Thread: detecting sniffer

  1. #1
    Junior Member
    Join Date
    Jan 2009
    Posts
    26

    Default detecting sniffer

    I've been playing around with Wireshark on my setup and have a question which I am hoping someone can answer. I have one PC wired to my router and two laptops connected via wireless. I am using one of my laptops to do some packet sniffing. Since the sniffer laptop is connected to the router, is there any way I can find out it's sniffing the network?

  2. #2

    Default

    Send a ping from your wired PC to one of your non-sniffer laptops. But, chances are, your router is switched, so you won't see the ping.

  3. #3
    Junior Member
    Join Date
    Jan 2009
    Posts
    26

    Default

    But how will that detect the sniffer?

  4. #4

    Default

    You said you wanted to find out if it was sniffing. Sorry, I assumed you meant "if it was sniffing properly".

    There may be something out there that can remotely detect if a device is in promiscuous mode, but generally speaking, you can't tell if a remote device is sniffing traffic or not. Maybe one of the other members knows of some technique or tool.

  5. #5
    Good friend of the forums
    Join Date
    Feb 2010
    Posts
    328

  6. #6
    Junior Member
    Join Date
    Mar 2006
    Posts
    28

    Default

    I haven't played around with this myself so please take this with a grain of salt, but I've heard that...

    "It is possible to detect network interfaces in promiscuous mode by sending requests (ICMP, ARP, etc) with destination IP address of a suspect machine and wrong destination MAC address. Network interfaces in promiscuous mode will pass this request and a suspect machine will reply (network interfaces in non-promiscuous mode will drop this packet)."

    Make sure you use a destination MAC address that hasn't been seen on the network before, or the switch might re-route it. If it works (or doesn't), please post in this thread again with your results since I would like to know if this is effective or not. Note, this will only work if you are in the same layer-2 network (aka your packets are only being switched and not routed).

  7. #7
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535

    Default

    Quote Originally Posted by lakiw View Post
    I haven't played around with this myself so please take this with a grain of salt, but I've heard that...

    "It is possible to detect network interfaces in promiscuous mode by sending requests (ICMP, ARP, etc) with destination IP address of a suspect machine and wrong destination MAC address. Network interfaces in promiscuous mode will pass this request and a suspect machine will reply (network interfaces in non-promiscuous mode will drop this packet)."

    Make sure you use a destination MAC address that hasn't been seen on the network before, or the switch might re-route it. If it works (or doesn't), please post in this thread again with your results since I would like to know if this is effective or not. Note, this will only work if you are in the same layer-2 network (aka your packets are only being switched and not routed).
    A properly configured IDS/IPS still wouldn't be detected by this method.

    You do not need an IP bound to an interface that Snort is monitoring. No IP, no response. That's 1 method.

    A tap that is configured to only monitor inbound traffic: if you attempt to communicate on the interface that is monitoring, it has no path to send traffic back since the TX side is disconnected.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.
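
The bogus-MAC ARP probe described in post #6 and the two blind spots raised in post #7, as an added offline simulation in Python that is not part of the original thread. `Host`, `answers_bogus_mac_probe` and every MAC and IP value are constructed for illustration, and the model assumes the host stack answers any ARP request the NIC passes up, as the quoted description states.

```python
import struct

BROADCAST = b"\xff" * 6
BOGUS_DST = bytes.fromhex("02deadbeef01")  # constructed: a MAC no station on the LAN owns
ARP = 0x0806

def arp_frame(dst_mac, src_mac, opcode, sha, spa, tha, tpa):
    """Ethernet II header plus an IPv4-over-Ethernet ARP body (42 bytes)."""
    eth = dst_mac + src_mac + struct.pack("!H", ARP)
    return eth + struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode) + sha + spa + tha + tpa

class Host:
    """Toy station (hypothetical model): NIC address filter in front of an ARP responder."""
    def __init__(self, mac, ip=None, promiscuous=False, tx_connected=True):
        self.mac, self.ip = mac, ip
        self.promiscuous, self.tx_connected = promiscuous, tx_connected

    def receive(self, frame):
        dst = frame[:6]
        # Hardware filter: a non-promiscuous NIC drops frames for other MACs.
        if not self.promiscuous and dst not in (self.mac, BROADCAST):
            return None
        ethertype, = struct.unpack("!H", frame[12:14])
        opcode, = struct.unpack("!H", frame[20:22])
        sha, spa, tpa = frame[22:28], frame[28:32], frame[38:42]
        if ethertype != ARP or opcode != 1:
            return None
        # No bound IP (passive sensor) or a receive-only tap: nothing comes back.
        if self.ip is None or tpa != self.ip or not self.tx_connected:
            return None
        return arp_frame(sha, self.mac, 2, self.mac, self.ip, sha, spa)

def answers_bogus_mac_probe(host, target_ip):
    """True if host replies to a who-has for target_ip sent to BOGUS_DST."""
    my_mac, my_ip = bytes.fromhex("020000000001"), bytes([192, 168, 1, 10])
    probe = arp_frame(BOGUS_DST, my_mac, 1, my_mac, my_ip, b"\x00" * 6, target_ip)
    reply = host.receive(probe)
    return reply is not None and reply[20:22] == b"\x00\x02" and reply[22:28] == host.mac

LAPTOP_IP = bytes([192, 168, 1, 20])  # constructed address
normal = Host(bytes.fromhex("020000000002"), LAPTOP_IP)
sniffer = Host(bytes.fromhex("020000000003"), LAPTOP_IP, promiscuous=True)
sensor = Host(bytes.fromhex("020000000004"), ip=None, promiscuous=True)
tap = Host(bytes.fromhex("020000000005"), LAPTOP_IP, promiscuous=True, tx_connected=False)
```

Only `sniffer` answers the probe; `sensor` and `tap` are promiscuous too but stay silent, which is why a reply is evidence of sniffing while silence is not evidence of its absence.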
