Re: Wireshark in Network - Windows/Linux

[Hobbe <my1listmail () gmail com>]

Hi
None of them supports detecting a sniffer, they all detect that the network
card is in promiscous mode.
That a network card is in promiscous mode only means that there is a chance
of that machine could be used as a sniffer, but it is not the same as it is
a sniffer device.

To find sniffers and such you would have to run a software inventory program
that checks out what software does exist in the machines.
Then you can say: "ok we have found sniffer software on the machines".

The different tools do different things so do a search for them and se wich
one/ones would help you find out what you want.

HTH
Hobbe


2010/3/16 Karthik Balaguru <karthikbalaguru79 () gmail com>

> On Sun, Mar 14, 2010 at 4:45 PM, Hobbe <my1listmail () gmail com> wrote:
> > As far as i know there is no way to detect a sniffer in a network,
> however
> > there are some ways that can detect network cards in promiscuous mode,
> tools
> > for this could be antisniff, neped, promgryui, sniffer-detect and so on.
> > They all do NOT detect a sniffer "per se", they detect that a network
> card
> > is in promiscuous mode wich is a strong indicator that there is a
> sniffer.
>
> Thx for your reply.
> antisniff, neped, promgryui, sniffer-detect - Do they support
> detection of sniffer
> in both windows and linux ? Thought of checking it with you before actually
> going in for analyzing those. Any ideas ?
>
> > This does not however show the sniffers used with SPAN or RSPAN ports in
> > switches since those ports are shutdown for outgoing traffic from the
> > sniffer and only mirrors the traffic on the ports choosen.
> >
> > HTH
> > Hobbe
> >
> > 2010/3/13 Karthik Balaguru <karthikbalaguru79 () gmail com>
> > > On Wed, Mar 10, 2010 at 12:03 AM, Guy Harris <guy () alum mit edu> wrote:
> > > > On Mar 9, 2010, at 8:35 AM, Karthik Balaguru wrote:
> > > >
> > > > > How to determine the presence of wireshark in a network ? Are there
> > > > > any specific packet types exchanged while it is present in the
> network
> > > > > so that it can be used to determine its presence in the network ? Any
> > > > > specific tool to identify its presence in either Windows or Linux ?
> > > >
> > > > There is no Wireshark-specific network protocol that it and only it
> > > > uses.
> > > >
> > > > If you do a Web search for
> > > >
> > > >        detecting sniffers
> > > >
> > > > you can find some techniques that, although not *guaranteed* to find
> > > > programs that capture network packets, such as Wireshark (and tcpdump
> and
> > > > snoop and Microsoft Network Monitor and NetScout Sniffer and
> WildPackets
> > > > {Ether,Token,Airo,Omni}Peek and...), can sometimes detect those
> programs on
> > > > a network.  For example:
> > > >
> > > >        http://www.securiteam.com/unixfocus/2EUQ8QAQME.html
> > > >
> > > > says
> > > >
> > > >        How to detect other sniffers on the network
> > > >
> > > >        Detecting other sniffers on other machines is very difficult
> (and
> > > > sometimes impossible). But detecting whether one of the Linux machines
> is
> > > > doing the sniffing is possible.
> > > >        This can be done by exploiting a weakness in the TCP/IP stack
> > > > implementation of Linux.
> > > >        When Linux is in promiscuous mode, it will answer to TCP/IP
> > > > packets sent to its IP address even if the MAC address on that packet
> is
> > > > wrong (the standard behavior is that packets containing wrong MAC
> address
> > > > will not be answered because the network interface will drop them).
> > >
> > > Interesting to know that Linux TCP/IP stack implementation answers to
> > > TCP/IP packets even if the MAC address on that packet is
> > > wrong(Promiscuous mode). But, Is this made intentionally in Linux to
> > > be different from standard behavior in helping the determination of
> > > presence of sniffer in network ? Any thoughts ?
> > >
> > > >        Therefore, sending TCP/IP packets to all the IP addresses on
> the
> > > > subnet, where the MAC address contains wrong information, will tell
> you
> > > > which machines are Linux machines in promiscuous mode (the answer from
> those
> > > > machines will be a RST packet)
> > > > While this is far from being a perfect method, it can help discover
> > > > suspicious activity on a network.
> > >
> > > Thx in advans,
> > > Karthik Balaguru
> ___________________________________________________________________________
> > > Sent via:    Wireshark-users mailing list <
> wireshark-users () wireshark org>
> > > Archives:    http://www.wireshark.org/lists/wireshark-users
> > > Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> > >
> > > mailto:wireshark-users-request () wireshark org?subject=unsubscribe
> ___________________________________________________________________________
> > Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org
> >
> > Archives:    http://www.wireshark.org/lists/wireshark-users
> > Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> >             mailto:wireshark-users-request () wireshark org
> ?subject=unsubscribe
> >
>
> Thx in advans,
> Karthik Balaguru
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>             mailto:wireshark-users-request () wireshark org
> ?subject=unsubscribe
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe