Security tool - SwitchSniffer
Pawel Charnas

System: Windows NT4/2000/XP/2003
Licence: Freeware
Application: LAN monitoring
Website: http://www.nextsecurity.net

SwitchSniffer is a simple freeware utility for monitoring local area networks, also equipped with basic administration and abuse detection features.

Quickstart: Suppose you have a new job as network administrator for a small trading company. The CEO has asked you to detect which employees are using instant messaging and peer-to-peer applications instead of working. You have a Windows workstation at your disposal, the company network is switch-based and no commercial penetration testing tools have been purchased, so you decide to use a freeware utility called SwitchSniffer, intended for sniffing on switched networks.

Running the program requires administrator privileges, otherwise it might be unstable. When you first run the application, you will be presented with an options screen. In the Network tab, select the network interface to listen on. It’s also a good idea to open the Spoof tab and set Spoofing Types to <-> Gateway - for some networks, this is required for sniffing to work correctly.

Click Scan to start scanning the local network. The program does this quickly and efficiently, detecting all active hosts in your network segment - you can see them in the Local Hosts Info list and in the Up Hosts tree. Next, expand the latter tree, right-click it and choose Select All from the context menu to make sniffing apply to all active hosts. Press Start and the program will start capturing network traffic.

The Local Hosts Info tab provides information about hosts within the local network. Information provided by SwitchSniffer includes the operating system, host name, IP, MAC and network adapter manufacturer. You can also see the total size of downloaded packets and the download and upload speeds.
SwitchSniffer can also monitor the intensity of host network usage, providing us with an indication of which employees are messing about on the Internet instead of working. The Remote Hosts Info tab provides information on hosts in other network segments, while Sessions Info contains information on current sessions. The Local, Remote and Services tabs in the left-hand panel contain trees for local hosts, remote hosts and services, respectively.

Now to satisfy the CEO’s request. Open the Services tab in the left-hand panel. Now you can locate suspicious services (for example typical IM ports, such as gg(8074), jabber-client(5223)), expand the remote hosts tree for a given service and then expand the local hosts tree next to the remote host address - and there you have the culprits wanted by the manager.

Other useful features: The program supports blocking for selected sessions and connections using options available from the context menu. This means you can not only examine services, but also control which services are permitted - in the Definitions tab you can define permitted services and MACs, as well as review traffic filtering rules. SwitchSniffer also provides ARP spoofing detection capabilities (the Detect and Alert tab in program options).

Disadvantages: The program is much simpler than dsniff or Ettercap. Only a beta version is currently available, so stability issues are also likely. On the up side, the application is much easier to use than similar utilities, especially for less experienced administrators.

Paweł Charnas
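
The service, remote host, local host grouping that the Services tab walk-through relies on can be reproduced from any session log. The following is an added example, not part of the original article and not SwitchSniffer's own code; the session tuple layout, the 192.168.1.0/24 segment and the sample records are constructed for illustration, while the two service ports are the ones named in the text.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Service ports quoted in the review; extend to match local policy.
WATCHED_SERVICES = {8074: "gg", 5223: "jabber-client"}

# Assumed local segment (constructed for this example).
LOCAL_NET = ip_network("192.168.1.0/24")

# Constructed session records: (src IP, src port, dst IP, dst port).
SAMPLE_SESSIONS = [
    ("192.168.1.21", 49152, "203.0.113.10", 8074),
    ("192.168.1.34", 50211, "203.0.113.10", 8074),
    ("203.0.113.10", 8074, "192.168.1.21", 49152),   # reply direction
    ("192.168.1.21", 49877, "198.51.100.7", 5223),
    ("192.168.1.50", 51000, "198.51.100.80", 443),   # not a watched service
    ("192.168.1.21", 8074, "192.168.1.34", 40000),   # local to local
]


def build_service_tree(sessions, local_net=LOCAL_NET, watched=WATCHED_SERVICES):
    """Return {service label: {remote host: [local hosts]}} for watched ports."""
    tree = defaultdict(lambda: defaultdict(set))
    for src_ip, src_port, dst_ip, dst_port in sessions:
        src_local = ip_address(src_ip) in local_net
        dst_local = ip_address(dst_ip) in local_net
        if src_local == dst_local:
            continue  # no local/remote pair, so nothing to attribute
        # The service port is the port on the remote endpoint,
        # whichever direction the captured record was seen in.
        if src_local:
            local, remote, port = src_ip, dst_ip, dst_port
        else:
            local, remote, port = dst_ip, src_ip, src_port
        if port in watched:
            tree[f"{watched[port]}({port})"][remote].add(local)
    return {
        service: {r: sorted(hosts, key=ip_address) for r, hosts in remotes.items()}
        for service, remotes in tree.items()
    }


if __name__ == "__main__":
    for service, remotes in build_service_tree(SAMPLE_SESSIONS).items():
        print(service)
        for remote, locals_ in remotes.items():
            print(f"  {remote}: {', '.join(locals_)}")
```
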









