Defense

The third use of sniffing is defense: monitoring your own network to make sure nothing out of the ordinary is going on. This can be used to ensure that: your users aren't running services they shouldn't be, there aren't any little script kiddies cruising around your intranet, and your (cough) Windows (cough) software isn't sending personal information to some server somewhere in Redmond, Washington.

The L0pht ( http://www.l0pht.com/ ) is a widely respected group of white-hat crackers. They break things to reveal vulnerabilities and then contact the vendor and tell them what they need to fix. Then they announce the problems to the world. The L0pht uses sniffers on a daily basis ”to conduct security audits and just to see what sort of things their software is communicating to the outside world. At one point, they discovered that a password-checking utility was sending a list of all the passwords from an NT server to another server, this one at another company, in order to verify those passwords. Since they were weakly encrypted to begin with, those passwords could have been intercepted by anyone (with a sniffer) between the two companies!