Hi,
results look consistent to me. No matter how the NIC is set to promiscuous
mode, the result is the same.
Thanx,
Jaap
On Mon, 16 Oct 2006, Hans Nilsson wrote:
> Ok, here are the results. I scanned a box running Linux 2.6.X with
> different NIC and Wireshark settings using Cain & Abel from a box
> running Windows XP SP2.
>                                                                           B31  B16  B8   Gr   M0   M1   M3
> Wireshark Off - NIC Normal mode                                            0    0    0    0    0    X    X
> Wireshark Off - NIC Promiscuous mode                                       X    X    X    X    X    X    X
> Wireshark On - NIC Normal mode - Promiscuous mode not set in Options       0    0    0    0    0    X    X
> Wireshark On - NIC Normal mode - Promiscuous mode set in Options           X    X    X    X    X    X    X
> Wireshark On - NIC Promiscuous mode - Promiscuous mode not set in Options  X    X    X    X    X    X    X
> Wireshark On - NIC Promiscuous mode - Promiscuous mode set in Options      X    X    X    X    X    X    X
>
> If the formatting's screwed up, here's an image:
> http://i9.tinypic.com/2dhwbpc.png
>
> X = Got ARP Reply
> 0 = Did not get ARP Reply
> B31 = ARP destination FF:FF:FF:FF:FF:FE
> B16 = ARP destination FF:FF:00:00:00:00
> B8 = ARP destination FF:00:00:00:00:00
> Gr = ARP destination 01:00:00:00:00:00
> M0 = ARP destination 01:00:5e:00:00:00
> M1 = ARP destination 01:00:5e:00:00:01
> M3 = ARP destination 01:00:5e:00:00:03
>
> Read the PDF from my previous post for more clarification:
> http://www.securityfriday.com/promiscuous_detection_01.pdf
>
> So apparently you can quite easily detect if someone's running Wireshark
> on your network. (Assuming they haven't set up special rules to not
> reply to these revealing ARP-packets or something like that.)
>
>
> On Fri, 13 Oct 2006 07:19:17 -1100, "Hans Nilsson" <hasse_gg@xxxxxxxx>
> said:
> > Hello, I recently read the document "Promiscuous node detection using
> > ARP packets" [1] about detecting network cards in promiscuous mode and
> > sniffers with custom-built ARP packets. For example, tools like Cain and
> > Abel [2] have that capability. But I was wondering if this actually works
> > against Wireshark?
> >
> > When I do ifconfig my network card is not listed as being in promiscuous
> > mode, but under Options in Wireshark the card is in promiscuous mode and
> > I can receive all the traffic on my LAN. So is this not a problem
> > anymore, since the NIC doesn't have to be manually set to promiscuous
> > mode? Wireshark can do that on its own and therefore won't be detected
> > by the ARP technique?
> >
> > [1] http://www.securityfriday.com/promiscuous_detection_01.pdf
> > [2] http://www.oxid.it/ca_um/topics/promiscuous-mode_scanner.htm
> > --
> > Hans Nilsson
> > hasse_gg@xxxxxxxx
> >
> > --
> > http://www.fastmail.fm - A fast, anti-spam email service.
> >
> > _______________________________________________
> > Wireshark-users mailing list
> > Wireshark-users@xxxxxxxxxxxxx
> > http://www.wireshark.org/mailman/listinfo/wireshark-users
> --
> Hans Nilsson
> hasse_gg@xxxxxxxx
>
> --
> http://www.fastmail.fm - Same, same, but different??
>
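The table above becomes easier to read once you see the two filters an ARP request passes on a Linux host before it is answered. The following is an added example, not code from the thread, from Wireshark or from Cain & Abel: it models the NIC's hardware address filter (which promiscuous mode bypasses) and the kernel's software check (a frame whose destination is a unicast MAC other than the NIC's own is classed PACKET_OTHERHOST and dropped by the ARP code), then reproduces the thread's X/0 rows. The probe MACs and labels are the thread's; the host's MAC and IP are constructed, and the set of multicast groups the NIC admits in normal mode (ADMITTED_GROUPS) is an assumption chosen to match the observation that only M1 and M3 were answered (01:00:5e:00:00:01 is the all-hosts group every IPv4 host joins; M3 is simply taken from the thread's result).

```python
# Added example (not from the thread, Wireshark or Cain & Abel): a model of the
# two filters an ARP request passes on a Linux host before it is answered.
#   1. the NIC's hardware address filter, which promiscuous mode bypasses;
#   2. the kernel's software check: eth_type_trans() marks a frame whose
#      destination is a unicast MAC other than the NIC's own as
#      PACKET_OTHERHOST, and arp_rcv() drops such frames.

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Probe destination MACs from the thread, keyed by its labels.
PROBES = {
    "B31": "ff:ff:ff:ff:ff:fe",
    "B16": "ff:ff:00:00:00:00",
    "B8": "ff:00:00:00:00:00",
    "Gr": "01:00:00:00:00:00",
    "M0": "01:00:5e:00:00:00",
    "M1": "01:00:5e:00:00:01",
    "M3": "01:00:5e:00:00:03",
}

# Assumption: groups the NIC's multicast filter lets through in normal mode,
# chosen to match the thread's observation (M1 and M3 answered).
ADMITTED_GROUPS = frozenset({"01:00:5e:00:00:01", "01:00:5e:00:00:03"})

# Constructed addresses for the probed host (TEST-NET-1 range, made-up MAC).
OWN_MAC = "00:11:22:33:44:55"
OWN_IP = "192.0.2.10"


def is_group_address(mac):
    """True when the I/G bit (least significant bit of the first octet) is set."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


def nic_admits(dst_mac, own_mac, promisc, admitted_groups=ADMITTED_GROUPS):
    """Hardware filter: a promiscuous NIC passes every frame; otherwise only
    frames for its own MAC, the broadcast address or an admitted group."""
    if promisc:
        return True
    m = dst_mac.lower()
    return m == own_mac.lower() or m == BROADCAST or m in admitted_groups


def kernel_replies(dst_mac, own_mac, target_ip, own_ip):
    """Software filter: drop PACKET_OTHERHOST frames, then answer only when
    the ARP target IP is ours. Every probe above carries the I/G bit, so none
    of them is dropped here; the hardware filter alone decides the outcome."""
    m = dst_mac.lower()
    if m != own_mac.lower() and not is_group_address(m):
        return False
    return target_ip == own_ip


def probe_table(promisc, own_mac=OWN_MAC, own_ip=OWN_IP):
    """Return {label: 'X' if the host would answer, else '0'} for all probes,
    i.e. one row of the table in the thread."""
    row = {}
    for label, dst_mac in PROBES.items():
        reached = nic_admits(dst_mac, own_mac, promisc)
        answered = reached and kernel_replies(dst_mac, own_mac, own_ip, own_ip)
        row[label] = "X" if answered else "0"
    return row


def looks_promiscuous(row):
    """Defender-side rule: an answer to any probe that a NIC in normal mode
    filters in hardware means the frame reached the IP stack unfiltered, so
    the interface is promiscuous (whether set by hand or by Wireshark's
    option makes no difference, as the thread's table shows)."""
    hardware_filtered = ("B31", "B16", "B8", "Gr", "M0")
    return any(row[label] == "X" for label in hardware_filtered)


def render(row):
    """One line in the thread's X/0 notation, in label order."""
    return " ".join(f"{label}={row[label]}" for label in PROBES)


if __name__ == "__main__":
    for mode in (False, True):
        row = probe_table(promisc=mode)
        print(f"promisc={mode!s:5} {render(row)} -> promiscuous? {looks_promiscuous(row)}")
```

The model also shows where the caveat in the thread comes from: the detection relies on the host's ARP code answering whatever the hardware lets through, so a host that filters ARP by destination MAC in software (firewall rules, as the thread mentions) would answer like a NIC in normal mode and the probe would miss it.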