Ok, here are the results. I scanned a box running Linux 2.6.X with
different NIC and Wireshark settings using Cain & Abel from a box
running Windows XP SP2.
                                                                           B31  B16  B8   Gr   M0   M1   M3
Wireshark Off - NIC Normal mode                                            0    0    0    0    0    X    X
Wireshark Off - NIC Promiscuous mode                                       X    X    X    X    X    X    X
Wireshark On  - NIC Normal mode      - Promiscuous mode not set in Options 0    0    0    0    0    X    X
Wireshark On  - NIC Normal mode      - Promiscuous mode set in Options     X    X    X    X    X    X    X
Wireshark On  - NIC Promiscuous mode - Promiscuous mode not set in Options X    X    X    X    X    X    X
Wireshark On  - NIC Promiscuous mode - Promiscuous mode set in Options     X    X    X    X    X    X    X
If the formatting's screwed up, here's an image:
http://i9.tinypic.com/2dhwbpc.png
X = Got ARP Reply
0 = Did not get ARP Reply
B31 = ARP destination FF:FF:FF:FF:FF:FE
B16 = ARP destination FF:FF:00:00:00:00
B8 = ARP destination FF:00:00:00:00:00
Gr = ARP destination 01:00:00:00:00:00
M0 = ARP destination 01:00:5e:00:00:00
M1 = ARP destination 01:00:5e:00:00:01
M3 = ARP destination 01:00:5e:00:00:03
Read the PDF from my previous post for more clarification:
http://www.securityfriday.com/promiscuous_detection_01.pdf
So apparently you can quite easily detect if someone's running Wireshark
on your network. (Assuming they haven't set up special rules to not
reply to these revealing ARP packets or something like that.)
On Fri, 13 Oct 2006 07:19:17 -1100, "Hans Nilsson" <hasse_gg@xxxxxxxx>
said:
> Hello, I recently read the document "Promiscuous node detection using
> ARP packets" [1] about detecting network cards in promiscuous mode and
> sniffers with custom-built ARP packets. For example, tools like Cain and
> Abel [2] have that capability. But I was wondering if this actually works
> against Wireshark?
>
> When I do ifconfig my network card is not listed as being in promiscuous
> mode, but under options in Wireshark the card is in promiscuous mode and
> I can receive all the traffic on my LAN. So is this not a problem
> anymore, since the NIC doesn't have to be manually set to promiscuous
> mode? Wireshark can do that on its own and therefore won't be detected
> by the ARP technique?
>
> [1]
> http://www.securityfriday.com/promiscuous_detection_01.pdf
> [2]
> http://www.oxid.it/ca_um/topics/promiscuous-mode_scanner.htm
> _______________________________________________
> Wireshark-users mailing list
> Wireshark-users@xxxxxxxxxxxxx
> http://www.wireshark.org/mailman/listinfo/wireshark-users
--
Hans Nilsson
hasse_gg@xxxxxxxx