:52 PM   #9
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
Originally Posted by aliabbass
The clients are using windows and after observing more than once there are some users that are sniffing on the network using maybe some sort of sniffing tool. Now can any body recommend some anti sniffing tool that can help us in detecting that culprit.
You're going to have a difficult time detecting a passive packet sniffer.

Your anti-sniffing tool is called TLS.
 
  

