Detecting a packet sniffer on an IPV6-enabled Linux system

By Rainer Wichmann rainer@nullla-samhna.de    (last update: Oct 30, 2004)

Almost everything that you ever wanted to know about packet sniffers can be found in the Sniffing FAQ [http://newdata.box.sk/2001/jan/sniffing-faq.htm]. Here I will just focus on the following point: sniffer detection on an IPV6-enabled Linux system.

What is a packet sniffer ?

A packet sniffer is a program or a device that eavesdrops on the network traffic. Sometimes such wiretaps are carried out by the network administration for beneficial purposes (like intrusion detection, performance analysis, ...). On the other hand, malicious intruders may install packet sniffers in order to retrieve clear-text usernames and password from the local network. Vulnerable protocols (with clear-text passwords) include: telnet, pop3, imap, ftp, smtp-auth and nntp.

How can I detect a packet sniffer ?

To be useful for an intruder, a packet sniffer must put the network interface into promiscuous mode. That means, while normally it will receive only packets addressed to itself, in promiscuous mode it will listen to all packets on the wire, including packets that are sent from other hosts to other hosts (if they pass through the wire where the interface is listening).

Obviously, the preferred method to detect a sniffer would be to check whether the network interface is in promiscuous mode. So I started ntop [http://www.ntop.org/], and found in my log files the following entry:

    kernel: device eth0 entered promiscuous mode
    

Of course, an intruder would just delete that line, so I went on to detect that the device is in promiscuous mode.

Failed: ifconfig -a

Invariably, the first advice is to use ifconfig -a, which should, among other device flags, print out the PROMISC flag, like this:

      UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
      

Unfortunately, in the output of ifconfig -a, there was no such flag ! The respective line was:

      UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
      
Failed: cpm

cpm [ftp://ftp.cerias.purdue.edu/pub/tools/unix/sysutils/cpm/] is a simple tool to determine whether an interface is in promiscuous mode. I needed to comment out the following two lines in cpm.c:

      #include <sys/mbuf.h>
      #include <sys/map.h>
      

then it compiled fine. Unfortunately, it did not detect the promiscuous state of the network interface.

Failed: ifstatus

ifstatus [ftp://andrew.triumf.ca/pub/security/ifstatus2.0.tar] is another small utility to detect a promiscuous interface. It compiled fine, but again, this tool did not detect the promiscuous state of the network interface.

Failed: chkrootkit

chkrootkit [http://www.chkrootkit.org/] is a popular utility to detect rootkits, and includes a check to detect whether a network interface is in promiscuous mode. It seemed to detect the promiscuous mode:

      PROMISC mode detected in one of these interfaces: eth0 sit0
      

However, upon closer inspection, I discovered the following: detection is done by (a) the included ifpromisc utility, and (b) a small shell script fragment in the chkrootkit main script. Method (a) always failed, and method (b) always claimed that the interface was in promiscuous mode, regardless whether it was or not. Obviously, also chkrootkit was completely useless.

Inconclusive: sentinel

sentinel [http://www.packetfactory.net/Projects/sentinel/] is a tool for the remote detection of a sniffer / a network interface in promiscuous mode. It provides several different tests. Some of them had consistently negative results, others had consistently positive results for machines where no sniffer was running. If this is useful at all, it would require extensive testing to find out which of the provided tests would reliably detect a sniffer.

Inconclusive: sniffdet

sniffdet [http://sniffdet.sourceforge.net/] is another tool for the remote detection of a sniffer, and apparently has the same problems as sentinel.

Works: kstat 1.1-2

kstat (v1.1-2) [http://www.s0ftpj.org/en/site.html] is a swiss-army knife to check for kernel rootkits. It collects information directly from the kernel (by reading from /dev/kmem) and was the only tool that correctly and reliably determined whether the interface is in promiscuous mode or not.

The only minor drawback is that it did not compile out-of-the-box; I needed to comment out some of the tests in src/netproto.c, and also needed to fix a line in the Makefile:
$(CC) -c $(SRC)knull.c should be
$(CC) -I/lib/modules/`uname -r`/build/include -c $(SRC)knull.c

Works: ifstat

ifstat is (only) that part of kstat (see above) that checks for promiscuous mode of a network interface. It has been modified to compile as a standalone application, and also to automatically check all interfaces, if no specific one is given as command line argument.

Works: /sbin/ip

ip called as ip link show will show the PROMISC flag if the interface is in promiscuous mode:

      eth0:  mtu 1500 qdisc pfifo_fast qlen 100
      

So what was/is the problem ?

Upon inspection of the kstat source and the source of some other tools, it seems that for IPV6, the PROMISC flag is handled differently, and stored in another place, than for IPV4. It looks as if most tools are only suitable for IPV4, and are not capable of detecting a promiscuous network interface if a IPV6-enabled sniffer is used on a system with an IPV6-enabled kernel.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 2.0 Germany License.