Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re[2]: sniffers

From: rnayfield () mail iconnet com (Nayfield, Rod)
Date: Sun, 30 Apr 95 14:52:35 EST

Right.  There is no way.  one of smb's papers (and the book) mention using a 
sniffer with transmit leads cut.  

The best protection would be to use switches instead of hubs... even  a 
multi-port bridge for thinnet is a good idea when you use it to seperate 
workgroups.

rod


______________________________ Reply Separator _________________________________
Subject: Re: sniffers
Author:  "Jonathan M. Bresler" <jmb () kryten Atinc COM> at Internet
Date:    4/30/95 7:02 AM


Is there any way to find out if a sniffer is on the net? 
Just this

     
 no.  absolutely none (per SANS'95 conference)
     
 a sniffer can have its transmit lead cut and still function.  
this configuration is described in one of the common security 
papers--TAMU's tiger paper perhaps, i dont remember.  with the transmit 
lead cut, you cant detect.
     
 now a good capture digital ocilloscope and a one shot pulse 
generator may allow you to see the reflections at each tap (imperfect 
impedence matching of coax and taps procudce reflections)  the time from 
pulse to reflection is twice the travel time to the tap.  a TDR (time 
domain reflectometer) does this.  but the signal will be very weak.  no 
standard network administrator equipment ;(
Previous By Date Next
Previous By Thread Next

Current thread: