Wireshark mailing list archives
Re: Wireshark in Network - Windows/Linux
From: Hobbe <my1listmail () gmail com>
Date: Fri, 19 Mar 2010 00:04:05 +0100
Yes, some of them will, others I think will not. Good luck.

2010/3/16 Karthik Balaguru <karthikbalaguru79 () gmail com>

> On Tue, Mar 16, 2010 at 3:37 PM, Hobbe <my1listmail () gmail com> wrote:
>
>> Hi
>>
>> None of them supports detecting a sniffer, they all detect that the
>> network card is in promiscuous mode.
>
> :-( :-(
>
>> That a network card is in promiscuous mode only means that there is a
>> chance that the machine could be used as a sniffer, but it is not the
>> same as it is a sniffer device.
>
> Okay! But do these tools help in determination of the presence of a
> network card in promiscuous mode w.r.t. Windows also?
>
>> To find sniffers and such you would have to run a software inventory
>> program that checks out what software does exist in the machines. Then
>> you can say: "ok we have found sniffer software on the machines". The
>> different tools do different things so do a search for them and see
>> which one/ones would help you find out what you want.
>
> Karthik Balaguru
>
>> 2010/3/16 Karthik Balaguru <karthikbalaguru79 () gmail com>
>>
>>> On Sun, Mar 14, 2010 at 4:45 PM, Hobbe <my1listmail () gmail com> wrote:
>>>
>>>> As far as I know there is no way to detect a sniffer in a network,
>>>> however there are some ways that can detect network cards in
>>>> promiscuous mode, tools for this could be antisniff, neped, promgryui,
>>>> sniffer-detect and so on. They all do NOT detect a sniffer "per se",
>>>> they detect that a network card is in promiscuous mode which is a
>>>> strong indicator that there is a sniffer.
>>>
>>> Thx for your reply. antisniff, neped, promgryui, sniffer-detect - do
>>> they support detection of sniffers in both Windows and Linux? Thought
>>> of checking it with you before actually going in for analyzing those.
>>> Any ideas?
>>>
>>>> This does not however show the sniffers used with SPAN or RSPAN ports
>>>> in switches since those ports are shut down for outgoing traffic from
>>>> the sniffer and only mirror the traffic on the ports chosen.
>>>>
>>>> HTH
>>>> Hobbe
>>>>
>>>> 2010/3/13 Karthik Balaguru <karthikbalaguru79 () gmail com>
>>>>
>>>>> On Wed, Mar 10, 2010 at 12:03 AM, Guy Harris <guy () alum mit edu> wrote:
>>>>>
>>>>>> On Mar 9, 2010, at 8:35 AM, Karthik Balaguru wrote:
>>>>>>
>>>>>>> How to determine the presence of Wireshark in a network? Are there
>>>>>>> any specific packet types exchanged while it is present in the
>>>>>>> network so that it can be used to determine its presence in the
>>>>>>> network? Any specific tool to identify its presence in either
>>>>>>> Windows or Linux?
>>>>>>
>>>>>> There is no Wireshark-specific network protocol that it and only it
>>>>>> uses. If you do a Web search for detecting sniffers you can find some
>>>>>> techniques that, although not *guaranteed* to find programs that
>>>>>> capture network packets, such as Wireshark (and tcpdump and snoop and
>>>>>> Microsoft Network Monitor and NetScout Sniffer and WildPackets
>>>>>> {Ether,Token,Airo,Omni}Peek and...), can sometimes detect those
>>>>>> programs on a network. For example:
>>>>>>
>>>>>> http://www.securiteam.com/unixfocus/2EUQ8QAQME.html
>>>>>>
>>>>>> says
>>>>>>
>>>>>> How to detect other sniffers on the network
>>>>>>
>>>>>> Detecting other sniffers on other machines is very difficult (and
>>>>>> sometimes impossible). But detecting whether one of the Linux
>>>>>> machines is doing the sniffing is possible. This can be done by
>>>>>> exploiting a weakness in the TCP/IP stack implementation of Linux.
>>>>>> When Linux is in promiscuous mode, it will answer to TCP/IP packets
>>>>>> sent to its IP address even if the MAC address on that packet is
>>>>>> wrong (the standard behavior is that packets containing a wrong MAC
>>>>>> address will not be answered because the network interface will drop
>>>>>> them).
>>>>>
>>>>> Interesting to know that the Linux TCP/IP stack implementation answers
>>>>> to TCP/IP packets even if the MAC address on that packet is wrong
>>>>> (promiscuous mode). But, is this made intentionally in Linux to be
>>>>> different from standard behavior in helping the determination of the
>>>>> presence of a sniffer in the network?
>>>>>
>>>>> Any thoughts?
>>>>>
>>>>>> Therefore, sending TCP/IP packets to all the IP addresses on the
>>>>>> subnet, where the MAC address contains wrong information, will tell
>>>>>> you which machines are Linux machines in promiscuous mode (the answer
>>>>>> from those machines will be a RST packet). While this is far from
>>>>>> being a perfect method, it can help discover suspicious activity on a
>>>>>> network.
>>>>>
>>>>> Thx in advance,
>>>>> Karthik Balaguru

___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users () wireshark org>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request () wireshark org?subject=unsubscribe
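Hobbe's point above is that a promiscuous interface is only a hint and that a host-side inventory is what actually tells you something. As an added example (not code from this thread), the script below does that host-side check on Linux: it decodes the IFF_PROMISC bit from /sys/class/net/<iface>/flags and replays the kernel's "device X entered/left promiscuous mode" log lines to see which interfaces are still promiscuous. The flag values and log lines in SAMPLE_FLAGS and SAMPLE_LOG are constructed so it runs offline.

```python
"""Host-side promiscuous-mode checks for Linux (added example, not from the thread)."""
import os
import re

IFF_PROMISC = 0x100  # IFF_PROMISC bit as shown in /sys/class/net/<iface>/flags


def is_promisc(flags_text):
    """Decode one sysfs 'flags' reading such as '0x1103\\n' (hex bitmask of IFF_* bits)."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def promisc_interfaces(readings):
    """readings: {iface: flags_text}. Returns the interfaces with IFF_PROMISC set."""
    return sorted(i for i, t in readings.items() if is_promisc(t))


def read_sysfs_flags(root="/sys/class/net"):
    """Collect live flag readings on a Linux host; on other OSes this yields {}."""
    out = {}
    try:
        names = os.listdir(root)
    except OSError:
        return out
    for iface in names:
        try:
            with open(os.path.join(root, iface, "flags")) as f:
                out[iface] = f.read()
        except OSError:
            pass  # virtual entries without a flags file
    return out


# The kernel logs every transition, so dmesg/journal history shows which
# interfaces are promiscuous right now (last transition wins per interface).
LOG_RE = re.compile(r"device (\S+) (entered|left) promiscuous mode")


def promisc_from_log(lines):
    state = {}
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            state[m.group(1)] = (m.group(2) == "entered")
    return sorted(i for i, on in state.items() if on)


SAMPLE_FLAGS = {"lo": "0x9\n", "eth0": "0x1003\n", "eth1": "0x1103\n"}  # constructed
SAMPLE_LOG = [  # constructed lines in the kernel's wording
    "[  120.44] device eth1 entered promiscuous mode",
    "[  130.02] device eth2 entered promiscuous mode",
    "[  140.71] device eth2 left promiscuous mode",
]

if __name__ == "__main__":
    print("sysfs:", promisc_interfaces(SAMPLE_FLAGS))  # ['eth1']
    print("log:  ", promisc_from_log(SAMPLE_LOG))      # ['eth1']
    print("live: ", promisc_interfaces(read_sysfs_flags()))
```

Run it as root or not; sysfs flags are world-readable, so the live check needs no privileges.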
Current thread:
- Wireshark in Network - Windows/Linux Karthik Balaguru (Mar 09)
- Re: Wireshark in Network - Windows/Linux Guy Harris (Mar 09)
- Re: Wireshark in Network - Windows/Linux Karthik Balaguru (Mar 12)
- Re: Wireshark in Network - Windows/Linux Hobbe (Mar 14)
- Re: Wireshark in Network - Windows/Linux Ray Warren (Mar 15)
- Re: Wireshark in Network - Windows/Linux Karthik Balaguru (Mar 15)
- Re: Wireshark in Network - Windows/Linux Hobbe (Mar 16)
- Re: Wireshark in Network - Windows/Linux Karthik Balaguru (Mar 16)
- Re: Wireshark in Network - Windows/Linux Hobbe (Mar 18)
- Re: Wireshark in Network - Windows/Linux ronnie sahlberg (Mar 18)
- Re: Wireshark in Network - Windows/Linux Karthik Balaguru (Mar 20)
- Re: Wireshark in Network - Windows/Linux bart sikkes (Mar 20)
- Re: Wireshark in Network - Windows/Linux Hobbe (Mar 20)
- Re: Wireshark in Network - Windows/Linux Karthik Balaguru (Mar 21)
- Re: Wireshark in Network - Windows/Linux Phil Paradis (Mar 20)
- Re: Wireshark in Network - Windows/Linux Karthik Balaguru (Mar 12)
- Re: Wireshark in Network - Windows/Linux Guy Harris (Mar 09)
- Re: Wireshark in Network - Windows/Linux ronnie sahlberg (Mar 18)