IDS mailing list archives

Re: Counter detect Network Sniffer


From: Chris Caydes <chris_caydes () yahoo com>
Date: Mon, 23 Feb 2004 14:05:25 -0800 (PST)

Hello Bill,

In order to capture the entire traffic passing on a
network segment, the sniffer needs to be put in
promiscuous mode.

One thing that should work to detect if a particular
NIC is configured in promiscuous mode on your network
segment is the following:
- determine the IP address and associated MAC address
of the suspected host, using ARP.
- send IP traffic to that node using its legitimate IP
address (for instance, ping) but forge the destination
MAC address to a different value than that of the
suspected node.
- if the node responds to that traffic despite the MAC
address being bogus, you can suspect the node to be in
promiscuous mode.

Note: if the target host runs a firewall, or if the
segment is on a switch instead of a hub, the trick
might not work.

Disclaimer: I haven't tried this trick myself, I'm
just assuming it would work. Also, I read a similar
idea a long time ago, but don't remember where.

Regards,
Chris

--- Bill Mok <billmok2002 () yahoo com hk> wrote:
Is there any method to detect one using sniffer, say
ethereal, in the same network?
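The three-step check above can be reasoned through with a small model of what each layer filters. The following is an added example, not code from the original thread or from Ethereal: it models a NIC's hardware filter, the host IP stack, a host firewall, and a hub versus a learning switch, then runs the probe from the post (a normal echo first as a baseline, then one with a forged destination MAC). All hosts, addresses and behaviour flags are constructed. Two assumptions beyond the post are modelled explicitly: a switch floods frames to an unknown destination MAC, so the forged frame still reaches every port unless the forged address is one the switch has already learned; and some stacks (Linux is one) discard frames the NIC only saw because it was promiscuous, which turns a real sniffer into a false "clean".

```python
"""Model of the bogus-MAC promiscuous-mode check described in the post.

Added example, not code from the original thread. Every host, address
and behaviour flag below is constructed for illustration.
"""
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    dst_mac: str   # Ethernet destination the NIC filters on
    dst_ip: str    # IP destination the stack checks before answering


@dataclass
class Host:
    ip: str
    mac: str
    promiscuous: bool = False
    firewall_drops_icmp: bool = False
    # Assumed flag: some stacks (Linux among them) still discard frames whose
    # destination MAC is not theirs even when the NIC is promiscuous, which
    # makes this probe report a false "clean".
    stack_checks_dst_mac: bool = False

    def addressed_to_me(self, frame: Frame) -> bool:
        return frame.dst_mac in (self.mac, BROADCAST)

    def nic_accepts(self, frame: Frame) -> bool:
        # Hardware filter: a normal NIC only passes its own unicast and
        # broadcast; a promiscuous one passes everything on the wire.
        return self.promiscuous or self.addressed_to_me(frame)

    def answers_echo(self, frame: Frame) -> bool:
        if not self.nic_accepts(frame):
            return False
        if self.stack_checks_dst_mac and not self.addressed_to_me(frame):
            return False
        if frame.dst_ip != self.ip or self.firewall_drops_icmp:
            return False
        return True


@dataclass
class Segment:
    hosts: list
    switched: bool = False

    def deliver(self, frame: Frame) -> list:
        """Hosts whose NIC sees the frame on the wire."""
        if not self.switched:
            return list(self.hosts)  # hub: every port sees every frame
        known = {h.mac for h in self.hosts}
        if frame.dst_mac == BROADCAST or frame.dst_mac not in known:
            return list(self.hosts)  # learning switch floods unknown unicast
        return [h for h in self.hosts if h.mac == frame.dst_mac]


def probe(segment: Segment, target: Host,
          bogus_mac: str = "02:00:00:00:00:01") -> str:
    """Run the check from the post: a normal echo first as a baseline, then
    one whose destination MAC is forged (a locally administered address that
    no real NIC on the segment uses).

    Returns 'suspect', 'clean' or 'inconclusive'."""
    control = Frame(dst_mac=target.mac, dst_ip=target.ip)
    if target not in segment.deliver(control) or not target.answers_echo(control):
        return "inconclusive"   # no baseline reply: firewall or host down
    forged = Frame(dst_mac=bogus_mac, dst_ip=target.ip)
    replied = target in segment.deliver(forged) and target.answers_echo(forged)
    return "suspect" if replied else "clean"


if __name__ == "__main__":
    # Constructed hosts using the IANA documentation MAC range.
    normal = Host("10.0.0.2", "00:00:5e:00:53:02")
    sniffer = Host("10.0.0.3", "00:00:5e:00:53:03", promiscuous=True)
    hub = Segment([normal, sniffer])
    for h in hub.hosts:
        print(h.ip, probe(hub, h))
```

The baseline echo matters: without it, a firewalled host and a non-promiscuous host both look "clean", so the probe cannot tell the difference. The model also shows why the result is only ever a suspicion, as the post says, since a stack that re-checks the destination MAC or a forged address the switch already knows both hide a real sniffer.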


