Re: Wireshark in Network - Windows/Linux

[Hobbe <my1listmail () gmail com>]

As far as i know there is no way to detect a sniffer in a network, however
there are some ways that can detect network cards in promiscuous mode, tools
for this could be antisniff, neped, promgryui, sniffer-detect and so on.
They all do NOT detect a sniffer "per se", they detect that a network card
is in promiscuous mode wich is a strong indicator that there is a sniffer.

This does not however show the sniffers used with SPAN or RSPAN ports in
switches since those ports are shutdown for outgoing traffic from the
sniffer and only mirrors the traffic on the ports choosen.

HTH

Hobbe

2010/3/13 Karthik Balaguru <karthikbalaguru79 () gmail com>

> On Wed, Mar 10, 2010 at 12:03 AM, Guy Harris <guy () alum mit edu> wrote:
> > On Mar 9, 2010, at 8:35 AM, Karthik Balaguru wrote:
> >
> > > How to determine the presence of wireshark in a network ? Are there
> > > any specific packet types exchanged while it is present in the network
> > > so that it can be used to determine its presence in the network ? Any
> > > specific tool to identify its presence in either Windows or Linux ?
> >
> > There is no Wireshark-specific network protocol that it and only it uses.
> >
> > If you do a Web search for
> >
> >        detecting sniffers
> >
> > you can find some techniques that, although not *guaranteed* to find
> programs that capture network packets, such as Wireshark (and tcpdump and
> snoop and Microsoft Network Monitor and NetScout Sniffer and WildPackets
> {Ether,Token,Airo,Omni}Peek and...), can sometimes detect those programs on
> a network.  For example:
> >        http://www.securiteam.com/unixfocus/2EUQ8QAQME.html
> >
> > says
> >
> >        How to detect other sniffers on the network
> >
> >        Detecting other sniffers on other machines is very difficult (and
> sometimes impossible). But detecting whether one of the Linux machines is
> doing the sniffing is possible.
> >        This can be done by exploiting a weakness in the TCP/IP stack
> implementation of Linux.
> >        When Linux is in promiscuous mode, it will answer to TCP/IP
> packets sent to its IP address even if the MAC address on that packet is
> wrong (the standard behavior is that packets containing wrong MAC address
> will not be answered because the network interface will drop them).
>
> Interesting to know that Linux TCP/IP stack implementation answers to
> TCP/IP packets even if the MAC address on that packet is
> wrong(Promiscuous mode). But, Is this made intentionally in Linux to
> be different from standard behavior in helping the determination of
> presence of sniffer in network ? Any thoughts ?
>
> >        Therefore, sending TCP/IP packets to all the IP addresses on the
> subnet, where the MAC address contains wrong information, will tell you
> which machines are Linux machines in promiscuous mode (the answer from those
> machines will be a RST packet)
> > While this is far from being a perfect method, it can help discover
> suspicious activity on a network.
> >
>
> Thx in advans,
> Karthik Balaguru
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>             mailto:wireshark-users-request () wireshark org
> ?subject=unsubscribe
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe