Wireshark-users: Re: [Wireshark-users] Viability of detecting Wireshark with ARP-packets
Hans Nilsson wrote:
Hello, I recently read the document "Promiscuous node detection using
ARP packets" [1] about detecting network cards in promiscuous mode and
sniffers with custom-built ARP-packets. For example tools like Cain and
Abel [2] has that capability. But I was wondering if this actually works
against Wireshark?
When I do ifconfig my network card is not listed as being in promiscuous
mode but under options in Wireshark the card is in promiscuous mode and
I can receive all the traffic on my LAN. So is this not a problem
anymore since the NIC doesn't have to be manually set to promiscuous
mode, Wireshark can do that on its own and therefore won't be detected
by the ARP-technique?
[1] http://www.securityfriday.com/promiscuous_detection_01.pdf
[2] http://www.oxid.it/ca_um/topics/promiscuous-mode_scanner.htm

First of all, on today's switched networks, the promiscuous mode has a
lot less effect than it has on shared networks (e.g. ancient coax
Ethernet) - using promiscuous mode will often have no effect (but this
depends on your setup, see:
http://wiki.wireshark.org/CaptureSetup/Ethernet).
Using promiscuous mode disables a hardware filter of the network
interface. It's switched on/off by ifconfig or Wireshark (through
libpcap/WinPcap) the same way, so it doesn't make *any difference* which
software switched it.
Wireshark capture options won't show you the current state of the
promisc. mode, but what it will use for capturing.
Regards, ULFL
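
An added example, not part of the original thread: on a Linux host, the current promiscuous state of each interface can be read from the kernel's interface flags under /sys/class/net, whichever program switched it. The function names and the `sysfs_root` parameter are assumptions of this example.

```python
"""List Linux network interfaces whose kernel flags have IFF_PROMISC set."""
import os
import sys

IFF_PROMISC = 0x100  # interface flag bit from <linux/if.h>


def read_flags(iface_dir):
    """Return the integer flags of one interface directory, or None."""
    try:
        with open(os.path.join(iface_dir, "flags")) as fh:
            # The kernel prints the flags as hex, e.g. "0x1103".
            return int(fh.read().strip(), 16)
    except (OSError, ValueError):
        return None


def promiscuous_state(sysfs_root="/sys/class/net"):
    """Map interface name -> True/False (promiscuous) or None (unreadable)."""
    state = {}
    try:
        names = sorted(os.listdir(sysfs_root))
    except OSError:
        return state  # not Linux, or sysfs not mounted
    for name in names:
        iface_dir = os.path.join(sysfs_root, name)
        if not os.path.isdir(iface_dir):
            continue  # skip plain files such as bonding_masters
        flags = read_flags(iface_dir)
        state[name] = None if flags is None else bool(flags & IFF_PROMISC)
    return state


if __name__ == "__main__":
    # sysfs_root can be overridden on the command line (assumption of this example).
    root = sys.argv[1] if len(sys.argv) > 1 else "/sys/class/net"
    for name, promisc in promiscuous_state(root).items():
        label = {True: "PROMISC", False: "normal", None: "unknown"}[promisc]
        print(f"{name}: {label}")
```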