Do packet sniffers need to load at boot time?

Posted on 2005-04-14
Last Modified: 2013-12-04

The company I work for is considering purchasing a security product that attempts to prevent the workstation from running a packet sniffer. (It does a lot more than that, but I have questions about this function.) For Windows, it only detects whether a sniffer is running on the workstation at boot time. Supposedly it detects "unusual interactions" with the NIC / NDIS.


Is there anything inherent in Windows that would require a sniffer to load & interact with NDIS at boot time, or could a sniffer be loaded after boot time? My concern is that this product may be specifically targeting two sniffers that just happen to load at boot time; their literature specifically mentions WinDump and dsniff.

BTW, I realize this product does not prevent the "protected" workstation from being eavesdropped on by another "unprotected" machine sniffing on the network; it only prevents the "protected" machine from becoming an eavesdropper.

Thanks in advance,
Question by: parkerea

    Expert Comment by: Rich Rumble (LVL 38)
    Most would load after booting, as they would certainly rely on the OS for its functions. Ethereal and Tcpdump are more popular than dsniff. What they are detecting is if the NIC is in promiscuous mode.

    It's simple to write a program or script that can detect the most popular "sniffing" programs... that's a no-brainer. There are techniques to detect NICs listening in promiscuous mode using ARP responses as outlined in the pdf above, and it's also easy to detect a NIC on the local machine in promisc mode.

    Author Comment

    Thank you richrumble -- tremendous info. Since I am wondering if it is valid to only check for the existence of a sniffer at boot time, perhaps the root question should be something like "Can a NIC be changed to promiscuous mode after boot time, or after logging onto Windows XP?"

    Thanks again,

    Accepted Solution (LVL 38)

    I think that they are changed exclusively after boot time. Unless there is some sort of "root-kit" that may be in place doing this before the OS has fully loaded. The default for NICs is always in normal mode in M$. I'm not sure there is a registry entry or anything that can be set to make the NIC come up automatically in promisc mode.
    Even the presence of M$ Network Monitor doesn't mean it's in promisc. I think it's actually kept in the NDIS driver.
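
The accepted answer's point is that promiscuous mode is a runtime state, so a one-time boot check can miss it. The following is an added example, not code from the thread: it reads the same kind of per-interface flag on Linux (via `ip -o link show` and the sysfs `flags` mask), where the state is readable from user mode, and is meant to be re-run on a schedule; the `ip` output embedded below is constructed, not captured from a real host.

```python
import re
import subprocess

# IFF_PROMISC from the Linux <linux/if.h> flag set; /sys/class/net/<if>/flags is a hex mask.
IFF_PROMISC = 0x100

# Constructed sample of `ip -o link show` output (one interface per line, not from a real host).
SAMPLE_IP_LINK = (
    "1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN\n"
    "2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP\n"
    "3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP\n"
)

# "<index>: <name>[@parent]: <FLAG,FLAG,...> ..." as printed by `ip -o link show`
LINK_RE = re.compile(r"^\d+:\s+([^:@\s]+)(?:@\S+)?:\s+<([^>]*)>")


def promisc_from_flags(flags: int) -> bool:
    """True when the IFF_PROMISC bit is set in a /sys/class/net/<if>/flags value."""
    return bool(flags & IFF_PROMISC)


def parse_ip_link(text: str) -> dict:
    """Map interface name -> set of link flags from `ip -o link show` output."""
    result = {}
    for line in text.splitlines():
        m = LINK_RE.match(line)
        if m:
            result[m.group(1)] = set(m.group(2).split(","))
    return result


def promisc_interfaces(text: str) -> list:
    """Interfaces whose link flags include PROMISC, in the order listed."""
    return [name for name, flags in parse_ip_link(text).items() if "PROMISC" in flags]


def check_live() -> list:
    """Run the same check against the live host; returns [] where `ip` is unavailable."""
    try:
        out = subprocess.run(["ip", "-o", "link", "show"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return []
    return promisc_interfaces(out)


if __name__ == "__main__":
    # Schedule this (cron / scheduled task): a single boot-time check cannot see an
    # interface that is switched to promiscuous mode later in the session.
    print("sample:", promisc_interfaces(SAMPLE_IP_LINK))
    print("live:", check_live())
```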


    Author Comment

    Thank you. Although my assignment is to evaluate whether this security product will interfere with our department's home-grown apps, I feel I should also put some effort into evaluating its effectiveness -- the project manager is not that technical, and IMHO has a rather odd view of security (long ago I realized she installed Timbuktu without disabling the default password, and when I pointed it out, rather than thanking me she screamed to the dept manager that I was "hacking into their network.")

    - parkerea
