Bugtraq mailing list archives

Re: detecting sniffers is downright easy


From: patrick () oes amdahl com (Patrick Horgan)
Date: Wed, 10 May 1995 07:48:35 +0800



The vast majority of real-world sniffers reported to date are software
sniffers of one of two varieties:

      1 - DOS programs using the network interface in promiscuous mode.
      2 - Unix programs modifying OS software to observe packets.

The total number of (1) programs in widespread use comes to only 10-20
and is certainly under 100.  Current virus scanning technology makes
detection of these cases trivial by simply adding patterns for them into

This is quite strange!  I've never heard of a trojan horse or virus-like
sniffer!  People just run the sniffer software.

your existing virus scanning software.  HOWEVER - since bugtraq is ONLY
concerned with Unix security holes, this is not relevant to this list
and should be taken elsewhere. 

All current (2) programs can be detected by comparing the OS programs
with their original distribution versions using MD5 or a similar
cryptographic checksum technique.  This has been widely published for
over 5 years.

Again, sniffer programs on unix don't modify system software, they just
run.  I think you're confused here.


Thus, not only is detection of all Unix-based real-world sniffers not
impossible or infeasible, it is downright easy and simple. 

It can be, but not the way you're talking about.  And the original poster
of the thread asked how you can tell if a sniffer is running on your
network, not how to tell if your system software has been modified.
This is quite out there for one of your posts, you usually have
better knowledge of the field.  Makes me wonder if someone didn't 
forge mail from you, but looking at the headers everything seems ok.

Methinks you should just drop this thread, the longer it goes the 
stranger you look.

Patrick
   _______________________________________________________________________
  /  These opinions are mine, and not Amdahl's (except by coincidence;).  \
 |                                                       (\                |
 |  Patrick J. Horgan         Amdahl Corporation          \\    Have       |
 |  patrick () amdahl com        1250 East Arques Avenue      \\  _ Sword     | 
 |  Phone : (408)992-2779     P.O. Box 3470 M/S 316         \\/    Will    | 
 |  FAX   : (408)773-0833     Sunnyvale, CA 94088-3470     _/\\     Travel | 
  \___________________________O16-2294________________________\)__________/
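The checksum comparison the quoted poster describes (compare installed OS programs against a baseline of their distribution versions) as an added example, not code from anyone in this thread: it builds a digest manifest of a directory tree and then reports files that were modified, removed or added. It defaults to SHA-256 rather than MD5 (the algorithm name is a parameter); the directory tree, file names and contents in `demo()` are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path, algo="sha256"):
    """Digest a file in chunks so large binaries are not read into memory at once."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, algo="sha256"):
    """Map each regular file under root (path relative to root) to its digest."""
    root = Path(root)
    return {str(p.relative_to(root)): file_digest(p, algo)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(root, baseline, algo="sha256"):
    """Compare the tree under root against a saved baseline manifest.

    Returns sorted lists of paths whose digest changed, paths present in the
    baseline but gone now, and paths that exist now but were never recorded.
    """
    current = build_manifest(root, algo)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo():
    """Constructed scenario: record a pristine tree, then alter one file and drop in another."""
    with tempfile.TemporaryDirectory() as d:
        bin_dir = Path(d, "bin")
        bin_dir.mkdir()
        (bin_dir / "ifconfig").write_bytes(b"original ifconfig")   # constructed content
        (bin_dir / "netstat").write_bytes(b"original netstat")     # constructed content
        baseline = build_manifest(d)
        (bin_dir / "netstat").write_bytes(b"patched netstat")      # simulate a replaced binary
        (bin_dir / "extra").write_bytes(b"unknown")                # simulate an unexpected file
        return verify(d, baseline)


if __name__ == "__main__":
    print(demo())
```

As the reply above points out, a clean manifest only shows that the system programs are unmodified; it says nothing about whether a sniffer process that does not touch them is running.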
