IDS mailing list archives

Re: Counter detect Network Sniffer


From: "Tace " <tace () lycos com>
Date: Sat, 21 Feb 2004 21:12:06 +0700

Hi,
    I think there are a few methods mentioned before that can "detect" the use of a sniffer. Note that I used "detect", 
as the methods can only detect whether a machine is in promiscuous mode or not. (Of course, I can set my network 
interface into promiscuous mode without starting a sniffer, but only in rare cases, e.g. when you are using the virtual 
switch function of Virtual PC, etc.)
    I remember 2 methods. The first one is more tedious, requiring you to have control of the network. It involves 
introducing traffic noise into the network (to various machines) and measuring the latency and response of connections 
to all machines in the network. A machine in promiscuous mode will lag, as it has to handle other packets not meant 
for it (normally rejected at the data link layer if not meant for it).
    The second method is easier to perform, involving tricking the machine in promiscuous mode into responding. However, you 
need to be able to craft your own packets (use libnet, I think). The idea is to set the MAC address of the packet to some 
address that does not belong to any of the machines in the network. Set the IP of the packet to reflect correctly the IP 
of the machine you are probing. Send it into the network and it should respond when it shouldn't... then you know it 
is in promiscuous mode...
    Next is to detect if the machine in promiscuous mode is running a sniffer.... that I am not sure how to do... 

    Of course, instead of rolling your own, you can always find some software already on the net that detects sniffers, 
like anti-sniffer etc...

    Hope this helps
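
The "bogus MAC" probe described in the reply above, written out as an added example (this is not code from the original post or from any of the tools it mentions). It builds the Ethernet/ARP probe frame by hand, parses the reply, and runs both against a small model of the target host so the behaviour can be seen without a live network. The addresses (prober 00:11:22:33:44:55 / 192.168.1.10, target 192.168.1.20) are constructed for the example, and the target model is an assumption: it mimics a NIC whose hardware filter passes only its own unicast MAC and broadcast unless promiscuous mode is on, and a kernel that answers any ARP request for its IP whose destination MAC is its own or has the group bit set. That is why ff:ff:ff:ff:ff:fe is used as the fake destination: a NIC drops it as an unsubscribed group address, while a kernel filtering in software tends to treat it like broadcast. A broadcast control probe is sent first, so "no answer" can be told apart from "host down".

```python
"""Promiscuous-mode probe via ARP with a bogus destination MAC (added example)."""
import struct

ETH_P_ARP = 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"
# Fake "almost broadcast" MAC: group bit set, but not a real broadcast address.
BOGUS_DST = "ff:ff:ff:ff:ff:fe"


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def build_arp(dst_mac, src_mac, src_ip, target_ip, op=1,
              target_mac="00:00:00:00:00:00") -> bytes:
    """Ethernet II frame carrying an ARP packet (op 1 = request, 2 = reply)."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + mac_bytes(src_mac) + ip_bytes(src_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame: bytes):
    """Return (dst_mac, src_mac, op, sender_mac, sender_ip, target_ip) or None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return (mac_str(frame[0:6]), mac_str(frame[6:12]), op,
            mac_str(frame[22:28]), ".".join(map(str, frame[28:32])),
            ".".join(map(str, frame[38:42])))


# --- Model of the target host (an assumption made for this example) ----------
def nic_accepts(dst_mac: str, host_mac: str, promisc: bool) -> bool:
    """Hardware filter: own unicast or broadcast only, unless promiscuous."""
    return promisc or dst_mac in (host_mac, BROADCAST)


def kernel_arp_reply(frame: bytes, host_mac: str, host_ip: str):
    """Software side: answer a request for our IP if the destination MAC is
    ours or any group address (first octet has the low bit set)."""
    parsed = parse_arp(frame)
    if parsed is None:
        return None
    dst, _src, op, sha, spa, tpa = parsed
    group_bit = int(dst.split(":")[0], 16) & 1
    if op != 1 or tpa != host_ip or not (dst == host_mac or group_bit):
        return None
    return build_arp(sha, host_mac, host_ip, spa, op=2, target_mac=sha)


def simulated_target(frame, host_mac, host_ip, promisc):
    if not nic_accepts(mac_str(frame[0:6]), host_mac, promisc):
        return None
    return kernel_arp_reply(frame, host_mac, host_ip)


def promisc_verdict(target_ip, target_mac, promisc,
                    prober_mac="00:11:22:33:44:55", prober_ip="192.168.1.10"):
    """Control probe (broadcast) first, then the bogus-MAC probe."""
    ctrl = build_arp(BROADCAST, prober_mac, prober_ip, target_ip)
    if simulated_target(ctrl, target_mac, target_ip, promisc) is None:
        return "host-down"
    bogus = build_arp(BOGUS_DST, prober_mac, prober_ip, target_ip)
    reply = simulated_target(bogus, target_mac, target_ip, promisc)
    if reply is None:
        return "not-promiscuous"
    p = parse_arp(reply)
    if p and p[2] == 2 and p[3] == target_mac and p[4] == target_ip:
        return "promiscuous"
    return "inconclusive"


if __name__ == "__main__":
    for flag in (False, True):
        print("promisc =", flag, "->", promisc_verdict("192.168.1.20", "aa:bb:cc:dd:ee:01", flag))
```

On a real network the frame from build_arp() is sent with a raw link-layer socket (on Linux, socket.AF_PACKET with SOCK_RAW, bound to the interface) and the reply is read from the same socket, which requires root. The verdict only says that the interface passes unaddressed frames up to the kernel; it does not say a sniffer is running, and which fake MACs provoke a reply is OS- and driver-specific, so the probe is evidence rather than proof in either direction.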


--------- Original Message ---------

DATE: Thu, 19 Feb 2004 11:49:49
From: Bill Mok <billmok2002 () yahoo com hk>
To: focus-ids () securityfocus com
Cc: 

Is there any method to detect one using sniffer, say
ethereal, in the same network?



---------------------------------------------------------------------------
Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection

Protect your network with the comprehensive security solution that integrates 
six applications for ease of use and lower TCO.

Firewall - Virus protection - Spam protection - URL blocking - VPN
- Wireless security.

Download 30-day evaluation at:
http://www.securityfocus.com/sponsor/Astaro_focus-ids_040219
---------------------------------------------------------------------------






