Wireshark-users: Re: [Wireshark-users] Wireshark in Network - Windows/Linux

From: Karthik Balaguru <karthikbalaguru79@xxxxxxxxx>
Date: Tue, 16 Mar 2010 17:38:01 +0530
On Tue, Mar 16, 2010 at 3:37 PM, Hobbe <my1listmail@xxxxxxxxx> wrote:
> Hi
> None of them supports detecting a sniffer; they all detect that the network
> card is in promiscuous mode.

:-( :-(

> That a network card is in promiscuous mode only means that there is a chance
> that the machine could be used as a sniffer, but it is not the same as it
> being a sniffer device.

Okay!
But do these tools help in determining the presence of a network card in
promiscuous mode on Windows as well?

> To find sniffers and such you would have to run a software inventory program
> that checks what software exists on the machines.
> Then you can say: "OK, we have found sniffer software on the machines."
> The different tools do different things, so do a search for them and see which
> one/ones would help you find out what you want.

Karthik Balaguru


>
> 2010/3/16 Karthik Balaguru <karthikbalaguru79@xxxxxxxxx>
>>
>> On Sun, Mar 14, 2010 at 4:45 PM, Hobbe <my1listmail@xxxxxxxxx> wrote:
>> > As far as I know there is no way to detect a sniffer in a network; however,
>> > there are some ways to detect network cards in promiscuous mode. Tools
>> > for this could be antisniff, neped, promgryui, sniffer-detect and so on.
>> > They all do NOT detect a sniffer "per se": they detect that a network
>> > card is in promiscuous mode, which is a strong indicator that there is a
>> > sniffer.
>>
>> Thx for your reply.
>> antisniff, neped, promgryui, sniffer-detect: do they support detection of
>> sniffers on both Windows and Linux? I thought of checking with you before
>> actually going in for analyzing those. Any ideas?
>>
>> > This does not, however, show the sniffers used with SPAN or RSPAN ports in
>> > switches, since those ports are shut down for outgoing traffic from the
>> > sniffer and only mirror the traffic on the chosen ports.
>> >
>> > HTH
>> > Hobbe
>> >
>> > 2010/3/13 Karthik Balaguru <karthikbalaguru79@xxxxxxxxx>
>> >>
>> >> On Wed, Mar 10, 2010 at 12:03 AM, Guy Harris <guy@xxxxxxxxxxxx> wrote:
>> >> >
>> >> > On Mar 9, 2010, at 8:35 AM, Karthik Balaguru wrote:
>> >> >
>> >> >> How to determine the presence of Wireshark in a network? Are there
>> >> >> any specific packet types exchanged while it is present in the network
>> >> >> so that they can be used to determine its presence? Any specific tool
>> >> >> to identify its presence in either Windows or Linux?
>> >> >
>> >> > There is no Wireshark-specific network protocol that it and only it
>> >> > uses.
>> >> >
>> >> > If you do a Web search for
>> >> >
>> >> >        detecting sniffers
>> >> >
>> >> > you can find some techniques that, although not *guaranteed* to find
>> >> > programs that capture network packets, such as Wireshark (and tcpdump
>> >> > and snoop and Microsoft Network Monitor and NetScout Sniffer and
>> >> > WildPackets {Ether,Token,Airo,Omni}Peek and...), can sometimes detect
>> >> > those programs on a network.  For example:
>> >> >
>> >> >        http://www.securiteam.com/unixfocus/2EUQ8QAQME.html
>> >> >
>> >> > says
>> >> >
>> >> >        How to detect other sniffers on the network
>> >> >
>> >> >        Detecting other sniffers on other machines is very difficult
>> >> > (and sometimes impossible). But detecting whether one of the Linux
>> >> > machines is doing the sniffing is possible.
>> >> >        This can be done by exploiting a weakness in the TCP/IP stack
>> >> > implementation of Linux.
>> >> >        When Linux is in promiscuous mode, it will answer TCP/IP
>> >> > packets sent to its IP address even if the MAC address on that packet
>> >> > is wrong (the standard behavior is that packets containing a wrong MAC
>> >> > address will not be answered because the network interface will drop
>> >> > them).
>> >>
>> >> Interesting to know that the Linux TCP/IP stack implementation answers
>> >> TCP/IP packets even if the MAC address on that packet is wrong
>> >> (promiscuous mode). But is this made intentionally in Linux, to be
>> >> different from the standard behavior, in order to help determine the
>> >> presence of a sniffer in the network? Any thoughts?
>> >>
>> >> >        Therefore, sending TCP/IP packets to all the IP addresses on
>> >> > the subnet, where the MAC address contains wrong information, will
>> >> > tell you which machines are Linux machines in promiscuous mode (the
>> >> > answer from those machines will be a RST packet).
>> >> > While this is far from being a perfect method, it can help discover
>> >> > suspicious activity on a network.
>> >> >
>> >>
>> >> Thx in advance,
>> >> Karthik Balaguru
>> >>
>> >>
>> >> ___________________________________________________________________________
>> >> Sent via:    Wireshark-users mailing list
>> >> <wireshark-users@xxxxxxxxxxxxx>
>> >> Archives:    http://www.wireshark.org/lists/wireshark-users
>> >> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>> >>
>> >> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>> >
>>
>> Thx in advance,
>> Karthik Balaguru
>>
>
>
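Karthik's question in this thread is whether a tool can tell that a network card is in promiscuous mode. The Python below is an added example, not code from the thread or from any of the tools named in it: it performs that check on the local Linux host (Windows is not covered) from two independent signals, the IFF_PROMISC bit in sysfs and the kernel's own "entered/left promiscuous mode" log lines. The sample log lines are constructed, and `/sys/class/net` is assumed to exist only when the script is run on a Linux host.

```python
"""Host-side promiscuous-mode check for Linux (added example, not from the thread).

As Hobbe notes, this only shows that a card would accept frames not addressed
to it; it does not prove that a sniffer such as Wireshark is running.
"""
import os
import re
from typing import Dict, List

IFF_PROMISC = 0x100  # interface flag bit from <linux/if.h>


def flags_promisc(flags_text: str) -> bool:
    """Return True if a sysfs flags value (e.g. '0x1103') has IFF_PROMISC set."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def promisc_interfaces(sysfs_root: str = "/sys/class/net") -> List[str]:
    """List interfaces whose current sysfs flags show promiscuous mode (Linux only)."""
    found = []
    for iface in sorted(os.listdir(sysfs_root)):
        try:
            with open(os.path.join(sysfs_root, iface, "flags")) as fh:
                if flags_promisc(fh.read()):
                    found.append(iface)
        except OSError:  # virtual devices without a flags file, permission issues
            continue
    return found


# Matches the message the kernel prints when a device's promiscuity count
# changes; the timestamp/facility prefix varies between dmesg, journald and syslog.
_PROMISC_RE = re.compile(r"device (?P<iface>\S+) (?P<state>entered|left) promiscuous mode")


def promisc_from_log(lines) -> Dict[str, bool]:
    """Replay kernel log lines; return the last known promiscuous state per interface."""
    state: Dict[str, bool] = {}
    for line in lines:
        m = _PROMISC_RE.search(line)
        if m:
            state[m.group("iface")] = m.group("state") == "entered"
    return state


# Constructed sample log lines (not captured from a real host).
SAMPLE_LOG = [
    "Mar 16 12:01:02 host kernel: [  120.331] device eth0 entered promiscuous mode",
    "Mar 16 12:01:09 host kernel: [  127.010] device eth1 entered promiscuous mode",
    "Mar 16 12:05:44 host kernel: [  402.882] device eth1 left promiscuous mode",
]

if __name__ == "__main__":
    print("from sysfs:", promisc_interfaces())   # live state of this host
    print("from log:  ", promisc_from_log(SAMPLE_LOG))  # {'eth0': True, 'eth1': False}
```

The log replay is the part that survives after the fact: a card that entered and later left promiscuous mode leaves no trace in sysfs, but does in the kernel log.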