An Intelligent Approach of Sniffer Detection
Abdul Nasir Khan, Kalim Qureshi, and Sumair Khan
ARP cache poisoning and putting a host's Network Interface Card (NIC) in promiscuous mode are two ways of mounting sniffer
attacks. The ARP cache poisoning attack is effective in an environment that is not broadcast in nature (like a switched LAN
environment), and the other attack is effective in an environment that is broadcast in nature (like hub, bus, and access point LAN
environments). Sniffing is a malicious activity performed by a network user, and because it puts network security at risk,
detecting sniffers is an essential task for maintaining network security. Sniffer detection techniques can be divided into two main
categories. Techniques in the first category detect a sniffer host that runs its NIC in promiscuous mode, and techniques in the
second category detect a sniffer host that uses ARP cache poisoning for sniffing. The network configuration is
hidden from users, who have no information about the nature of the network. A user may therefore
invoke a sniffer detection technique that is not effective in that environment, which may result in sharing private and
confidential information with malicious users. In this paper, we designed an intelligent invocation module that automatically checks the
nature of the environment and invokes the appropriate sniffer detection technique for that environment. With the help
of this invocation module, it is possible to detect passive as well as active sniffer hosts in both environments.
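
For the second category described above, the following added example (not code from the paper, and not the authors' detection technique) shows a common generic check for signs of ARP cache poisoning: watching ARP replies for an IP address whose MAC binding changes and for one MAC address answering for several IP addresses. The function name and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: (seconds, sender IP, sender MAC) from observed ARP replies.
SAMPLE_ARP_REPLIES = [
    (0.0, "192.168.1.1", "aa:aa:aa:aa:aa:01"),   # gateway, first sighting
    (1.0, "192.168.1.10", "aa:aa:aa:aa:aa:10"),
    (2.0, "192.168.1.20", "aa:aa:aa:aa:aa:20"),
    (5.0, "192.168.1.1", "aa:aa:aa:aa:aa:20"),   # gateway IP now claimed by .20's MAC
    (6.0, "192.168.1.10", "aa:aa:aa:aa:aa:10"),  # unchanged binding, not flagged
]


def find_arp_anomalies(replies):
    """Return (changed_bindings, shared_macs) for a list of ARP reply records.

    changed_bindings: (time, ip, first_seen_mac, new_mac) for every reply whose
        MAC differs from the first MAC seen for that IP.
    shared_macs: {mac: [ips]} for every MAC that answered for more than one IP.

    Both are indicators only. DHCP lease reuse, NIC replacement, proxy ARP and
    multi-homed hosts produce the same patterns, so hits need triage.
    """
    first_seen = {}                  # ip -> first MAC observed for it
    ips_by_mac = defaultdict(set)    # mac -> every IP it has claimed
    changed = []

    for ts, ip, mac in sorted(replies):
        mac = mac.lower()            # normalise case before comparing
        ips_by_mac[mac].add(ip)
        known = first_seen.setdefault(ip, mac)
        if known != mac:
            changed.append((ts, ip, known, mac))

    shared = {m: sorted(ips) for m, ips in ips_by_mac.items() if len(ips) > 1}
    return changed, shared


if __name__ == "__main__":
    changed, shared = find_arp_anomalies(SAMPLE_ARP_REPLIES)
    for ts, ip, old, new in changed:
        print(f"t={ts}: {ip} moved from {old} to {new}")
    for mac, ips in shared.items():
        print(f"{mac} answers for {', '.join(ips)}")
```
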
Abdul Nasir Khan received the MCS and MS (CS) degrees from the COMSATS Institute of Information Technology, Abbottabad, in 2005 and 2008, respectively. Currently, he is a lecturer in the Department of Computer Science, COMSATS Institute of Information Technology. His research interests are in various aspects of network security and their applications.

Kalim Qureshi is a professor in the Computer Science Department, COMSATS Institute of Information Technology, Abbottabad, Pakistan. He is an approved supervisor for the M.S. and Ph.D. thesis by the High Education Commission, Islamabad, Pakistan. His research interests include network parallel distributed computing, thread programming, concurrent algorithms designing, task scheduling, and performance measurement. He is a member of IEE Japan and IEEE Computer Society.

Sumair Khan received the MCS and MS (CS) degrees from the COMSATS Institute of Information Technology, Abbottabad, in 2004 and 2007, respectively. Currently, he is a lecturer in the Department of Computer Science, COMSATS Institute of Information Technology. His research interests are in various aspects of network security and their applications.