Home page logo
/

basics logo Security Basics mailing list archives

Re: Detect Network Sniffing
From: Todd Haverkos <infosec () haverkos com>
Date: Tue, 08 Nov 2011 12:46:53 -0600

Dagni McPhee <dagnimcphee () gmail com> writes:

Is there any way to detect if a sniffer is being used to analyze my
traffic before it gets onto the Internet? Also is it required for a
sniffer to have an IP address or can it sniff while remaining
"uncontactable" on the network?

As others have said, no a sniffer doesn't need an IP address.  In fact
a sometimes instructive way to start off an internal penetration test
is to take a Linux box, don't assign an IP address to eth0, up the
interface, fire up wireshark and just watch wireshark as you jack into
a conference room connection at the customer site while you prepare
for the kickoff meeting, and note any unicast traffic that you're
seeing that you really shouldn't be seeing.

If a switch has been dumbed down into hub mode spew all traffic out
all of its ports, that'd one scenario in which you wouldn't know your
traffic was being sniffed.   

However, a more likely scenario is that an ethernet tap or a span port
of a switch could be (and probably is) in use at the internet egress
point (as commonly used for network IDS's or network analyzers), and
that device is going to make detecting attached sniffing, well, I am
loathe to say impossible, but I think it's safe enough to say "hella
unlikely."

Best Regards, 
--
Todd Haverkos, LPT MsCompE
http://haverkos.com/

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]