The AntiAntiSniffer Sniffer

This was an entertaining little one-off. Basically, it started with the l0pht announcing a sniffer detection utility on Friday, July 23, 1999. Coincidentally, I was bored late that night at the NCSA when I was reading their announcement, and decided I'd spend the night defeating their program. Normally I would have just gone home, but when I realized that I could call my program The AntiAntiSniffer Sniffer, I couldn't resist. I worked through the night and the next day, and by Sunday I had come up with something that, in theory, defeated all of their methods of sniffer detection, 3 days before they actually released the detector.

It wasn't long before I was familiar enough with networking protocols that I realized I could write a helper program for AASS that would defeat "automatic" ethernet switches. I got the program (called AntiSwitch) to a point where it would route most of the traffic in my building through my port via either ARP spoofing or port MAC overflow. Unfortunately, however, I lived in a building that was partially switched, and other machines on the same broadcast segment as me would complain about another ether address stealing their IP. I came up with a method to detect which IPs were "local" and which were switched, but there are still some bugs, and it doesn't work all the time.
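The two switch-defeating tricks named above (ARP spoofing and MAC table overflow) both leave visible traces on the wire, and the "another ether address is stealing my IP" complaint from the other hosts is exactly such a trace. The following is an added example, not code from AASS or AntiSwitch, of a small passive ARP monitor written from the defender's side: it parses raw Ethernet/ARP frames, learns IP-to-MAC bindings, and raises an alert when an IP is claimed by a second MAC, when the ARP sender address disagrees with the Ethernet source address, or when an unusually large number of distinct source MACs shows up (the signature of a CAM table flood). The frames, addresses and the flood threshold are all constructed for the demo; on a real host the frames would come from a raw socket or libpcap, which this example does not include.

```python
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(b):
    return ':'.join(f'{x:02x}' for x in b)


def ip_str(b):
    return '.'.join(str(x) for x in b)


def parse_arp(frame):
    """Parse an Ethernet II frame; return ARP fields, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack('!H', frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack('!HHBBH', frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        'eth_src': mac_str(frame[6:12]),   # Ethernet source address
        'op': op,
        'sha': mac_str(frame[22:28]),      # ARP sender hardware address
        'spa': ip_str(frame[28:32]),       # ARP sender protocol (IP) address
        'tpa': ip_str(frame[38:42]),       # ARP target IP address
    }


class ArpMonitor:
    """Passive watcher: learns IP->MAC bindings from ARP and records alerts for
    conflicting claims, sender/source mismatches and source-MAC floods."""

    def __init__(self, flood_threshold=50):
        self.bindings = {}           # sender IP -> MAC; the first binding seen wins
        self.source_macs = set()     # distinct Ethernet source addresses seen so far
        self.flood_threshold = flood_threshold   # assumed demo value, tune per segment
        self.alerts = []

    def observe(self, frame):
        # Count distinct source MACs on every frame, ARP or not: a CAM overflow
        # shows up as a burst of addresses the segment has never seen before.
        self.source_macs.add(mac_str(frame[6:12]))
        if len(self.source_macs) == self.flood_threshold:
            self.alerts.append(('mac-flood', len(self.source_macs)))
        arp = parse_arp(frame)
        if arp is None:
            return
        # A forged ARP payload often carries a sender address that differs from
        # the address the frame was actually sent from.
        if arp['sha'] != arp['eth_src']:
            self.alerts.append(('sha-mismatch', arp['spa'], arp['eth_src'], arp['sha']))
        # The same IP claimed by a second MAC is the conflict the other hosts complained about.
        known = self.bindings.setdefault(arp['spa'], arp['sha'])
        if known != arp['sha']:
            self.alerts.append(('ip-conflict', arp['spa'], known, arp['sha']))


def arp_frame(op, sha, spa, tha, tpa, eth_src=None):
    """Build a constructed 42-byte Ethernet+ARP frame for the demo (not captured traffic)."""
    eth_src = sha if eth_src is None else eth_src
    eth_dst = b'\xff' * 6 if op == ARP_REQUEST else tha
    eth = eth_dst + eth_src + struct.pack('!H', ETH_P_ARP)
    arp = struct.pack('!HHBBH', 1, 0x0800, 6, 4, op) + sha + spa + tha + tpa
    return eth + arp


def run_demo():
    """Feed the monitor a constructed sequence of frames and return the alerts it raised."""
    mon = ArpMonitor(flood_threshold=20)
    gw_mac, gw_ip = bytes.fromhex('020000000001'), bytes([10, 0, 0, 1])
    host_mac, host_ip = bytes.fromhex('020000000002'), bytes([10, 0, 0, 2])
    rogue_mac = bytes.fromhex('02000000ff99')
    # 1. A normal exchange: the host asks for the gateway, the gateway answers.
    mon.observe(arp_frame(ARP_REQUEST, host_mac, host_ip, b'\x00' * 6, gw_ip))
    mon.observe(arp_frame(ARP_REPLY, gw_mac, gw_ip, host_mac, host_ip))
    # 2. A second station claims the gateway's IP -> ip-conflict.
    mon.observe(arp_frame(ARP_REPLY, rogue_mac, gw_ip, host_mac, host_ip))
    # 3. ARP sender address does not match the Ethernet source -> sha-mismatch.
    mon.observe(arp_frame(ARP_REPLY, gw_mac, gw_ip, host_mac, host_ip, eth_src=rogue_mac))
    # 4. A burst of frames from 25 never-seen source addresses -> mac-flood at the threshold.
    for i in range(25):
        mac = bytes.fromhex('0200001000') + bytes([i])
        mon.observe(arp_frame(ARP_REQUEST, mac, bytes([10, 0, 1, i]), b'\x00' * 6, gw_ip))
    return mon.alerts


if __name__ == '__main__':
    for alert in run_demo():
        print(alert)
```

The "first binding wins" rule in `bindings` is deliberately simple: it means a legitimate change of hardware (a host getting a new NIC) also fires an `ip-conflict`, so in practice the alert is a prompt to check, not proof of spoofing. The flood check keys on distinct source MACs rather than frame rate because a quiet segment with a few dozen hosts should never see hundreds of new addresses in one window.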

As it turns out, while developing this functionality, I suspected that some of the bugs I was having were related to problems in my hash table code. Specifically, memory corruption, stray pointers, memory leaks, etc. I needed a general purpose, FAST (I had to keep up with network traffic even while debugging; after all, while running this program I AM the network fabric :), and lightweight malloc debugger. Unfortunately, I couldn't find one that met all my needs. So I did what any self-respecting hacker would do: I wrote my own.

Eventually, while I worked on NJAMD, a utility called Ettercap appeared, relegating this toy to just a tiny footnote in history.

The Code