Wireshark-users: Re: [Wireshark-users] Viability of detecting Wireshark with ARP-packets

From: Ulf Lamping <ulf.lamping@xxxxxx>
Date: Sat, 14 Oct 2006 00:28:34 +0200
Hans Nilsson wrote:
Hello, I recently read the document "Promiscuous node detection using
ARP packets" [1] about detecting network cards in promiscuous mode and
sniffers with custom-built ARP-packets. For example tools like Cain and
Abel [2] has that capability. But I was wondering if this actually works
against Wireshark?

When I do ifconfig my network card is not listed as being in promiscuous
mode but under options in Wireshark the card is in promiscuous mode and
I can receive all the traffic on my LAN. So is this not a problem
anymore since the NIC doesn't have to be manually set to promiscuous
mode, Wireshark can do that on it's own and therefore won't be detected
by the ARP-technique?

[1]
http://www.securityfriday.com/promiscuous_detection_01.pdf
[2]
http://www.oxid.it/ca_um/topics/promiscuous-mode_scanner.htm

First of all, on todays switched networks, the promiscuous mode has a lot less effect than it has on shared networks (e.g. ancient coax Ethernet) - using promiscuous mode will often have no effect (but this depends on your setup, see: http://wiki.wireshark.org/CaptureSetup/Ethernet).

Using promiscuous mode disables a hardware filter of the network interface. It's switched on/off by ifconfig or Wireshark (through libpcap/WinPcap) the same way, so it doesn't make *any difference* which software switched it.

Wireshark capture options won't show you the current state of the promisc. mode, but what it will use for capturing.

Regards, ULFL