Wireshark mailing list archives
Re: running wireshark on my network
From: Guy Harris <guy () alum mit edu>
Date: Thu, 17 Mar 2011 12:50:47 -0700
On Mar 14, 2011, at 2:55 PM, Semjon wrote:
> But You could check if some nic on the subnet is in promiscuous mode, which is quite unusual unless You want to see all network traffic, i.e. sniffing. More info here: http://cns.tstc.edu/cpate/LINUX/Linux_How2/Sniffers.htm
The first two methods listed there for detecting sniffers assume that packets received promiscuously - i.e., packets that you would not have received had the adapter not been in promiscuous mode - are handled by the network stack in the same way that packets received non-promiscuously are; is that the case in current operating systems? At least some of them purport to know how a packet was received - the Linux packet(7) man page:

http://linux.die.net/man/7/packet

says

> The sockaddr_ll is a device independent physical layer address.
>
> ...
>
> sll_pkttype contains the packet type. Valid types are PACKET_HOST for a packet addressed to the local host, PACKET_BROADCAST for a physical layer broadcast packet, PACKET_MULTICAST for a packet sent to a physical layer multicast address, PACKET_OTHERHOST for a packet to some other host that has been caught by a device driver in promiscuous mode, and PACKET_OUTGOING for a packet originated from the local host that is looped back to a packet socket. These types make only sense for receiving.

and they might keep promiscuously received packets (PACKET_OTHERHOST, in sll_pkttype on Linux) from getting handed to any part of the networking stack other than the packet-sniffing part (taps in the Linux kernel, BPF in *BSD and Mac OS X, NDIS attachments with a "promiscuous" filter on Windows, etc.).

The third only works if you're logged into the machine running the sniffer and the sniffer is running.

The fourth ("Latency Method"; it's tagged as 7 because the numbered sublist in the third item isn't actually a sublist, so its items count in the numbering scheme) doesn't seem to be unique to sniffers - all it detects is busy machines, maybe.