port sniffers

What exactly is a port sniffer? How does it work, and can one be coded in a high-level language such as C++ or something?

darn. And I thought this was gonna be a thread about quality red wines.

Well, what’s your take on KJ Merlot?

A port or packet sniffer is a device used to capture data and analyze it. The analysis and capture is a software function, but it is often put on a dedicated piece of hardware with an assortment of physical port types to handle different traffic types. Sniffers are most commonly used to diagnose network problems; an example would be watching TCP/IP traffic for retransmits, beaconing stations, ethernet collisions, etc. I.e., you can watch for errors in the transport (ethernet, tokenring) as well as errors in the sessions (TCP/IP, IPX/SPX).
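Since the question was whether one of these can be coded in a high-level language: the capture half needs a raw socket or a capture library (and root), but the analysis half is just header decoding. Here is that analysis step as an added example (not code from anyone in this thread). The frame bytes are constructed by hand, a TCP SYN from 192.168.1.10:40000 to 10.0.0.5:80, so it runs offline; all MACs, addresses and ports in it are made up.

```python
"""Decode one Ethernet/IPv4/TCP frame the way a sniffer's analysis stage does.
Added example for this thread; the frame below is constructed, not captured."""
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
TCP_FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                  (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header whose checksum
    field has already been zeroed."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_frame(frame: bytes) -> dict:
    """Parse Ethernet -> IPv4 -> TCP headers and return the interesting fields.
    Every length field is checked before it is used: a decoder that indexes
    blindly into attacker-controlled bytes is itself a target."""
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("frame shorter than an Ethernet header")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not IPv4, ethertype 0x%04x" % ethertype)

    ip = frame[ETH_HDR_LEN:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("truncated or non-IPv4 header")
    ihl = (ip[0] & 0x0F) * 4                     # header length in bytes
    if ihl < 20 or len(ip) < ihl:
        raise ValueError("bad IHL %d" % ihl)
    total_len, ident, flags_frag, ttl, proto, hdr_csum = struct.unpack("!HHHBBH", ip[2:12])
    if total_len < ihl or total_len > len(ip):
        raise ValueError("IPv4 total length %d inconsistent with frame" % total_len)
    zeroed = ip[:10] + b"\x00\x00" + ip[12:ihl]  # checksum field zeroed for recompute
    result = {
        "src_mac": src_mac.hex(":"),
        "dst_mac": dst_mac.hex(":"),
        "src_ip": ".".join(str(b) for b in ip[12:16]),
        "dst_ip": ".".join(str(b) for b in ip[16:20]),
        "ttl": ttl,
        "protocol": proto,
        "ip_checksum_ok": ip_checksum(zeroed) == hdr_csum,
    }
    if proto == PROTO_TCP:
        tcp = ip[ihl:total_len]
        if len(tcp) < 20:
            raise ValueError("truncated TCP header")
        sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
        data_off = (off_flags >> 12) * 4         # TCP header length in bytes
        if data_off < 20 or data_off > len(tcp):
            raise ValueError("bad TCP data offset %d" % data_off)
        result.update({
            "src_port": sport,
            "dst_port": dport,
            "seq": seq,
            "ack": ack,
            "tcp_flags": [name for bit, name in TCP_FLAG_NAMES if off_flags & bit],
            "payload": tcp[data_off:],
        })
    return result


def build_sample_frame() -> bytes:
    """Construct the sample SYN frame used here (made-up addresses)."""
    eth = struct.pack("!6s6sH", bytes.fromhex("001122334455"),
                      bytes.fromhex("66778899aabb"), ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1000, 0,
                      (5 << 12) | 0x02,          # data offset 5 words, SYN set
                      65535, 0, 0)               # window, checksum (unset), urgent ptr
    ip_wo_csum = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234,
                             0x4000, 64, PROTO_TCP, 0,
                             bytes([192, 168, 1, 10]), bytes([10, 0, 0, 5]))
    ip = ip_wo_csum[:10] + struct.pack("!H", ip_checksum(ip_wo_csum)) + ip_wo_csum[12:]
    return eth + ip + tcp


SAMPLE_FRAME = build_sample_frame()

if __name__ == "__main__":
    for key, value in decode_frame(SAMPLE_FRAME).items():
        print("%-15s %r" % (key, value))
```

Flip any header byte (the TTL, say) and the checksum check fails, which is exactly the kind of corrupted-packet symptom a sniffer is bought to find. The TCP checksum is not verified here because it needs a pseudo-header built from the IP addresses; adding that is the obvious next step.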

I don’t think I’ve run across the term “port sniffer” before.

A data sniffer or just a sniffer is - as LocalLoop describes - a capture/analysis tool used to monitor and troubleshoot networks. IIRC, Data General actually uses the name “Sniffer” for their (excellent but pricy) LAN product.

A port scanner is a piece of software used to find security holes in a network. It’ll run through a list of IP addresses and attempt to connect using, for instance, telnet, finger, SNMP etc. (those protocols use different port numbers, hence “port” scanner) and give the user - who might be an annoying hacker or a high-paid security consultant - a list of addresses/protocols that responded. If, for instance, a router somewhere in a network responds to a telnet login attempt from the world at large, it’s a rather obvious security risk.

You’ll probably stand a better chance of coding a port scanner than a data sniffer. Be advised that good firewalls will detect port scans and that ISPs seriously dislike people who mess around with software of this sort. To the point of reporting them to public authorities.

S. Norman
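To make the "you stand a better chance of coding a port scanner" point concrete, here is a minimal TCP connect scanner as an added example (mine, not S. Norman's). It only ever touches 127.0.0.1: it opens its own listener to have a known-open port and binds (without listening on) a second port to have a known-closed one, so it runs offline and annoys no ISP. The function names are my own.

```python
"""Minimal concurrent TCP connect scanner. Added example; scans loopback only."""
import socket
from concurrent.futures import ThreadPoolExecutor


def probe_port(host: str, port: int, timeout: float = 0.5) -> str:
    """connect() to one port and classify the answer.
    open     -> handshake completed, something is listening
    closed   -> host answered with RST, nothing listening
    filtered -> no answer before the timeout, usually a firewall dropping the SYN
    error    -> some other failure (host unreachable, etc.)"""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return "closed"
        except (socket.timeout, TimeoutError):
            return "filtered"
        except OSError:
            return "error"
        return "open"


def scan_ports(host: str, ports, timeout: float = 0.5, workers: int = 64) -> dict:
    """Probe many ports concurrently; returns {port: state}."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = pool.map(lambda p: probe_port(host, p, timeout), ports)
        return dict(zip(ports, states))


def service_name(port: int) -> str:
    """Best-effort well-known name from the system services table (23 -> telnet)."""
    try:
        return socket.getservbyport(port, "tcp")
    except OSError:
        return "unknown"


def open_test_listener():
    """Listen on a loopback port so the scan has a guaranteed 'open' target.
    Returns (socket, port); keep the socket alive while scanning."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(5)
    return s, s.getsockname()[1]


def reserve_closed_port():
    """Bind but do not listen: the kernel owns the port, so nothing else can
    appear on it, yet incoming connects are refused with RST."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    return s, s.getsockname()[1]


if __name__ == "__main__":
    listener, open_port = open_test_listener()
    reserved, closed_port = reserve_closed_port()
    try:
        for port, state in sorted(scan_ports("127.0.0.1", [open_port, closed_port]).items()):
            print("%5d/tcp %-8s %s" % (port, state, service_name(port)))
    finally:
        listener.close()
        reserved.close()
```

Note the three outcomes: a "filtered" result (timeout) is the signature of a firewall that drops rather than refuses, and it is the same firewall that will log the scan, which is the warning in the post above.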

  • “port sniffers” do indeed exist outside the lovely city of Oporto.

Apparently (this is a little out of my field), a port sniffer is used when you want to analyze/debug the output on a physical port (doh), a COM or LPT, for instance. In order to code a port sniffer, you’d presumably need some pretty low-level access to the controller you’re using to communicate with the port you’re sniffing and some hard-core knowledge of the expected behavior. Have fun!

S. Norman

Along these lines, is there a software package that’s available for Windows (any version) which will log all the IP traffic going out/coming in to my system? There are times when I want to do this, such as when I wonder if some software is spyware, transmitting info back to a host somewhere.

TCPScan is a great shareware tool that works under NT to scan if ports are “alive”, and what type of traffic they are expecting (TCP or UDP). It does not sniff data or crack. It has a very legitimate use here at work - we use it to test if ports are alive on machines we set up (since there is no easy way to “ping” a port, so to speak.)

And ports are not technically red wines…more fortified red wines, yes?

(Una loves port even if the hangovers are hellacious…I should open another bottle of Sandeman’s now…)

Ftp software has a product called LanWatch that might be what you need, however, since they’ve been bought out, I can’t find any reference to it on the NetManage site, although it seems to be available from various hacker sites.

Try this to see if it’s what you want:

http://www.lansleuth.com/

While port scanners have a valuable place within the IT community, they are also a primary tool of the computer underground.

Most backdoor trojans, for example, open a specific port on the victim’s computer. By scanning a broad range of addresses, those poor infected souls can be ferreted out by those in possession of the trojan’s client.

For instance, the trojan “Sub7” normally opens port 27374. By scanning that single port on every IP for xxx.xxx.xxx, you could find people that are probably infected with Sub7. If you are in possession of the Sub7 client, you could connect to one of those IPs on port 27374, and do pretty much whatever to that person’s computer.

So the port scanner is used to find victims, but it does no actual damage in and of itself. As was mentioned earlier, more common ports, like Telnet, can also be scanned.

And they can be easily coded (assuming you have the programming knowledge) with C++, Assembly, VB, or whatever…just by utilizing a few common .DLL and .OCX libraries.

A good firewall offers protection against both scanners and their associated backdoor trojans…but in a pinch, the DOS “Netstat -a” command can help too.

-David

I was disappointed. I dig the 98 La Playa Merlot, tho.

Ok, so a port is where all the IPs log onto? So even though my IP is xxx.xx.xxx I’m still logged onto port 2351 or whatever?

cykrider wrote:

With the Internet Protocol (IP), you have Transfer Control Protocol (TCP) or Universal Datagram Protocol (UDP). With both TCP (more common) and UDP, each data packet has a sender “port” and a recipient “port”. The port is really just a number that gets placed into that packet. But your TCP/IP software sees that something is coming in for port number 3633 for example, and it knows that your Internet Explorer software has used that number for a connection that it has to http://www.oohbaby.com, so it sends the data to IE. You could also concurrently have a different application connected to that or any other remote site, but it would get a different local port number, so that your TCP/IP knows which application program to give the data to.

Remote port numbers usually indicate the kind of connection desired, e.g., 80 means that you want to connect with HTTP and 15 (I think) means that you want to connect with FTP. Your machine sends an IP data packet to that site, telling it the IP address the request is coming from, the port number it wants a connection on (indicating what service it wants), and a port number for the requesting computer (which is assigned by that requesting computer pretty much randomly). So assuming that the server accepts the request, it sends the data packet back, but changes around the sender addresses and port numbers.
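The explanation above (well-known port on the remote side, a locally assigned port on the requesting side, and the server's reply carrying the same pair swapped around) can be watched directly with sockets. This is an added example, not code from anyone in the thread: it opens two concurrent connections to a local listener and reports the (address, port) pairs each end sees. The function name is my own.

```python
"""Show the local/remote port pairs of two concurrent TCP connections.
Added example for this thread; loopback only."""
import socket


def connection_tuples() -> dict:
    """Open two client connections to a local server and return what each
    side reports via getsockname() (own end) and getpeername() (far end)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the kernel pick the listening port
    srv.listen(5)
    listen_port = srv.getsockname()[1]

    clients, server_side = [], []
    try:
        for _ in range(2):
            c = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            c.connect(("127.0.0.1", listen_port))   # local port assigned by the kernel
            clients.append(c)
            conn, _peer = srv.accept()              # server's socket for this connection
            server_side.append(conn)
        return {
            "listen_port": listen_port,
            "client_local": [c.getsockname() for c in clients],
            "client_remote": [c.getpeername() for c in clients],
            "server_local": [s.getsockname() for s in server_side],
            "server_remote": [s.getpeername() for s in server_side],
        }
    finally:
        for s in clients + server_side + [srv]:
            s.close()


if __name__ == "__main__":
    t = connection_tuples()
    print("server listening on port", t["listen_port"])
    for i in range(2):
        print("connection %d: client sees %s -> %s ; server sees %s -> %s" % (
            i + 1, t["client_local"][i], t["client_remote"][i],
            t["server_local"][i], t["server_remote"][i]))
```

Both clients talk to the same remote port, each gets a different local port (that is how the TCP/IP stack tells the two apart), and the server's view of every connection is the client's view with the two ends exchanged.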