Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Detecting a sniffer
From: mcn () EnGarde com (Mike Neuman)
Date: Mon, 1 May 1995 12:49:43 -0500


From owner-bugtraq () fc net Mon May  1 11:36:08 1995

You can't "detect a sniffer" from looking at the net...

  There are some tricks you can try. Although, they won't work in all
cases.

1) rup hostx;generate tremendous amounts of TCP traffic;rup hostx again. If
a sniffer is running, most likely the load will go up substancially to deal
with the increased traffic.

2) Look for large amounts of name server queries. A telltale sign that
tcpdump is running is dozens of requests in a short period of time for
reverse lookups.

  As I said, these won't work in all cases, although the sniffers I've seen
floating around in hackers' toolboxes these days will be detected by either
of these techniques.

-Mike
mcn () EnGarde com
En Garde Systems - Computer Security Software and Consulting



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]