Re: detecting sniffers is downright easy
From: arquint () inf ethz ch (Caspar Arquint)
Date: Wed, 10 May 1995 19:44:35 +0200
Dr. Frederick B. Cohen writes:
> The vast majority of real-world sniffers reported to date are software
> sniffers of one of two varieties:
> 1 - DOS programs using the network interface in promiscuous mode.
> 2 - Unix programs modifying OS software to observe packets.
Well, it depends on what you understand by detecting a sniffer. But
how the hell will you know if somebody plugged a PC into the network
right now and starts sniffing the net? You only have to disconnect
a workstation and connect a PC or Mac instead with the same IP address,
and here you go. Sure, it's possible to check if an IP address
suddenly belongs to a different ethernet address (arp -a on Solaris
reports the IP and the ethernet address). But when a workstation is
replaced by a PC, it doesn't always mean that the PC is used for
sniffing... Let's assume there is someone working on a PC, right.
Even if you have a modified virus scanner running, how do you
see if someone accesses the net device just for reading? And
how do you find out whether what the actual user is receiving from
the net is read by a sniffer and not by some NFS client or the like?

Another thing is if somebody sniffs on some backbone outside
of my domain but where all our packets are sent along. I don't have
any chance to find out about that - AFAIK.

The same on a unix machine: I'll grab some source or write
my own sniffer. I'll call it sed, perl or the like. How the hell,
even with an MD5 signature, will you know that this is a sniffer?
If you have the MD5 of e.g. tcpdump, I'll modify tcpdump just a
little bit and you'll get a completely different MD5...
> Thus, not only is detection of all Unix-based real-world sniffers not
> impossible or infeasible, it is downright easy and simple.
I assume you have other sources than I have, and maybe you know of
some commercial application that can detect a sniffer. OK - tell
me please where I can get more information about such software.
And maybe you have a hint for me on how I can find out right now what
application someone is just starting on a PC.
All this I really think is easy. At least not for me...
--- Caspar Arquint
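The one check the post concedes is workable, watching for an IP address whose ethernet address suddenly changes, as an added Python example written for this archive page (not code from the post or its author). The two arp -a snapshots are constructed samples in the Solaris "Net to Media Table" layout, and, as the post itself says, a changed address is a lead to investigate, not proof that the new machine is sniffing.

```python
import re

# Constructed Solaris-style "arp -a" snapshots (hostnames and addresses are invented).
BASELINE = """\
Net to Media Table: IPv4
Device   IP Address               Mask      Flags      Phys Addr
------ -------------------- --------------- -------- ---------------
le0    ws1.example.org      255.255.255.255          08:00:20:01:02:03
le0    ws2.example.org      255.255.255.255          08:00:20:04:05:06
le0    ws3.example.org      255.255.255.255          08:00:20:07:08:09
"""
CURRENT = """\
Net to Media Table: IPv4
Device   IP Address               Mask      Flags      Phys Addr
------ -------------------- --------------- -------- ---------------
le0    ws1.example.org      255.255.255.255          08:00:20:01:02:03
le0    ws2.example.org      255.255.255.255          00:a0:24:aa:bb:cc
le0    ws4.example.org      255.255.255.255          08:00:20:0a:0b:0c
"""

# Solaris prints octets without zero padding (8:0:20:1:2:3), so accept 1 or 2 hex digits.
MAC_RE = re.compile(r"^[0-9a-f]{1,2}(?::[0-9a-f]{1,2}){5}$", re.I)


def normalize_mac(mac):
    """Zero-pad each octet so '8:0:20:1:2:3' compares equal to '08:00:20:01:02:03'."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))


def parse_arp(text):
    """Return {host_or_ip: mac} from arp -a output, skipping header and separator lines."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or not MAC_RE.match(fields[-1]):
            continue  # header, separator or an entry with no resolved address
        table[fields[1]] = normalize_mac(fields[-1])
    return table


def diff_arp(baseline, current):
    """Return (changed, unseen): hosts whose MAC changed, and hosts absent from the baseline."""
    old, new = parse_arp(baseline), parse_arp(current)
    changed = {h: (old[h], new[h]) for h in old if h in new and old[h] != new[h]}
    unseen = {h: new[h] for h in new if h not in old}  # no baseline, so not a "change"
    return changed, unseen


if __name__ == "__main__":
    for host, (was, now) in diff_arp(BASELINE, CURRENT)[0].items():
        print(f"{host}: ethernet address changed {was} -> {now}, check who replaced it")
```

The ARP cache only lists hosts this machine has talked to recently, so the snapshots have to be taken regularly on each subnet for the comparison to mean anything.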