While they may sound like pooches you’d spot at the airport security line, packet sniffers are in fact tools that can be used to view and capture communications on a wired or wireless network.
Like most technologies, packet sniffers can be used legitimately by an agency’s IT team to monitor network traffic, or they can be used by outside forces to potentially spy on and collect sensitive agency data, like cookies or login details.
What are Packet Sniffers and How Do They Work?
Also known as packet analyzers, the sniffers grab raw data from networks and are often used with protocol analyzers that can translate the data into something readable.
“If someone was trying to look at the communications over a particular network, maybe between two different hosts, the packet sniffers could be used to see if the traffic is coming through OK,” says Karen Scarfone, principal consultant for Scarfone Cybersecurity.
Sniffers are often used to ensure security when monitoring traffic coming in and out of a network. That’s one of the ways that the state of Louisiana’s IT department uses the technology, says CISO Dustin Glover, who notes that during the state’s current IT modernization it is building in ways to inspect all traffic coming in and going out of its network to ensure none of it is malicious or dangerous.
“The most common use case on the inbound traffic is what’s called a web application firewall. For you to see attacks or attempted attacks, or an attempted overflow of inputs, you would need an application firewall piece to break down that encrypted packet, look at it, process it, see if it meets any of the common attack signatures before you would allow it inbound to your application,” says Glover. “From there it’s sort of this boundary layer where you would perform the inspection and re-encrypt the packet and send it on to your application.”
The same process is applied on the way out. In order to prevent data loss, Glover says the state looks at all outgoing traffic in order to log where all the information is heading.
“Most commonly we use a proxy positioned in the network in order to funnel all traffic through a solution that will secure the transmission up until that point, and then it will do the sniffing — the inspection — on that box, and then it will re-secure and allow the traffic on its way,” says Glover.
But an agency should have more than one solution in place to ensure there is a robust and diverse infrastructure to monitor traffic, he notes.
Beyond cybersecurity, agencies can use packet sniffers to analyze performance and troubleshoot network issues, but from a security perspective, an agency needs to be mindful about deploying the tools.
“You have to be careful about how you take your secure traffic … and mirror it off in an unsecured manner. That could be a problem for an organization because they’re essentially taking all of the data that they are trying to protect and putting it aside in raw form but away from its protection mechanisms,” says Glover.
For that reason, Louisiana, at least, doesn’t use packet sniffers to analyze performance or troubleshoot issues at this time.
What Packets Are Typically Sniffed?
While packet sniffers can help an organization ensure security, they can also be used to spy on an organization’s unencrypted data. According to Colasoft, a company that provides network performance monitoring and diagnostics, while packet sniffers can see almost anything that is unencrypted on a network, the software typically sniffs the following types of traffic:
- SMTP, POP, IMAP traffic — allows the intruder to read email.
- POP, IMAP, HTTP Basic, Telnet authentication —reveals passwords in plain text.
- SMB, NFS, FTP traffic — allows intruders to read traffic “off the wire.”
- SQL database — provides hackers with the ability to read financial transactions and credit card numbers.
How to Detect a Packet Sniffer to Avoid Threats
By taking a few steps to protect data and networks, agencies can prevent sensitive data from being captured by outside sources.
“Packet sniffers are still widely used by hackers and are built in to malware and attack toolkits, and they are used to harvest packets especially in environments that don’t follow recommended practices,” says Scarfone, noting that the main risk for now from packet sniffers is eavesdropping on wireless networks.
But there are methods to mitigate “sniffing” and pair communications in ways that can reduce the scenario that would allow someone to capture and inspect a packet.
The first major step is to encrypt data.
“Assume that every network is untrusted and encrypt all the information that goes over those networks,” says Scarfone. “If the information is encrypted, the packet sniffer can see that there is communication going from point A to point B, but it doesn’t know anything about it. That doesn’t give the information too much value.”
Beyond encryption, organizations should also make sure that their network traffic is validated.
“The way that organizations use this to analyze and mitigate risk is the exact same path that the attacker takes to gain access to information that they wouldn’t natively have access to,” says Glover. "[This] is taking a computer and forcing it to send traffic to a central processing system that isn’t the site they’re visiting and forcing the computer to trust what they have been connected to."
While an enterprise with configuration management over all computers can securely validate certificates, this doesn’t translate to outside networks, which is why users should look to be cautious around unsecured networks.
“People using unencrypted Wi-Fi in coffee shops, for example: If they aren’t ensuring that their packets are encrypted, their packets are going through the air unencrypted and it is trivially easy to set up a laptop to just sniff those packets and capture them,” says Scarfone.
For this reason, when working in a coffee shop or on another unsecured network, users should be extremely mindful not to accept any pop-ups or ignore a warning from a web browser about SSL certificates or potentially malicious sites.
Glover also notes that, nowadays, cloud providers can offer low-cost, robust web application firewalls that include inspections through their cloud-services load balancing and allow IT teams to inspect traffic.
“There are lots of cloud options out there that agencies can leverage that can proxy the traffic for them, and it wouldn’t require the investment in the infrastructure, and they have it set up from a subscription standpoint,” says Glover. “You can absolutely prevent it from happening. You just have to make sure that you have built protections into your systems and services.”