Wireshark-users: Re: [Wireshark-users] Viability of detecting Wireshark with ARP-packets

On Oct 13, 2006, at 11:19 AM, Hans Nilsson wrote:

> Hello, I recently read the document "Promiscuous node detection using
> ARP packets" [1] about detecting network cards in promiscuous mode and
> sniffers with custom-built ARP packets. For example, tools like Cain and
> Abel [2] have that capability. But I was wondering if this actually
> works against Wireshark?
>
> When I do ifconfig my network card is not listed as being in promiscuous
> mode, but under options in Wireshark the card is in promiscuous mode and
> I can receive all the traffic on my LAN.

Ifconfig does not necessarily report whether a device is really in
promiscuous mode. For example, on Linux, as I remember, in Linux 2.2 and
later there's a promiscuous mode flag that can be set and cleared with
ifconfig and the ioctls ifconfig uses, and another promiscuous mode flag
that's set and cleared with different ioctls and that's not available to
ifconfig.

Libpcap has used the latter flag for quite a while.

> So is this not a problem anymore since the NIC doesn't have to be
> manually set to promiscuous mode, Wireshark can do that on its own

Wireshark has always put the card into promiscuous mode by calling
libpcap; you never had to do it from the command line.

> and therefore won't be detected by the ARP-technique?

The ARP technique depends on packets received by virtue of being in
promiscuous mode (i.e., packets that the network adapter would not have
supplied to the host if the adapter hadn't been in promiscuous mode) being
supplied not only to whatever mechanism is used by sniffer applications
but also to the main networking stack.

If that happens, the ARP technique might work; if so, it works if the
adapter is in promiscuous mode, regardless of how it's put into
promiscuous mode.

If that doesn't happen, the ARP technique wouldn't work.