Carnivore is apparently the third generation of online-detection software used by the FBI. While information about the first version has never been disclosed, many believe that it was actually a readily available commercial program called Etherpeek.
In 1997, the FBI deployed the second-generation program, Omnivore. According to information released by the FBI, Omnivore was designed to look through e-mail traffic travelling over a specific Internet service provider (ISP) and capture the e-mail from a targeted source, saving it to a tape-backup drive or printing it in real time. Omnivore was retired in late 1999 in favor of a more comprehensive system, the DragonWare Suite, which allows the FBI to reconstruct e-mail messages, downloaded files or even Web pages.
DragonWare contains three parts:
- Carnivore - A Windows NT/2000-based system that captures the information
- Packeteer - No official information released, but presumably an application for reassembling packets into cohesive messages or Web pages
- Coolminer - No official information released, but presumably an application for extrapolating and analyzing data found in the messages
As you can see, officials have not released much information about the DragonWare Suite, nothing about Packeteer and Coolminer and very little detailed information about Carnivore. But we do know that Carnivore is basically a packet sniffer, a technology that is quite common and has been around for a while.
Computer network administrators have used packet sniffers for years to monitor their networks and perform diagnostic tests or troubleshoot problems. Essentially, a packet sniffer is a program that can see all of the information passing over the network it is connected to. As data streams back and forth on the network, the program looks at, or "sniffs," each packet.
Normally, a computer only looks at packets addressed to it and ignores the rest of the traffic on the network. When a packet sniffer is set up on a computer, the sniffer's network interface is set to promiscuous mode. This means that it is looking at everything that comes through. The amount of traffic largely depends on the location of the computer in the network. A client system out on an isolated branch of the network sees only a small segment of the network traffic, while the main domain server sees almost all of it.
A packet sniffer can usually be set up in one of two ways:
- Unfiltered - Captures all of the packets
- Filtered - Captures only those packets containing specific data elements
Packets that contain targeted data are copied as they pass through. The program stores the copies in
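The two capture modes, shown as an added example (not code from the original article or from Carnivore itself): it parses constructed Ethernet/IPv4/TCP frames offline and shows that an unfiltered capture copies every frame while a filtered one keeps only packets with specific data elements. The function names, the documentation-range addresses and the `is_target` rule are assumptions made for illustration.

```python
import socket
import struct

def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Build a constructed Ethernet/IPv4/TCP frame (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00" + ip + tcp

def parse_frame(frame):
    """Return a dict for a well-formed IPv4/TCP frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None                                # too short, or not IPv4 (e.g. ARP)
    ihl = (frame[14] & 0x0F) * 4                   # IPv4 header length in bytes
    total = struct.unpack("!H", frame[16:18])[0]   # IPv4 total length
    if frame[14] >> 4 != 4 or ihl < 20 or frame[23] != 6:
        return None                                # bad version/header, or not TCP
    tcp = frame[14 + ihl:14 + total]               # drops any Ethernet padding
    if len(tcp) < 20:
        return None                                # truncated TCP header
    sport, dport = struct.unpack("!HH", tcp[:4])
    offset = (tcp[12] >> 4) * 4                    # TCP header length in bytes
    if offset < 20 or offset > len(tcp):
        return None
    return {"src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34]),
            "sport": sport, "dport": dport, "payload": tcp[offset:]}

def capture(frames, match=None):
    """Unfiltered (match=None) copies every frame; filtered copies only matches."""
    if match is None:
        return list(frames)
    return [f for f in frames if (p := parse_frame(f)) and match(p)]

def is_target(p):
    """Hypothetical filter rule: SMTP traffic carrying one constructed address."""
    return p["dport"] == 25 and b"alice@example.org" in p["payload"]

# Constructed sample traffic (documentation address ranges, not real hosts).
SAMPLE_FRAMES = [
    build_frame("192.0.2.10", "198.51.100.25", 40001, 25, b"MAIL FROM:<alice@example.org>\r\n"),
    build_frame("192.0.2.11", "198.51.100.25", 40002, 25, b"MAIL FROM:<bob@example.org>\r\n"),
    build_frame("192.0.2.10", "198.51.100.80", 40003, 80, b"GET / HTTP/1.0\r\n\r\n"),
    b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x06" + bytes(28),        # ARP frame
    build_frame("192.0.2.12", "198.51.100.25", 40004, 25, b"truncated")[:40],  # cut short
]

if __name__ == "__main__":
    print(len(capture(SAMPLE_FRAMES)), len(capture(SAMPLE_FRAMES, is_target)))
```

The filtered mode has to parse every frame to decide what to keep, so non-IPv4 and truncated frames must be rejected cleanly rather than crash the capture.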