As far as finding machines running Wireshark there are actually a few
techniques. If you Google for "detect promiscuous mode" and follow
through on some of the research. One mechanism was using a "feature"
of the Linux IP stack where a Linux host in promiscuous mode would
respond to IP packet even it was sent to a MAC address it didn't own.
There were other techniques involving ARP.
Also Wireshark boxes are sometimes configured to try and resolve IP
addresses into names (reverse lookups). Thus you can "trick" Wireshark
to try and do a reverse lookup on an IP address you choose by simply
sending a packet past the interface it is sniffing. If you see that IP
address in the site DNS server logs as a reverse query, then you will
have potentially found a lurking Wireshark box.
Ultimately if you suspect people are using sniffers for nefarious
purposes on your network, you probably need to think a lot about
physical security of your cable risers and communications closets. You
also want to have managed switches and routers where have a control
over
Regards, Martin
MartinVisser99@xxxxxxxxx
