IDS mailing list archives
Re: Counter detect Network Sniffer
From: Mike Frantzen <frantzen () nfr com>
Date: Mon, 1 Mar 2004 18:00:00 -0500
Is there any method to detect one using a sniffer, say ethereal, in the same network?
I may as well jump in with a fun one. IEEE 802.x specifies flow control on the ethernet wire. When an ethernet card runs out of space on the FIFO, it will send out an 802.x PAUSE frame telling the sender to slow down. Some cards, like the ubiquitous Intel FXP, do this flow control automatically on silicon unless you diddle the right bits in a configuration command block.

Just fill the wire with 64-byte frames to a bogus MAC address. If the sniffer's machine cannot keep up, he might give himself away with PAUSE frames. Spiffy huh?

.mike
frantzen@(nfr.com | cvs.openbsd.org | w4g.org)
PGP: CC A4 E2 E8 0C F8 42 F0 BC 26 85 5B 6F 9E ED 28
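An added example, not part of the original post: the observation side of the check described above, as a parser that picks PAUSE frames out of captured Ethernet frames and tallies them per source MAC. The MAC Control EtherType 0x8808, opcode 0x0001 and the 16-bit pause-time field are taken from IEEE 802.3x rather than from the post, and the sample frames and MAC addresses are constructed.

```python
import struct
from collections import Counter

MAC_CONTROL_ETHERTYPE = 0x8808  # IEEE 802.3 MAC Control frames
PAUSE_OPCODE = 0x0001           # 802.3x PAUSE


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_pause(frame):
    """Return (source MAC, pause quanta) for a PAUSE frame, else None."""
    if len(frame) < 18:  # dst(6) + src(6) + type(2) + opcode(2) + quanta(2)
        return None
    ethertype, opcode, quanta = struct.unpack("!HHH", frame[12:18])
    if ethertype != MAC_CONTROL_ETHERTYPE or opcode != PAUSE_OPCODE:
        return None
    # The destination is not checked: PAUSE normally goes to the reserved
    # multicast 01:80:c2:00:00:01, but a unicast destination is also valid.
    return fmt_mac(frame[6:12]), quanta


def pause_senders(frames):
    """Count PAUSE frames per source MAC; quanta 0 means 'resume', so skip it."""
    counts = Counter()
    for frame in frames:
        parsed = parse_pause(frame)
        if parsed and parsed[1] > 0:
            counts[parsed[0]] += 1
    return counts


def _frame(dst, src, ethertype, payload):
    """Build a constructed test frame, padded to 60 bytes (FCS omitted)."""
    raw = bytes.fromhex(dst) + bytes.fromhex(src) + struct.pack("!H", ethertype)
    return (raw + payload).ljust(60, b"\x00")


HOST = "001122334455"  # constructed MAC of the machine under suspicion
SAMPLE_FRAMES = [      # constructed capture, not real traffic
    _frame("0180c2000001", HOST, 0x8808, struct.pack("!HH", 1, 0xFFFF)),
    _frame("0180c2000001", HOST, 0x8808, struct.pack("!HH", 1, 0x0200)),
    _frame("0180c2000001", HOST, 0x8808, struct.pack("!HH", 1, 0)),  # resume
    _frame("ffffffffffff", "00aabbccddee", 0x0800, b"\x45\x00"),     # IPv4
    b"\x01\x80\xc2",                                                 # truncated
]

if __name__ == "__main__":
    for mac, n in pause_senders(SAMPLE_FRAMES).items():
        print(f"{mac} sent {n} PAUSE frame(s)")
```

PAUSE frames are link-local and are not forwarded by 802.1D bridges, so they are visible only on the segment the suspect card is attached to or in that switch port's flow-control counters.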