To audit network traffic you need to employ a program like a sniffer to listen to your traffic and analyze the results. If you've ever used a network monitor such as Windows' or Solaris', then you are familiar with sniffers. Commercial sniffers gather statistics and can work with various threshold and defined events. One collection of tools that has been around a few years is dsniff 2.3. This is actually a set of tools that not only audit, but test for network penetration. These programs can run on OpenBSD (x86), Red Hat Linux (x86), and Solaris (SPARC). It's been reported that users have been able to run these programs on FreeBSD, Debian Linux, Slackware Linux, AIX, and HP-UX. A version of dsniff has also been ported to Windows and MacOS X.
The dsniff ensemble includes the following tools: dsniff, filesnarf, dnsspoof, and macof, all of which intercept traffic that is protected from outsiders. Other programs such as sshmitm and webmitm in the package protect against what are referred to as "active monkey in the middle" attacks. In these sorts of attacks SSH and HTTPS traffic is redirected to another destination.
A two-part story on IBM's DeveloperWorks site is a very good introduction to the use of this tool, how it functions, and what it can and can't do. These articles are: "On the lookout for dsniff" and "On the Lookout for dsniff, part 2".
Barrie Sosinsky is president of consulting company Sosinsky and Associates (Medfield MA). He has written extensively on a variety of computer topics. His company specializes in custom software (database and Web related), training and technical documentation.
