Bugtraq mailing list archives

Re: Detecting a sniffer
From: mcn () EnGarde com (Mike Neuman)
Date: Mon, 1 May 1995 12:49:43 -0500

From owner-bugtraq () fc net Mon May  1 11:36:08 1995

You can't "detect a sniffer" from looking at the net...

  There are some tricks you can try. Although, they won't work in all

1) rup hostx;generate tremendous amounts of TCP traffic;rup hostx again. If
a sniffer is running, most likely the load will go up substantially to deal
with the increased traffic.

2) Look for large amounts of name server queries. A telltale sign that
tcpdump is running is dozens of requests in a short period of time for
reverse lookups.

  As I said, these won't work in all cases, although the sniffers I've seen
floating around in hackers' toolboxes these days will be detected by either
of these techniques.

mcn () EnGarde com
En Garde Systems - Computer Security Software and Consulting
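
Technique 2 above, written as a check over name-server query logs. This is an added example, not part of the original post: it flags clients that ask for many distinct reverse (PTR) names within a short window. The log line format, the 10-second window, the threshold of 24 and the sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

def parse(line):
    """Parse '<epoch> <client> <qtype> <qname>' (assumed format); None if malformed."""
    parts = line.split()
    if len(parts) != 4 or not parts[0].isdecimal():
        return None
    return int(parts[0]), parts[1], parts[2].upper(), parts[3].lower().rstrip(".")

def ptr_bursts(lines, window=10, threshold=24):
    """Return {client: peak} for clients that asked for at least `threshold`
    distinct in-addr.arpa names within any `window`-second span.
    Assumes each client's lines appear in time order."""
    recent = defaultdict(deque)   # client -> (ts, qname) pairs still inside the window
    peak = defaultdict(int)       # client -> highest distinct-name count seen
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue              # skip malformed lines rather than abort the scan
        ts, client, qtype, qname = rec
        if qtype != "PTR" or not qname.endswith(".in-addr.arpa"):
            continue
        q = recent[client]
        q.append((ts, qname))
        while q and q[0][0] <= ts - window:
            q.popleft()
        # Distinct names: repeated lookups of one address are not a burst.
        peak[client] = max(peak[client], len({name for _, name in q}))
    return {c: n for c, n in peak.items() if n >= threshold}

def constructed_sample():
    """Constructed log lines (documentation addresses), not real traffic."""
    lines = ["this line is malformed", "1003 192.0.2.44 A www.example.com"]
    # Host resolving 30 different addresses in about 6 seconds.
    lines += [f"{1000 + i // 5} 192.0.2.44 PTR {i}.113.0.203.in-addr.arpa"
              for i in range(30)]
    # Host doing one reverse lookup per minute: same volume, no burst.
    lines += [f"{1000 + 60 * i} 192.0.2.10 PTR {i}.100.51.198.in-addr.arpa"
              for i in range(30)]
    return lines

if __name__ == "__main__":
    for client, n in ptr_bursts(constructed_sample()).items():
        print(f"{client}: {n} distinct reverse lookups within 10 s")
```

Hosts that legitimately resolve many addresses (mail relays, log processors) need an allow-list or a higher threshold before this is used for alerting.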
