
network traffic

Status
Not open for further replies.

LIGWY

Civil/Environmental
Nov 11, 2005
78
US
I was going through a co-worker's computer and found a program used for viewing traffic on a network. I believe it was called show traffic. Should this be a concern for our company?
We are a civil engineering firm and I do not understand why he would have this. I talked to a computer expert in the area and he mentioned that most hackers use this software, is this true?
 

Hackers have _collections_ of such software... but it has legitimate uses, too.

E.g., it's fairly common for a network interface to malfunction by 'jabbering', i.e., generating a continuous string of messages that are empty (but consume bandwidth because empty messages have a non-zero length), or contain gibberish. Using a 'sniffer' program is often the fastest way to identify _which_ network interface is responsible, by examining the packet headers.

Such programs are also useful in mapping the traffic on a network, so that, for instance, two computers that mostly talk to each other can be physically connected to the same router, relieving the remainder of the network from the burden of carrying the traffic that only goes from one to the other.

There is little legitimate reason for examining the _content_ of the network traffic, which in the case of CAD files is carried in a form that only makes sense to an application program, and is not very dense, so you need to collect a lot of it to glean anything useful. This is of course not true for email messages, which are easy enough to read, but most corporate networks carry so much dreck that finding anything of significance requires some effort.

In any case, the material captured is usually stored on the capturing machine in (typically very large) log files, which may still be accessible if you believe there is a reason for further forensics.



Mike Halloran
Pembroke Pines, FL, USA
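As an added illustration of the two legitimate uses described above (finding which interface is flooding the wire, and mapping which hosts mostly talk to each other), the following Python is example code written for this page; it is not a tool from the original thread. It builds a small constructed pcap in memory (Ethernet/IPv4/UDP frames, checksums left at zero, hypothetical MAC and IP addresses) and then answers both questions from packet headers alone, never looking at payload content.

```python
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4  # classic libpcap magic, native byte order


def build_frame(src_mac, dst_mac, src_ip, dst_ip, payload):
    """Assemble an Ethernet II / IPv4 / UDP frame. Constructed sample traffic;
    IP and UDP checksums are left at zero because the parser never verifies them."""
    eth = (bytes.fromhex(dst_mac.replace(':', ''))
           + bytes.fromhex(src_mac.replace(':', ''))
           + b'\x08\x00')                       # ethertype IPv4
    udp_len = 8 + len(payload)
    udp = struct.pack('!HHHH', 40000, 5000, udp_len, 0) + payload
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     bytes(int(o) for o in src_ip.split('.')),
                     bytes(int(o) for o in dst_ip.split('.')))
    return eth + ip + udp


def build_pcap(frames):
    """Wrap frames in a pcap file: 24-byte global header, 16-byte record headers."""
    out = struct.pack('<IHHiIII', PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack('<IIII', i, 0, len(f), len(f)) + f     # ts_sec, ts_usec, incl, orig
    return out


def parse_pcap(data):
    """Yield (src_mac, dst_mac, src_ip, dst_ip, frame_len) per record, headers only."""
    magic, = struct.unpack_from('<I', data, 0)
    if magic == PCAP_MAGIC:
        endian = '<'
    elif magic == 0xD4C3B2A1:
        endian = '>'
    else:
        raise ValueError('not a classic pcap file')
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(endian + 'IIII', data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        if len(frame) < 34:                      # too short for Ethernet + IPv4 header
            continue
        dst_mac, src_mac = frame[0:6].hex(':'), frame[6:12].hex(':')
        src_ip = dst_ip = None
        if struct.unpack_from('!H', frame, 12)[0] == 0x0800:
            src_ip = '.'.join(map(str, frame[26:30]))   # fixed offsets regardless of IHL
            dst_ip = '.'.join(map(str, frame[30:34]))
        yield src_mac, dst_mac, src_ip, dst_ip, len(frame)


def top_talkers(data, n=3):
    """Which interface (source MAC) is putting the most frames/bytes on the wire."""
    frames, byte_count = Counter(), Counter()
    for src, _, _, _, ln in parse_pcap(data):
        frames[src] += 1
        byte_count[src] += ln
    return [(mac, frames[mac], byte_count[mac]) for mac, _ in frames.most_common(n)]


def conversations(data, n=3):
    """Which host pairs exchange the most bytes: candidates to share a switch/router."""
    pairs = Counter()
    for _, _, sip, dip, ln in parse_pcap(data):
        if sip and dip:
            pairs[tuple(sorted((sip, dip)))] += ln
    return pairs.most_common(n)


def sample_capture():
    """Constructed capture: one busy workstation/server pair plus a jabbering NIC."""
    frames = []
    for _ in range(5):   # a CAD workstation and file server (hypothetical addresses)
        frames.append(build_frame('00:11:22:33:44:01', '00:11:22:33:44:02',
                                  '10.0.0.11', '10.0.0.12', b'X' * 200))
        frames.append(build_frame('00:11:22:33:44:02', '00:11:22:33:44:01',
                                  '10.0.0.12', '10.0.0.11', b'Y' * 200))
    for _ in range(40):  # a faulty interface spewing empty broadcast datagrams
        frames.append(build_frame('00:11:22:33:44:ff', 'ff:ff:ff:ff:ff:ff',
                                  '10.0.0.99', '10.0.0.255', b''))
    return build_pcap(frames)


if __name__ == '__main__':
    cap = sample_capture()
    print('top talkers (mac, frames, bytes):', top_talkers(cap))
    print('busiest conversations:', conversations(cap))
```

Run it on a real capture by replacing `sample_capture()` with the bytes of a file saved by tcpdump or Ethereal; the jabbering interface shows up at the head of `top_talkers` by frame count even though each of its frames is near-empty, which is exactly the symptom described above.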
 
A buddy of mine was the IT manager at a company we worked for ages ago... he had a similar snooper to play with when the network got funky on him. As an example, he fired it up one morning as people were coming into the office... within 5-10 minutes he had all network logons and passwords, including the CEO's, and the emails sent within that time were amazing.

In a civil eng. firm there is no valid reason for a normal employee to have such a beast on his/her machine. It may be benign, but I would watch this individual very closely... and consider all of your passwords as compromised. Hopefully this is a happy employee just poking around for self-education's sake, but if not you guys could be in for a world of hurt. Watch him, and be prepared to escort him out of the building on a moment's notice if he starts messing with anything.

Consider running a hidden logging program on his machine to see what he's up to. He may be grabbing every file he can get his hands on to strike out on his own, and blackmail isn't that hard these days when people are so free with info in emails.

Dan - Owner
 
Putting a "hidden logging program" on someone else's computer must break some law, right? At a minimum, it should get you fired.

BTW, what were you doing "going through a co-worker's computer"?
 
Hiya-

It *MIGHT* be a zombie machine, and the coworker has no knowledge that his machine might be compromised.

If I might suggest that the IT person in charge of your company do an "nmap" on his machine and look for unexpected open ports from the results. If there are open ports up in the high regions of the tcp or udp range, then I might suspect that your coworker has ventured into unsafe internet territory and that he/she has been pointing his machine at a server that has added malware to his box. CHAT addresses are commonly used for this purpose. The zombie can then be used for a variety of purposes. Usually, it's just to do a denial of service attack or send out spam. These are easily seen with the same "snooper" programs that you mentioned.

I am not familiar with the "show traffic" version you have mentioned.

A "snooper" program is VERY handy for network monitoring and troubleshooting, however, to really get benefit from such an application, it does take a certain amount of understanding to make sense of it and use it effectively. To see some of the benefits (if you are interested) on having a network monitor available, you can point your browser to:


I have only used the 'nix (unix, linux) versions of ethereal, so I can't answer for the windoze version of it, but the ones I have used have worked very well.

A "talented" IT professional in your organization can figure out how to approach the offending machine (with the cooperation of management of course) to build a wrapper program for the offensive software to see if it indeed is ever invoked from the keyboard.

Unfortunately, most snooper programs are passive when it comes to the network, so one cannot hang a snooper on the network and scan for another snooper. Sometimes snoopers are used to collect data to disk files however, and the suspect disk can be scanned for evidence of any log files that the user has set up and saved. This is a low probability effort however.

Aside from the fact that you were wandering through a coworker's machine (with the assumption that you had a good reason for doing so), I suggest that you bring the issue to management, who can contact their IT department or hire a computer security consultant to take the appropriate action.

Cheers,

Rich S.
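The suggestion above to nmap the machine and look for unexpected open ports can be tried without nmap at all. The following Python is an added example for this page, not code from the thread: a plain TCP connect scan (the same idea as nmap's -sT) against a host, followed by a comparison with a baseline of ports you expect to be listening. It opens a throwaway listener on an OS-chosen loopback port to stand in for an unexpected service, so it runs offline; the baseline set of ports is an assumption you would replace with your own.

```python
import socket


def start_dummy_listener(host='127.0.0.1'):
    """Open a listening TCP socket on an OS-chosen port. Stand-in for an
    unexpected service so the scanner has something real to find offline."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((host, 0))
    s.listen(5)
    return s, s.getsockname()[1]


def tcp_connect_scan(host, ports, timeout=0.2):
    """Return the ports in `ports` that complete a TCP handshake.
    A full connect is noisy but needs no privileges, unlike SYN scans."""
    open_ports = []
    for p in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, p)) == 0:   # 0 means connected, else an errno
                open_ports.append(p)
    return open_ports


def unexpected_ports(open_ports, baseline, high_port_floor=1024):
    """Flag open ports missing from the baseline; the bool marks whether the
    port sits in the high (unprivileged) range that malware often listens on."""
    return [(p, p >= high_port_floor) for p in open_ports if p not in baseline]


if __name__ == '__main__':
    # Hypothetical baseline: what IT says should be listening on a workstation.
    BASELINE = {135, 139, 445, 3389}
    srv, port = start_dummy_listener()
    try:
        found = tcp_connect_scan('127.0.0.1', range(port - 5, port + 6))
        for p, high in unexpected_ports(found, BASELINE):
            print(f'port {p} open and not in baseline (high range: {high})')
    finally:
        srv.close()
```

Scan the suspect machine from another host, not from itself, and treat any port absent from the baseline as a question for whoever owns the box rather than as proof of compromise; the point of the baseline is to turn "some high port is open" into "this high port is open and nobody can explain it".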
 
I wouldn't jump to any conclusions, but just remember that the biggest threat to any computer network is the insider...especially the disgruntled employee or the recently fired employee who didn't have accesses terminated right away. General users shouldn't be monitoring your network for traffic, but it doesn't mean he/she is up to anything malicious at this time. I would definitely develop a better security plan that grants privileges based on need. For example, the Civil Engineer would have a need for some of his programs, but he doesn't necessarily have to have administrative rights to download programs at will. Your IT department should handle that. This guy could seriously just be into computers and not up to anything necessarily detrimental.
 
The company's computers are company property. There is no legal expectation of personal privacy on a company computer.

TTFN

FAQ731-376
 
IRstuff,

Keep in mind, if this happens to be a government system in the US there _is_ a legal expectation of privacy. Even if there is suspicion of wrongdoing there are strict guidelines for how and what kind of search or forensics can be performed and by whom. Usually a third party (CID or law enforcement) and a warrant are required for anything more than a search for files or information needed in the performance of your duties. Even then, someone from management must be present and the person whose computer has been searched must be informed of the search and its scope (in writing).

Abutler,

You would probably do well just bringing it to your network admin's attention. That is, if you aren't the admin. Most of the situations other posters have suggested (zombie computer, employee stealing data, etc.) would be significant enough for someone to look into. I know I would appreciate a heads-up on something like this.
If it is just curiosity, diagnostics, or some other legit use, then your co-worker shouldn't have any problem.

If it's someone you have a good rapport with, why not just ask them about it?
 
I was referring to "company computers," see:

But, see also:
in which the Federal Labor Relations Authority rejected the claim of expectation of privacy because each federal employee in the case signed onto a computer that had a banner stating that logging in constituted consent to losing privacy on that computer.

When there is a question of criminal activity, that's different, simply because of the need to maintain chain of custody of evidence. However, if you, as a federal employee, were watching porn at work or spent 5 hrs a day doing day trading on a government computer, you can be sure that you'll be out the door the moment IT verifies what you did on that computer.

TTFN

FAQ731-376
 