Wireshark-users: Re: [Wireshark-users] Wireshark in Network - Windows/Linux
From: Karthik Balaguru <karthikbalaguru79@xxxxxxxxx>
Date: Tue, 16 Mar 2010 11:19:30 +0530
On Sun, Mar 14, 2010 at 4:45 PM, Hobbe <my1listmail@xxxxxxxxx> wrote:
> As far as i know there is no way to detect a sniffer in a network, however
> there are some ways that can detect network cards in promiscuous mode, tools
> for this could be antisniff, neped, promgryui, sniffer-detect and so on.
> They all do NOT detect a sniffer "per se", they detect that a network card
> is in promiscuous mode, which is a strong indicator that there is a sniffer.

Thanks for your reply.
antisniff, neped, promgryui, sniffer-detect - do they support detection of
sniffers on both Windows and Linux? I thought of checking with you before
actually going in and analyzing those. Any ideas?

> This does not, however, show the sniffers used with SPAN or RSPAN ports in
> switches, since those ports are shut down for outgoing traffic from the
> sniffer and only mirror the traffic on the ports chosen.
>
> HTH
> Hobbe
>
> 2010/3/13 Karthik Balaguru <karthikbalaguru79@xxxxxxxxx>
>>
>> On Wed, Mar 10, 2010 at 12:03 AM, Guy Harris <guy@xxxxxxxxxxxx> wrote:
>> >
>> > On Mar 9, 2010, at 8:35 AM, Karthik Balaguru wrote:
>> >
>> >> How to determine the presence of wireshark in a network ? Are there
>> >> any specific packet types exchanged while it is present in the network
>> >> so that it can be used to determine its presence in the network ? Any
>> >> specific tool to identify its presence in either Windows or Linux ?
>> >
>> > There is no Wireshark-specific network protocol that it and only it
>> > uses.
>> >
>> > If you do a Web search for
>> >
>> >        detecting sniffers
>> >
>> > you can find some techniques that, although not *guaranteed* to find
>> > programs that capture network packets, such as Wireshark (and tcpdump and
>> > snoop and Microsoft Network Monitor and NetScout Sniffer and WildPackets
>> > {Ether,Token,Airo,Omni}Peek and...), can sometimes detect those programs on
>> > a network.  For example:
>> >
>> >        http://www.securiteam.com/unixfocus/2EUQ8QAQME.html
>> >
>> > says
>> >
>> >        How to detect other sniffers on the network
>> >
>> >        Detecting other sniffers on other machines is very difficult (and
>> > sometimes impossible). But detecting whether one of the Linux machines is
>> > doing the sniffing is possible.
>> >        This can be done by exploiting a weakness in the TCP/IP stack
>> > implementation of Linux.
>> >        When Linux is in promiscuous mode, it will answer to TCP/IP
>> > packets sent to its IP address even if the MAC address on that packet is
>> > wrong (the standard behavior is that packets containing wrong MAC address
>> > will not be answered because the network interface will drop them).
>>
>> Interesting to know that the Linux TCP/IP stack implementation answers
>> TCP/IP packets even if the MAC address on that packet is wrong
>> (promiscuous mode). But is this done intentionally in Linux, to be
>> different from the standard behavior, in order to help determine the
>> presence of a sniffer in the network? Any thoughts?
>>
>> >        Therefore, sending TCP/IP packets to all the IP addresses on the
>> > subnet, where the MAC address contains wrong information, will tell you
>> > which machines are Linux machines in promiscuous mode (the answer from those
>> > machines will be a RST packet)
>> > While this is far from being a perfect method, it can help discover
>> > suspicious activity on a network.
>> >
>>
>> Thanks in advance,
>> Karthik Balaguru
>>
>> ___________________________________________________________________________
>> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
>> Archives:    http://www.wireshark.org/lists/wireshark-users
>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>
>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>

Thanks in advance,
Karthik Balaguru
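
The bogus-MAC probe described in the securiteam text quoted above, written out as an added example. This is not code from this thread, from Wireshark, or from any of the tools Hobbe names; it uses only the Python standard library, and the MACs, IP addresses and ports in it are assumed values for illustration. Frames are built and parsed with struct so the matching logic can be exercised offline; only send_probes() needs a Linux AF_PACKET raw socket and CAP_NET_RAW, and replies are meant to be captured separately and fed to promiscuous_candidates().

```python
"""Bogus-MAC TCP probe: a SYN to each host's IP inside an Ethernet frame whose
destination MAC is wrong.  A NIC that is not promiscuous filters that frame in
hardware; a host that still answers (RST from a closed port, or SYN/ACK from an
open one) has accepted a frame not addressed to it.  Example code, stdlib only."""
import socket
import struct

PROBE_DST_MAC = "00:de:ad:be:ef:00"   # assumed: a MAC that no host on the LAN owns
SRC_MAC = "02:00:00:00:00:01"         # assumed: the scanning host's own MAC
SRC_IP = "192.0.2.10"                 # assumed: the scanning host's own IP
PROBE_SPORT = 40000                   # assumed source port, used to recognise replies
PROBE_DPORT = 80                      # assumed target port

ETH_P_IP = 0x0800
IPPROTO_TCP = 6
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def bytes_to_mac(b: bytes) -> str:
    return ":".join("%02x" % x for x in b)


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum; yields 0 when run over a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_frame(dst_mac, src_mac, src_ip, dst_ip, sport, dport, flags,
                    seq=0, ack=0) -> bytes:
    """Ethernet + IPv4 + TCP header-only frame with both checksums filled in."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                     64, IPPROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    eth = mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", ETH_P_IP)
    return eth + ip + tcp


def build_probe(target_ip: str) -> bytes:
    """The probe itself: correct IP destination, deliberately wrong MAC."""
    return build_tcp_frame(PROBE_DST_MAC, SRC_MAC, SRC_IP, target_ip,
                           PROBE_SPORT, PROBE_DPORT, TCP_SYN)


def checksums_valid(frame: bytes) -> bool:
    """True if the IPv4 and TCP checksums of a header-only frame verify."""
    ihl = (frame[14] & 0x0F) * 4
    ip, tcp = frame[14:14 + ihl], frame[14 + ihl:]
    pseudo = struct.pack("!4s4sBBH", ip[12:16], ip[16:20], 0, IPPROTO_TCP, len(tcp))
    return checksum(ip) == 0 and checksum(pseudo + tcp) == 0


def parse_frame(frame: bytes):
    """Ethernet/IPv4/TCP header fields as a dict, or None for anything else."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != IPPROTO_TCP or len(frame) < 14 + ihl + 20:
        return None
    tcp = frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return {"eth_dst": bytes_to_mac(frame[0:6]), "eth_src": bytes_to_mac(frame[6:12]),
            "ip_src": socket.inet_ntoa(frame[26:30]), "ip_dst": socket.inet_ntoa(frame[30:34]),
            "tcp_sport": sport, "tcp_dport": dport, "tcp_flags": tcp[13]}


def classify_reply(frame: bytes, probed_ips):
    """Responder's IP if this frame answers our probe, else None.  The quoted
    text expects a RST; a SYN/ACK from an open port proves the same thing."""
    p = parse_frame(frame)
    if p is None or p["ip_src"] not in probed_ips or p["tcp_dport"] != PROBE_SPORT:
        return None
    synack = (p["tcp_flags"] & (TCP_SYN | TCP_ACK)) == (TCP_SYN | TCP_ACK)
    return p["ip_src"] if (p["tcp_flags"] & TCP_RST) or synack else None


def promiscuous_candidates(captured_frames, probed_ips):
    """Hosts that answered a frame not addressed to their MAC.  Silence is not
    a clean bill: many stacks drop such frames before TCP sees them, and a
    sniffer on a SPAN port or a passive tap never transmits at all."""
    found = {ip for ip in (classify_reply(f, probed_ips) for f in captured_frames) if ip}
    return sorted(found)


def send_probes(iface: str, targets):
    """Put the probes on the wire.  Linux only (AF_PACKET), needs CAP_NET_RAW;
    capture the replies with a separate sniffer.  Not exercised offline."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as s:
        s.bind((iface, 0))
        for ip in targets:
            s.send(build_probe(ip))
```

Two caveats before relying on this. The Linux behaviour the securiteam article exploits belongs to old kernels: current Linux marks a frame whose destination MAC is not the interface's own as PACKET_OTHERHOST and discards it in the IPv4 receive path even when the NIC is promiscuous, so a modern Linux sniffer will not answer and a non-response proves nothing. And, as Hobbe says, a sniffer fed from a SPAN/RSPAN port or a passive tap never sends anything, so no active probe of this kind can see it; treat a hit as a lead to investigate, not as a finding in itself.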