What is a Packet Analyzer?
Packet analyzers are used to monitor, intercept, and decode data packets as they are transmitted across networks. Packet analyzers can be computer programs (software) or hardware. Common alternative names for packet analyzers include packet sniffers, protocol analyzers, and network analyzers. The terms wireless sniffer and Ethernet sniffer are also used, depending on the type of network.
Packet sniffers have a wide range of uses in organizational IT settings. IT teams use packet analyzers to monitor and filter network traffic. Network analyzers are also valuable tools for testing protocols, diagnosing network problems, identifying configuration issues, and resolving network bottlenecks. Finally, information security teams rely on these tools to discover network misuse, vulnerabilities, malware, and attack attempts.
Packet Analyzer Attacks
Unfortunately, the capabilities of network analyzers make them popular tools for malicious actors as well. Protocol analyzer attacks typically involve a malicious party running a network sniffer in promiscuous mode. In promiscuous mode the network interface hands every frame it receives to the host, not only the frames addressed to its own MAC address, so the sniffer can read all traffic that reaches its network segment; the wireless equivalent is monitor mode, which captures raw 802.11 frames without joining the network at all. Attackers abuse packet sniffers to steal unencrypted information, spy on network traffic, and gather information to leverage in future attacks against the network. Protocol analyzer attacks commonly target user logins, financial information, and emails. Connecting to insecure networks such as public or free Wi-Fi puts users at a higher risk for packet analyzer attacks: on an open (unencrypted) wireless network anyone within radio range can capture the traffic, and on a network protected by a shared password anyone who holds that password can decrypt it.
In addition to simply sniffing data, protocol analyzers are often used by attackers to execute more sophisticated attacks. These attacks can include (but are not limited to):
- Spoofing attacks: Packet analyzers reveal the MAC and IP addresses, hostnames, and protocols of the users and devices on a network, which an attacker uses to impersonate one of them convincingly.
- Session sidejacking: Packet sniffers are used to capture session cookies sent over unencrypted HTTP; replaying a captured cookie lets the attacker impersonate the logged-in user without ever learning their password.
- Man-in-the-middle attacks: A sniffer by itself is passive. Combined with a technique that forces traffic through the attacker's machine (ARP spoofing on a LAN, or a rogue wireless access point), the attacker can intercept messages between two parties and alter or forge them before passing them on.
Preventing Packet Analyzer Attacks
There are a few steps that all enterprises should take to ensure that they are protected from attacks that utilize protocol analyzers. For starters, secure protocols should be used whenever possible so that data is encrypted before it is transmitted across a network. Examples of secure protocols include HTTPS (HTTP over TLS), SFTP (the SSH File Transfer Protocol), and Secure Shell (SSH), in place of their cleartext counterparts HTTP, FTP, and Telnet. If an insecure protocol must be used, the organization can still protect the data by encrypting it at the application layer before it is handed to the protocol, or by tunneling the protocol through SSH or a VPN.
In addition to using secure protocols and encrypting data, organizations should design their network to limit what a sniffer can see. Networks should be built with switches rather than hubs whenever possible. A hub repeats every frame it receives out of every port, so a sniffer on any port sees all traffic; a switch forwards a frame only out of the port where it learned the destination MAC address, so a sniffer on an ordinary port sees only its own traffic plus broadcast, multicast, and unknown-destination frames. This makes switches inherently more resistant to passive sniffing, but not immune: an attacker on the same switch can redirect traffic with ARP spoofing, or flood the switch's MAC table until it falls back to hub-like flooding. Port security, DHCP snooping with Dynamic ARP Inspection, and segmentation into VLANs close those gaps, and encryption remains the only protection against someone who has obtained a mirrored port or a physical tap.
Another strong option is to tunnel traffic through an encrypted remote-access channel, which is especially effective against wireless sniffers because everything on the air is then ciphertext. A VPN (Virtual Private Network) encrypts all traffic between the client and the VPN gateway regardless of the application protocol. RDP (Remote Desktop Protocol) encrypts its sessions, using TLS when Network Level Authentication is enabled. VNC (Virtual Network Computing), however, should not be counted on for this: the underlying RFB protocol does not encrypt, so keystrokes and screen contents travel in the clear unless the implementation adds TLS or the session is tunneled over SSH or a VPN. Using an encrypted remote-access channel in combination with the methods discussed above bolsters network security by adding multiple layers of encryption.
Finally, an organization looking to protect itself against protocol analyzer attacks should regularly sniff its own networks, wired and wireless, with the same tools an attacker would use. Doing so lets the organization view its network from an attacker's perspective: any password, session cookie, or document that is readable in the capture is readable by an attacker too, which points directly at the hosts and protocols still running in the clear. The same captures can reveal sniffing-related attacks in progress, such as ARP spoofing or a rogue access point.
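As an added example (not code from the original article), the following Python block shows what the credential-theft and session-sidejacking attacks described above, and the self-audit recommended here, look like at the byte level: a minimal sniffer-style parser that walks the Ethernet, IPv4, and TCP headers of each frame and flags HTTP Basic credentials and session cookies sent in the clear. The frames, MAC and IP addresses, hostnames, and credentials are all constructed inline for the demo; on a live network they would come from a raw socket or a pcap file.

```python
"""Minimal cleartext-credential detector over raw Ethernet frames.

Added example, not from the original article. All frames, addresses and
credentials below are constructed for the demo.
"""
import base64
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Construct an Ethernet/IPv4/TCP frame for the demo (checksums left at
    zero; the parser below never validates them)."""
    eth = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64,
                     IPPROTO_TCP, 0, src_ip, dst_ip)
    return eth + ip + tcp + payload


def parse_tcp_segment(frame):
    """Return (src_ip, dst_ip, sport, dport, payload), or None if the frame
    is not IPv4/TCP. This is the same walk a sniffer does on every frame."""
    if len(frame) < 14 + 20 + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4            # IPv4 header length in bytes
    if ip[9] != IPPROTO_TCP:
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4       # TCP header length in bytes
    return src_ip, dst_ip, sport, dport, tcp[data_off:]


def find_cleartext_secrets(frames):
    """Scan frames for HTTP Basic credentials and Cookie headers on port 80.
    Port 443 carries the same headers, but inside TLS they are unreadable."""
    findings = []
    for frame in frames:
        seg = parse_tcp_segment(frame)
        if seg is None:
            continue
        src_ip, dst_ip, sport, dport, payload = seg
        if 80 not in (sport, dport):
            continue
        try:
            text = payload.decode("ascii")
        except UnicodeDecodeError:
            continue
        for line in text.split("\r\n")[1:]:     # skip the request line
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "authorization" and value.lower().startswith("basic "):
                creds = base64.b64decode(value[6:]).decode("utf-8", "replace")
                findings.append(("basic-auth", src_ip, dst_ip, creds))
            elif name == "cookie":
                findings.append(("session-cookie", src_ip, dst_ip, value))
    return findings


# Constructed sample traffic: two cleartext HTTP requests and one TLS record.
CLIENT_MAC, SERVER_MAC = b"\x02\x00\x00\x00\x00\x05", b"\x02\x00\x00\x00\x00\x50"
CLIENT_IP, SERVER_IP = bytes([10, 0, 0, 5]), bytes([10, 0, 0, 80])
BASIC = base64.b64encode(b"alice:hunter2")
SAMPLE_FRAMES = [
    build_frame(CLIENT_MAC, SERVER_MAC, CLIENT_IP, SERVER_IP, 51000, 80,
                b"GET /login HTTP/1.1\r\nHost: intranet.example\r\n"
                b"Authorization: Basic " + BASIC + b"\r\n\r\n"),
    build_frame(CLIENT_MAC, SERVER_MAC, CLIENT_IP, SERVER_IP, 51001, 80,
                b"GET /inbox HTTP/1.1\r\nHost: intranet.example\r\n"
                b"Cookie: sessionid=deadbeef\r\n\r\n"),
    # The same kind of request over HTTPS: only an opaque TLS record is visible.
    build_frame(CLIENT_MAC, SERVER_MAC, CLIENT_IP, SERVER_IP, 51002, 443,
                b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x03" + bytes(32)),
]

if __name__ == "__main__":
    for kind, src, dst, secret in find_cleartext_secrets(SAMPLE_FRAMES):
        print(f"{kind}: {src} -> {dst}: {secret}")
```

Run as a script, it reports the Basic credentials and the session cookie from the two port-80 requests and nothing from the HTTPS frame, which is the whole argument for secure protocols in one output. In a real self-audit the same loop would run over a capture of the organization's own traffic, and every hit is a host or application that still needs to be moved to an encrypted protocol.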
Tools for Detecting Malicious Packet Analyzers
Many packet analyzers include features for detecting intrusion attempts, and wireless analyzers can reveal hidden (non-broadcasting) networks. In addition to built-in utilities, there are commercially available and open-source tools designed specifically to detect hosts that are sniffing. These tools typically work by monitoring network traffic and probing for network cards in promiscuous mode. A common probe sends an ARP request for the target's IP address to a destination MAC address that a normally configured card discards in hardware, such as the near-broadcast address ff:ff:ff:ff:ff:fe; only a card in promiscuous mode passes the frame up to the operating system, whose ARP code checks just the target IP address and answers it. The result is heuristic, since filtering behaviour differs between card vendors and drivers, and a sniffer on a mirrored switch port or a passive tap never transmits anything and cannot be found this way, so detection complements encryption rather than replacing it. There are many programs available that do this, so it is up to security teams to determine the best software for their needs.
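As an added example (not code from the original article or any particular detection product), the following Python block implements the promiscuous-mode probe described above. Because the probe only makes sense against real hosts, both sides are modelled offline: the NIC's hardware receive filter and the operating system's ARP responder are simulated so the logic can be run and checked without a network. The scanner, the two hosts, and their MAC and IP addresses are constructed for the demo; on a real network the probe frame would be sent from a raw socket and the reply waited for.

```python
"""ARP 'fake broadcast' probe for promiscuous-mode detection, simulated.

Added example, not from the original article. Hosts, MACs and IPs below are
constructed; the NIC filter and ARP responder are models of real behaviour.
"""
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"   # hw type, proto type, hw len, proto len, op, sha, spa, tha, tpa
BROADCAST = b"\xff" * 6
FAKE_BROADCAST = b"\xff\xff\xff\xff\xff\xfe"   # looks like broadcast to a human, not to a NIC


def build_arp_request(dst_mac, sender_mac, sender_ip, target_ip):
    """Ethernet frame carrying a 'who has target_ip' ARP request."""
    eth = dst_mac + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, ARP_REQUEST,
                      sender_mac, sender_ip, bytes(6), target_ip)
    return eth + arp


def nic_accepts(frame, own_mac, promiscuous, joined_multicast=frozenset()):
    """Model of a NIC's hardware receive filter. A promiscuous card passes
    everything; a normal card passes only its own unicast MAC, the true
    broadcast address, and multicast groups it has joined. (Real cards differ
    in how strictly they filter multicast, which is why real detectors send
    several probe variants and compare the answers.)"""
    dst = frame[:6]
    if promiscuous:
        return True
    if dst == own_mac or dst == BROADCAST:
        return True
    return bool(dst[0] & 1) and dst in joined_multicast


def kernel_arp_reply(frame, own_mac, own_ip):
    """Model of the OS ARP responder: it never looks at the Ethernet
    destination, only at the ARP target IP, so any request that reaches it
    for own_ip gets a reply. Returns the reply frame, or None."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    _, _, _, _, op, sha, spa, _, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if op != ARP_REQUEST or tpa != own_ip:
        return None
    eth = sha + own_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, ARP_REPLY, own_mac, own_ip, sha, spa)
    return eth + arp


def simulate_probe(scanner_mac, scanner_ip, target_ip, host):
    """Two-probe check against a modelled host; returns 'down', 'normal' or
    'promiscuous'. host = {"mac": bytes, "ip": bytes, "promiscuous": bool}."""
    def answered(dst_mac):
        probe = build_arp_request(dst_mac, scanner_mac, scanner_ip, target_ip)
        if not nic_accepts(probe, host["mac"], host["promiscuous"]):
            return False
        return kernel_arp_reply(probe, host["mac"], host["ip"]) is not None

    if not answered(BROADCAST):        # control probe: is anything there at all?
        return "down"
    return "promiscuous" if answered(FAKE_BROADCAST) else "normal"


# Constructed lab: a scanner, one ordinary workstation, one sniffing host.
SCANNER_MAC, SCANNER_IP = b"\x02\x00\x00\x00\x00\x01", bytes([10, 0, 0, 1])
HOSTS = {
    "workstation": {"mac": b"\x02\x00\x00\x00\x00\x02", "ip": bytes([10, 0, 0, 2]), "promiscuous": False},
    "sniffer":     {"mac": b"\x02\x00\x00\x00\x00\x03", "ip": bytes([10, 0, 0, 3]), "promiscuous": True},
}

if __name__ == "__main__":
    for name, host in HOSTS.items():
        print(name, simulate_probe(SCANNER_MAC, SCANNER_IP, host["ip"], host))
```

The control probe to the true broadcast address matters: without it, silence on the fake-broadcast probe could mean either "not sniffing" or "not there", and the two must be told apart before a host is cleared. Replacing the two simulated functions with a raw socket that sends the probe frame and waits for an ARP reply turns this into a working network scan.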