RE: Port mirroring detection

["Lachniet, Mark" <mlachniet () sequoianet com>]

One (not so great) way might be to sniff your DNS servers and outgoing
Internet traffic for DNS queries to see if there is a sniffer trying to
resolve IP addresses it shouldn't be able to see.  Then inject some
traffic into the network that really shouldn't be there, like an IP
totally out of your range (e.g. 9.9.9.9).  IfF you see DNS queries
trying to resolve that particular IP, it would be an indication someone
saw the traffic.  Of course, that assumes that DNS resolution on the
monitoring tool is turned on, which is pretty slow...

Mark Lachniet

> -----Original Message-----
> From: John Madden [mailto:chiwawa999 () yahoo com] 
> Sent: Tuesday, December 14, 2004 4:51 PM
> To: Jim Tuttle; pen-test () securityfocus com
> Subject: RE: Port mirroring detection
>
> More of a suspicion...
>
> I've asked the question to our administrators but let's just 
> say I want to check for myself.
>
>
> --- Jim Tuttle <jim.tuttle () wesd org> wrote:
>
> > What brought your suspicions that SPAN was on? Or is it just an 
> > assumption?
> >
> > Jim Tuttle
> >
> > -----Original Message-----
> > From: John Madden [mailto:chiwawa999 () yahoo com]
> > Sent: Tuesday, December 14, 2004 7:38 AM
> > To: pen-test () securityfocus com
> > Subject: Port mirroring detection
> >
> > Hi,
> >
> > Is there a way to find out if a switch port is doing port mirroring 
> > besides looking at the configuration on the switch ?
> >
> > Thanks
> >
> >
> >             
> > __________________________________
> > Do you Yahoo!? 
> > Meet the all-new My Yahoo! - Try it today! 
> > http://my.yahoo.com
> >  
>
>
>
>               
> __________________________________
> Do you Yahoo!? 
> Dress up your holiday email, Hollywood style. Learn more. 
> http://celebrity.mail.yahoo.com