IDS mailing list archives
Re: Counter detect Network Sniffer
From: "Tace " <tace () lycos com>
Date: Sat, 21 Feb 2004 21:12:06 +0700
Hi,

I think there are a few methods mentioned before that can "detect" the use of a sniffer. Note that I used "detect", as the methods can only detect whether a machine is in promiscuous mode or not. (Of course, I can set my network interface into promiscuous mode without starting a sniffer, but only in rare cases, e.g. you are using the Virtual Switch function of Virtual PC, etc.)

I remembered 2 methods. The first one is more tedious, requiring you to have control of the network. It involves introducing traffic noise into the network (to various machines) and measuring the latency and response of connections to all machines in the network. A machine in promiscuous mode will be lagging, as it has to handle other packets not meant for it (normally rejected at the datalink layer if not meant for it).

The second method is easier to perform, involving tricking the machine in promiscuous mode into responding. However, you need to be able to craft your own packet (use libnet, I think). The idea is to set the MAC address of the packet to some address that does not belong to any of the machines in the network. Set the IP of the packet to reflect correctly the IP of the machine you are probing. Send it into the network and it should respond, when it shouldn't... then you know it is in promiscuous mode...

Next is to detect if the machine in promiscuous mode is running a sniffer... that I am not sure how to...

Of course, instead of rolling your own, you can always find some software already on the net that detects sniffers, like anti-sniffer etc...

Hope this helps

--------- Original Message ---------
DATE: Thu, 19 Feb 2004 11:49:49
From: Bill Mok <billmok2002 () yahoo com hk>
To: focus-ids () securityfocus com
Cc:
Is there any method to detect one using sniffer, say ethereal, in the same network?