Intrusion Detection Systems mailing list archives

Re: RE: detecting a sniffer remotely


From: Laurent.Van-Cauwelaert () epita fr (laurent van-cauwelaert)
Date: Sat, 16 Oct 1999 22:18:11 +0000 (GMT)



Most sniffer detectors are based on a bug(?) in the IP stack implementation,
which makes a host whose device(s) are running in promisc. mode recognize an
IP packet even if the MAC address in the Ethernet frame doesn't match
(otherwise such an Ethernet frame would get dropped earlier).

After a few tests:
It seems that NetBSD 1.4.1 is affected by this "bug".
Linux Slackware 4 isn't.
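
The check described in the message above, as an added example that is not part of the original post: it builds the mis-addressed probe frame and decides whether a captured frame is the target's answer to it. Using an ICMP echo request as the IP packet is an assumption, as are all MAC/IP addresses and the function names, which are constructed lab values.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))

def ip4(text: str) -> bytes:
    return bytes(int(part) for part in text.split("."))

def icmp_frame(dst_mac, src_mac, src_ip, dst_ip, icmp_type, ident, seq):
    """Ethernet II + IPv4 + ICMP echo (type 8 request, type 0 reply)."""
    body = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + b"promisc-check"
    body = body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, 1, 0,
                      ip4(src_ip), ip4(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return mac(dst_mac) + mac(src_mac) + b"\x08\x00" + hdr + body

def answers_probe(frame: bytes, target_ip: str, ident: int, seq: int) -> bool:
    """True if frame is a valid ICMP echo reply from target_ip to our probe."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00":
        return False
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    icmp = frame[14 + ihl:14 + total_len]      # ignores Ethernet padding
    if frame[23] != 1 or frame[26:30] != ip4(target_ip) or len(icmp) < 8:
        return False
    typ, code, _, rid, rseq = struct.unpack("!BBHHH", icmp[:8])
    return (typ, code, rid, rseq) == (0, 0, ident, seq) and inet_checksum(icmp) == 0

# Constructed lab values (assumptions, not from the post).
US_MAC, US_IP = "02:00:00:00:00:01", "192.0.2.10"
HOST_MAC, HOST_IP = "02:00:00:00:00:02", "192.0.2.20"
BOGUS_MAC = "02:00:00:00:00:99"   # unicast address that belongs to no host

PROBE = icmp_frame(BOGUS_MAC, US_MAC, US_IP, HOST_IP, 8, 0x1234, 1)
REPLY = icmp_frame(US_MAC, HOST_MAC, HOST_IP, US_IP, 0, 0x1234, 1)  # constructed

if __name__ == "__main__":
    print("probe:", PROBE.hex())
    print("host answered mis-addressed frame:", answers_probe(REPLY, HOST_IP, 0x1234, 1))
```

A reply to such a probe means the target's IP stack processed a frame its NIC should have filtered; no reply is inconclusive, since the post reports that not every stack shows this behaviour.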


