Security Basics mailing list archives
RE: Detecting Network Sniffers ???
From: "Amin Tora" <atora () EPLUS com>
Date: Sat, 29 May 2004 11:02:30 -0400
Can somebody guide me on detecting a sniffer on my network. Can I still detect a sniffer even if the computer running the sniffer has disabled the TCP/IP stack?
Just out of curiosity, how would someone be able to sniff if they disabled the TCP/IP stack?
Are you saying that they'd capture all ethernet frames, and then parse those apart? If the IP stack is disabled (and not replaced), then how would the IP packets be parsed, or passed up to the application layer?
Quick comment on this: there are IDS systems that allow for this (i.e. ISS, Snort, etc.) and there are also freeware kernel-level drivers that replace the binding and requirement for the OS TCP/IP and handle packets in raw format and convert them to readable data for the intended use... The reason this works is that it doesn't rely on the TCP/IP stack; rather, the whole TCP/IP stack is 'replaced' for this purpose by its own "stack" that binds to the NIC.

See: "3.1 How do I setup snort on a 'stealth' interface?" at http://www.snort.org/docs/FAQ.txt
This shows how to configure a stealth interface on {BSD, LINUX, WINx} for SNORT.

"Network Sensor Stealth Configuration", on pg. 157 at http://documents.iss.net/literature/RealSecure/RS_NetSensor_IG_7.0.pdf
This shows how to configure ISS RealSecure in Stealth mode where the listening interface has no protocol stack bound to it.

Amin Tora, CISSP, CHSP
Security Consultant
ePlus Technology Inc.
13595 Dulles Technology Drive
Herndon, VA 20171
office: 703-793-1330
cell: 703-675-0738
web: http://www.eplustechnology.com
email: atora-at-eplus.com
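The point of the reply above is that a sensor bound to a 'stealth' interface never hands frames to the OS IP stack; it decodes raw Ethernet frames itself. As an added example that is not part of this thread and not code from Snort or ISS, the Python below parses an Ethernet/IPv4/TCP frame straight from bytes; the MAC addresses, IP addresses and HTTP payload in `build_sample_frame()` are constructed for the example.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6

def _need(buf: bytes, n: int, what: str) -> None:
    if len(buf) < n:
        raise ValueError(f"truncated {what}: {len(buf)} < {n} bytes")

def parse_ethernet(frame: bytes) -> dict:
    """Ethernet II header: 6-byte dst MAC, 6-byte src MAC, 2-byte EtherType."""
    _need(frame, 14, "Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": dst.hex(":"), "src": src.hex(":"), "type": etype, "payload": frame[14:]}

def parse_ipv4(data: bytes) -> dict:
    """IPv4 header: IHL gives the real header length; total length trims link-layer padding."""
    _need(data, 20, "IPv4 header")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", data[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(data) < ihl:
        raise ValueError("not a valid IPv4 header")
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "proto": proto, "payload": data[ihl:total_len]}

def parse_tcp(data: bytes) -> dict:
    """TCP header: the data offset (in 32-bit words) locates the segment payload."""
    _need(data, 20, "TCP header")
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", data[:14])
    doff = (off_flags >> 12) * 4
    return {"sport": sport, "dport": dport, "flags": off_flags & 0x1FF, "payload": data[doff:]}

def decode_frame(frame: bytes) -> dict:
    # Walk Ethernet -> IPv4 -> TCP in user space, as a sensor with no bound stack must.
    eth = parse_ethernet(frame)
    if eth["type"] != ETHERTYPE_IPV4:
        return {"eth": eth}  # ARP, IPv6 etc. are left undecoded in this example
    ip_hdr = parse_ipv4(eth["payload"])
    tcp = parse_tcp(ip_hdr["payload"]) if ip_hdr["proto"] == PROTO_TCP else None
    return {"eth": eth, "ip": ip_hdr, "tcp": tcp}

def build_sample_frame() -> bytes:
    """Constructed frame, not a capture: 10.0.0.5:40000 -> 10.0.0.9:80, PSH|ACK, tiny HTTP request."""
    payload = b"GET / HTTP/1.0\r\n\r\n"
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 1, (5 << 12) | 0x018, 65535, 0, 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0x4000,
                         64, PROTO_TCP, 0, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]))
    eth = struct.pack("!6s6sH", bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"), ETHERTYPE_IPV4)
    return eth + ip_hdr + tcp + payload
```

On a real stealth interface the same decoding runs over frames delivered by a raw capture driver (libpcap, the kernel driver the reply mentions) instead of `build_sample_frame()`.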
Current thread:
- Detecting Network Sniffers ??? Jonny Boy (May 25)
- <Possible follow-ups>
- RE: Detecting Network Sniffers ??? Sutton, Nathan (May 26)
- Re: Detecting Network Sniffers ??? Alvin Oga (May 27)
- Re: Detecting Network Sniffers ??? H Carvey (May 28)
- RE: Detecting Network Sniffers ??? Amin Tora (May 31)