I've been playing around with wireshark on my setup and have a question which I am hoping someone can answer. I have one PC wired to my router and two laptops connected via wireless. I am using one of my laptops to do some packet sniffing. Since the sniffer laptop is connected to the router, is there any way I can find out it's sniffing the network?
Send a ping from your wired PC to one of your non-sniffer laptops. But, chances are, your router is switched, so you won't see the ping.
But how will that detect the sniffer?
You said you wanted to find out if it was sniffing. Sorry, I assumed you meant "if it was sniffing properly".
There may be something out there that can remotely detect if a device is in promiscuous mode, but generally speaking, you can't tell if a remote device is sniffing traffic or not. Maybe one of the other members knows of some technique or tool.
I haven't played around with this myself so please take this with a grain of salt, but I've heard that...
"It is possible to detect network interfaces in promiscuous mode by sending requests (ICMP, ARP, etc) with destination IP address of a suspect machine and wrong destination MAC address. Network interfaces in promiscuous mode will pass this request and a suspect machine will reply (network interfaces in non-promiscuous mode will drop this packet)."
Make sure you use a destination MAC address that hasn't been seen on the network before, or the switch might re-route it. If it works (or doesn't), please post in this thread again with your results, since I would like to know if this is effective or not. Note, this will only work if you are in the same layer-2 network (aka your packets are only being switched and not routed).
A properly configured IDS/IPS still wouldn't be detected by this method.
Originally Posted by lakiw
You do not need an IP bound to an interface that Snort is monitoring. No IP, no response. That's 1 method.
With a tap that is configured to only monitor inbound traffic, if you attempt to communicate on the interface that is monitoring, it has no path to send traffic back, since the TX side is disconnected.