Bugtraq mailing list archives
Re: Detecting a sniffer
From: mcn () EnGarde com (Mike Neuman)
Date: Mon, 1 May 1995 12:49:43 -0500
From owner-bugtraq () fc net Mon May 1 11:36:08 1995
You can't "detect a sniffer" from looking at the net...
There are some tricks you can try, although they won't work in all cases.

1) rup hostx; generate tremendous amounts of TCP traffic; rup hostx again. If a sniffer is running, most likely the load will go up substantially to deal with the increased traffic.

2) Look for large amounts of name server queries. A telltale sign that tcpdump is running is dozens of requests in a short period of time for reverse lookups.

As I said, these won't work in all cases, although the sniffers I've seen floating around in hackers' toolboxes these days will be detected by either of these techniques.

-Mike
mcn () EnGarde com
En Garde Systems - Computer Security Software and Consulting
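The second check in the post above, sketched as an added example that is not part of the original message: it scans a name server query log for clients that request many distinct reverse (PTR) lookups inside a short window. The log layout, the sample lines, the function names and the 60-second / 20-name thresholds are all assumptions made for illustration.

```python
from collections import Counter, defaultdict, deque

def make_sample():
    """Constructed log lines: '<epoch seconds> <client IP> <qtype> <qname>' (assumed layout)."""
    lines = []
    # 192.0.2.10 asks for 30 different reverse names within 15 seconds
    for i in range(30):
        lines.append(f"{1000 + i // 2} 192.0.2.10 PTR {i + 1}.2.0.192.in-addr.arpa")
    # 192.0.2.20 does ordinary forward lookups and a single PTR
    for i in range(10):
        lines.append(f"{1000 + i * 30} 192.0.2.20 A host{i}.example.com")
    lines.append("1100 192.0.2.20 PTR 5.2.0.192.in-addr.arpa")
    lines.append("garbage line")  # malformed input must be skipped, not crash the scan
    return lines

def ptr_bursts(lines, window=60, threshold=20):
    """Return {client: peak count of distinct PTR names seen in any `window`
    seconds} for every client whose peak reaches `threshold`."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue
        ts, client, qtype = int(parts[0]), parts[1], parts[2].upper()
        qname = parts[3].lower().rstrip(".")
        if qtype == "PTR" and qname.endswith(".in-addr.arpa"):
            events.append((ts, client, qname))
    events.sort()  # tolerate slightly out-of-order log lines

    recent = defaultdict(deque)    # client -> (ts, qname) still inside the window
    names = defaultdict(Counter)   # client -> how often each qname is in the window
    peak = defaultdict(int)
    for ts, client, qname in events:
        q, seen = recent[client], names[client]
        q.append((ts, qname))
        seen[qname] += 1
        # Expire entries older than the window; the entry just added always stays.
        while q[0][0] <= ts - window:
            _, old = q.popleft()
            seen[old] -= 1
            if seen[old] == 0:
                del seen[old]
        # Distinct names, so retries of one lookup do not inflate the count.
        peak[client] = max(peak[client], len(seen))
    return {c: n for c, n in peak.items() if n >= threshold}

if __name__ == "__main__":
    for client, n in ptr_bursts(make_sample()).items():
        print(f"{client}: {n} distinct reverse lookups within 60s")
```

A host that resolves addresses legitimately in bulk (a mail relay or log analyzer, for instance) will also trip this, so the output is a list of hosts to look at rather than a verdict.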