Wireshark-users: Re: [Wireshark-users] Wireshark in Network - Windows/Linux
From: Karthik Balaguru <karthikbalaguru79@xxxxxxxxx>
Date: Tue, 16 Mar 2010 17:38:01 +0530
On Tue, Mar 16, 2010 at 3:37 PM, Hobbe <my1listmail@xxxxxxxxx> wrote:
> Hi
> None of them supports detecting a sniffer, they all detect that the network
> card is in promiscuous mode.

:-( :-(

> That a network card is in promiscuous mode only means that there is a chance
> that that machine could be used as a sniffer, but it is not the same as it is
> a sniffer device.

Okay! But do these tools help in determining the presence of a network card in
promiscuous mode w.r.t. Windows also?

> To find sniffers and such you would have to run a software inventory program
> that checks out what software does exist in the machines.
> Then you can say: "ok we have found sniffer software on the machines".
> The different tools do different things so do a search for them and see which
> one/ones would help you find out what you want.

Karthik Balaguru

> 2010/3/16 Karthik Balaguru <karthikbalaguru79@xxxxxxxxx>
>>
>> On Sun, Mar 14, 2010 at 4:45 PM, Hobbe <my1listmail@xxxxxxxxx> wrote:
>> > As far as i know there is no way to detect a sniffer in a network, however
>> > there are some ways that can detect network cards in promiscuous mode, tools
>> > for this could be antisniff, neped, promgryui, sniffer-detect and so on.
>> > They all do NOT detect a sniffer "per se", they detect that a network card
>> > is in promiscuous mode which is a strong indicator that there is a sniffer.
>>
>> Thx for your reply.
>> antisniff, neped, promgryui, sniffer-detect - Do they support detection of a
>> sniffer in both Windows and Linux? Thought of checking it with you before
>> actually going in for analyzing those. Any ideas?
>>
>> > This does not however show the sniffers used with SPAN or RSPAN ports in
>> > switches since those ports are shut down for outgoing traffic from the
>> > sniffer and only mirror the traffic on the ports chosen.
>> >
>> > HTH
>> > Hobbe
>> >
>> > 2010/3/13 Karthik Balaguru <karthikbalaguru79@xxxxxxxxx>
>> >>
>> >> On Wed, Mar 10, 2010 at 12:03 AM, Guy Harris <guy@xxxxxxxxxxxx> wrote:
>> >> >
>> >> > On Mar 9, 2010, at 8:35 AM, Karthik Balaguru wrote:
>> >> >
>> >> >> How to determine the presence of wireshark in a network? Are there
>> >> >> any specific packet types exchanged while it is present in the network
>> >> >> so that it can be used to determine its presence in the network? Any
>> >> >> specific tool to identify its presence in either Windows or Linux?
>> >> >
>> >> > There is no Wireshark-specific network protocol that it and only it uses.
>> >> >
>> >> > If you do a Web search for
>> >> >
>> >> >     detecting sniffers
>> >> >
>> >> > you can find some techniques that, although not *guaranteed* to find
>> >> > programs that capture network packets, such as Wireshark (and tcpdump and
>> >> > snoop and Microsoft Network Monitor and NetScout Sniffer and WildPackets
>> >> > {Ether,Token,Airo,Omni}Peek and...), can sometimes detect those programs on
>> >> > a network. For example:
>> >> >
>> >> >     http://www.securiteam.com/unixfocus/2EUQ8QAQME.html
>> >> >
>> >> > says
>> >> >
>> >> >     How to detect other sniffers on the network
>> >> >
>> >> >     Detecting other sniffers on other machines is very difficult (and
>> >> >     sometimes impossible). But detecting whether one of the Linux machines
>> >> >     is doing the sniffing is possible.
>> >> >     This can be done by exploiting a weakness in the TCP/IP stack
>> >> >     implementation of Linux.
>> >> >     When Linux is in promiscuous mode, it will answer to TCP/IP packets
>> >> >     sent to its IP address even if the MAC address on that packet is
>> >> >     wrong (the standard behavior is that packets containing wrong MAC
>> >> >     address will not be answered because the network interface will drop
>> >> >     them).
>> >>
>> >> Interesting to know that the Linux TCP/IP stack implementation answers to
>> >> TCP/IP packets even if the MAC address on that packet is wrong (promiscuous
>> >> mode). But is this made intentionally in Linux to be different from the
>> >> standard behavior, to help in determining the presence of a sniffer in the
>> >> network? Any thoughts?
>> >>
>> >> >     Therefore, sending TCP/IP packets to all the IP addresses on the
>> >> >     subnet, where the MAC address contains wrong information, will tell
>> >> >     you which machines are Linux machines in promiscuous mode (the answer
>> >> >     from those machines will be a RST packet)
>> >> >     While this is far from being a perfect method, it can help discover
>> >> >     suspicious activity on a network.
>> >> >
>> >>
>> >> Thx in advance,
>> >> Karthik Balaguru
>> >>
>> >> ___________________________________________________________________________
>> >> Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
>> >> Archives: http://www.wireshark.org/lists/wireshark-users
>> >> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>> >>              mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>> >
>>
>> Thx in advance,
>> Karthik Balaguru
>>
>
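The securiteam probe that Guy Harris quotes above (a TCP segment addressed to the target's IP but carried in an Ethernet frame whose destination MAC is wrong, with a RST reply taken as the sign of a host processing frames it should have ignored) written out as an added example. This is not code from the thread, from securiteam, or from the Wireshark project; every address in it is constructed, the function names are my own, and the choice of an unsolicited ACK as the probe (so that a stack which processes the segment answers RST whether the port is open or closed) is mine rather than the securiteam text's. One caveat a practitioner should know: the Linux IPv4 receive path discards frames whose destination MAC does not belong to the interface (they are classed as "other host" before they reach IP), so on current kernels this probe does not single out promiscuous hosts; it is shown here to make the mechanism the thread discusses concrete, and `send_probes` needs Linux, AF_PACKET and CAP_NET_RAW.

```python
"""Promiscuous-mode probe in the style of the securiteam technique quoted in the
thread. Pure standard library; all MAC and IP addresses are constructed (assumption)."""
import socket
import struct
import time

TCP_RST, TCP_ACK = 0x04, 0x10
# Constructed destination MAC that no host on the segment owns (assumption).
BOGUS_DST_MAC = bytes.fromhex("00deadbeef00")


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words; 0 means 'verifies'."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp(src_ip, dst_ip, sport, dport, seq, ack, flags):
    """20-byte TCP header without options; checksum covers the IPv4 pseudo-header."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, len(hdr))
    return hdr[:16] + struct.pack("!H", checksum(pseudo + hdr)) + hdr[18:]


def build_ipv4(src_ip, dst_ip, payload):
    """20-byte IPv4 header carrying TCP (protocol 6), DF set, fixed identification."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000, 64, 6, 0,
                      socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def build_frame(dst_mac, src_mac, src_ip, dst_ip, sport, dport, seq, ack, flags):
    """Ethernet II frame (ethertype 0x0800) around an IPv4/TCP segment."""
    segment = build_tcp(src_ip, dst_ip, sport, dport, seq, ack, flags)
    return dst_mac + src_mac + b"\x08\x00" + build_ipv4(src_ip, dst_ip, segment)


def build_probe(our_mac, our_ip, target_ip, sport=40000, dport=80):
    """The probe: correct IP destination, wrong MAC destination. An unsolicited
    ACK (my choice) makes a stack that processes it answer RST for open and
    closed ports alike, so any RST means 'this host looked past the MAC'."""
    return build_frame(BOGUS_DST_MAC, our_mac, our_ip, target_ip, sport, dport, 1, 1, TCP_ACK)


def checksums_ok(frame):
    """Verify the IPv4 header checksum and the TCP checksum of a frame built above."""
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(ip) - ihl)
    return checksum(ip[:ihl]) == 0 and checksum(pseudo + ip[ihl:]) == 0


def is_rst_from(frame, target_ip, our_ip, our_port):
    """True if frame is an IPv4 TCP RST from target_ip back to our probe's source port."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":
        return False
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ip[9] != 6 or checksum(ip[:ihl]) != 0:
        return False  # not IPv4/TCP, or a damaged header
    if socket.inet_ntoa(ip[12:16]) != target_ip or socket.inet_ntoa(ip[16:20]) != our_ip:
        return False
    tcp = ip[ihl:]
    dport = struct.unpack("!H", tcp[2:4])[0]
    return dport == our_port and bool(tcp[13] & TCP_RST)  # byte 13 holds the flags


def hosts_that_answered(frames, targets, our_ip, our_port=40000):
    """From captured reply frames, list the probed IPs that sent a RST."""
    return sorted(t for t in targets if any(is_rst_from(f, t, our_ip, our_port) for f in frames))


def send_probes(iface, our_mac, our_ip, targets, timeout=2.0):
    """Linux-only: send one probe per target on iface and collect replies for `timeout` s.
    Requires CAP_NET_RAW; not exercised offline."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(0x0800))
    s.bind((iface, 0))
    s.settimeout(0.2)
    for t in targets:
        s.send(build_probe(our_mac, our_ip, t))
    frames, deadline = [], time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            frames.append(s.recv(65535))
        except socket.timeout:
            pass
    s.close()
    return hosts_that_answered(frames, targets, our_ip)
```

Offline, `build_probe` plus `is_rst_from` over a constructed RST frame shows the whole decision the technique rests on; the list `hosts_that_answered` returns is exactly the "Linux machines in promiscuous mode" set the securiteam text describes, with a SYN/ACK or any non-RST reply correctly left out.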