Security Basics mailing list archives

RE: Detecting Network Sniffers ???


From: "Amin Tora" <atora () EPLUS com>
Date: Sat, 29 May 2004 11:02:30 -0400

 

Can somebody guide me on detecting a sniffer on my network. Can I
still detect a sniffer even if the computer running the sniffer has
disabled the TCP/IP stack?

Just out of curiosity, how would someone be able to sniff if they
disabled the TCP/IP stack? Are you saying that they'd capture all
ethernet frames, and then parse those apart? If the IP stack is
disabled (and not replaced), then how would the IP packets be parsed,
or passed up to the application layer?

Quick Comment on this: 

There are IDS systems that allow for this {i.e. ISS, Snort, etc.} and
there are also freeware kernel-level drivers that replace the binding
and requirement for the OS TCP/IP stack, handle packets in raw format and
convert them to readable data for the intended use...

The reason this works is that it doesn't rely on the TCP/IP stack;
rather, the whole TCP/IP stack is 'replaced' for this purpose by its own
"stack" that binds to the NIC.

See:

"3.1 How do I setup snort on a 'stealth' interface?" at
http://www.snort.org/docs/FAQ.txt
This shows how to configure a stealth interface on {BSD, LINUX, WINx} for
SNORT.

"Network Sensor Stealth Configuration", on pg. 157 at
http://documents.iss.net/literature/RealSecure/RS_NetSensor_IG_7.0.pdf
This shows how to configure ISS RealSecure in Stealth mode, where the
listening interface has no protocol stack bound to it.



Amin Tora, CISSP, CHSP
Security Consultant
ePlus Technology Inc.
13595 Dulles Technology Drive
Herndon, VA 20171
office: 703-793-1330
cell: 703-675-0738
web: http://www.eplustechnology.com
email: atora-at-eplus.com
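As an added illustration (not code from the original post, nor from Snort or ISS): a minimal raw Ethernet/IPv4/TCP decoder of the kind a stealth sensor relies on when no OS TCP/IP stack is bound to the capture interface. The sample frame is constructed by hand (an IPv4/TCP SYN); a real sensor would read such bytes straight from the NIC instead.

```python
# Added example: decode a raw Ethernet frame without any help from the OS
# TCP/IP stack, as a sensor on a stealth (no-IP) interface has to do.
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def ipv4(b):
    return ".".join(str(x) for x in b)

def parse_frame(frame):
    """Decode Ethernet -> IPv4 -> TCP headers from raw bytes.
    Returns a dict with whatever layers could be decoded, or None if the
    bytes are too short to even hold an Ethernet header."""
    if len(frame) < 14:
        return None
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst_mac": mac(dst), "src_mac": mac(src), "ethertype": ethertype}
    if ethertype != ETHERTYPE_IPV4 or len(frame) < 34:
        return info                      # not IPv4, or truncated IP header
    ip = frame[14:]
    if ip[0] >> 4 != 4:
        return info                      # version field says it is not IPv4
    ihl = (ip[0] & 0x0F) * 4             # header length incl. options
    if ihl < 20 or len(ip) < ihl:
        return info
    info.update({"ip_len": struct.unpack("!H", ip[2:4])[0], "proto": ip[9],
                 "src_ip": ipv4(ip[12:16]), "dst_ip": ipv4(ip[16:20])})
    if ip[9] != PROTO_TCP or len(ip) < ihl + 20:
        return info                      # not TCP, or truncated TCP header
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", ip[ihl:ihl + 14])
    info.update({"sport": sport, "dport": dport, "seq": seq, "ack": ack,
                 "flags": off_flags & 0x1FF})  # low 9 bits are the TCP flags
    return info

# Constructed sample frame: Ethernet + 20-byte IPv4 header + 20-byte TCP SYN
# from 10.0.0.1:50000 to 10.0.0.2:80 (checksums left zero for brevity).
SAMPLE_FRAME = (
    bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    + bytes.fromhex("4500002800010000400600000a0000010a000002")
    + bytes.fromhex("c350005000000001000000005002000000000000")
)

if __name__ == "__main__":
    print(parse_frame(SAMPLE_FRAME))
```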

