Developing a Sniffer Detector for Windows Operating Systems


This paper presents the design and implementation of a sniffer detector system which can be used to detect any host running a sniffer on an Ethernet network. The proposed detection system is based on two effective detection techniques: the ARP (Address Resolution Protocol) detection technique and the Three-way Handshaking detection technique. The first technique, the ARP detection, attempts first to send trap ARP request packets with faked hardware addresses to a suspicious sniffing host. Then, based on the generated responses of the suspicious sniffing host, a decision is made on whether or not the suspicious host is running a sniffer. In case of no response, the second technique, the Three-way Handshaking detection, is used to detect an active sniffer which did not respond to the first technique, by sending trap TCP-SYN packets with a faked IP address to a suspicious sniffing host. Based on the generated responses of the suspicious host, a decision is made on whether or not it is running a sniffer. The two techniques are implemented in a system that automatically gives the system administrator a helping hand regarding the detection of sniffers on an Ethernet network. The proposed system is tested in comparison with three other available anti-sniffers (L0pht AntiSniff, PromiScan, and PromiscDetect). The results showed its enhanced performance.
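The ARP detection technique described above, as an added illustration in Python that is not the paper's own code: it builds the trap ARP request frame, parses any ARP reply, and applies the decision rule (a host that answers a frame its hardware filter should have dropped is treated as sniffing). The trap destination MAC and all addresses are assumptions; the paper does not state which faked hardware address its system uses, and the block constructs frames as bytes rather than sending them.

```python
import struct

ETH_P_ARP = 0x0806
# Assumed trap destination: a non-broadcast address that a NIC in normal mode
# filters out in hardware, but a promiscuous NIC hands up to the OS, whose ARP
# stack then answers. The paper does not specify its value.
TRAP_DST_MAC = "ff:ff:ff:ff:ff:fe"


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def _arp_frame(dst_mac, src_mac, opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II + ARP frame (42 bytes): htype=Ethernet, ptype=IPv4, hlen=6, plen=4."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def build_trap_arp_request(src_mac, src_ip, target_ip, dst_mac=TRAP_DST_MAC) -> bytes:
    """ARP 'who-has target_ip' carried in a frame addressed to the faked MAC."""
    return _arp_frame(dst_mac, src_mac, 1, src_mac, src_ip, "00:00:00:00:00:00", target_ip)


def build_arp_reply(sender_mac, sender_ip, dst_mac, dst_ip) -> bytes:
    """A normal ARP reply; used here only to construct sample responses."""
    return _arp_frame(dst_mac, sender_mac, 2, sender_mac, sender_ip, dst_mac, dst_ip)


def parse_arp_reply(frame: bytes):
    """Return (sender_mac, sender_ip) for an ARP reply, or None for anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    _htype, _ptype, _hlen, _plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if opcode != 2:
        return None
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return sender_mac, sender_ip


def classify_host(target_ip: str, replies) -> bool:
    """Decision rule: any ARP reply from target_ip to the trap request means promiscuous."""
    for frame in replies:
        parsed = parse_arp_reply(frame)
        if parsed is not None and parsed[1] == target_ip:
            return True
    return False
```

Modern NICs and operating systems differ in which non-broadcast destination addresses they filter, so a silent host is not proof of absence, which is why the paper falls back to the TCP-SYN technique.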