Intrusion Detection Systems mailing list archives
Re: RE: detecting a sniffer remotely
From: mlists () gizmo kyrnet kg (CyberPsychotic)
Date: Sat, 16 Oct 1999 10:47:56 +0500 (KGT)
~
~ Does anyone know if it's possible to detect remotely a sniffing host
~ (specially without knowing its IP or MAC address.
~

Most sniffer detectors are based on a bug(?) in the IP stack implementation, which makes a host whose device(s) is running in promisc. mode recognize an IP packet even if the MAC address in the Ethernet frame doesn't match (otherwise such an Ethernet frame would get dropped earlier).

If the box running the sniffer has an IP stack running, you could probably detect its IP address by generating various broadcasts and listening to what stuff has been transmitted over the wire. Once the IP address has been learnt, you could deploy the scheme above..
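The check described in the message above, as an added example that is not part of the original post: it builds an ICMP echo request whose destination IP is correct but whose destination MAC is deliberately wrong, and recognizes a matching echo reply, which a host should only send if its interface accepted the mismatched frame. The function names, the choice of ICMP echo as the probe, and all addresses are assumptions made for illustration.

```python
import socket
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def mac(text: str) -> bytes:
    """Convert 'aa:bb:cc:dd:ee:ff' to 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))

def build_probe(src_mac, bogus_dst_mac, src_ip, dst_ip, ident=0x4242, seq=1):
    """Ethernet frame: wrong destination MAC, correct destination IP, ICMP echo request."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + b"promisc-probe"
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), ident, 0, 64, 1, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return mac(bogus_dst_mac) + mac(src_mac) + b"\x08\x00" + ip + icmp

def answers_probe(frame: bytes, dst_ip: str, ident=0x4242, seq=1) -> bool:
    """True if frame is an ICMP echo reply from dst_ip matching the probe's id/seq."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00":   # too short or not IPv4
        return False
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                               # IP header length in bytes
    if ip[9] != 1 or ip[12:16] != socket.inet_aton(dst_ip) or len(ip) < ihl + 8:
        return False                                       # not ICMP from the probed host
    icmp_type, _, _, r_id, r_seq = struct.unpack("!BBHHH", ip[ihl:ihl + 8])
    return icmp_type == 0 and (r_id, r_seq) == (ident, seq)

# Constructed sample values: documentation IP addresses and made-up MACs.
PROBE = build_probe("02:00:00:00:00:01", "02:de:ad:be:ef:00",
                    "192.0.2.10", "192.0.2.20")
```

On Linux the probe frame can be written to the wire from an `AF_PACKET` raw socket, and captured frames passed to `answers_probe`; the bogus destination MAC must be a unicast address that no host on the segment owns.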
