Intrusion Detection Systems mailing list archives

Re: RE: detecting a sniffer remotely


From: robert_david_graham () yahoo com (Robert Graham)
Date: Thu, 14 Oct 1999 06:34:39 -0700 (PDT)



--- "Hunt, Charles" <chunt () ikon com> wrote:
have you tried l0pht's antisniff product?
---
Hi there,

I've tried to detect a sniffer (ethernet card in PROMISCUOUS)
remotely without result.

Does anyone know if it's possible to detect remotely a sniffing host
(especially without knowing its IP or MAC address)?

AntiSniff has a small bag of tricks, but they are not very reliable -- it isn't
supposed to be. In the range of technologies, something like a packet filtering
firewall is absolutely reliable, intrusion detection technology is somewhat
reliable, but detecting sniffers is very hit or miss. If it doesn't work, there
are a huge number of variables that would affect why.

Yes, it is possible to detect a remotely sniffing host with knowing its IP
address or MAC address. Send out a ping to an IP address, then sniff yourself
to see if anybody does a reverse lookup on it. That is one of the many tricks
in AntiSniff's bag-o-tricks, but of course lots of sniffers don't do
reverse-DNS lookups; some wait until a user actually does a protocol decode on
the contents, which may be months later.

You might consider the little "sniffer detection guide" at:
http://www.robertgraham.com/pubs/sniffing-faq.html#detect

=====
Robert Graham
"Anxiously awaiting the millennium so I can start programming
dates with 2-digits again."
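The reverse-DNS trick described in the message above, worked through as an added example (this is not code from the post, from AntiSniff, or from the sniffing FAQ it links). The idea: send a packet to a bait address that no host on the segment should ever have a reason to resolve, then watch port 53 for PTR queries naming that address. Only a machine that captured the bait packet off the wire can know to look it up, and a machine whose interface is not in promiscuous mode never sees a packet that was not addressed to it. The bait addresses, the resolver clients, and the captured DNS queries below are all constructed for the example; in practice the ICMP packet would go out on a raw socket and the queries would come from a capture on UDP port 53.

```python
import ipaddress
import struct

# Bait: addresses on the local segment that no legitimate host resolves.
# Constructed for this example; they belong to no real network.
BAIT_IPS = {"10.9.8.7", "10.9.8.99"}
QTYPE_PTR = 12


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(ident: int = 0x4242, seq: int = 1, payload: bytes = b"bait") -> bytes:
    """ICMP echo request (type 8) to send at the bait address. A promiscuous
    card on the segment sees it even though no host owns the bait address."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def encode_qname(name: str) -> bytes:
    """DNS wire form of a name: length-prefixed labels, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_dns_query(qname: str, qtype: int = QTYPE_PTR, txid: int = 0x1234) -> bytes:
    """Minimal DNS query message; used here only to construct the sample capture."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    return header + encode_qname(qname) + struct.pack("!HH", qtype, 1)


def parse_dns_question(payload: bytes):
    """Return (qname, qtype) of the first question in a DNS query, or None
    for responses, truncated messages, or names using compression pointers."""
    if len(payload) < 12:
        return None
    _txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount < 1:  # a response, or nothing asked
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            return None
        n = payload[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0:  # compression pointer: not expected in a question name
            return None
        labels.append(payload[pos:pos + n].decode("ascii", "replace"))
        pos += n
    if pos + 4 > len(payload):
        return None
    qtype, _qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return ".".join(labels), qtype


def find_sniffers(bait_ips, dns_queries):
    """dns_queries: iterable of (src_ip, udp_payload) seen going to port 53.
    Returns {src_ip: [bait addresses that host tried to reverse-resolve]}."""
    bait_ptrs = {ipaddress.ip_address(ip).reverse_pointer: ip for ip in bait_ips}
    hits = {}
    for src, payload in dns_queries:
        q = parse_dns_question(payload)
        if q is None:
            continue
        qname, qtype = q
        if qtype == QTYPE_PTR and qname in bait_ptrs:
            hits.setdefault(src, []).append(bait_ptrs[qname])
    return hits


# Constructed sample capture: what a "tcpdump -n udp dst port 53" might show
# after the bait is sent. 192.0.2.50 reverse-resolves both bait addresses;
# the other two queries are ordinary traffic and must not be flagged.
SAMPLE_CAPTURE = [
    ("192.0.2.10", build_dns_query("www.example.com", qtype=1)),
    ("192.0.2.50", build_dns_query("7.8.9.10.in-addr.arpa")),
    ("192.0.2.20", build_dns_query("1.2.0.192.in-addr.arpa")),
    ("192.0.2.50", build_dns_query("99.8.9.10.in-addr.arpa")),
]

if __name__ == "__main__":
    print(find_sniffers(BAIT_IPS, SAMPLE_CAPTURE))
```

The check is only as good as the message says it is: a sniffer that never resolves names, or that defers the lookup until someone decodes the capture months later, produces no PTR query and stays invisible to this test. A hit is also only evidence that the host saw the bait packet, so a bait address on the same segment as the suspect, and a capture point that sees the suspect's DNS traffic, are both required for the result to mean anything.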