To audit network traffic you need a program such as a sniffer that listens to the traffic and analyzes what it captures. If you have ever used the network monitor bundled with Windows or Solaris, you are already familiar with sniffers. Commercial sniffers gather statistics and can raise alerts on configurable thresholds and defined events. One free collection of tools that has been around for a few years is dsniff.
The dsniff collection includes tools such as dsniff (which picks cleartext passwords and other interesting data out of passing traffic), filesnarf (which reassembles files from NFS traffic), dnsspoof (which answers DNS queries with forged replies) and macof (which floods a switch's address table so that it falls back to repeating traffic to every port, putting supposedly private switched traffic within reach of a sniffer). Two other programs in the package, sshmitm and webmitm, do not protect against what are referred to as "active monkey in the middle" attacks; they carry them out. In these attacks SSH and HTTPS traffic is redirected to the attacker's machine (typically with dnsspoof or the package's arpspoof), which poses as the server to the client and as the client to the real server, so the session can be read or hijacked in spite of its encryption. The only trace the user sees is a changed host key or certificate warning, which is why such warnings must never be waved through.
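Because the redirection behind sshmitm and webmitm is usually arranged by poisoning ARP caches, one audit check worth having is a watch on ARP replies for an IP address whose claimed MAC changes, or a single MAC that claims several addresses (what arpspoof does when it impersonates both the gateway and the victim). The following Python script is an added example, not code from the original article or from the dsniff package; it parses raw Ethernet/ARP frames and runs both checks over a constructed sample exchange whose addresses (a gateway at 10.0.0.1, a victim at 10.0.0.5 and an attacker MAC of 00:11:22:33:44:66) are assumptions.

```python
"""Flag ARP-cache poisoning in a stream of raw Ethernet frames (added example)."""
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800
ARP_REPLY = 2


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Build an Ethernet II frame carrying an IPv4-over-Ethernet ARP reply.
    Used here only to construct sample input; a poisoner sends frames of this shape."""
    eth = struct.pack("!6s6sH", mac_bytes(target_mac), mac_bytes(sender_mac), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, ARP_REPLY)
    arp += struct.pack("!6s4s6s4s", mac_bytes(sender_mac), ip_bytes(sender_ip),
                       mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return the fields of an IPv4/Ethernet ARP packet, or None if the frame is something else."""
    if len(frame) < 42:                      # 14-byte Ethernet header + 28-byte ARP packet
        return None
    _dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, ETHERTYPE_IPV4, 6, 4):
        return None
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {"oper": oper, "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}


def audit_arp(frames):
    """Two checks over ARP replies: an IP whose claimed MAC changes, and one MAC claiming several IPs."""
    first_mac = {}                 # sender IP -> MAC that first claimed it
    ips_by_mac = defaultdict(set)  # sender MAC -> every IP it has claimed
    ip_conflicts = []
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None or arp["oper"] != ARP_REPLY:
            continue
        ip, mac = arp["spa"], arp["sha"]
        ips_by_mac[mac].add(ip)
        known = first_mac.setdefault(ip, mac)
        if known != mac:
            ip_conflicts.append((ip, known, mac))
    multi_ip_macs = {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) > 1}
    return {"ip_conflicts": ip_conflicts, "multi_ip_macs": multi_ip_macs}


# Constructed sample (assumed addresses): two hosts, then an attacker poisoning both directions.
GATEWAY_MAC, GATEWAY_IP = "00:11:22:33:44:01", "10.0.0.1"
VICTIM_MAC, VICTIM_IP = "00:11:22:33:44:05", "10.0.0.5"
ATTACKER_MAC = "00:11:22:33:44:66"

SAMPLE_FRAMES = [
    build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),    # legitimate reply
    build_arp_reply(VICTIM_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),    # legitimate reply
    b"\xff" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + b"\x00" * 40,   # non-ARP frame, ignored
    build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),   # attacker poses as gateway
    build_arp_reply(ATTACKER_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),  # attacker poses as victim
]

if __name__ == "__main__":
    report = audit_arp(SAMPLE_FRAMES)
    for ip, old, new in report["ip_conflicts"]:
        print(f"ALERT: {ip} was at {old}, now claimed by {new}")
    for mac, ips in report["multi_ip_macs"].items():
        print(f"ALERT: {mac} claims {', '.join(ips)}")
```

On a real network you would feed audit_arp the raw frames from a capture file or a raw socket instead of SAMPLE_FRAMES. Note that the first check trusts whichever mapping it sees first, so an attacker who starts poisoning before the monitor starts is not caught by it; in production, seed first_mac from a known-good inventory of addresses rather than from the wire.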
A two-part article on IBM's developerWorks site is a very good introduction to the use of these tools, how they work, and what they can and cannot do. The articles are "On the lookout for dsniff" and "On the lookout for dsniff, part 2".
Barrie Sosinsky is president of consulting company Sosinsky and Associates (Medfield MA). He has written extensively on a variety of computer topics. His company specializes in custom software (database and Web related), training and technical documentation.
This was first published in December 2003