Home page logo

bugtraq logo Bugtraq mailing list archives

How to detect a sniffer
From: fc () all net (Dr. Frederick B. Cohen)
Date: Fri, 5 May 1995 21:55:14 -0400 (EDT)

Search - very well.

The people that claim it is somehow impossible to detect a sniffer seem
to believe that this is some super impossible problem, but it is not. 
Current sniffer technology is finite and bounded - all you have to do is
look hard enough.  The question you might reasonably ask is "How hard do
we have to search?" and the answer is - finitely hard - not infinitely
hard.  Thus, it is possible, but perhaps quite expensive.

The next question might reasonably be: "Is it feasible?" and again the
answer is yes.  So let's start with hardware and then go to software:

Hardware - examine every component with an electron microscope for any
deviation from design.  Any deviation is examined to determine the
electromagnetic impact, and if the impact is to leak packets with a
particular energy level, we then have to search the range of locations
within the detectable distance of that emission to determine if
amplification devices of the right sort are in that range.  Repeat
recursively till it reaches or doesn't reach humans, and you are done
with the physical side.

Software - examine all information in the systems and determine all
deviations from the original implementation.  Examine all deviations to
determine function.  If function can cause packet contents to move about,
apply recursively till the packets reach humans or do not.

Search over.  Please note that all of these operations are finite and do
not fall under the problems of undecidability or any laws of physics
that cause them to be impossible or involve unbounded effort.  HOWEVER -
they require a great deal of effort and are unlikely to be cost
effective for any real-world situation - especially when compared to
physically securing a small number of critical components and using
encryption to prevent abuse outside of those components. 

I await anxiously the unbounded diatribe that is certain to result from
this assessment of the difficulty in detection of sniffers, but please
don't use the same sorts of abusive language or insults that you have
been throwing around so freely before asking legitimate questions.  Just
because you don't know how, doesn't make it impossible.

\Management  /\/| 216-686-0090 - PO Box 1480, Hudson, OH 44236
 \        /\/   | Check out info-security heaven and test your system
  \/\  /\/      | for known vulnerabilities (1st time for free) at URL:
     \/Analytics| (scans deeper than SATAN or ISS)  http://all.net:8080
   ASIS "Security Management" Articles and Information On-Line
   Read "Protection and Security on the Information Superhighway"
   John Wiley and Sons, 1995 ISBN 0-471-11389-1, 320 pp, $24.95

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]