Security Basics mailing list archives

Re: Detect Network Sniffing


From: Todd Haverkos <infosec () haverkos com>
Date: Tue, 08 Nov 2011 12:46:53 -0600

Dagni McPhee <dagnimcphee () gmail com> writes:

Is there any way to detect if a sniffer is being used to analyze my
traffic before it gets onto the Internet? Also is it required for a
sniffer to have an IP address or can it sniff while remaining
"uncontactable" on the network?

As others have said, no, a sniffer doesn't need an IP address.  In fact
a sometimes instructive way to start off an internal penetration test
is to take a Linux box, don't assign an IP address to eth0, up the
interface, fire up wireshark and just watch wireshark as you jack into
a conference room connection at the customer site while you prepare
for the kickoff meeting, and note any unicast traffic that you're
seeing that you really shouldn't be seeing.

If a switch has been dumbed down into hub mode to spew all traffic out
all of its ports, that'd be one scenario in which you wouldn't know your
traffic was being sniffed.

However, a more likely scenario is that an ethernet tap or a span port
of a switch could be (and probably is) in use at the internet egress
point (as commonly used for network IDS's or network analyzers), and
that device is going to make detecting attached sniffing, well, I am
loath to say impossible, but I think it's safe enough to say "hella
unlikely."

Best Regards, 
--
Todd Haverkos, LPT MsCompE
http://haverkos.com/
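
The check described in the reply above (watching a switch port for unicast traffic it should not be receiving) can be scripted when auditing your own switch. This is an added example, not part of the original post; the MAC addresses, the sample frames and the `threshold` value are constructed assumptions.

```python
from collections import Counter

BROADCAST = b"\xff" * 6

def mac(text):
    """'02:00:00:00:00:01' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))

def classify(frame, own_mac):
    """Classify a raw Ethernet frame by its destination MAC (first 6 bytes)."""
    if len(frame) < 14:                 # shorter than an Ethernet header
        return "runt"
    dst = frame[:6]
    if dst == BROADCAST:
        return "broadcast"
    if dst[0] & 0x01:                   # I/G bit set: group (multicast) address
        return "multicast"
    return "to-us" if dst == own_mac else "foreign-unicast"

def audit_port(frames, own_mac, threshold=3):
    """Return (counts per class, {(src, dst): n} for foreign pairs seen >= threshold times).

    A switch briefly floods unicast for destinations it has not learned yet,
    so isolated foreign frames are normal; repeated frames between the same
    two foreign hosts mean the port is receiving traffic it should not.
    threshold=3 is an illustrative value, not a standard.
    """
    counts, pairs = Counter(), Counter()
    for frame in frames:
        kind = classify(frame, own_mac)
        counts[kind] += 1
        if kind == "foreign-unicast":
            pairs[(frame[6:12].hex(":"), frame[:6].hex(":"))] += 1
    return counts, {p: n for p, n in pairs.items() if n >= threshold}

def build_frame(dst, src, ethertype=0x0800):
    """Build a minimal constructed frame: header plus 46 zero bytes of padding."""
    return mac(dst) + mac(src) + ethertype.to_bytes(2, "big") + bytes(46)

# Constructed sample capture; every address is a made-up locally administered MAC.
OWN_MAC = mac("02:00:00:00:00:01")
A, B, C = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"
SAMPLE = (
    [build_frame("ff:ff:ff:ff:ff:ff", A, 0x0806)]   # ARP broadcast
    + [build_frame("01:00:5e:00:00:fb", B)]         # IPv4 multicast
    + [build_frame("02:00:00:00:00:01", A)]         # addressed to our NIC
    + [build_frame(C, A)]                           # one flooded frame
    + [build_frame(B, A)] * 3                       # sustained foreign conversation
)

if __name__ == "__main__":
    print(audit_port(SAMPLE, OWN_MAC))
```

A non-empty second return value on a port that is not configured as a span port indicates the switch is forwarding other hosts' conversations to it.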
