Re: Detecting a sniffer
From: mcn () EnGarde com (Mike Neuman)
Date: Mon, 1 May 1995 12:49:43 -0500
From owner-bugtraq () fc net Mon May 1 11:36:08 1995
You can't "detect a sniffer" from looking at the net...
There are some tricks you can try. Although, they won't work in all
1) rup hostx;generate tremendous amounts of TCP traffic;rup hostx again. If
a sniffer is running, most likely the load will go up substantially to deal
with the increased traffic.
2) Look for large amounts of name server queries. A telltale sign that
tcpdump is running is dozens of requests in a short period of time for
As I said, these won't work in all cases, although the sniffers I've seen
floating around in hackers' toolboxes these days will be detected by either
of these techniques.
mcn () EnGarde com
En Garde Systems - Computer Security Software and Consulting
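
An added example, not part of the original message: one way to look for the burst of name server queries described in technique 2, run over a query log. The log format, the host names, the 10-second window and the threshold of 24 queries are assumptions made for this illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 10   # assumed reading of "a short period of time"
THRESHOLD = 24        # assumed reading of "dozens of requests"

def parse_line(line):
    """Parse one constructed log line: '<epoch-seconds> <client> <qname>'."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        return float(parts[0]), parts[1], parts[2]
    except ValueError:
        return None

def find_query_bursts(lines, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return {client: peak query count inside any `window`-second span}
    for every client whose peak reaches `threshold`."""
    recent = defaultdict(deque)   # client -> timestamps still inside the window
    peak = defaultdict(int)
    records = sorted(r for r in map(parse_line, lines) if r)
    for ts, client, _qname in records:
        q = recent[client]
        q.append(ts)
        while ts - q[0] > window:   # drop queries older than the window
            q.popleft()
        peak[client] = max(peak[client], len(q))
    return {c: n for c, n in peak.items() if n >= threshold}

def sample_log():
    """Constructed sample, not real traffic."""
    lines = []
    for i in range(30):   # hostx: 30 lookups in about 3 seconds
        lines.append(f"{1000 + i * 0.1:.1f} hostx name{i}.example.com")
    for i in range(30):   # hosty: 30 lookups spread over 10 minutes
        lines.append(f"{1000 + i * 20} hosty name{i}.example.com")
    lines.append("malformed line here extra")   # skipped by parse_line
    return lines

if __name__ == "__main__":
    for client, n in sorted(find_query_bursts(sample_log()).items()):
        print(f"{client}: {n} queries within {WINDOW_SECONDS}s")
```
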