IDS mailing list archives
Re: Counter detect Network Sniffer
From: "gatekeeper" <gatekeeper () globenet com ph>
Date: Tue, 24 Feb 2004 15:23:59 +0800
Hi,

It may also not work if the sniffer was run non-promiscuously (i.e. snoop -P)? Is there a way to detect such sniffers?

Thanks.

jun g.
"hiding in plain sight"

----- Original Message -----
From: "Chris Caydes" <chris_caydes () yahoo com>
To: <focus-ids () securityfocus com>
Sent: Tuesday, February 24, 2004 6:05 AM
Subject: Re: Counter detect Network Sniffer

Hello Bill,

In order to capture the entire traffic passing on a network segment, the sniffer needs to be put in promiscuous mode. One thing that should work to detect if a particular NIC is configured in promiscuous mode on your network segment is the following:

- determine the IP address and associated MAC address of the suspected host, using ARP.
- send IP traffic to that node using its legitimate IP address (for instance, ping) but forge the destination MAC address to a different value than that of the suspected node.
- if the node responds to that traffic despite the MAC address being bogus, you can suspect the node to be in promiscuous mode.

Note: if the target host runs a firewall, or if the segment is on a switch instead of a hub, the trick might not work.

Disclaimer: I haven't tried this trick myself, I'm just assuming it would work. Also, I read a similar idea a long time ago, but don't remember where.

Regards,
Chris

--- Bill Mok <billmok2002 () yahoo com hk> wrote:
Is there any method to detect one using sniffer, say ethereal, in the same network?
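The probe described in the quoted message, as an added example that is not code from either poster: it builds the ICMP echo request framed to a wrong destination MAC and checks whether a captured frame is the suspect's reply. The function names, MAC addresses and IP addresses are constructed for illustration; sending and capturing on the segment (a raw socket, run by the network's administrator) is left to the caller.

```python
import socket
import struct

def csum(data: bytes) -> int:
    """RFC 1071 Internet checksum (used by the IPv4 header and ICMP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))

def build_probe(src_mac, bogus_mac, src_ip, suspect_ip, ident, seq):
    """Echo request to the suspect's real IP, framed to a MAC it does not own."""
    dst = mac(bogus_mac)
    if dst[0] & 1:
        # Broadcast/multicast frames can be accepted without promiscuous mode,
        # so a reply to one would prove nothing.
        raise ValueError("bogus MAC must be a unicast address")
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + b"promisc-probe"
    icmp = icmp[:2] + struct.pack("!H", csum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), ident, 0, 64, 1, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(suspect_ip))
    ip = ip[:10] + struct.pack("!H", csum(ip)) + ip[12:]
    return dst + mac(src_mac) + b"\x08\x00" + ip + icmp

def answers_probe(frame: bytes, suspect_ip: str, ident: int, seq: int) -> bool:
    """True if a captured Ethernet frame is the suspect's echo reply to our probe."""
    if len(frame) < 14 + 20 + 8 or frame[12:14] != b"\x08\x00":
        return False                      # too short or not IPv4
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 1 or frame[26:30] != socket.inet_aton(suspect_ip):
        return False                      # not ICMP, or not sent by the suspect
    icmp = frame[14 + ihl:]
    if len(icmp) < 8 or csum(icmp) != 0:
        return False                      # truncated or corrupted ICMP
    typ, _code, _sum, r_id, r_seq = struct.unpack("!BBHHH", icmp[:8])
    return typ == 0 and r_id == ident and r_seq == seq

if __name__ == "__main__":
    # Constructed values: locally administered MACs, RFC 5737 documentation IPs.
    probe = build_probe("02:00:00:00:00:01", "02:00:00:00:00:99",
                        "192.0.2.10", "192.0.2.20", 0x1234, 1)
    print(probe.hex())
```

A reply only raises suspicion, as the message says; a host firewall or a switched segment can suppress it.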
Current thread:
- Counter detect Network Sniffer Bill Mok (Feb 20)
- Re: Counter detect Network Sniffer Jochen Bartl (Feb 23)
- Re: Counter detect Network Sniffer M. Dodge Mumford (Feb 23)
- Message not available
- Re: Counter detect Network Sniffer M. Dodge Mumford (Feb 24)
- RE: Counter detect Network Sniffer Fergus Brooks (Feb 25)
- Message not available
- Re: Counter detect Network Sniffer Raistlin (Feb 23)
- RE: Counter detect Network Sniffer Poulsennet Securityfocus (Feb 23)
- Re: Counter detect Network Sniffer Peng Xuena (Feb 25)
- Re: Counter detect Network Sniffer Mike Hoskins (Feb 23)
- Re: Counter detect Network Sniffer Chris Caydes (Feb 23)
- Re: Counter detect Network Sniffer gatekeeper (Feb 24)
- Re: Counter detect Network Sniffer Pablo Scherer (Feb 24)
- <Possible follow-ups>
- Re: Counter detect Network Sniffer Tace (Feb 23)
- RE: Counter detect Network Sniffer Micheal Thompson (Feb 24)
