Security Basics mailing list archives
Re: Detect Network Sniffing
From: Todd Haverkos <infosec () haverkos com>
Date: Tue, 08 Nov 2011 12:46:53 -0600
Dagni McPhee <dagnimcphee () gmail com> writes:
Is there any way to detect if a sniffer is being used to analyze my traffic before it gets onto the Internet? Also is it required for a sniffer to have an IP address or can it sniff while remaining "uncontactable" on the network?
As others have said, no, a sniffer doesn't need an IP address. In fact, a sometimes instructive way to start off an internal penetration test is to take a Linux box, don't assign an IP address to eth0, up the interface, fire up Wireshark and just watch Wireshark as you jack into a conference room connection at the customer site while you prepare for the kickoff meeting, and note any unicast traffic that you're seeing that you really shouldn't be seeing.

If a switch has been dumbed down into hub mode to spew all traffic out all of its ports, that'd be one scenario in which you wouldn't know your traffic was being sniffed. However, a more likely scenario is that an Ethernet tap or a span port of a switch could be (and probably is) in use at the internet egress point (as commonly used for network IDS's or network analyzers), and that device is going to make detecting attached sniffing, well, I am loath to say impossible, but I think it's safe enough to say "hella unlikely."

Best Regards,
--
Todd Haverkos, LPT MsCompE
http://haverkos.com/
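The "unicast traffic you shouldn't be seeing" check described in the message above, written as a switch-port audit. This is an added example, not part of the original post; the MAC addresses and frames are constructed sample data, and the function names are hypothetical.

```python
from collections import Counter

def mac(b: bytes) -> str:
    """Format six raw bytes as a colon-separated MAC address."""
    return ":".join(f"{x:02x}" for x in b)

def classify(frame: bytes, own_mac: bytes) -> str:
    """Classify one Ethernet frame by its destination address."""
    if len(frame) < 14:                 # shorter than an Ethernet header
        return "runt"
    dst = frame[0:6]
    if dst == b"\xff" * 6:
        return "broadcast"
    if dst[0] & 0x01:                   # I/G bit set: group (multicast) address
        return "multicast"
    if dst == own_mac:
        return "unicast-to-us"
    return "foreign-unicast"            # a switched access port should rarely deliver this

def foreign_unicast_report(frames, own_mac: bytes) -> Counter:
    """Count (src, dst) pairs for unicast frames addressed to some other host."""
    seen = Counter()
    for f in frames:
        if classify(f, own_mac) == "foreign-unicast":
            seen[(mac(f[6:12]), mac(f[0:6]))] += 1
    return seen

def build(dst: str, src: str, ethertype: int = 0x0800) -> bytes:
    """Build a constructed test frame: header plus 46 bytes of zero padding."""
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    return raw(dst) + raw(src) + ethertype.to_bytes(2, "big") + b"\x00" * 46

# Constructed sample capture (locally administered addresses, not real hosts).
OWN = bytes.fromhex("020000000001")
SAMPLE = [
    build("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:0a", 0x0806),  # ARP broadcast
    build("01:00:5e:00:00:fb", "02:00:00:00:00:0a"),          # IPv4 multicast
    build("02:00:00:00:00:01", "02:00:00:00:00:0b"),          # addressed to us
    build("02:00:00:00:00:0c", "02:00:00:00:00:0a"),          # someone else's conversation
    build("02:00:00:00:00:0c", "02:00:00:00:00:0a"),
    build("02:00:00:00:00:0d", "02:00:00:00:00:0b"),
]

if __name__ == "__main__":
    for (src, dst), n in foreign_unicast_report(SAMPLE, OWN).most_common():
        print(f"{n} frame(s) {src} -> {dst} not addressed to this port")
```

A few foreign unicast frames are normal, because a switch floods frames whose destination it has not yet learned; sustained conversations between other hosts point to a port that is mirroring or flooding traffic.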