Re: Detect Network Sniffing

[Eric Kollmann <xnih13 () gmail com>]

Try 2 in plain text format this time...

Shameless plug for an old program I wrote, windows only, needs
winpcap, hasn't been updated in 3 or more years:
http://myweb.cableone.net/xnih/download/sam.zip

It was actually designed to do OS fingerprinting by ARP packets,
though one of the side things I found was that I could detect systems
running in promiscous mode.

2 links I have in my notes for detecting systems in promiscous mode are here:
http://www.securityfriday.com/promiscuous_detection_01.pdf
http://www.nta-monitor.com/wiki/index.php/Arp-scan_User_Guide#Detecting_Promiscuous_Mode_Interfaces

Not sure if both are still good links and I'm too lazy to check right now.

So if you are on the same segment, by using ARP packets you can tell
if a system is in promisicous and can tell if it is windows or linux,
but as others have noted, this will only tell you about your current
network.

If there is a span port on the router or if your ISP is doing
something there really isn't any way you are going to be able to
detect this.

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------