Bugtraq mailing list archives
Re: detecting sniffers is downright easy
From: arquint () inf ethz ch (Caspar Arquint)
Date: Wed, 10 May 1995 19:44:35 +0200
Dr. Frederick B. Cohen writes:

> The vast majority of real-world sniffers reported to date are software
> sniffers of one of two varieties:
>
> 1 - DOS programs using the network interface in promiscuous mode.
> 2 - Unix programs modifying OS software to observe packets.
> ...

Well, it depends on what you understand by detecting a sniffer. But how the hell will you know if somebody plugged a PC to the network right now and starts sniffing the net? You only have to disconnect a Workstation and connect a PC or Mac instead with the same IP address and here you go. Sure it's possible to check if an IP address suddenly belongs to a different ethernet address (arp -a on Solaris reports the IP and the ethernet address). But not always when a workstation is replaced by a PC it means that the PC is used for sniffing...

Let's assume there is someone working on a PC right. Even if you have a modified virus scanner running, how do you see if someone accesses the net device just for reading? And how do you find out what the actual user is receiving from the net is read by a sniffer and not by some NFS client or the like?

Another thing is if somebody will sniff on some backbone outside of my domain but where all our packets are sent along. I don't have any chance to find out about that - AFAIK.

The same on a unix machine: I'll grab some source or write my own sniffer. I'll call it sed, perl or that like. How the hell with even an MD5 signature will you know that this is a sniffer? If you have the MD5 of e.g. tcpdump I'll modify tcpdump just a little bit and you'll get a completely different MD5...

> Thus, not only is detection of all Unix-based real-world sniffers not
> impossible or infeasible, it is downright easy and simple.

I assume you have other source than I have and maybe you know of some commercial application that can detect a sniffer. Ok - tell me please, where I can get more information about such software.

And maybe you have a hint for me, how I can find out right now what application someone is just starting on a PC. All this I really think is easy. At least not for me...

---
Caspar Arquint
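The ARP check mentioned in the message above (an IP address that suddenly belongs to a different ethernet address) can be automated by comparing two saved `arp -a` snapshots; the following is an added example, not part of the original post. The function names and both sample snapshots are constructed for illustration, and the parser assumes the output shows numeric IP addresses.

```python
import re

# MAC with 1-2 hex digits per octet (some arp output drops leading zeros).
MAC_RE = re.compile(r"\b[0-9A-Fa-f]{1,2}(?:[:-][0-9A-Fa-f]{1,2}){5}\b")
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def normalize_mac(mac):
    """Lower-case and zero-pad each octet so 8:0:20:3:4:5 == 08:00:20:03:04:05."""
    return ":".join(octet.zfill(2).lower() for octet in re.split(r"[:-]", mac))

def parse_arp_table(text):
    """Map IP -> MAC for every line holding both; headers and incomplete entries are skipped."""
    table = {}
    for line in text.splitlines():
        mac, ip = MAC_RE.search(line), IP_RE.search(line)
        if mac and ip:  # first IPv4 on the line is the host; a netmask column may follow
            table[ip.group()] = normalize_mac(mac.group())
    return table

def compare_snapshots(before, after):
    """Return (ip, old_mac, new_mac) for addresses that are new or whose MAC changed."""
    return [(ip, before.get(ip), mac)
            for ip, mac in sorted(after.items())
            if before.get(ip) != mac]

# Constructed sample snapshots in a Solaris-like column layout (not real hosts).
BEFORE = """\
Device   IP Address               Mask      Flags   Phys Addr
------ -------------------- --------------- ----- ---------------
le0    192.0.2.10           255.255.255.255       08:00:20:0a:1b:2c
le0    192.0.2.11           255.255.255.255       8:0:20:3:4:5
"""
AFTER = """\
Device   IP Address               Mask      Flags   Phys Addr
------ -------------------- --------------- ----- ---------------
le0    192.0.2.10           255.255.255.255       00:00:c0:11:22:33
le0    192.0.2.11           255.255.255.255       08:00:20:03:04:05
le0    192.0.2.12           255.255.255.255       08:00:20:aa:bb:cc
"""

if __name__ == "__main__":
    for ip, old, new in compare_snapshots(parse_arp_table(BEFORE), parse_arp_table(AFTER)):
        # A changed MAC is a reason to look at the host, not proof of sniffing.
        print(f"{ip}: {old or 'not seen before'} -> {new}")
```

As the message points out, a hit only shows that different hardware now answers for the address, and a listener outside the local segment never appears in the ARP table at all.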