Wireshark-users: Re: [Wireshark-users] Viability of detecting Wireshark with ARP-packets

From: "Hans Nilsson" <hasse_gg@xxxxxxxx>
Date: Tue, 17 Oct 2006 10:21:33 -1100
Yes the results are consistent. But what struck me is that it's
completely possible and quite easy to detect that someone on your
network is running Wireshark (or some other packet-sniffing tool).


On Tue, 17 Oct 2006 08:21:06 +0200 (CEST), "Jaap Keuter"
<jaap.keuter@xxxxxxxxx> said:
> Hi,
> 
> results look consistent to me. No matter how the NIC is set to
> promiscuous
> mode, the result is the same.
> 
> Thanx,
> Jaap
> 
> On Mon, 16 Oct 2006, Hans Nilsson wrote:
> 
> > Ok, here are the results. I scanned a box running Linux 2.6.X with
> > different NIC and Wireshark settings using Cain & Abel from a box
> > running Windows XP SP2.
> > _________________________________________________________________________B31________B16______B8_______Gr_______M0_______M1_______M3
> > Wireshark_Off_-_NIC_Normal_mode___________________________________________0_________0________0________0________0________X________X
> > Wireshark_Off_-_NIC_Promiscuous_mode______________________________________X_________X________X________X________X________X________X
> > Wireshark_On_-_NIC_Normal_mode_-_Promiscuous_mode_not_set_in_Options______0_________0________0________0________0________X________X
> > Wireshark_On_-_NIC_Normal_mode_-_Promiscuous_mode_set_in_Options__________X_________X________X________X________X________X________X
> > Wireshark_On_-_NIC_Promiscuous_mode_-_Promiscuous_mode_not_set_in_Options_X_________X________X________X________X________X________X
> > Wireshark_On_-_NIC_Promiscuous_mode_-_Promiscuous_mode_set_in_Options_____X_________X________X________X________X________X________X
> >
> > If the formatting's screwed up, here's an image:
> > http://i9.tinypic.com/2dhwbpc.png
> >
> > X = Got ARP Reply
> > 0 = Did not get ARP Reply
> > B31 = ARP destination FF:FF:FF:FF:FF:FE
> > B16 = ARP destination FF:FF:00:00:00:00
> > B8  = ARP destination FF:00:00:00:00:00
> > Gr  = ARP destination 01:00:00:00:00:00
> > M0  = ARP destination 01:00:5e:00:00:00
> > M1  = ARP destination 01:00:5e:00:00:01
> > M3  = ARP destination 01:00:5e:00:00:03
> >
> > Read the PDF from my previous post for more clarification:
> > http://www.securityfriday.com/promiscuous_detection_01.pdf
> >
> > So apparently you can quite easily detect if someone's running Wireshark
> > on your network. (Assuming they haven't set up special rules to not
> > reply to these revealing ARP-packets or something like that.)
> >
> >
> > On Fri, 13 Oct 2006 07:19:17 -1100, "Hans Nilsson" <hasse_gg@xxxxxxxx>
> > said:
> > > Hello, I recently read the document "Promiscuous node detection using
> > > ARP packets" [1] about detecting network cards in promiscuous mode and
> > > sniffers with custom-built ARP-packets. For example tools like Cain and
> > > Abel [2] has that capability. But I was wondering if this actually works
> > > against Wireshark?
> > >
> > > When I do ifconfig my network card is not listed as being in promiscuous
> > > mode but under options in Wireshark the card is in promiscuous mode and
> > > I can receive all the traffic on my LAN. So is this not a problem
> > > anymore since the NIC doesn't have to be manually set to promiscuous
> > > mode, Wireshark can do that on it's own and therefore won't be detected
> > > by the ARP-technique?
> > >
> > > [1]
> > > http://www.securityfriday.com/promiscuous_detection_01.pdf
> > > [2]
> > > http://www.oxid.it/ca_um/topics/promiscuous-mode_scanner.htm
> > > --
> > >   Hans Nilsson
> > >   hasse_gg@xxxxxxxx
> > >
> > > --
> > > http://www.fastmail.fm - A fast, anti-spam email service.
> > >
> > > _______________________________________________
> > > Wireshark-users mailing list
> > > Wireshark-users@xxxxxxxxxxxxx
> > > http://www.wireshark.org/mailman/listinfo/wireshark-users
> > --
> >   Hans Nilsson
> >   hasse_gg@xxxxxxxx
> >
> > --
> > http://www.fastmail.fm - Same, same, but different…
> >
> > _______________________________________________
> > Wireshark-users mailing list
> > Wireshark-users@xxxxxxxxxxxxx
> > http://www.wireshark.org/mailman/listinfo/wireshark-users
> >
> >
> 
-- 
  Hans Nilsson
  hasse_gg@xxxxxxxx

-- 
http://www.fastmail.fm - Choose from over 50 domains or use your own