Wireshark-users: Re: [Wireshark-users] Wireshark in Network - Windows/Linux

From: Hobbe <my1listmail@xxxxxxxxx>
Date: Tue, 16 Mar 2010 11:07:04 +0100
Hi
None of them supports detecting a sniffer; they all detect that the network card is in promiscuous mode.
That a network card is in promiscuous mode only means that there is a chance that the machine could be used as a sniffer, but it is not the same as it being a sniffer device.

To find sniffers and such you would have to run a software inventory program that checks what software exists on the machines.
Then you can say: "OK, we have found sniffer software on the machines."

The different tools do different things, so do a search for them and see which one or ones would help you find out what you want.

HTH
Hobbe


2010/3/16 Karthik Balaguru <karthikbalaguru79@xxxxxxxxx>
On Sun, Mar 14, 2010 at 4:45 PM, Hobbe <my1listmail@xxxxxxxxx> wrote:
> As far as I know there is no way to detect a sniffer in a network, however
> there are some ways that can detect network cards in promiscuous mode, tools
> for this could be antisniff, neped, promgryui, sniffer-detect and so on.
> They all do NOT detect a sniffer "per se", they detect that a network card
> is in promiscuous mode which is a strong indicator that there is a sniffer.

Thx for your reply.
antisniff, neped, promgryui, sniffer-detect - do they support detection of sniffers
in both Windows and Linux? I thought of checking with you before actually
going in for analyzing those. Any ideas?

> This does not however show the sniffers used with SPAN or RSPAN ports in
> switches since those ports are shut down for outgoing traffic from the
> sniffer and only mirror the traffic on the ports chosen.
>
> HTH
> Hobbe
>
> 2010/3/13 Karthik Balaguru <karthikbalaguru79@xxxxxxxxx>
>>
>> On Wed, Mar 10, 2010 at 12:03 AM, Guy Harris <guy@xxxxxxxxxxxx> wrote:
>> >
>> > On Mar 9, 2010, at 8:35 AM, Karthik Balaguru wrote:
>> >
>> >> How to determine the presence of wireshark in a network ? Are there
>> >> any specific packet types exchanged while it is present in the network
>> >> so that it can be used to determine its presence in the network ? Any
>> >> specific tool to identify its presence in either Windows or Linux ?
>> >
>> > There is no Wireshark-specific network protocol that it and only it
>> > uses.
>> >
>> > If you do a Web search for
>> >
>> >        detecting sniffers
>> >
>> > you can find some techniques that, although not *guaranteed* to find
>> > programs that capture network packets, such as Wireshark (and tcpdump and
>> > snoop and Microsoft Network Monitor and NetScout Sniffer and WildPackets
>> > {Ether,Token,Airo,Omni}Peek and...), can sometimes detect those programs on
>> > a network.  For example:
>> >
>> >        http://www.securiteam.com/unixfocus/2EUQ8QAQME.html
>> >
>> > says
>> >
>> >        How to detect other sniffers on the network
>> >
>> >        Detecting other sniffers on other machines is very difficult (and
>> > sometimes impossible). But detecting whether one of the Linux machines is
>> > doing the sniffing is possible.
>> >        This can be done by exploiting a weakness in the TCP/IP stack
>> > implementation of Linux.
>> >        When Linux is in promiscuous mode, it will answer to TCP/IP
>> > packets sent to its IP address even if the MAC address on that packet is
>> > wrong (the standard behavior is that packets containing wrong MAC address
>> > will not be answered because the network interface will drop them).
>>
>> Interesting to know that the Linux TCP/IP stack implementation answers
>> TCP/IP packets even if the MAC address on that packet is wrong
>> (promiscuous mode). But is this made intentionally in Linux, to be
>> different from the standard behavior, in order to help determine the
>> presence of a sniffer in the network? Any thoughts?
>>
>> >        Therefore, sending TCP/IP packets to all the IP addresses on the
>> > subnet, where the MAC address contains wrong information, will tell you
>> > which machines are Linux machines in promiscuous mode (the answer from those
>> > machines will be a RST packet)
>> > While this is far from being a perfect method, it can help discover
>> > suspicious activity on a network.
>> >
>>
>> Thx in advance,
>> Karthik Balaguru
>>
>> ___________________________________________________________________________
>> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
>> Archives:    http://www.wireshark.org/lists/wireshark-users
>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>
>

Thx in advance,
Karthik Balaguru
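The wrong-MAC probe described in the quoted securiteam text can be turned into a passive check over captured frames: a host that answers a TCP segment whose Ethernet destination was not its own (and not broadcast) with a RST must have accepted a frame its NIC should have dropped. The following is an added example, not code from the thread or from Wireshark; the frames, MAC and IP addresses are all constructed, and `KNOWN_MACS` is assumed to come from the defender's own ARP or switch tables. As Hobbe notes, this cannot see sniffers fed from SPAN/RSPAN ports.

```python
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10

def mac_to_str(b): return ":".join(f"{x:02x}" for x in b)
def str_to_mac(s): return bytes(int(x, 16) for x in s.split(":"))
def ip_to_str(b): return ".".join(str(x) for x in b)
def str_to_ip(s): return bytes(int(x) for x in s.split("."))

def build_frame(dst_mac, src_mac, src_ip, dst_ip, flags):
    """Minimal Ethernet/IPv4/TCP frame for constructed sample data (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, flags, 1024, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     str_to_ip(src_ip), str_to_ip(dst_ip))
    eth = str_to_mac(dst_mac) + str_to_mac(src_mac) + struct.pack("!H", 0x0800)
    return eth + ip + tcp

def parse_frame(frame):
    """Return (dst_mac, src_ip, dst_ip, tcp_flags), or None for non-IPv4/TCP frames."""
    dst_mac, _src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4          # header length in bytes
    if ip[9] != 6:                    # protocol field: 6 = TCP
        return None
    return mac_to_str(dst_mac), ip_to_str(ip[12:16]), ip_to_str(ip[16:20]), ip[ihl + 13]

def find_promiscuous(frames, known_macs):
    """Flag hosts that answered a probe carrying a wrong destination MAC with a RST.
    known_macs maps IP -> the host's real MAC (assumed: from the defender's ARP/switch table)."""
    outstanding, flagged = set(), set()
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        dst_mac, src_ip, dst_ip, flags = parsed
        real_mac = known_macs.get(dst_ip)
        if real_mac and dst_mac not in (real_mac, BROADCAST):
            outstanding.add((dst_ip, src_ip))          # (probed host, prober)
        elif flags & TCP_RST and (src_ip, dst_ip) in outstanding:
            flagged.add(src_ip)                         # answered a frame its NIC should drop
    return sorted(flagged)

# Constructed sample: 192.168.1.1 probes three hosts using bogus MAC 00:00:00:00:00:01.
KNOWN_MACS = {"192.168.1.10": "aa:aa:aa:aa:aa:10", "192.168.1.11": "aa:aa:aa:aa:aa:11",
              "192.168.1.12": "aa:aa:aa:aa:aa:12"}
PROBER_MAC, PROBER_IP = "aa:aa:aa:aa:aa:01", "192.168.1.1"
SAMPLE_FRAMES = [
    build_frame("00:00:00:00:00:01", PROBER_MAC, PROBER_IP, "192.168.1.10", TCP_SYN),
    build_frame("00:00:00:00:00:01", PROBER_MAC, PROBER_IP, "192.168.1.11", TCP_SYN),
    build_frame(PROBER_MAC, KNOWN_MACS["192.168.1.10"], "192.168.1.10", PROBER_IP, TCP_RST | TCP_ACK),
    build_frame(KNOWN_MACS["192.168.1.12"], PROBER_MAC, PROBER_IP, "192.168.1.12", TCP_SYN),
    build_frame(PROBER_MAC, KNOWN_MACS["192.168.1.12"], "192.168.1.12", PROBER_IP, TCP_RST | TCP_ACK),
]

if __name__ == "__main__":
    print(find_promiscuous(SAMPLE_FRAMES, KNOWN_MACS))   # ['192.168.1.10']
```

Only 192.168.1.10 is flagged: 192.168.1.11 never answered, and 192.168.1.12 replied to a normally addressed segment, which proves nothing about its interface mode.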