Detect sniffing ?

Post by Ted Stabero » Wed, 14 Oct 1998 04:00:00



Hi Trevor,

    In a shared media networking environment all network interfaces
'hear' all the traffic on the segment.  Normally, network interfaces
ignore packets that are addressed to other machines.  Sniffing software
switches a network interface into a mode called 'promiscuous mode'
where all packets are passed up the stack to be displayed or analyzed.
It is, as far as I know, impossible to detect when an interface is in
promiscuous mode.

Ted Staberow
Prairie Networking, Inc.


> is there any way to detect if there is someone sniffing packets on a
> network ?

 
 
 


Post by Frank Keene » Wed, 14 Oct 1998 04:00:00


Nope.

> is there any way to detect if there is someone sniffing packets on a
> network ?


 
 
 


Post by trev.. » Thu, 15 Oct 1998 04:00:00


is there any way to detect if there is someone sniffing packets on a
network ?
 
 
 


Post by Phil DeBecke » Thu, 15 Oct 1998 04:00:00



> is there any way to detect if there is someone sniffing packets on a
> network ?

One way to detect sniffing, which may or may not work against all OSes,
is to trick the sniffer into responding to packets that don't really
belong to it.  You could, for example, send an ICMP ping to a suspected
sniffer's IP address, with an incorrect hardware address in the packet
header.  A host in promiscuous mode (i.e. sniffing) would respond to the
ping, whereas the packet would be rejected by a host whose ethernet
device is not in promiscuous mode.

One problem, though:  if the sniffer is really smart, they can check at
a software level for this sort of trick and defeat it (i.e. not respond).
The OS conceivably might do this for them also.

Phil
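
The probe described in the post above, as an added example that is not part of the original thread: it builds the ICMP echo request frame with a wrong destination hardware address and models, offline, how a normal host, a promiscuous host, and a host whose stack re-checks the MAC would each react. The addresses, `build_probe` and `host_replies` are constructed for illustration, and the host model is a simplification rather than any particular OS's behaviour.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by IP and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))

def ip(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))

def build_probe(src_mac, bogus_dst_mac, src_ip, dst_ip, ident=0x1234, seq=1):
    """Ethernet + IPv4 + ICMP echo request: correct IP, wrong hardware address."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + b"promisc-probe"
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    iphdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0,
                        64, 1, 0, ip(src_ip), ip(dst_ip))
    iphdr = iphdr[:10] + struct.pack("!H", inet_checksum(iphdr)) + iphdr[12:]
    return mac(bogus_dst_mac) + mac(src_mac) + b"\x08\x00" + iphdr + icmp

def host_replies(frame, host_mac, host_ip, promiscuous, stack_checks_mac=False):
    """Simplified host model: would this host answer the probe?"""
    dst_mac, dst_ip = frame[0:6], frame[30:34]
    for_us = dst_mac in (mac(host_mac), b"\xff" * 6)
    if not promiscuous and not for_us:
        return False  # NIC address filter drops the frame before the stack sees it
    if stack_checks_mac and not for_us:
        return False  # software re-check of the MAC: the caveat in the post
    is_echo = frame[12:14] == b"\x08\x00" and frame[23] == 1 and frame[34] == 8
    return is_echo and dst_ip == ip(host_ip)

# Constructed sample addresses (documentation IP range, locally administered MACs).
SUSPECT_MAC, SUSPECT_IP = "02:00:00:00:00:20", "192.0.2.20"
PROBE = build_probe("02:00:00:00:00:10", "02:00:00:00:00:99",
                    "192.0.2.10", SUSPECT_IP)

if __name__ == "__main__":
    for promisc, checks in [(False, False), (True, False), (True, True)]:
        answer = host_replies(PROBE, SUSPECT_MAC, SUSPECT_IP, promisc, checks)
        print(f"promiscuous={promisc} stack_checks_mac={checks} -> replies={answer}")
```

A reply only shows that the interface accepted a frame not addressed to it; as the last case shows, silence does not prove the interface is not in promiscuous mode.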

 
 
 


Post by Erik Vasaas » Thu, 15 Oct 1998 04:00:00



>is there any way to detect if there is someone sniffing packets on a
>network ?

Usually no, but fetch neped.c from ftp://apostols.org, it might be what you're
looking for. It only claims to detect Linux computers in promiscuous mode
though.

Queso, which you can get from the same place, is also fairly cool.

Erik

--

Note that I get email at icl.no, not lcl.no.

 
 
 


Post by Steve's Accou » Tue, 20 Oct 1998 04:00:00





>> is there any way to detect if there is someone sniffing packets on a
>> network ?

Then there is the social engineering method... put some fake traffic on the
net logging in to a honey pot account... when the sniffer uses it... you've got
'em!

Steve