Malicious sniffing systems detection platform

Zouheir Trabelsi, Hamza Rahmani, Kamel Kaouech, Mounir Frikha

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

28 Citations (Scopus)

Abstract

Among various types of attacks on an Ethernet network, "sniffing attack" is probably one of the most difficult attacks to handle. Sniffers are programs that allow a host to capture any packets in an Ethernet network, by putting the host's Network Interface Card (NIC) into the promiscuous mode. When a host's NIC is in the normal mode, it captures only the packets sent to the host. Since many basic services, such as FTP and SMTP, send passwords and data in clear text in the packets, Sniffers can be used by hackers to capture passwords and confidential data. This paper presents the design and implementation of two different techniques which can be used to detect any host running a Sniffer on an Ethernet network. The first technique, the ARP (Address Resolution Protocol) detection, attempts first to send trap ARP request packets with fake hardware addresses, to a suspicious host. Then, based on the generated responses (ARP reply packets) and the operating system (OS) of the suspicious host, a decision is made on whether or not the suspicious host is running a Sniffer. The second technique, the RTT detection, uses the measurement of the RTT (Round-Trip Time) of ICMP packets sent to suspicious hosts. Then, using a statistical model (the z-statistics), a probabilistic decision is made. The two techniques are implemented in two tools that automatically give system administrators a helping hand regarding the detection of Sniffers on an Ethernet network. Related and future works are discussed.

Original language: English
Title of host publication: Proceedings - 2004 International Symposium on Applications and the Internet (Saint 2004)
Pages: 201-207
Number of pages: 7
Publication status: Published - 2004
Externally published: Yes
Event: Proceedings - 2004 International Symposium on Applications and the Internet (Saint 2004) - Tokyo, Japan
Duration: Jan 26 2004 to Jan 30 2004

Publication series

Name: Proceedings - International Symposium on Applications and the Internet

Other

Other: Proceedings - 2004 International Symposium on Applications and the Internet (Saint 2004)
Country/Territory: Japan
City: Tokyo
Period: 1/26/04 to 1/30/04

ASJC Scopus subject areas

  • General Engineering
