Security Incidents mailing list archives

Re: Sniffer on my network


From: Sandro Gauci <Sandro () GFI COM>
Date: Tue, 22 Aug 2000 09:47:27 +0200

Languard is using ARP packets to identify sniffers on the network. For
identification of these packets Languard is using IP SRC address 13.10.15.10
in ARP packet. This shouldn't affect TCP/IP connections OR ARP cache table
when network card is in promiscuous mode.

It is probably some mis-configuration. You should reinstall / update network
card drivers on the machine listed as in promiscuous mode.


Regards,

Obs.


-----Original Message-----
From: Eduardo Cruz [mailto:eduardo.cruz () TS-G COM]
Sent: Friday, August 18, 2000 10:15 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: Sniffer on my network


The fact that your LANGUARD has detected that your workstation has a sniffer
is not correct at all. That program has detected that the ethernet of that
workstation is in promiscuous mode. A sniffer has to put the ethernet in that
state, yes, but many tools for detecting scans, etc. do that as well.

good luck

----- Original Message -----
From: Computer Vegetable <CompuVeg () COLUMBUS RR COM>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Wednesday, August 16, 2000 3:36 PM
Subject: Sniffer on my network


At my office I've recently installed a network monitoring package called
LanGuard.  One of the things this tool does is find network sniffers on your
network.  I didn't expect to see any, but as it turns out one of our
workstations is showing up as a sniffer.

I am unable to find any processes running on the machine with unidentifiable
sources.  I'm also unable to find any known Trojans or other viruses on that
machine.  The only odd thing that I have found is that anytime a network
cable is plugged into the workstation in question, the address 13.10.15.10
shows up IMMEDIATELY in the ARP.

Has anyone seen anything like this?  ARIN says the address is owned by Xerox
PARC, whose admin says that IP is theirs, but not currently in use.

Thanks
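
Added example, not part of the original thread and not LANguard's code: a way to confirm from a packet capture which local MAC address is sending the ARP requests with sender IP 13.10.15.10 that produce the unexpected ARP cache entry. The frames, MAC addresses and 192.168.1.x addresses are constructed, and the non-broadcast destination MAC on the sample probe is an assumption about how such probes are built (the thread states only the source IP).

```python
import socket
import struct

PROBE_SRC_IP = "13.10.15.10"      # ARP sender IP named in the thread
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_arp(frame):
    """Parse an Ethernet II frame; return ARP fields or None if not IPv4 ARP."""
    if len(frame) < 42:
        return None
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_dst": mac_str(eth_dst), "eth_src": mac_str(eth_src), "op": op,
            "sha": mac_str(sha), "spa": socket.inet_ntoa(spa),
            "tpa": socket.inet_ntoa(tpa)}

def find_probes(frames):
    """Return ARP requests sent from the probe IP, noting if each was broadcast."""
    probes = []
    for frame in frames:
        arp = parse_arp(frame)
        if arp and arp["op"] == 1 and arp["spa"] == PROBE_SRC_IP:
            arp["dst_is_broadcast"] = arp["eth_dst"] == BROADCAST
            probes.append(arp)
    return probes

def build_frame(eth_dst, sha, spa, tpa, ethertype=0x0806):
    """Build a constructed ARP request frame for the sample data below."""
    to_mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return (struct.pack("!6s6sH", to_mac(eth_dst), to_mac(sha), ethertype)
            + struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1, to_mac(sha),
                          socket.inet_aton(spa), bytes(6), socket.inet_aton(tpa)))

# Constructed sample capture: all MACs and 192.168.1.x addresses are made up.
SAMPLE_FRAMES = [
    build_frame("ff:ff:ff:ff:ff:fe", "00:11:22:33:44:55", PROBE_SRC_IP, "192.168.1.20"),
    build_frame(BROADCAST, "00:aa:bb:cc:dd:01", "192.168.1.1", "192.168.1.20"),
    build_frame(BROADCAST, "00:aa:bb:cc:dd:02", "192.168.1.5", "192.168.1.1", 0x0800),
]

if __name__ == "__main__":
    print(find_probes(SAMPLE_FRAMES))
```

The `sha` field of each hit is the hardware address of the machine that generated the probe, which can be matched against the host running the scanner.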


