Proceedings of the 2001 IEEE Workshop on Information Assurance and Security, W2B2 1045, United States Military Academy, West Point, NY, 5–6 June 2001

Packet Sniffing for Automated Chat Room Monitoring and Evidence Preservation

A. Meehan, G. Manes, L. Davis, J. Hale, S. Shenoi*

* To whom correspondence should be addressed (email: sujeet@utulsa.edu).

Abstract — Packet sniffers are designed to intercept network traffic in shared communication channels. This is accomplished by re-configuring network interface cards to permit device drivers to process all network traffic, including packets that are not addressed to the host computer. Packet sniffing is primarily used in intrusion detection, network management, wiretapping and hacking.

This paper describes a novel application of packet sniffing to monitor chat room conversations for criminal activity. Current manual monitoring techniques must scrutinize massive amounts of conversations for potential criminal activity. The packet sniffer described in this paper permits the automated monitoring and filtering of chat room conversations. Moreover, it records and preserves packet-based evidence, enabling the complete reconstruction of illicit chat room activity for purposes of prosecution.

Keywords — Packet sniffing, filtering, chat room monitoring, computer crime

I. Introduction

Packet sniffing is the act of intercepting and interpreting network traffic transmitted across shared communication channels [1,6,10]. The network interface card (NIC) in a networked computer receives all shared traffic sent across a physical link. Ordinarily, the network device driver only processes incoming traffic to the local host and broadcast packets meant for computers in the network [4]. To perform packet sniffing, it is necessary to re-configure the NIC to operate in a “promiscuous” mode where the network device driver processes all traffic transmitted across the network, regardless of whether or not packets are addressed to the host computer [10].

Packet sniffing is primarily used in intrusion detection, network management, wiretapping and hacking. Intrusion detection systems use sniffing to identify packets and packet sequences that signal potential attacks [6,10]. Network management tools employ packet sniffers to quantitatively measure network traffic and identify bottlenecks [10]. Wiretapping applications of packet sniffers are exemplified by the FBI’s Carnivore system [1]. Hackers utilize packet sniffing to eavesdrop on network traffic and steal private information [3,6,10,11].

This paper describes a novel application of a packet sniffer to monitor chat room conversations for criminal activity, e.g., sex crimes investigations that monitor sexually explicit chat rooms for “travellers” – pedophiles who seek to arrange liaisons with minors across state lines. Two problems exist with manual monitoring methods [5]. First, an overwhelming amount of conversations have to be actively scrutinized and filtered for potential criminal activity. Second, it is difficult to record and preserve evidence of chat room conversations [12-14]. The packet sniffer permits automated monitoring and filtering, as well as evidence preservation. Moreover, it is possible to completely reconstruct chat room activity for purposes of prosecution.

II. Chat Room Monitor

Current chat room applications are based on the client-server model [15]. A schematic diagram of the chat room monitor is shown in Figure 1. Chat room clients A and B, a “suspicious client” and a monitoring officer communicate using a chat room server. In typical Internet chat rooms (e.g., Yahoo, MSN, AOL and IRC), as many as 100 clients communicate constantly. During an investigation, a monitoring officer must continuously monitor conversations, possibly interacting with other clients and suspects, to obtain sufficient evidence of criminal activity, including conspiracy to commit a crime [8,12,13].

The chat room monitor resides on a physically separated locked computer to remove any possibility of evidence corruption by the monitoring officer. The system intercepts all chat room communications through a “tap” located within the monitoring officer’s local area network. It automatically preserves all chat room traffic in a sealed container for evidentiary purposes. Moreover, it facilitates real-time conversation filtering to alert the monitoring officer of suspicious activity. This frees the officer from tedious manual review of chat room conversations, and enables the monitoring of multiple chat room servers.

III. System Design and Implementation

This section describes the network perspective and system architecture of the chat room monitor. The filtering and evidence preservation processes are also detailed.

A. Network Perspective

The network perspective of the chat room monitor is shown in Figure 2. Three chat room servers (A, B and M) and an instant message peer (bottom of Figure 2) use Internet connections to support communication between various clients (top of Figure 2).

ISBN 0-7803-9814-9/$10.00 © 2001 IEEE 285
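The two functions of the monitor described in Section II, real-time keyword filtering of tapped chat traffic and tamper-evident preservation of every captured packet, as an added Python example that is not the authors' code. It assumes IRC-style PRIVMSG payloads (the paper does not name the chat protocol) and uses a SHA-256 hash chain as one way to realise the "sealed container"; the sample payloads are constructed.

```python
import hashlib
import re
# Constructed sample payloads, as a promiscuous-mode tap would hand them to
# the filter. IRC-style PRIVMSG lines are an assumption; the paper does not
# name the chat protocol.
SAMPLE_PAYLOADS = [
    b":alice!u@h PRIVMSG #room :hi everyone\r\n",
    b":suspect!u@h PRIVMSG #room :Can you travel to meet me?\r\n",
    b":bob!u@h PRIVMSG #room :what is the weather like\r\n",
]
PRIVMSG_RE = re.compile(rb"^:(?P<nick>[^!]+)![^ ]+ PRIVMSG (?P<target>[^ ]+) :(?P<text>.*)\r\n$")

def parse_privmsg(payload):
    """Return {'nick','target','text'} for a PRIVMSG payload, else None."""
    m = PRIVMSG_RE.match(payload)
    if not m:
        return None
    return {k: m[k].decode("utf-8", "replace") for k in ("nick", "target", "text")}

def matches_filter(msg, terms):
    """Case-insensitive keyword filter; 'terms' is the officer's watch list."""
    low = msg["text"].lower()
    return any(t.lower() in low for t in terms)

def seal(payloads):
    """Hash-chain the raw payloads (sha256 over previous hash + bytes) so a
    later edit, insertion or deletion of any record breaks the chain."""
    prev, records = "0" * 64, []
    for seq, p in enumerate(payloads):
        h = hashlib.sha256(prev.encode() + p).hexdigest()
        records.append({"seq": seq, "payload": p.hex(), "chain": h})
        prev = h
    return records

def verify(records):
    """Recompute the chain; True only if every record is intact and in order."""
    prev = "0" * 64
    for seq, r in enumerate(records):
        h = hashlib.sha256(prev.encode() + bytes.fromhex(r["payload"])).hexdigest()
        if r["seq"] != seq or r["chain"] != h:
            return False
        prev = h
    return True

def monitor(payloads, terms):
    """Filter tapped traffic for alerts and seal all of it as evidence."""
    msgs = [parse_privmsg(p) for p in payloads]
    alerts = [m for m in msgs if m and matches_filter(m, terms)]
    return alerts, seal(payloads)
```

Note that all traffic is sealed, not only the alerts, so the complete conversation can be reconstructed later and the filter's choices can themselves be audited.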