AntiSniff is a Graphical User Interface (GUI) driven tool for detecting promiscuous Network Interface Cards (NICs) on your local network segment. AntiSniff was designed to be run in two ways. First, for a "spot check" to quickly identify wh at machines on a local network segment are most worthy of further investigation. Second, AntiSniff may be run on a continual basis, scanning the network at scheduled intervals, comparing host test responses over time and setting off alarms based on user- defined events surrounding those test responses.

AntiSniff is an Microsoft Windows based product that will run on Windows 95/98 and NT. While AntiSniff may run on Windows 95/98, Windows NT is the recommended platform. Please refer to the FAQ for the latest recommendations on what platforms are supp orted. The user is presented with a series of 5 tabs through which they progress (from left to right) in using the product. The user invokes the application, sets up network parameters, sets up scan test parameters, executes the scan, generates reports and sets alarm thresholds. By following this series of steps, the user can be alerted to machines which are found in promiscuous mode by reviewing reports or being notified with local alarms, email and subsequently text pagers (that have an email address ).

To start AntiSniff, go to the Start menu, Program Files, and single click on the AntiSniff icon. AntiSniff will be launched and a splash screen will announce its invocation.

AntiSniff will by default, initialize with an "UNTITLED" AntiSniff Session (.ass) file which will load a default set of configuration values. AntiSniff may be initialized with configuration information and data provided by an .ass file passe d to AntiSniff as a parameter during startup. AntiSniff Sessions may also be loaded through the "Open Session" menu item off "File" on the main menu.

There are two network components to configure. The first is host related and is used for specifying a machine or range of machines to run the tests against. The second component is related to your machine’s network interface.

Address radio button – Use this radio button to indicate that an address or address range is used to indicate target machine(s) instead of a Host/Network list.

Start Address field – Populate this field to scan a single machine. For a range of machines, fill in the first machine's IP address in that range.

Range checkbox – Use this checkbox to scan multiple machines if specifying a 'range' of IP addresses rather than specifying hosts from a Host/Network list (file).

End Address field - When scanning a range of machines, fill in the "End Address" field (this value works in conjunction with the 'range' checkbox.

Host/Network List radio button - Use this button to specify machines to be scanned from a file of hostnames or IP addresses.

Host/Network List text box - Use this box to specify what file to use for specifying machines. This box will automatically be populated if you use the "browse" button located to the right of the text box to select a file. Host/Network List files are formatted as a single column of hostnames, ip addresses or address ranges formated as from:to. These values may be mixed within a single file such that the following example entries are all valid:

172.19.1.1

contractor1

miscreant.my.net

ntgateway.my.net

172.16.0.0:172.16.255.254

Interface picklist - This picklist is used to specify which network interface to use. The picklist is derived from all network interfaces on the scanning machine as configured in the control panel.

Network Speed text display - This value is automatically derived from the selected network interface and indicates the network interface speed.

Network Type text display - This value is automatically derived from the selected network interface and indicates the type of network interface.

Bogus MAC Address text box - This field is used to specify what MAC (Medium Access Control) address to use when performing tests which flood the target host(s) with traffic they should not see unless they are sniffing. The suggested value for this field is 66:66:66:66:66:66 as this does not map to any current vendor code and is not a multicast or broadcast address (the second hex digit, reading from the left, is even). Please note that using broadcast or multicast addresses might present unw anted effects.

Bogus IP Addresses text boxes - There are two fields to fill in bogus IP addresses to be used in the tests. These IP addresses should be two different IP addresses that would not be seen on the network segment AntiSniff is running on. These IP addresses are used as bogus source (src) and destination (dst) addresses for certain tests. For more information on how these are used by the tests, see the <a href="http://www.l0pht.com/antisniff/tech-paper.html">AntiSniff Technical O verview</a>. The recommended values for these text boxes are 1.1.1.1 and 1.1.1.2.

There are currently 6 tests which may be configured to run or not run. Some of these tests also include additional parameters specific to the given test (for instance, the number of packets to use for the test). Some tests produce data points (respon se times) over a period of time which are analyzed for deltas whereas other tests simply generate TRUE/FALSE output data points. This tab is also used to configure other attributes of the scan including logging of output, scheduling and data point retent ion.

Detection Tests pane

DNS Test checkbox - Check this box to include the DNS test in the scan. For further details on the DNS test itself, see the DNS Tests section of the <a href="http://www.l0pht.com/antisniff/tech-paper.html">AntiSniff Technical Overview</a>.

ARP Test checkbox - Check this box to include the Address Resolution Protocol (ARP) test in the scan. For further details on the ARP test itself, see the Windows 95,98,NT Host Specific section of the <a href="http://www.l0pht.com/anti sniff/tech-paper.html">AntiSniff Technical Overview</a>.

Ether Ping Test checkbox - Check this box to include the Ether Ping test in the scan. For further details on the Ether Ping test itself, see the Linux and NetBSD Host Specific section of the <a href="http://www.l0pht.com/antisniff/tec h-paper.html">AntiSniff Technical Overview</a>.

ICMP Time Delta Test checkbox - Check this box to include the ICMP Time Delta test in the scan. All four phases of the ICMP Time Delta test are enabled through this checkbox and are not independently configurable. For further details on the ICMP Time Delta test itself, see the Network and Machine Latency Tests section of the <a href="http://www.l0pht.com/antisniff/tech-paper.html">AntiSniff Technical Overview</a>.

Number of Packets text box - Use this box to indicate the number of packets to be used in the ICMP Time Delta Test. The suggested value is 20 packets based on the assumption that the goal is to scan a class C network in a reasonable (not ove rnight) amount of time. Increasing this value will increase the accuracy of the test at the expense of time to run the test. Decreasing this value will shorten the scan time for the test at the expense of accuracy.

Echo Test checkbox - Check this box to include the Echo test in the scan. All four phases of the Echo test are enabled through this checkbox and are not independently configurable. The Echo test is only relevant for hosts running the Echo se rvice. For further details on the Echo test itself, see the Network and Machine Latency Tests section of the <a href="http://www.l0pht.com/antisniff/tech-paper.html">AntiSniff Technical Overview</a>.

Number of Packets text box - Use this box to indicate the number of packets to be used in the Echo Test. The suggested value is 20 packets based on the assumption that the goal is to scan a class C network in a reasonable (not overnight) amo unt of time. Increasing this value will increase the accuracy of the test at the expense of the time to run the test. Decreasing this value will shorten the scan time for the test at the expense of accuracy.

Ping Drop Test checkbox - Check this box to include the Ping Drop test in the scan. Both phases of the Ping Drop test are enabled through this checkbox and are not independently configurable. For further details on the Ping Drop test itself, see the Network and Machine Latency Tests section of the <a href="http://www.l0pht.com/antisniff/tech-paper.html">AntiSniff Technical Overview</a>.

Number of Packets text box - Use this box to indicate the number of packets to be used in the Ping Drop Test. The suggested value is 200 packets based on the assumption that the goal is to scan a class C network in a reasonable (not overnigh t) amount of time. Increasing this value will increase the accuracy of the test at the expense of the time to run the test. Decreasing this value will shorten the scan time for the test at the expense of accuracy.

Log Test Text Output

Log Test Text Output checkbox - Use this box to log output from the "Scan Progress" scrolling text window to a file.

Logfile text box - Use this box to specify what file to use for logging output from the test output. This box will be automatically populated if you use the file browser button located to the right of the text box.

Schedule pane

The AntiSniff session's Schedule does not interface with any job scheduling software. It is simply a schedule on which a scan will initiate the enabled tests to capture new data points. Thus, not only must AntiSniff be running but a scan must be st arted to observe this schedule.

Schedule radio buttons - Select one button to select a schedule:

• Now radio button - Will run now, once.
• Continuously radio button - Will run continuously.
• Wait text box - Use this box to indicate the number of seconds to wait between scans.
• Hourly radio button - Will run every hour, on the hour.
• Daily radio button - Will run every day at the time specified.
• Time control - Use this control to indicate the time of day to run daily or weekly.
• Weekly radio button - Will run every week at the day and time specified.
• Date control - Use this control in conjunction with the time control above to pick the day (and time) to run weekly.

Many of AntiSniff’s capabilities to detect NICs in promiscuous mode depend on long term trending of data points and variances from standard deviations. For this reason, AntiSniff stores data for a given "session" right along with the configu ration information in AntiSniff Session files (.ass files). Storage of data points may cause AntiSniff Session files to grow considerably. For this reason, AntiSniff gives you the ability to manage the number of data points retained for analysis. As th e threshold is reached, the oldest data points for the given AntiSniff Session are thrown away. Maximum Number of Data points text box - Use this box to indicate the maximum number of data points that will be stored for reporting purposes. This n umber should be at least 10 times the number of machines you will be scanning.

Once network and scan configurations have been selected, scans may be initiated by selecting "Tools" off the main menu, then selecting "Start Scan". The scan may also be initiated from the Toolbar by pressing the blue "play" button.

Running the scan will bring you to the "Scan Progress" tab.

Scan progress may be monitored on the "Scan Progress" tab. The machine being scanned is identified at the top of the tab as "Currently Testing:". Text messages are displayed below this, indicating what tests are run, what phase of the test they are performing, the machine being tested, the test validity and other test-specific data such as packets sent, packets received, average response time (in ms), machine reported, promiscuous count, etc... This output is also logged to a file depending on the "Log to file" setting on the "Configure Scan" tab.

Along the bottom of the screen, additional information is displayed including "Total Hosts" and "Hosts Tested" as well as a "Overall Progress" bar. Progress is updated per machine.

Once at least one testing session has been fully run (one set of data points collected), the "Report Generation" tab may be used to view more meaningful results on a machine by machine basis. The "Report Generation" tab is divided into three panes: u pper pane for tabular data, lower left pane for a histogram of ICMP test results and lower right pane for a histogram of "Echo" test results.

<

Along the top of the tab, as well as in the toolbar is a button to generate a machine specific report. Under the "Report on Machine" button two text boxes display the machine and its last scan date and time. Until a machine has been specified, these boxes as well as the tabular data and graphs below will remain blank.

Pressing the "Report on Machine" button will open a dialog box presenting the user with a list of machines included in the session's configuration along with the number of data points collected for that machine. Data points are tied to a specific ses sion configuration and are included along with scan configuration information in AntiSniff's .ass files. Future versions of AntiSniff will support export of these data points for use in other tools such as spreadsheets.

The user must select a machine from the list of machines. Once a machine has been selected, the user must press OK and is returned to the "Report on Machine" tab. All tabular data and graphs will be populated based on that machine's data points.

Tabular data is displayed with test names and phases along the left-hand axis and time/date associated data along the bottom axis. The first three tests (DNS Test Res., ARP Test Res., and Ether Ping Res. are represented by positive/negative values wh ereas all other tests represent response times in ms, packets dropped/sent, or other test specific values. These statuses may be tied into settings on the "Alarms" tab to trigger alarms on values either showing up as positive or changing, as appropriate for the given test. A positive may not necessarily mean that a sniffer has been found. Viewing the options on the "Alarms" tab should reveal when a positive indicates a sniffer or doesn't indicate a sniffer using this logic.

The ICMP Test Timings graph is used to plot the various phases of the ICMP Time Delta Test against each other. The user is presented with 4 lines displaying ICMP responses from the target machine with no flooding, "66" packet flooding, TCP SYN floodi ng and TCP flooding with full three way handshaking. Large variances between lines could indicate a network interface in promiscuous mode or a machine with a network problem. For more information on the ICMP test itself, see the "Overview" section of th is User Guide.

The Echo Test Timings graph is used to plot the various phases of the Echo Test against each other. Please note that the target machine must be running the UDP ECHO service in order for this test to be meaningful. If applicable, the user is presented with 4 lines displaying echo responses from the target machine with no flooding, "66" packet flooding, TCP SYN flooding and TCP flooding with full three way handshaking. Large variances between lines could indicate a network interface in promiscuous mod e or a machine with a network problem. For more information on the Echo test itself, see the "Overview" section of this User Guide.

Please note that with graphs, at least two sets of data points need to be generated for any data to show up. This means that at least two iterations of scans for the given session settings must be run to generate lines on the graphs. As time passes, older data points are thrown out as configured by the user in the "Scan Configuration" tab, "Session Data" pane, "Maximum Number of Data points" text box.

The use of alarms is a key feature in AntiSniff. Users may receive notice of promiscuous machines through local alarms, email and subsequently, email enabled pagers. To define alarms, go to the "Alarms" tab.

Make noise checkbox - Check this box to sound an alarm when thresholds are exceeded.

DNS Test Positive checkbox - Check this box to alarm on machines testing positive for the DNS test.

AntiSniff session configuration and data are stored in AntiSniff's .ass format. To save the current session configuration and data, select "Save Session" from the "File" menu choice off the main menu or use the "Save Session" (floppy disk icon) butto n on the tool bar.

To load AntiSniff session configuration information and data, select "Open Session" from the "File" menu choice off the main menu or use the "Open Session..." (open folder icon) button on the toolbar. The standard Windows "File Open" dialog box will open permitting you to select a saved AntiSniff session (.ass file).

A number of references are available for further information.

For technical details on AntiSniff tests, check out Dr. Mudge'’ technical description

Of particular interest will be

For even more information on Ethernet/MAC addresses, check out

For more information on IP addresses, check out