Wireshark mailing list archives
Re: running wireshark on my network
From: M Holt <m.iostreams () gmail com>
Date: Tue, 15 Mar 2011 15:42:21 -0700
:) I stand corrected... But, these concepts are all assuming that the user is in a specific environment -- there really does need to be a little more information about the topology in general, no?

Still, lots of good information -- thanks all!

-- Mike

On Tue, Mar 15, 2011 at 1:19 PM, Martin Visser <martinvisser99 () gmail com> wrote:
As far as finding machines running Wireshark there are actually a few techniques, if you Google for "detect promiscuous mode" and follow through on some of the research. One mechanism was using a "feature" of the Linux IP stack where a Linux host in promiscuous mode would respond to an IP packet even if it was sent to a MAC address it didn't own. There were other techniques involving ARP.

Also Wireshark boxes are sometimes configured to try and resolve IP addresses into names (reverse lookups). Thus you can "trick" Wireshark to try and do a reverse lookup on an IP address you choose by simply sending a packet past the interface it is sniffing. If you see that IP address in the site DNS server logs as a reverse query, then you will have potentially found a lurking Wireshark box.

Ultimately if you suspect people are using sniffers for nefarious purposes on your network, you probably need to think a lot about physical security of your cable risers and communications closets. You also want to have managed switches and routers where have a control over

Regards,
Martin
MartinVisser99 () gmail com
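Added example, not part of the original messages: a minimal sketch of the DNS-log check described in the quoted text, which scans resolver query logs for PTR lookups of a decoy address and reports which clients asked. The BIND-style log layout, the sample lines, the addresses (documentation ranges) and the function name are all assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumed BIND-style query log layout; adjust the pattern for your DNS server.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[0-9a-fA-F.:]+)#\d+.*?"
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

def find_reverse_lookups(log_lines, decoy_ip, allowed_clients=()):
    """Return {client_ip: count} for PTR queries that name the decoy address."""
    # 198.51.100.77 -> 77.100.51.198.in-addr.arpa (also handles IPv6 / ip6.arpa)
    target = ipaddress.ip_address(decoy_ip).reverse_pointer.lower()
    # Hosts expected to do reverse lookups (e.g. a sanctioned monitoring box).
    allowed = {ipaddress.ip_address(a) for a in allowed_clients}
    hits = {}
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m or m["qtype"].upper() != "PTR":
            continue
        if m["qname"].rstrip(".").lower() != target:
            continue
        try:
            client = ipaddress.ip_address(m["client"])
        except ValueError:
            continue  # malformed client field, skip the line
        if client in allowed:
            continue
        hits[str(client)] = hits.get(str(client), 0) + 1
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "15-Mar-2011 15:40:01.120 client 192.0.2.10#53211: query: www.example.com IN A + (192.0.2.1)",
    "15-Mar-2011 15:40:07.502 client 192.0.2.44#40977: query: 77.100.51.198.in-addr.arpa IN PTR + (192.0.2.1)",
    "15-Mar-2011 15:40:09.733 client 192.0.2.44#40978: query: 77.100.51.198.in-addr.arpa IN PTR + (192.0.2.1)",
    "15-Mar-2011 15:40:10.004 client 192.0.2.53#51000: query: 77.100.51.198.in-addr.arpa IN PTR + (192.0.2.1)",
    "15-Mar-2011 15:40:11.310 client 192.0.2.61#33012: query: 78.100.51.198.in-addr.arpa IN PTR + (192.0.2.1)",
    "15-Mar-2011 15:40:12.918 client @0x7f3a1c0 192.0.2.90#40112 (77.100.51.198.in-addr.arpa): "
    "query: 77.100.51.198.in-addr.arpa IN PTR +E(0)K (192.0.2.1)",
]

if __name__ == "__main__":
    found = find_reverse_lookups(SAMPLE_LOG, "198.51.100.77", ["192.0.2.53"])
    for client, count in sorted(found.items()):
        print(f"{client} asked for the decoy PTR record {count} time(s)")
```

A hit only shows that a host resolved the decoy address; other software that logs or inspects traffic can trigger the same lookup, so treat each client as a lead to investigate.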