IDS mailing list archives
Re: Counter detect Network Sniffer
From: "M. Dodge Mumford" <dodge () nfr net>
Date: Tue, 24 Feb 2004 10:05:27 -0500
Aditya, ALD [Aditya Lalit Deshmukh] said:

> M. Dodge Mumford
> > - Send packets from bizarre network addresses, and look for DNS PTR requests.
>
> How does this work? Guess I will have to look & search with Google ...
Pretty simply, really. If you run tcpdump without the -n option, it attempts to resolve IP addresses into domain names. If you inject traffic from (say) 127.1.2.3 (or any other address you should _never_ see on a live network), and then if you see a DNS PTR request for it, you know the host that sent the PTR is sniffing traffic.

-- Dodge
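The log-watching half of the check described above, as an added example that is not part of the original post: it scans DNS query-log lines for PTR lookups of the decoy address and reports which clients asked. The simplified BIND-style log format, the second decoy address, the client addresses and the function names are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Decoy sources that should never appear on the live network. 127.1.2.3 is the
# address used in the post; 127.9.8.7 is a constructed second decoy.
DECOYS = ["127.1.2.3", "127.9.8.7"]

# Assumed, simplified BIND-style query-log line; adapt to your resolver's format.
QUERY_RE = re.compile(
    r"client (?:@\S+ )?(?P<client>[0-9A-Fa-f.:]+)#\d+.*?"
    r"query: (?P<name>\S+) IN (?P<qtype>\S+)"
)

def decoy_ptr_names(decoys):
    """Map each decoy's reverse-lookup name (x.x.x.x.in-addr.arpa) to the decoy."""
    return {ipaddress.ip_address(d).reverse_pointer.lower(): d for d in decoys}

def find_resolvers(log_lines, decoys=DECOYS):
    """Return {client_ip: sorted decoy addresses it requested PTR records for}."""
    wanted = decoy_ptr_names(decoys)
    hits = defaultdict(set)
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m or m.group("qtype").upper() != "PTR":
            continue  # unparsable line, or not a reverse lookup
        # DNS names are case-insensitive and may carry a trailing root dot.
        name = m.group("name").rstrip(".").lower()
        if name in wanted:
            hits[m.group("client")].add(wanted[name])
    return {client: sorted(found) for client, found in hits.items()}

# Constructed sample log lines (not captured from a real network).
SAMPLE_LOG = [
    "24-Feb-2004 10:05:27.101 client 192.0.2.15#32768: query: 3.2.1.127.in-addr.arpa IN PTR +",
    "24-Feb-2004 10:05:27.340 client 192.0.2.22#41000: query: www.example.com IN A +",
    "24-Feb-2004 10:05:28.002 client 192.0.2.22#41001: query: 10.2.0.192.in-addr.arpa IN PTR +",
    "24-Feb-2004 10:05:28.417 client 192.0.2.31#5353: query: 3.2.1.127.IN-ADDR.ARPA. IN PTR +",
    "24-Feb-2004 10:05:29.120 client 192.0.2.15#32769: query: 7.8.9.127.in-addr.arpa IN PTR +",
    "24-Feb-2004 10:05:29.655 client 192.0.2.40#1234: query: 3.2.1.127.in-addr.arpa IN A +",
]

if __name__ == "__main__":
    for client, found in find_resolvers(SAMPLE_LOG).items():
        print(f"{client} resolved decoy address(es): {', '.join(found)}")
```

The client address is only the resolving host itself when the log comes from the DNS server that host queries directly; behind a forwarder the log shows the forwarder instead.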