wireshark-users March 2010 archive

Re: [Wireshark-users] Wireshark in Network - Windows/Linux

From: Hobbe <my1listmail_at_nospam>
Date: Tue Mar 16 2010 - 10:07:04 GMT
To: Community support list for Wireshark <wireshark-users@wireshark.org>

Hi
None of them supports detecting a sniffer, they all detect that the network
card is in promiscuous mode.
That a network card is in promiscuous mode only means that there is a chance
that the machine could be used as a sniffer, but it is not the same as it
being a sniffer device.

To find sniffers and such you would have to run a software inventory program
that checks out what software does exist in the machines.
Then you can say: "ok we have found sniffer software on the machines".

The different tools do different things so do a search for them and see which
one/ones would help you find out what you want.

HTH
Hobbe

2010/3/16 Karthik Balaguru <karthikbalaguru79@gmail.com>

> On Sun, Mar 14, 2010 at 4:45 PM, Hobbe <my1listmail@gmail.com> wrote:
> > As far as I know there is no way to detect a sniffer in a network, however
> > there are some ways that can detect network cards in promiscuous mode, tools
> > for this could be antisniff, neped, promgryui, sniffer-detect and so on.
> > They all do NOT detect a sniffer "per se", they detect that a network card
> > is in promiscuous mode which is a strong indicator that there is a sniffer.
>
> Thx for your reply.
> antisniff, neped, promgryui, sniffer-detect - Do they support detection of
> sniffer in both Windows and Linux? Thought of checking it with you before
> actually going in for analyzing those. Any ideas?
>
> > This does not however show the sniffers used with SPAN or RSPAN ports in
> > switches since those ports are shutdown for outgoing traffic from the
> > sniffer and only mirror the traffic on the ports chosen.
> >
> > HTH
> > Hobbe
> >
> > 2010/3/13 Karthik Balaguru <karthikbalaguru79@gmail.com>
> >>
> >> On Wed, Mar 10, 2010 at 12:03 AM, Guy Harris <guy@alum.mit.edu> wrote:
> >> >
> >> > On Mar 9, 2010, at 8:35 AM, Karthik Balaguru wrote:
> >> >
> >> >> How to determine the presence of Wireshark in a network? Are there
> >> >> any specific packet types exchanged while it is present in the network
> >> >> so that it can be used to determine its presence in the network? Any
> >> >> specific tool to identify its presence in either Windows or Linux?
> >> >
> >> > There is no Wireshark-specific network protocol that it and only it
> >> > uses.
> >> >
> >> > If you do a Web search for
> >> >
> >> > detecting sniffers
> >> >
> >> > you can find some techniques that, although not *guaranteed* to find
> >> > programs that capture network packets, such as Wireshark (and tcpdump and
> >> > snoop and Microsoft Network Monitor and NetScout Sniffer and WildPackets
> >> > {Ether,Token,Airo,Omni}Peek and...), can sometimes detect those programs on
> >> > a network. For example:
> >> >
> >> > http://www.securiteam.com/unixfocus/2EUQ8QAQME.html
> >> >
> >> > says
> >> >
> >> > How to detect other sniffers on the network
> >> >
> >> > Detecting other sniffers on other machines is very difficult (and
> >> > sometimes impossible). But detecting whether one of the Linux machines is
> >> > doing the sniffing is possible.
> >> > This can be done by exploiting a weakness in the TCP/IP stack
> >> > implementation of Linux.
> >> > When Linux is in promiscuous mode, it will answer to TCP/IP
> >> > packets sent to its IP address even if the MAC address on that packet is
> >> > wrong (the standard behavior is that packets containing wrong MAC address
> >> > will not be answered because the network interface will drop them).
> >>
> >> Interesting to know that the Linux TCP/IP stack implementation answers
> >> TCP/IP packets even if the MAC address on that packet is wrong
> >> (promiscuous mode). But, is this made intentionally in Linux to be
> >> different from standard behavior in helping the determination of the
> >> presence of a sniffer in the network? Any thoughts?
> >>
> >> > Therefore, sending TCP/IP packets to all the IP addresses on the
> >> > subnet, where the MAC address contains wrong information, will tell you
> >> > which machines are Linux machines in promiscuous mode (the answer from those
> >> > machines will be a RST packet)
> >> > While this is far from being a perfect method, it can help discover
> >> > suspicious activity on a network.
> >> >
> >>
> >> Thx in advance,
> >> Karthik Balaguru
> >>
> >>
>
> Thx in advance,
> Karthik Balaguru
>

___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users@wireshark.org>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@wireshark.org?subject=unsubscribe
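The "wrong MAC" check that the quoted securiteam text describes, written out as an added example that is not part of this thread: it hand-builds the Ethernet/IPv4/TCP probe frame, classifies a reply by its TCP flags, and (Linux, root, on a subnet you administer) sends one probe per host. The bogus destination MAC, source MAC and all addresses are assumptions constructed for the example.

```python
import socket
import struct

BOGUS_DST_MAC = bytes.fromhex("00deadbeef01")  # constructed: a MAC no host on the subnet owns
TCP_SYN, TCP_RST = 0x02, 0x04


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum, used for both the IPv4 and TCP headers."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags, seq=0):
    """Ethernet II + IPv4 + TCP header (no payload) with both checksums filled in."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 8192, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))  # TCP pseudo-header
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return dst_mac + src_mac + b"\x08\x00" + ip + tcp


def build_probe(src_mac: bytes, src_ip: str, target_ip: str, dport: int = 80) -> bytes:
    """SYN for target_ip inside a frame addressed to a MAC nobody owns: a non-promiscuous
    NIC drops it; per the thread a promiscuous Linux host answers (RST, or SYN/ACK if open)."""
    return build_tcp_frame(src_mac, BOGUS_DST_MAC, src_ip, target_ip, 40000, dport, TCP_SYN, 1)


def tcp_flags_from(frame: bytes, target_ip: str):
    """TCP flags byte of an IPv4/TCP frame whose source IP is target_ip, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    if socket.inet_ntoa(frame[26:30]) != target_ip:
        return None
    return frame[14 + (frame[14] & 0x0F) * 4 + 13]  # skip Ethernet + IHL*4, flags at TCP offset 13


def probe_host(iface: str, src_mac: bytes, src_ip: str, target_ip: str, timeout=1.0):
    """Linux/root only: send one probe on iface, return the first reply's flags or None."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(0x0800)) as s:
        s.bind((iface, 0))
        s.settimeout(timeout)
        s.send(build_probe(src_mac, src_ip, target_ip))
        try:
            while (flags := tcp_flags_from(s.recv(65535), target_ip)) is None:
                pass
            return flags
        except socket.timeout:
            return None
```

Caveat: the Linux IPv4 input path discards frames whose destination MAC is not the interface's own (pkt_type PACKET_OTHERHOST), so on current kernels a promiscuous host gives no reply to this probe and silence proves nothing. The host-side software inventory Hobbe recommends is the dependable check.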