Re: Sniffer detection (remote)

[White Cap <whitecap () dreams res cmu edu>]

On Mon, 15 Feb 1999, Terje Elde wrote:

> Another idea for nmap, what about building in the abilities of neped?
>
> It's a cute little tool which will remotely detect some linux box'es
> running some kernels if they are sniffing. Great for scanning your own
> network for bad guys :)

promisc mode detection uses arp or rarp, I forget.  unless you're scanning
your local network (and this becomes dull really fast), you won't be able
to tell.  maybe nmap could check to see if the hosts you're scanning are
on your local net (no gateway for the route) and if so then run a
neped-like procedure as well as the regular scan?

whitecap