Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-users: Re: [Wireshark-users] Viability of detecting Wireshark with ARP-packets

From: "Hans Nilsson" <hasse_gg@xxxxxxxx>
Date: Mon, 16 Oct 2006 10:25:11 -1100
Ok, here are the results. I scanned a box running Linux 2.6.X with
different NIC and Wireshark settings using Cain & Abel from a box
running Windows XP SP2. 
_________________________________________________________________________B31________B16______B8_______Gr_______M0_______M1_______M3
Wireshark_Off_-_NIC_Normal_mode___________________________________________0_________0________0________0________0________X________X
Wireshark_Off_-_NIC_Promiscuous_mode______________________________________X_________X________X________X________X________X________X
Wireshark_On_-_NIC_Normal_mode_-_Promiscuous_mode_not_set_in_Options______0_________0________0________0________0________X________X
Wireshark_On_-_NIC_Normal_mode_-_Promiscuous_mode_set_in_Options__________X_________X________X________X________X________X________X
Wireshark_On_-_NIC_Promiscuous_mode_-_Promiscuous_mode_not_set_in_Options_X_________X________X________X________X________X________X
Wireshark_On_-_NIC_Promiscuous_mode_-_Promiscuous_mode_set_in_Options_____X_________X________X________X________X________X________X

If the formatting's screwed up, here's an image:
http://i9.tinypic.com/2dhwbpc.png

X = Got ARP Reply
0 = Did not get ARP Reply
B31 = ARP destination FF:FF:FF:FF:FF:FE
B16 = ARP destination FF:FF:00:00:00:00
B8  = ARP destination FF:00:00:00:00:00
Gr  = ARP destination 01:00:00:00:00:00
M0  = ARP destination 01:00:5e:00:00:00
M1  = ARP destination 01:00:5e:00:00:01
M3  = ARP destination 01:00:5e:00:00:03

Read the PDF from my previous post for more clarification:
http://www.securityfriday.com/promiscuous_detection_01.pdf

So apparently you can quite easily detect if someone's running Wireshark
on your network. (Assuming they haven't set up special rules to not
reply to these revealing ARP-packets or something like that.)


On Fri, 13 Oct 2006 07:19:17 -1100, "Hans Nilsson" <hasse_gg@xxxxxxxx>
said:
> Hello, I recently read the document "Promiscuous node detection using
> ARP packets" [1] about detecting network cards in promiscuous mode and
> sniffers with custom-built ARP-packets. For example tools like Cain and
> Abel [2] has that capability. But I was wondering if this actually works
> against Wireshark?
> 
> When I do ifconfig my network card is not listed as being in promiscuous
> mode but under options in Wireshark the card is in promiscuous mode and
> I can receive all the traffic on my LAN. So is this not a problem
> anymore since the NIC doesn't have to be manually set to promiscuous
> mode, Wireshark can do that on it's own and therefore won't be detected
> by the ARP-technique?
> 
> [1]
> http://www.securityfriday.com/promiscuous_detection_01.pdf
> [2]
> http://www.oxid.it/ca_um/topics/promiscuous-mode_scanner.htm
> -- 
>   Hans Nilsson
>   hasse_gg@xxxxxxxx
> 
> -- 
> http://www.fastmail.fm - A fast, anti-spam email service.
> 
> _______________________________________________
> Wireshark-users mailing list
> Wireshark-users@xxxxxxxxxxxxx
> http://www.wireshark.org/mailman/listinfo/wireshark-users
-- 
  Hans Nilsson
  hasse_gg@xxxxxxxx

-- 
http://www.fastmail.fm - Same, same, but different