RE: A Solution for sniffing

[Jason Kohles <jkohles () redhat com>]

On Thu, 2002-12-19 at 12:25, Jose Avila III wrote:
> Now i know there are hardware devices that you can plug into that will allow
> you not to be detected.  What these maily doo is remove the 2 TX wires in
> the CAT5 cable from the solution... These are looped back as to not cause a
> hardware conflict... The Sniffer is now incapeable of transmitting and is
> hence undetectible.  Correct me if i am wrong but that is what i have been
> come to believe so far
The general technique for detecting promiscuous cards is to send some
traffic that no machines on the network would normally see, that tricks
them into responding, then you know that any machine that responds to it
is likely seeing all the network traffic, instead of just it's own. 
Using receive-only hardware prevents the response from going out if the
trick is successful, but there are also a lot of operating systems that
are not easily tricked to begin with, and won't respond even without
special hardware.

> --Jose
>
> -----Original Message-----
> From: wbjw () mindspring com [mailto:wbjw () mindspring com]
> Sent: Wednesday, December 18, 2002 11:03 AM
> To: Bruce.Orcutt () alltel com
> Cc: fadi () lebrocks com; security-basics () securityfocus com
> Subject: RE: A Solution for sniffing
>
>
> There ARE ways to detect sniffing, but not necessarily completely reliable.
> Sniffing places the network device into promiscous (SP?) mode.  The old
> l0pht
> had a antisniff which @Stake still offers.  Other tools may exist as well
> which detect sniffing.
>
> On Tue, 17 Dec 2002 12:19:23 -0500 Bruce.Orcutt () alltel com wrote:
>
> > As sniffing is a passive act, there is no way
> > that you can detect the act itself, unless you
> > have access to the machine that's doing the
> > possible sniffing itself.
> >
> > Perhaps one of the simplest ways to ensure
> > sniffing is made much more difficult at the
> > least is by switching from a hub type network
> > to a switched network.  In a switched
> > environment, other users cannot see each others
> > network streams, thus providing a layer of
> > protection.
> >
> > Of course, like all techniques, this can be
> > gotten around by various additional techniques,
> > but it does make life more difficult to would
> > be sniffers. (ie: user installs a hub via an
> > uplink port to switched segment, and connects
> > target's system and a sniffing machine to the
> > hub.)
> >
> >
> >
> > -----Original Message-----
> > From: fadi () lebrocks com
> > [mailto:fadi () lebrocks com]
> > Sent: Tuesday, December 17, 2002 5:41 AM
> > To: security-basics () securityfocus com
> > Subject: A Solution for sniffing
> >
> >
> >
> > Hello Folks,
> > I think i am being sniffed by somone on my
> > network, and i was wondering. is
> > there an application to check wether i am being
> > sniffed or not, and if i
> > was, how can i fix that ?(like PGP for mail,
> > what about other protocols)
> >
> > P.S. : Running Linux Slackware 8.1 (if that
> > would help)
> >
> > cheers,
> > Fadi R. Khouja
-- 
Jason Kohles                                 jkohles () redhat com
Senior Engineer                 Red Hat Professional Consulting