IDS mailing list archives
Re: Counter detect Network Sniffer
From: "M. Dodge Mumford" <dodge () nfr net>
Date: Fri, 20 Feb 2004 19:59:22 -0500
Bill Mok said:
Is there any method to detect one using a sniffer, say Ethereal, in the same network?
The most notable attempt I'm aware of was the l0pht's AntiSniff. It used a variety of methods, which included:

- Ping all the hosts on a local subnet, to get an idea of the average response times. Flood the network with garbage traffic, then ping again. Hosts whose response times varied were probably sniffing (due to increased CPU load).
- Send packets from bizarre network addresses, and look for DNS PTR requests.
- Attempt to exploit various kernel-layer issues (especially notable was a mistake in Linux 2.0.x kernel where it would pass packets given certain MAC/IP combinations).

--
Dodge
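An added example, not part of the original post and not AntiSniff's own code: one way to score the latency test described in the first bullet, given RTT samples already collected in the two ping rounds. The host addresses, RTT values, the multiplier `k` and the `floor_ms` cutoff are all constructed assumptions; a flagged host is a lead to investigate, not proof of a sniffer.

```python
from statistics import median

def latency_shift(baseline, loaded):
    """Per-host increase in median RTT (ms) between the quiet and flooded rounds."""
    return {h: median(loaded[h]) - median(baseline[h])
            for h in baseline if baseline[h] and loaded.get(h)}

def flag_outliers(shifts, k=5.0, floor_ms=0.5):
    """Return hosts whose shift stands out from the rest of the subnet.

    Flooding slows every host a little, so each shift is compared with the
    subnet-wide median shift using the median absolute deviation (MAD),
    which a single very slow host cannot skew. k and floor_ms are assumed
    tuning values, not figures from the post.
    """
    values = list(shifts.values())
    if not values:
        return []
    centre = median(values)
    mad = median(abs(v - centre) for v in values)
    # 1.4826 scales MAD to a standard deviation for normal data;
    # floor_ms avoids flagging jitter when all hosts behave alike.
    threshold = centre + max(k * 1.4826 * mad, floor_ms)
    return sorted(h for h, s in shifts.items() if s > threshold)

# Constructed sample data: RTTs in milliseconds per host.
BASELINE = {
    "10.0.0.11": [0.41, 0.39, 0.44, 0.40],
    "10.0.0.12": [0.38, 0.42, 0.40, 0.37],
    "10.0.0.13": [0.45, 0.43, 0.47, 0.44],
    "10.0.0.14": [0.40, 0.41, 0.39, 0.42],
    "10.0.0.15": [0.36, 0.39, 0.38, 0.37],
}
LOADED = {  # same hosts, pinged again while garbage traffic is on the wire
    "10.0.0.11": [0.52, 0.49, 0.55, 0.50],
    "10.0.0.12": [0.47, 0.51, 0.49, 0.48],
    "10.0.0.13": [0.56, 0.53, 0.58, 0.55],
    "10.0.0.14": [3.90, 4.40, 4.10, 4.60],
    "10.0.0.15": [0.45, 0.48, 0.46, 0.47],
}

if __name__ == "__main__":
    for host in flag_outliers(latency_shift(BASELINE, LOADED)):
        print(f"{host}: response time rose far more than its neighbours under load")
```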