Wireshark-users: Re: [Wireshark-users] Viability of detecting Wireshark with ARP-packets
Ok, thanks for the information both of you. I think I'll have to do some
testing to see what happens, trying some of the test packets in the PDF.
I can post my results here later.
On Fri, 13 Oct 2006 15:28:30 -0700, "Guy Harris" <guy@xxxxxxxxxxxx> said:
>
> On Oct 13, 2006, at 11:19 AM, Hans Nilsson wrote:
>
> > Hello, I recently read the document "Promiscuous node detection using
> > ARP packets" [1] about detecting network cards in promiscuous mode and
> > sniffers with custom-built ARP-packets. For example, tools like Cain
> > and Abel [2] have that capability. But I was wondering if this actually
> > works against Wireshark?
> >
> > When I do ifconfig my network card is not listed as being in
> > promiscuous mode, but under options in Wireshark the card is in
> > promiscuous mode and I can receive all the traffic on my LAN.
>
> Ifconfig does not necessarily report whether a device is really in
> promiscuous mode. For example, on Linux, as I remember, in Linux 2.2
> and later there's a promiscuous mode flag that can be set and cleared
> with ifconfig and the ioctls ifconfig uses, and another promiscuous
> mode flag that's set and cleared with different ioctls and that's not
> available to ifconfig.
>
> Libpcap's used the latter flag for quite a while.
>
> > So is this not a problem
> > anymore since the NIC doesn't have to be manually set to promiscuous
> > mode, Wireshark can do that on its own
>
> Wireshark has always put the card into promiscuous mode by calling
> libpcap; you never had to do it from the command line.
>
> > and therefore won't be detected by the ARP-technique?
>
> The ARP technique depends on packets received by virtue of being in
> promiscuous mode (i.e., packets that the network adapter would not
> have supplied to the host if the adapter hadn't been in promiscuous
> mode) being supplied not only to whatever mechanism is used by sniffer
> applications but also to the main networking stack.
>
> If that happens, the ARP technique might work; if so, it works if the
> adapter is in promiscuous mode, regardless of how it's put into
> promiscuous mode.
>
> If that doesn't happen, the ARP technique wouldn't work.
>
--
Hans Nilsson
hasse_gg@xxxxxxxx
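The two-flag distinction Guy describes can be checked from the host side without relying on ifconfig. The following is an added example, not code from the thread or from libpcap: it queries rtnetlink for every link and reports both the IFF_PROMISC bit that ifconfig shows (from ifi_flags) and the kernel's promiscuity reference count (IFLA_PROMISCUITY), which is what a packet socket opened by libpcap bumps. It assumes Linux with a kernel that exports IFLA_PROMISCUITY (3.10 or later, well after this 2006 thread) and needs no special privileges.

```python
import socket
import struct

# rtnetlink constants from <linux/rtnetlink.h> and <linux/if_link.h>
RTM_GETLINK, RTM_NEWLINK, NLMSG_DONE, NLMSG_ERROR = 18, 16, 3, 2
NLM_F_REQUEST, NLM_F_DUMP = 0x1, 0x300
IFLA_IFNAME, IFLA_PROMISCUITY = 3, 30  # IFLA_PROMISCUITY assumes kernel >= 3.10
IFF_PROMISC = 0x100                    # the flag ifconfig reads via SIOCGIFFLAGS

def _parse_attrs(data):
    """Split rtattr (len, type, payload) records into {type: payload}."""
    attrs = {}
    while len(data) >= 4:
        alen, atype = struct.unpack_from("=HH", data)
        if alen < 4:
            break
        attrs[atype] = data[4:alen]
        data = data[(alen + 3) & ~3:]  # payloads are padded to 4 bytes
    return attrs

def link_promisc_state():
    """Return {ifname: (IFF_PROMISC as ifconfig sees it, kernel promiscuity count)}."""
    sock = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, socket.NETLINK_ROUTE)
    try:
        sock.bind((0, 0))
        # nlmsghdr (16 bytes) + ifinfomsg (16 bytes): ask for a dump of every link
        msg = struct.pack("=IHHII", 32, RTM_GETLINK, NLM_F_REQUEST | NLM_F_DUMP, 1, 0)
        msg += struct.pack("=BxHiII", socket.AF_UNSPEC, 0, 0, 0, 0)
        sock.send(msg)
        result = {}
        while True:
            buf = sock.recv(65536)
            off = 0
            while off + 16 <= len(buf):
                mlen, mtype, _, _, _ = struct.unpack_from("=IHHII", buf, off)
                if mtype in (NLMSG_DONE, NLMSG_ERROR) or mlen < 16:
                    return result
                if mtype == RTM_NEWLINK:
                    _, _, _, ifi_flags, _ = struct.unpack_from("=BxHiII", buf, off + 16)
                    attrs = _parse_attrs(buf[off + 32:off + mlen])
                    name = attrs.get(IFLA_IFNAME, b"").rstrip(b"\0").decode()
                    raw = attrs.get(IFLA_PROMISCUITY)  # refcount bumped by libpcap
                    count = struct.unpack("=I", raw)[0] if raw else None
                    result[name] = (bool(ifi_flags & IFF_PROMISC), count)
                off += (mlen + 3) & ~3
    finally:
        sock.close()

if __name__ == "__main__":
    for name, (flag, count) in sorted(link_promisc_state().items()):
        print(f"{name:10s} IFF_PROMISC={flag} promiscuity={count}")
```

An interface on which a capture is running will typically show IFF_PROMISC=False but promiscuity=1 or more, which is exactly the case ifconfig misses.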