Full Disclosure mailing list archives
Re: Caching a sniffer
From: "Ian Latter" <Ian.Latter () mq edu au>
Date: Thu, 11 Mar 2004 17:54:24 +1000
>> While there's no way to be sure-sure ... you can get into your local LAN segment and send ICMP(/whatever) requests to the correct L3 address with the wrong L2 address and see if you get a response; this will show you if hosts/devices are listening promiscuously (which makes for a good starting point).

> Not necessarily? I thought that depended on the ip stack implementation.

Not sure what you're driving at .. do you mean you can't use the same test on all stack implementations or that this test just won't work on all stack implementations?

One of the links sent through before had a link to a good read on the variations of the theme required for three specific implementations. From Tim's message you get this link;

http://seclists.org/lists/focus-ids/2004/Feb/0028.html

In turn, gives you this link;

http://www.securiteam.com/tools/AntiSniff_-
_find_sniffers_on_your_local_network.html [wr-wr-wrapped]

There they discuss NetBSD, Linux and Windows detection.

The assumption that I'm skirting around is that the sniffer is on an existing host (pc/server/etc) .. and as such it's not well prepared for the task; ie - that it is capable of being actively probed (that it will respond).

I think the original post / first response included a reference to a site being physically accessed ... I guess that's when good physical access controls/records/etc become valuable.

As I said, it's a good starting point (better than looking at a wiring closet and your watch, and working out the latest time you can order pizza).

--
Ian Latter
Internet and Networking Security Officer
Macquarie University

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
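
The test described in the message above (an ICMP request to the correct L3 address with the wrong L2 address), as an added example that is not part of the original post: it builds the probe frame and validates a candidate reply entirely offline. All MAC/IP addresses, the payload and the function names are constructed for illustration, and putting the frame on the wire is left out.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))

def ip(s: str) -> bytes:
    return bytes(int(octet) for octet in s.split("."))

def build_probe(src_mac, wrong_dst_mac, src_ip, target_ip, ident, seq):
    """ICMP echo request: correct L3 destination, deliberately wrong L2 destination."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + b"promisc-check"
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    iph = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                      ip(src_ip), ip(target_ip))
    iph = iph[:10] + struct.pack("!H", inet_checksum(iph)) + iph[12:]
    return mac(wrong_dst_mac) + mac(src_mac) + b"\x08\x00" + iph + icmp

def is_reply_to_probe(frame, target_ip, ident, seq):
    """True only for an intact ICMP echo reply from target_ip matching our id/seq."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 1:
        return False
    icmp = frame[14 + (frame[14] & 0x0F) * 4:]
    if len(icmp) < 8 or inet_checksum(icmp) != 0:
        return False
    typ, _code, _csum, rid, rseq = struct.unpack("!BBHHH", icmp[:8])
    return frame[26:30] == ip(target_ip) and (typ, rid, rseq) == (0, ident, seq)

def constructed_reply(probe, target_mac):
    """Constructed sample: the echo reply a host would send if its stack saw the probe."""
    iph = bytearray(probe[14:34])
    iph[12:16], iph[16:20] = probe[30:34], probe[26:30]   # swap src/dst IP
    icmp = b"\x00\x00\x00\x00" + probe[38:]                # type 0, checksum zeroed
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return probe[6:12] + mac(target_mac) + b"\x08\x00" + bytes(iph) + icmp

# All addresses below are constructed sample values.
PROBE = build_probe("02:00:00:00:00:01", "02:00:00:de:ad:01",
                    "192.0.2.10", "192.0.2.20", 0x1234, 1)
REPLY = constructed_reply(PROBE, "02:00:00:00:00:20")
# A matching reply means the target accepted a frame not addressed to its MAC.
# No reply is inconclusive: behaviour depends on the IP stack, as the thread notes.
print(is_reply_to_probe(REPLY, "192.0.2.20", 0x1234, 1))
```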