Wireshark-users: Re: [Wireshark-users] Wireshark in Network - Windows/Linux

From: Ray Warren <raywarren2@xxxxxxxxxxx>
Date: Sun, 14 Mar 2010 18:11:24 -0500
On Sun, Mar 14, 2010 at 12:15:34PM +0100, Hobbe wrote:
> As far as i know there is no way to detect a sniffer in a network, however
> there are some ways that can detect network cards in promiscuous mode, tools
> for this could be antisniff, neped, PromqryUI, sniffer-detect and so on.
> They all do NOT detect a sniffer "per se", they detect that a network card
> is in promiscuous mode which is a strong indicator that there is a sniffer.
> 
> This does not however show the sniffers used with SPAN or RSPAN ports in
> switches since those ports are shutdown for outgoing traffic from the
> sniffer and only mirrors the traffic on the ports chosen.
> 
> HTH
> 
> Hobbe
> 
> 2010/3/13 Karthik Balaguru <karthikbalaguru79@xxxxxxxxx>
> 
> > On Wed, Mar 10, 2010 at 12:03 AM, Guy Harris <guy@xxxxxxxxxxxx> wrote:
> > >
> > > On Mar 9, 2010, at 8:35 AM, Karthik Balaguru wrote:
> > >
> > >> How to determine the presence of wireshark in a network ? Are there
> > >> any specific packet types exchanged while it is present in the network
> > >> so that it can be used to determine its presence in the network ? Any
> > >> specific tool to identify its presence in either Windows or Linux ?
> > >
> > > There is no Wireshark-specific network protocol that it and only it uses.
> > >
> > > If you do a Web search for
> > >
> > >        detecting sniffers
> > >
> > > you can find some techniques that, although not *guaranteed* to find
> > programs that capture network packets, such as Wireshark (and tcpdump and
> > snoop and Microsoft Network Monitor and NetScout Sniffer and WildPackets
> > {Ether,Token,Airo,Omni}Peek and...), can sometimes detect those programs on
> > a network.  For example:
> > >
> > >        http://www.securiteam.com/unixfocus/2EUQ8QAQME.html
> > >
> > > says
> > >
> > >        How to detect other sniffers on the network
> > >
> > >        Detecting other sniffers on other machines is very difficult (and
> > sometimes impossible). But detecting whether one of the Linux machines is
> > doing the sniffing is possible.
> > >        This can be done by exploiting a weakness in the TCP/IP stack
> > implementation of Linux.
> > >        When Linux is in promiscuous mode, it will answer to TCP/IP
> > packets sent to its IP address even if the MAC address on that packet is
> > wrong (the standard behavior is that packets containing wrong MAC address
> > will not be answered because the network interface will drop them).
> >
> > Interesting to know that the Linux TCP/IP stack implementation answers
> > TCP/IP packets even if the MAC address on that packet is
> > wrong (promiscuous mode). But is this made intentionally in Linux to
> > be different from standard behavior in helping the determination of
> > presence of a sniffer in the network ? Any thoughts ?
> >
> > >        Therefore, sending TCP/IP packets to all the IP addresses on the
> > subnet, where the MAC address contains wrong information, will tell you
> > which machines are Linux machines in promiscuous mode (the answer from those
> > machines will be a RST packet)
> > > While this is far from being a perfect method, it can help discover
> > suspicious activity on a network.
> > >
> >
> > Thx in advance,
> > Karthik Balaguru
You can detect activity but not listening.