Wireshark-users: Re: [Wireshark-users] Viability of detecting Wireshark with ARP-packets
From: "Hans Nilsson" <hasse_gg@xxxxxxxx>
Date: Fri, 13 Oct 2006 11:38:57 -1100
Ok, thanks for the information both of you. I think I'll have to do some
testing to see what happens, trying some of the test packets in the PDF.
I can post my results here later.

On Fri, 13 Oct 2006 15:28:30 -0700, "Guy Harris" <guy@xxxxxxxxxxxx>
said:
> 
> On Oct 13, 2006, at 11:19 AM, Hans Nilsson wrote:
> 
> > Hello, I recently read the document "Promiscuous node detection using
> > ARP packets" [1] about detecting network cards in promiscuous mode and
> > sniffers with custom-built ARP-packets. For example tools like Cain  
> > and
> > Abel [2] has that capability. But I was wondering if this actually  
> > works
> > against Wireshark?
> >
> > When I do ifconfig my network card is not listed as being in  
> > promiscuous
> > mode but under options in Wireshark the card is in promiscuous mode  
> > and
> > I can receive all the traffic on my LAN.
> 
> Ifconfig does not necessarily report whether a device is really in  
> promiscuous mode.  For example, on Linux, as I remember, in Linux 2.2  
> and later there's a promiscuous mode flag that can be set and cleared  
> with ifconfig and the ioctls ifconfig uses, and another promiscuous  
> mode flag that's set and cleared with different ioctls and that's not  
> available to ifconfig.
> 
> Libpcap's used the latter flag for quite a while.
> 
> > So is this not a problem
> > anymore since the NIC doesn't have to be manually set to promiscuous
> > mode, Wireshark can do that on it's own
> 
> Wireshark has always put the card into promiscuous mode by calling  
> libpcap; you never had to do it from the command line.
> 
> > and therefore won't be detected by the ARP-technique?
> 
> The ARP technique depends on packets received by virtue of being in  
> promiscuous mode (i.e., packets that the network adapter would not  
> have supplied to the host if the adapter hadn't been in promiscuous  
> mode) being supplied not only to whatever mechanism is used by sniffer  
> applications but also to the main networking stack.
> 
> If that happens, the ARP technique might work; if so, it works if the  
> adapter is in promiscuous mode, regardless of how it's put into  
> promiscuous mode.
> 
> If that doesn't happen, the ARP technique wouldn't work.
> 
> _______________________________________________
> Wireshark-users mailing list
> Wireshark-users@xxxxxxxxxxxxx
> http://www.wireshark.org/mailman/listinfo/wireshark-users
-- 
  Hans Nilsson
  hasse_gg@xxxxxxxx

-- 
http://www.fastmail.fm - Choose from over 50 domains or use your own