Wireshark mailing list archives

Re: Wireshark in Network - Windows/Linux


From: Guy Harris <guy () alum mit edu>
Date: Tue, 9 Mar 2010 10:33:40 -0800


On Mar 9, 2010, at 8:35 AM, Karthik Balaguru wrote:

> How to determine the presence of wireshark in a network ? Are there
> any specific packet types exchanged while it is present in the network
> so that it can be used to determine its presence in the network ? Any
> specific tool to identify its presence in either Windows or Linux ?

There is no Wireshark-specific network protocol that it and only it uses.

If you do a Web search for

        detecting sniffers

you can find some techniques that, although not *guaranteed* to find programs that capture network packets, such as 
Wireshark (and tcpdump and snoop and Microsoft Network Monitor and NetScout Sniffer and WildPackets 
{Ether,Token,Airo,Omni}Peek and...), can sometimes detect those programs on a network.  For example:

        http://www.securiteam.com/unixfocus/2EUQ8QAQME.html

says

        How to detect other sniffers on the network

        Detecting other sniffers on other machines is very difficult (and sometimes impossible). But detecting whether 
one of the Linux machines is doing the sniffing is possible.
        This can be done by exploiting a weakness in the TCP/IP stack implementation of Linux. 
        When Linux is in promiscuous mode, it will answer to TCP/IP packets sent to its IP address even if the MAC 
address on that packet is wrong (the standard behavior is that packets containing wrong MAC address will not be 
answered because the network interface will drop them).
        Therefore, sending TCP/IP packets to all the IP addresses on the subnet, where the MAC address contains wrong 
information, will tell you which machines are Linux machines in promiscuous mode (the answer from those machines will 
be a RST packet)
While this is far from being a perfect method, it can help discover suspicious activity on a network.

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
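The wrong-MAC probe described in the quoted securiteam text, worked through as an added example (this is not code from the original message or from the Wireshark project). It builds an Ethernet/IPv4/TCP SYN whose destination MAC belongs to nobody, and classifies captured replies so that only a TCP RST addressed back to the prober counts as a hit. All MACs and IPs are constructed sample values; `send_probe` assumes a Linux host with CAP_NET_RAW and an interface name you supply, and is the only part that touches a real network.

```python
"""Wrong-MAC TCP probe and RST classifier for spotting promiscuous-mode hosts.

Added example for the sniffer-detection technique quoted in the post; not code
from the original message or from Wireshark. All addresses are constructed.
"""
import socket
import struct

ETH_IPV4 = b"\x08\x00"
TCP_SYN, TCP_RST = 0x02, 0x04
PROBER_MAC, PROBER_IP = "02:00:00:00:00:aa", "192.0.2.10"   # constructed


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def build_tcp_frame(dst_mac, src_mac, src_ip, dst_ip, sport, dport, flags, seq=0):
    """Ethernet/IPv4/TCP frame with no payload; dst_mac may be deliberately bogus."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + ETH_IPV4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 8192, 0, 0)
    pseudo = ip_bytes(src_ip) + ip_bytes(dst_ip) + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                     64, 6, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return eth + ip + tcp


def build_probe(src_mac, src_ip, dst_ip, sport=40000, dport=1):
    """SYN to dst_ip carried in a frame whose destination MAC matches no NIC.
    A non-promiscuous interface drops it in hardware; a promiscuous Linux host of
    the era described in the post passes it up and the closed port answers RST."""
    return build_tcp_frame("00:00:00:00:00:01", src_mac, src_ip, dst_ip, sport, dport, TCP_SYN)


def checksums_valid(frame: bytes) -> bool:
    """For option-less, payload-less frames built here: recomputing a correct
    one's-complement checksum over header plus checksum field yields 0."""
    ip, tcp = frame[14:34], frame[34:54]
    pseudo = ip[12:16] + ip[16:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return checksum(ip) == 0 and checksum(pseudo + tcp) == 0


def rst_sender(frame: bytes, probe_src_ip: str, probe_sport: int):
    """IP of the host that sent this frame if it is a TCP RST answering our probe;
    None for anything else (ARP, unrelated traffic, non-RST TCP)."""
    if len(frame) < 54 or frame[12:14] != ETH_IPV4:
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] != 6:          # IPv4 carrying TCP only
        return None
    ihl = (ip[0] & 0x0F) * 4
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:]
    if len(tcp) < 20:
        return None
    dport = struct.unpack("!H", tcp[2:4])[0]
    if dst_ip == probe_src_ip and dport == probe_sport and tcp[13] & TCP_RST:
        return src_ip
    return None


def suspicious_hosts(captured_frames, probe_src_ip, probe_sport=40000):
    """Hosts that answered a wrong-MAC probe with a RST: promiscuous-mode candidates."""
    hits = (rst_sender(f, probe_src_ip, probe_sport) for f in captured_frames)
    return sorted({h for h in hits if h})


def send_probe(frame: bytes, iface: str) -> None:
    """Put one probe on the wire (Linux AF_PACKET, needs CAP_NET_RAW) on a segment
    you administer; capture the replies with tcpdump or Wireshark and feed the
    frames to suspicious_hosts()."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as s:
        s.bind((iface, 0))
        s.send(frame)


# Constructed capture: one RST from 192.0.2.7 (the hit), an unrelated SYN from
# 192.0.2.9, and an ARP frame that the classifier must ignore.
SAMPLE_CAPTURE = [
    build_tcp_frame(PROBER_MAC, "02:00:00:00:00:07", "192.0.2.7", PROBER_IP, 1, 40000, TCP_RST),
    build_tcp_frame(PROBER_MAC, "02:00:00:00:00:09", "192.0.2.9", PROBER_IP, 5555, 40000, TCP_SYN),
    mac_bytes("ff:ff:ff:ff:ff:ff") + mac_bytes("02:00:00:00:00:09") + b"\x08\x06" + bytes(28),
]

if __name__ == "__main__":
    print(suspicious_hosts(SAMPLE_CAPTURE, PROBER_IP))   # ['192.0.2.7']
```

A silent host proves nothing: current Linux kernels tag a frame addressed to another MAC as PACKET_OTHERHOST and ip_rcv() discards it before TCP ever sees it, promiscuous or not, which is one concrete reason the reply calls these techniques far from guaranteed. A RST is therefore worth following up (which interface on that host is in promiscuous mode, and why), while the absence of one says nothing about whether a capture tool is running.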

