Security Incidents mailing list archives
Re: Sniffer on my network
From: Sandro Gauci <Sandro () GFI COM>
Date: Tue, 22 Aug 2000 09:47:27 +0200
Languard is using ARP packets to identify sniffers on the network. For identification of these packets Languard is using IP SRC address 13.10.15.10 in ARP packet. This shouldn't effect TCP/IP connections OR ARP cache table when network card is in promiscuous mode. It is probably some mis-configuration. You should reinstall / update network card drivers on the machine listed as in promiscuous mode. Regards, Obs. -----Original Message----- From: Eduardo Cruz [mailto:eduardo.cruz () TS-G COM] Sent: Friday, August 18, 2000 10:15 AM To: INCIDENTS () SECURITYFOCUS COM Subject: Re: Sniffer on my network the fact that ur LANGUARD has detected that your workstation has a sniffer is not correct at all, that program has detected the ethernet of that workstation is in promiscuous mode, a sniffer has to put the ethernet in that state yes, but many tools for detect scans and etc.. do that as well good luck ----- Original Message ----- From: Computer Vegetable <CompuVeg () COLUMBUS RR COM> To: <INCIDENTS () SECURITYFOCUS COM> Sent: Wednesday, August 16, 2000 3:36 PM Subject: Sniffer on my network
At my office I've recently installed a network monitoring package called LanGuard. One of the things this tool does is find network sniffers on
your
network. I didn't expect to see any, but as it turns out one of our workstations is showing up as a sniffer. I am unable to find any processes running on the machine with
unidentifiable
sources. I'm also unable to find any known Trojans or other viruses on
that
machine. The only odd thing that I have found is that anytime a network cable is plugged into the workstation in question, the address 13.10.15.10 shows up IMMEDIATELY in the ARP. Has anyone seen anything like this? ARIN says the address is owned by
Xerox
PARC, who's admin says that IP is theirs, but not currently in use. Thanks
Current thread:
- Sniffer on my network Computer Vegetable (Aug 18)
- Re: Sniffer on my network Eduardo Cruz (Aug 18)
- <Possible follow-ups>
- Re: Sniffer on my network Sandro Gauci (Aug 22)