Developing a Sniffer Detector for Windows Operating Systems

Abstract

This paper presents the design and implementation of a sniffer detector system which can be used to detect any host running a sniffer on an Ethernet network. The proposed detection system is based on two effective detection techniques: the ARP (Address Resolution Protocol) detection technique and the Three-way Handshaking detection technique. The first technique, the ARP detection, attempts first to send trap ARP request packets with faked hardware addresses, to a suspicious sniffing host. Then, based on the generated responses of the suspicious sniffing host, a decision is made on whether or not the suspicious host is running a sniffer. In case of no response the second technique, the Three-way Handshaking detection, is used to detect active sniffer which did not respond to the first technique by sending trap TCP-SYN packets with faked IP address, to a suspicious sniffing host. Based on the generated responses of the suspicious host, a decision is made on whether or not it is running a sniffer. The two techniques are implemented in a system that automatically gives the system administrator a helping hand regarding the detection of sniffers on an Ethernet network. The proposed system is tested in comparison with three other available anti-sniffers (L0pht AntiSniff, PromiScan, and PromiscDetect). The results showed its enhanced performanc