Re: Detecting Network Sniffers ???

[H Carvey <keydet89 () yahoo com>]

In-Reply-To: <EDA6886713F7F94081284F78EEB0B1B026DC7F () arvexc01 asiapacific cpqcorp net>

Yet another way to detect sniffers on your network, specifically on Windows systems, is to scan for the presence of the 
WinPcap driver.  Most of the freely available sniffers (L0phtcrack4.0, Ethereal, etc) use this driver, and you can scan 
for it using WMI or SCM queries.

> Can somebody guide me on detecting a sniffer on my network. can i still=20
> detect a sniffer even if the computer running the sniffer has disabled
> the=20
> TCP/IP stack 

Just out of curiosity, how would someone be able to sniff if they disabled the TCP/IP stack?  Are you saying that 
they'd capture all ethernet frames, and then parse those apart?  If the IP stack is disabled (and not replaced), then 
how would the IP packets be parsed, or passed up to the application layer?

Also, I think moreso that "decompiling the kernel", someone would be more likely to patch it.

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------