Wireshark-users: Re: [Wireshark-users] Wireshark in Network - Windows/Linux

From: Karthik Balaguru <karthikbalaguru79@xxxxxxxxx>
Date: Sun, 21 Mar 2010 14:58:06 +0530
On Sat, Mar 20, 2010 at 3:44 PM, bart sikkes <b.sikkes@xxxxxxxxx> wrote:
> Hello Karthik,
> I have been following your answers and remarks for some time now and
> wonder what your goal / reason behind this search for sniffer
> detection is? The whole nature of sniffing, it being a passive action,
> means that it is in principle not possible to detect remotely (some
> exceptions as mentioned, but those don't detect sniffers but detect a
> certain network card setting and can also be fooled.)
> For the rest I agree with Ronnie, it seems you don't want people to
> sniff in your network. Well, in my opinion you won't be able to stop them
> if you can't restrict total physical access to your network or use
> something like NAC. Still, due to the nature of switches they won't be
> able to pick up much useful information (again exceptions are
> possible). If you worry so much about someone sniffing on your network
> you should ask yourself what they shouldn't be able to see and for
> example encrypt that traffic.
> Oh, and Linux kernel 2.2.10 is like 10 years old, I doubt you will
> encounter it often any more.

Okay, a sniffer is totally passive!
On analyzing various internet links and also based on
various discussions, I understand that unless the
sniffer fails to take care of things like hiding its IP address, or
there is a flaw in the operating system similar to that of
TCP/IP in pre-2.2.10 Linux kernels, it is not possible to
determine the presence of sniffers performing passive
sniffing in the network. The option of using IPsec for
all intranet traffic appears to be the main solution
against passive sniffing.

But are there no tricks based on the OS in which the sniffer
is running? Though some OSes can restrict that only admins
can install certain types of sniffers, I think that is not enough.
I wonder why the various OSes (Linux/Windows) don't support
the detection of sniffers, so that if a user is running one in the
network, the OS might intimate it to the admins? Just eager
to know, is it not possible for the OS to detect a sniffer running
on it and intimate it? I think the various OSes (TCP/IP) in the network
should be configurable such that if there is a sniffer running
on it, it would be able to intimate it to a set of users (admins) in
the network. Are there any such tools already available?
Any thoughts?

Thanks in advance,
Karthik Balaguru
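As an added illustration of the "network card setting" exception Bart mentions and of the host-side check Karthik asks about (this is example code written for this thread, not something posted by either of them or shipped with Wireshark): on Linux, a capture tool that opens an interface in promiscuous mode causes the kernel to set the IFF_PROMISC bit (0x100) in that interface's flags, which is visible in /sys/class/net/<iface>/flags and as PROMISC in `ip link` output. The script below checks both sources. The `ip link` text is a constructed sample, not output captured from a real host, and the sysfs path is only read if it exists, so the script runs anywhere.

```python
import re
from pathlib import Path

# IFF_PROMISC from <linux/if.h>; the kernel sets it in the interface flags
# while at least one capture socket holds the interface in promiscuous mode.
IFF_PROMISC = 0x100


def promisc_from_flags(flags_hex: str) -> bool:
    """True if a hex flags value (the contents of /sys/class/net/<iface>/flags)
    has IFF_PROMISC set."""
    return bool(int(flags_hex.strip(), 16) & IFF_PROMISC)


def scan_sysfs(root: str = "/sys/class/net") -> dict:
    """Read every interface's flags file under sysfs and report which ones are
    promiscuous. Returns {iface: bool}; empty if sysfs is not available."""
    result = {}
    base = Path(root)
    if not base.is_dir():
        return result
    for iface in sorted(base.iterdir()):
        try:
            result[iface.name] = promisc_from_flags((iface / "flags").read_text())
        except (OSError, ValueError):
            continue  # virtual entries without a readable flags file
    return result


# Matches the first line of each interface block in `ip link show` output,
# e.g. "2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 ..."
IP_LINK_LINE = re.compile(r"^\d+:\s+(?P<name>[^:@]+)(?:@\S+)?:\s+<(?P<flags>[^>]*)>")


def promisc_from_ip_link(output: str) -> list:
    """Parse `ip link show` text and return the names of PROMISC interfaces."""
    found = []
    for line in output.splitlines():
        m = IP_LINK_LINE.match(line)
        if m and "PROMISC" in m.group("flags").split(","):
            found.append(m.group("name"))
    return found


# Constructed sample output (not from a real machine): eth0 is in promiscuous
# mode, as it would be while a capture tool is listening on it.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff
"""


if __name__ == "__main__":
    print("PROMISC in sample `ip link` output:", promisc_from_ip_link(SAMPLE_IP_LINK))
    live = scan_sysfs()
    if live:
        print("Promiscuous interfaces on this host:",
              [name for name, on in live.items() if on] or "none")
    else:
        print("sysfs not available on this host; skipped live check")
```

This only answers the narrow question of whether this host's own interfaces are in promiscuous mode, which is what an admin-side agent could report. It does not see a sniffer on another machine, one fed by a SPAN port or tap, or one that captures only its own traffic without promiscuous mode, so it complements rather than replaces the advice above to encrypt the traffic that must not be read.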