From: jenkins () dpw com (Colin Jenkins)
Date: Tue, 2 May 95 9:14:29 EDT
These are all good ideas, however many sniffers are not Unix systems that
can be logged into and examined. I have worked with DOS based sniffers
(Network General Sniffer, Excelan, HP, etc) that are far superior to Suns
(as sniffers/protocol analyzers) and I doubt that they are easily detectable
even with their transmit lead intact.
I don't think the machine you run sniffer software on could make it better
or worse, they all get the same packets;)
| Patrick J. Horgan Amdahl Corporation \\ Have |
The original question was whether a sniffer could go undetected on a network.
My point is anyone with physical access to the network could do it with a
machine nobody can log into, much less detect. These sniffers only generate
traffic when instructed to, so with or without transmit leads these are
As for the machine running the software, there is a world of difference
in the diagnostic capabilities of a dedicated sniffer vs the typical
Unix box. Busy Unix systems are more likely to drop packets than a dedicated
sniffer (so they don't necessarily see the same packets). You could
certainly spend the time to disassemble the raw data collected by the Unix
system, but the sniffers make this much easier. Even Solaris' snoop (which
is better than etherfind) is not as comprehensive as Network General's sniffer.
I have also used X based protocol decoders that read RMON probe data that
are excellent, but again, the data is collected by a dedicated network probe.
BTW- I'm not knocking Unix based systems for network analysis- I use them
all the time and it is usually much easier than lugging a portable to the
floor or subnet in question. For 95% of my network analysis, Unix utilities
are more than adequate. But if I was an intruder with physical access
to a network, I'd probably use a dedicated sniffer- no need to cut transmit
leads or crack a system to get in.
My point is merely that these machines give superior analysis capabilities
and are probably undetectable.
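The thread turns on whether a sniffing host can be "logged into and examined". For hosts an administrator can examine, the usual check is whether an interface is in promiscuous mode and whether it is dropping received packets. The script below is an added example, not code from the original thread or any of its participants; it assumes a Linux host exposing `/sys/class/net/<if>/flags` and `/proc/net/dev`, and the `/proc/net/dev` sample and flag values it falls back on are constructed for illustration. The drop-ratio threshold of one in ten thousand is an arbitrary choice for the example.

```python
"""Examine local interfaces for promiscuous mode and receive-side drops.

Added example (not from the original thread). Assumes a Linux host with
/sys/class/net/<if>/flags and /proc/net/dev; the sample text and flag
values below are constructed, not captured from a real system.
"""
import os

IFF_PROMISC = 0x100  # Linux interface flag bit meaning promiscuous mode

# Constructed sample of /proc/net/dev (two header lines, then one row per interface).
SAMPLE_PROC_NET_DEV = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo: 1234567    9876    0    0    0     0          0         0  1234567    9876    0    0    0     0       0          0
  eth0: 987654321 4321000    0  512    0     0          0      1000 123456789 2100000    0    0    0     0       0          0
"""

# Constructed flag words for the fallback run: 0x1103 has IFF_PROMISC set, 0x9 does not.
SAMPLE_FLAGS = {"eth0": 0x1103, "lo": 0x9}

DROP_RATIO_THRESHOLD = 0.0001  # arbitrary threshold chosen for this example


def is_promisc(flags: int) -> bool:
    """True when IFF_PROMISC is set in an interface's flags word."""
    return bool(flags & IFF_PROMISC)


def parse_proc_net_dev(text: str) -> dict:
    """Return {ifname: {"rx_packets": int, "rx_drop": int}} from /proc/net/dev text."""
    stats = {}
    for line in text.splitlines()[2:]:  # skip the two header lines
        if ":" not in line:
            continue
        name, rest = line.split(":", 1)
        fields = rest.split()
        if len(fields) < 4:
            continue
        # Receive columns: bytes packets errs drop ...
        stats[name.strip()] = {"rx_packets": int(fields[1]), "rx_drop": int(fields[3])}
    return stats


def read_interface_flags(ifname: str) -> int:
    """Read one interface's flags word from sysfs (value is hex, e.g. 0x1003)."""
    with open(f"/sys/class/net/{ifname}/flags") as f:
        return int(f.read().strip(), 16)


def report(stats: dict, flags_by_if: dict) -> list:
    """One finding per interface that is promiscuous or dropping received packets."""
    findings = []
    for name, s in stats.items():
        flags = flags_by_if.get(name, 0)
        if is_promisc(flags):
            findings.append(f"{name}: promiscuous mode is set (flags=0x{flags:x})")
        if s["rx_packets"] and s["rx_drop"] / s["rx_packets"] > DROP_RATIO_THRESHOLD:
            findings.append(f"{name}: {s['rx_drop']} of {s['rx_packets']} received packets dropped")
    return findings


if __name__ == "__main__":
    if os.path.exists("/proc/net/dev"):
        with open("/proc/net/dev") as f:
            live = parse_proc_net_dev(f.read())
        flags = {n: read_interface_flags(n) for n in live
                 if os.path.exists(f"/sys/class/net/{n}/flags")}
    else:
        live, flags = parse_proc_net_dev(SAMPLE_PROC_NET_DEV), SAMPLE_FLAGS
    for line in report(live, flags) or ["no findings"]:
        print(line)
```

This is a host-side inventory check, and it finds only what the post concedes it can find: a sniffer running on a machine you can log into. A dedicated analyzer with no login, or with its transmit lead cut, produces nothing for this script to read, which is the point the post is making; the drop counters are included because they bear on the post's other observation that a busy general-purpose host does not necessarily see every packet a dedicated probe sees.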