Network analyzers (sniffers)

May 2017

Network analysis

A "network analyzer" (also called a sniffer) is a device that makes it possible to "monitor" a network's traffic, that is, to capture the information circulating on that network.

On an unswitched network, every frame is delivered to all of the network's machines. Under normal use, a machine's network interface discards frames that are not addressed to it. However, by putting the interface into a specific mode (generally called promiscuous mode), it is possible to capture all of the traffic reaching a network adapter (an Ethernet card, a wireless card, etc.).

Use of the sniffer

A sniffer is a powerful tool that makes it possible to monitor a network's traffic. It is generally used by administrators to diagnose problems on their network and to see what traffic is circulating on it. Intrusion detection systems (IDS) are built on a sniffer to capture packets, and use a rules database to detect suspicious packets.

Unfortunately, like all administration tools, the sniffer can also be used by malicious individuals who have physical access to the network to gather information. This risk is even higher on wireless networks, since it is hard to confine radio waves to a limited area, so a malicious person can monitor traffic just by being in the neighborhood.

The vast majority of Internet protocols convey information in cleartext, that is, not encrypted. Therefore, when a network user reads mail via the POP or IMAP protocol or browses sites whose addresses do not start with HTTPS, all of the sent or received information can be intercepted. This is why specialized sniffers have been developed by attackers in order to retrieve passwords circulating on networks.
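The following is an added example, not code from the original article, that ties the three ideas above together in software: it decodes Ethernet/IPv4/TCP headers from raw frames, models the adapter's receive filter (normal versus promiscuous mode), and runs a small IDS-style rule database that flags traffic to cleartext protocol ports such as POP3, IMAP and HTTP. All frames, MAC addresses, IP addresses and port numbers are constructed test data chosen for this illustration; the rule table is a hypothetical one, not any real IDS's ruleset. Such an audit is what an administrator would run on their own network to find where cleartext protocols are still in use.

```python
import struct
from dataclasses import dataclass

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
BROADCAST_MAC = b"\xff" * 6

# Constructed MAC of the monitoring host's own adapter (not from the original page).
NIC_MAC = bytes.fromhex("02000000000a")

# Hypothetical rule "database" in the spirit of a signature-based IDS:
# destination port -> alert message for protocols that carry data in cleartext.
CLEARTEXT_RULES = {
    21: "FTP control channel (cleartext credentials)",
    23: "Telnet (cleartext session)",
    80: "HTTP (unencrypted web traffic)",
    110: "POP3 (cleartext mail retrieval)",
    143: "IMAP (cleartext mail retrieval)",
}


@dataclass
class Packet:
    dst_mac: bytes
    src_mac: bytes
    src_ip: str
    dst_ip: str
    dst_port: int


def parse_frame(frame: bytes):
    """Decode Ethernet II + IPv4 + TCP headers; return None for anything else."""
    if len(frame) < 14:
        return None
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if len(ip) < 20:
        return None
    ihl = (ip[0] & 0x0F) * 4          # IPv4 header length in bytes
    proto = ip[9]
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    if proto != IPPROTO_TCP or len(ip) < ihl + 4:
        return None
    _src_port, dst_port = struct.unpack("!HH", ip[ihl:ihl + 4])
    return Packet(dst_mac, src_mac, src_ip, dst_ip, dst_port)


def delivered(frames, nic_mac, promiscuous):
    """Model the adapter's receive filter: only frames to our MAC or broadcast,
    unless the adapter is in promiscuous mode, in which case everything passes."""
    return [f for f in frames
            if promiscuous or f[:6] == nic_mac or f[:6] == BROADCAST_MAC]


def apply_rules(frames):
    """Run every captured frame through the rule database and collect alerts."""
    alerts = []
    for f in frames:
        p = parse_frame(f)
        if p and p.dst_port in CLEARTEXT_RULES:
            alerts.append((p.src_ip, p.dst_ip, p.dst_port, CLEARTEXT_RULES[p.dst_port]))
    return alerts


def build_frame(dst_mac, src_mac, src_ip, dst_ip, src_port, dst_port):
    """Build a minimal Ethernet/IPv4/TCP SYN frame (constructed data; checksums zeroed)."""
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     bytes(int(x) for x in src_ip.split(".")),
                     bytes(int(x) for x in dst_ip.split(".")))
    return struct.pack("!6s6sH", dst_mac, src_mac, ETHERTYPE_IPV4) + ip + tcp


# Constructed traffic sample: two other hosts A and B talking to each other,
# plus one HTTP connection aimed at the monitoring host itself.
MAC_A = bytes.fromhex("020000000001")
MAC_B = bytes.fromhex("020000000002")
SAMPLE_FRAMES = [
    build_frame(MAC_B, MAC_A, "10.0.0.1", "10.0.0.2", 40001, 110),    # POP3, A -> B
    build_frame(MAC_B, MAC_A, "10.0.0.1", "10.0.0.2", 40002, 443),    # HTTPS, A -> B
    build_frame(NIC_MAC, MAC_B, "10.0.0.2", "10.0.0.10", 40003, 80),  # HTTP, B -> us
    build_frame(MAC_B, MAC_A, "10.0.0.1", "10.0.0.2", 40004, 143),    # IMAP, A -> B
]


def audit(promiscuous):
    """Alerts the monitor would raise on the sample traffic in the given adapter mode."""
    return apply_rules(delivered(SAMPLE_FRAMES, NIC_MAC, promiscuous))


if __name__ == "__main__":
    for mode in (False, True):
        print("promiscuous =", mode)
        for src, dst, port, msg in audit(mode):
            print(f"  {src} -> {dst}:{port}  {msg}")
```

In normal mode the monitor only sees the one HTTP connection addressed to it; in promiscuous mode it also sees the POP3 and IMAP sessions between the two other hosts, while the HTTPS session produces no alert because the rule table only lists cleartext ports. Real captures would come from a raw socket or libpcap rather than the constructed frame list.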

There are several ways to protect yourself from troubles that could arise due to the use of a sniffer on your network:

  • Use encrypted protocols for all communications with highly confidential content.
  • Segment the network to limit the spread of information. In particular, prefer switches to hubs: a switch forwards each frame only to the port of the machine it is intended for, instead of repeating it to every machine.
  • Use a sniffer detector. This is a tool that probes the network looking for hardware using promiscuous mode.
  • For wireless networks, you are advised to reduce the transmit power of your hardware so as to cover only the necessary area. This will not keep potential attackers from monitoring the network, but it will limit the geographic area where they can operate.
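To make the hub-versus-switch point in the second recommendation concrete, here is an added example (not from the original article) that models both devices' forwarding decisions in a few lines of Python. The port numbers, MAC addresses and traffic sequence are constructed for the illustration. It also shows the caveat a defender should know: a learning switch floods a frame like a hub whenever it has not yet learned the destination's port, so segmentation narrows what a third host can observe but does not eliminate it.

```python
BROADCAST = b"\xff" * 6


class Hub:
    """A hub repeats every frame out of every port except the one it arrived on."""

    def __init__(self, ports):
        self.ports = list(ports)

    def forward(self, in_port, frame):
        return [p for p in self.ports if p != in_port]


class Switch:
    """A learning switch records the port on which each source MAC was seen and
    forwards a frame only to the learned port of its destination. Broadcast and
    not-yet-learned destinations are flooded to every other port, as on a hub."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.table = {}  # MAC address -> port number

    def forward(self, in_port, frame):
        dst, src = frame[:6], frame[6:12]
        self.table[src] = in_port
        if dst != BROADCAST and dst in self.table and self.table[dst] != in_port:
            return [self.table[dst]]
        return [p for p in self.ports if p != in_port]


def frame(dst, src):
    # Only the Ethernet header matters for the forwarding decision.
    return dst + src + b"\x08\x00" + b"payload"


def frames_seen_by(device, port_of, sequence, observer_port):
    """Count how many frames of `sequence` ((src, dst) pairs) reach `observer_port`."""
    seen = 0
    for src, dst in sequence:
        if observer_port in device.forward(port_of[src], frame(dst, src)):
            seen += 1
    return seen


# Constructed topology: A on port 1, B on port 2, a third host E on port 3
# that is not a party to the A <-> B conversation.
MAC_A = bytes.fromhex("020000000001")
MAC_B = bytes.fromhex("020000000002")
PORT_OF = {MAC_A: 1, MAC_B: 2}
CONVERSATION = [(MAC_A, MAC_B), (MAC_B, MAC_A), (MAC_A, MAC_B), (MAC_A, MAC_B), (MAC_B, MAC_A)]


def compare():
    """Return (frames E sees on a hub, frames E sees on a switch) for the conversation."""
    hub_count = frames_seen_by(Hub([1, 2, 3]), PORT_OF, CONVERSATION, observer_port=3)
    switch_count = frames_seen_by(Switch([1, 2, 3]), PORT_OF, CONVERSATION, observer_port=3)
    return hub_count, switch_count


if __name__ == "__main__":
    hub_count, switch_count = compare()
    print(f"hub: port 3 sees {hub_count} of {len(CONVERSATION)} frames")
    print(f"switch: port 3 sees {switch_count} of {len(CONVERSATION)} frames")
```

On the hub, port 3 sees all five frames. On the switch, only the very first frame reaches port 3, because B's port is unknown at that moment and the frame is flooded; once both MACs are learned, the rest of the conversation stays on ports 1 and 2.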

Latest update on October 16, 2008 at 09:43 AM by Jeff.
This document, titled "Network analyzers (sniffers)," is available under the Creative Commons license.