¨Includes a sniffer that captures and
writes into a file the first several characters of all sessions
–Good for capturing userid/passwords in
ftp, telnet,
and login sessions
¨Ifconfig on most Unix systems
(except Solaris) will indicate whether NIC is in promiscuous
mode
¨Facilitates hiding of sniffer by
including a trojanized ifconfig that
lies about PROMISC flag
¨