From: PaulusJrLz on
On Mar 9, 11:27 pm, Karthik Balaguru <karthikbalagur...(a)gmail.com>
wrote:
> Hi,
> How to determine the presence of wireshark in a network ?
> Are there any specific packet types exchanged while it
> is present in the network so that it can be used to determine
> its presence in the network . Any tool to identify its presence
> in either Windows or Linux ? Any ideas ?
>
> Thx in advans,
> Karthik Balaguru

One indicator of sniffer activity is a lot of DNS requests from the
sniffer.
This detection is not always effective, since the sniffer's DNS resolution
can be turned off.

Junior Lazuardi
From: Karthik Balaguru on
On Mar 17, 2:09 am, Stephen <stephen_h...(a)xyzworld.com> wrote:
> On Tue, 16 Mar 2010 09:39:30 -0700 (PDT), Karthik Balaguru
> <karthikbalagur...(a)gmail.com> wrote:
> >On Mar 15, 12:13 am, Stephen <stephen_h...(a)xyzworld.com> wrote:
> >> On Sun, 14 Mar 2010 07:12:44 -0700 (PDT), Karthik Balaguru
>
> >> <karthikbalagur...(a)gmail.com> wrote:
> >> >On Mar 10, 1:45 am, DanS <t.h.i.s.n.t.h....(a)r.o.a.d.r.u.n.n.e.r.c.o..m>
> >> >wrote:
> >> >> Rick Jones <rick.jon...(a)hp.com> wrote in news:hn66ht$h7r$2
> >> >> @usenet01.boi.hp.com:
>
> >> >> > In comp.os.linux.networking Bob <b...(a)invalid.invalid> wrote:
> >> >> >> Have you tried SNAT? I noticed it on YouTube last week.
> >> >> >> <http://www.snat-project.com/documentation.html>
>
> >> >> > I'm not sure how robust this:
>
> >> >> >     This action is the one I really like. With the help of it you can
> >> >> >     check if a host on your network is running a sniffer (well,
>
> >> >> <SNIP>
>
> >> >> >     host I want to check is 192.168.1.8 As usual go to the directory
> >> >> >     where you have snat.jar and execute the command (if you have any
> >> >> >     problems go here) :
>
> >> >> > will be.  First, I suppose that 99 times out of 10 a host responding
> >> >> > to that MAC address will be in promiscuous mode, but since the group
> >> >> > bit is set...  And I would think all it takes is a small change to the
> >> >> > ARP code to verify that the destination MAC was a full broadcast....
>
> >> >> Is this supposedly for Windows, Linux, OSX, BSD, etc ?
>
> >> >> I'm sure it's OS specific. For instance, a Windows box will not reply to a
> >> >> broadcast ping, but a Linux box will.
>
> >> >But why Windows box does not reply to the broadcast ping :-( whereas
> >> >the Linux box replies to the broadcast ping ?  That is,
> >> >any specific reasons for not being supported in Windows and for
> >> >being supported in Linux ?
>
> >> i seem to remember using broadcast ping to populate ARP tables on a
> >> router to hunt used IP addresses, so i am not sure this is right.
>
> >> i think that it may be more about the sender, not the receiver.
>
> >> if i ping the local LAN s/net on my w2000 PC - no response and nothing
> >> changes in the arp table (arp -a)
>
> >> do the same on a win7 PC and i get a response, and the arp table gets
> >> some added entries - some of the entries are w2k and xp boxes.....
>
> >> the win7 box has static ARP entries installed for the IP local
> >> broadcast address and network broadcast (this seems to be part of the
> >> default interface settings).
> >> Adding the same statics on the w2k box doesn't change anything.
>
> >> i cannot run up wireshark to check any further right now - but it sure
> >> looks like the apparent lack of response to broadcast ping might be at
> >> the Windows sender, not the responder.
>
> >On similar lines, i came across an info that states that due to
> >a weakness in Linux TCP/IP implementation , it will answer to
> >TCP/IP packets sent to its IP address even if the MAC address
> >on that packet is wrong while in promiscuous mode.
> >But, it seems that the standard behavior is that it will not be
> >answered because the network interface will drop them as it
> >is containing wrong MAC address .
>
> >I am eager to know Why is the linux implementation different
> >from that of the standard implementation ? Is it good or bad ?
>
> it probably comes down to implementation issues.
>
> FWIW responding to broadcasts is like many things - useful but can be
> dangerous to network stability in some setups.
>
> there are standards that covers a lot of this stuff.....
>
> RFC 1122 is for host requirements - section 3.2 says a fair bit about
> handling broadcasts.
>

It seems that the flaw in the Linux TCP/IP stack has been fixed in
kernel 2.2.10, as it drops incoming packets that are not
destined for its ethernet address.

So, it is a tough job to detect the presence of a sniffer in the
network if the sniffer is running on Linux kernel 2.2.10.

Karthik Balaguru
From: Karthik Balaguru on
On Mar 20, 11:49 am, PaulusJrLz <paulusj...(a)gmail.com> wrote:
> On Mar 9, 11:27 pm, Karthik Balaguru <karthikbalagur...(a)gmail.com>
> wrote:
>
> > Hi,
> > How to determine the presence of wireshark in a network ?
> > Are there any specific packet types exchanged while it
> > is present in the network so that it can be used to determine
> > its presence in the network . Any tool to identify its presence
> > in either Windows or Linux ? Any ideas ?
>
> > Thx in advans,
> > Karthik Balaguru
>
> One indicator of sniffer activity is a lot of DNS requests from the
> sniffer.
> This detection is not always effective, since sniffer's DNS resolution
> can be turned off.
>

I think that is how antisniff has been played down
by some sniffers.

I have been searching for tools that help
in finding remote systems in promiscuous mode
in a network. I did come across other tools that
help in detecting a system in promiscuous mode,
such as the following:

1. Sentinel
Supports 3 methods of remote promiscuous
detection: the DNS test, Etherping test, ARP test
(-a ARP test, -d DNS test, -e ICMP etherping test).
Need to check it out. Has anyone tried this
out?

2. neped.c
http://www.artofhacking.com/tucops/hack/unix/live/aoh_neped.htm
Network Promiscuous Ethernet Detector w.r.t. Linux:
specifically designed to detect the sniffers that
use the flaw in the Linux TCP/IP stack! I think this
will not be useful for the kernels in which the
flaw has been fixed such as kernel 2.2.10 as they
drop the incoming packets that are not destined
for this ethernet address.

3. promisc.c
http://seclists.org/nmap-hackers/1999/att-271/promisc_c.bin
Determines whether the machine on which it is run is
in promiscuous mode.
This is similar to "ifconfig -a|grep PROMISC" :-)
But, this does not help in remote machine (sniffer)
detection :-(

4. ifstatus
ftp://ftp.cerias.purdue.edu/pub/tools/unix/sysutils/ifstatus/ifstatus-4.0.tar.gz
Checks the network interfaces on the system and
reports any that are in debug or promiscuous
mode - not suitable for remote sniffer
detection :-(

5. Antisniff
So it appears that antisniff can be tricked if
kernel 2.2.10 is used, or if the DNS lookup test is
avoided, or if the sniffing is not done above an
average network traffic limit. And it seems there
is an equally interesting 'Anti-Antisniff Sniffer'
to play down the antisniff utility :-(

But, I am not sure if Sentinel helps in the detection
of remote promiscuous mode (sniffer) even in the
case of Linux kernel 2.2.10!?

Thx in advans,
Karthik Balaguru
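The ARP test that Sentinel offers, and the "group bit" remark in the SNAT discussion quoted earlier in the thread, can be illustrated with a frame builder plus a reply classifier. This is an added example, not code from the original thread, from Sentinel or from SNAT: the MAC addresses and the checker's 192.168.1.5 address are constructed, 192.168.1.8 is the host from the quoted SNAT text, and the raw-socket send/receive (which needs root) is left out.

```python
import struct

ETH_P_ARP = 0x0806
BROADCAST_MAC = bytes.fromhex("ffffffffffff")
# Constructed "fake broadcast" probe address: the group bit is set, so a
# promiscuous stack that does not re-check the destination may treat the
# frame as broadcast, while a NIC in normal mode discards it in hardware.
PROBE_MAC = bytes.fromhex("fffffffffffe")

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))

def build_arp(dst_mac, src_mac, opcode, sender_mac, sender_ip,
              target_mac, target_ip):
    """Ethernet II + ARP (RFC 826) frame; opcode 1 = request, 2 = reply."""
    eth = dst_mac + src_mac + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)  # eth, IPv4, 6, 4
    return eth + arp + sender_mac + sender_ip + target_mac + target_ip

def build_probe(my_mac, my_ip, target_ip, dst_mac=PROBE_MAC):
    """ARP request for target_ip sent to a non-broadcast destination MAC."""
    me = mac_bytes(my_mac)
    return build_arp(dst_mac, me, 1, me, ip_bytes(my_ip), bytes(6),
                     ip_bytes(target_ip))

def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    return {"dst_mac": frame[0:6],
            "opcode": struct.unpack("!H", frame[20:22])[0],
            "sender_mac": frame[22:28], "sender_ip": frame[28:32],
            "target_ip": frame[38:42]}

def answered_fake_broadcast(probe, reply):
    """True when a host replied to an ARP request its NIC should have dropped.
    A reply to a real broadcast probe proves nothing, so that yields False.
    Caveat from the thread: a sniffer on an interface with no IP address,
    or whose outbound traffic is firewalled, never replies at all."""
    p, r = parse_arp(probe), parse_arp(reply)
    if p is None or r is None or p["dst_mac"] == BROADCAST_MAC:
        return False
    return r["opcode"] == 2 and r["sender_ip"] == p["target_ip"]
```

A positive result only says the stack answered a frame it should not have seen; some drivers and NICs pass such frames up in normal mode too, so treat it as a lead to verify on the host rather than proof of a sniffer.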
From: Stephane CHAZELAS on
2010-03-20, 01:59(-07), Karthik Balaguru:
[...]
> 1. Sentinel
> Supports 3 methods of remote promiscuous
> detection: The DNS test,Etherping test,ARP test.
> -a arp test, -d dns test,-e icmp etherping test.
> Need to check it out. Has anyone tried this
> out ?

All those methods assume the interface is configured with an IP
address, or that the system supports IP. There's no need for
implementing an IP stack to sniff ethernet packets. One can use
wireshark on an interface that hasn't got any IP address
configured or that has a firewall rule that prevents it from
emitting any packet.

sudo iptables -I OUTPUT --out-interface eth0 -j DROP

And that interface will not be detected.

Probably same with

sudo ip addr flush dev eth0

> 2. neped.c
> http://www.artofhacking.com/tucops/hack/unix/live/aoh_neped.htm
> Network Promiscuous Ethernet Detector w.r.t Linux-
> Specifically designed to detect the sniffers that
> use the flaw in Linux TCP/IP Stack !!. I think this
> will not be useful for the kernels in which the
> flaw has been fixed such as kernel 2.2.10 as they
> drop the incoming packets that are not destined
> for this ethernet address.

2.2.9 was released in May 1999. I don't expect there to be a lot of
pre-2.2.10 Linux boxes around nowadays.

--
Stéphane
From: Karthik Balaguru on
On Mar 20, 3:28 pm, Stephane CHAZELAS <stephane_chaze...(a)yahoo.fr>
wrote:
> 2010-03-20, 01:59(-07), Karthik Balaguru:
> [...]
>
> > 1. Sentinel
> > Supports 3 methods of remote promiscuous
> > detection: The DNS test,Etherping test,ARP test.
> > -a arp test, -d dns test,-e icmp etherping test.
> > Need to check it out. Has anyone tried this
> > out ?
>
> All those methods assume the interface is configured with an IP
> address, or that the system supports IP.

Okay. Yeah, I analyzed it and it appears just
as you conveyed - passive sniffers in promiscuous
mode (remote) can be detected only if they are on
an interface with a configured IP address!

> There's no need for
> implementing an IP stack to sniff ethernet packets. One can use
> wireshark on an interface that hasn't got any IP address
> configured or that has a firewall rule that prevents it from
> emitting any packet.
>
> sudo iptables -I OUTPUT --out-interface eth0 -j DROP
>
> And that interface will not be detected.
>

:-(
Interesting to know that wireshark or other sniffers
can be used on an interface that hasn't got any IP
address configured.

But, I wonder what the advantage/use is of running
wireshark on an interface that hasn't got any IP address.
In what kind of scenarios might we need to run wireshark
on an interface without an IP address? Any thoughts?

> Probably same with
>
> sudo ip addr flush dev eth0
>

:-(
It appears that there is NO method to detect passive sniffing
unless the sniffer fails to take care of things like hiding
its IP address / using a proper flawless OS.

> > 2. neped.c
> > http://www.artofhacking.com/tucops/hack/unix/live/aoh_neped.htm
> > Network Promiscuous Ethernet Detector w.r.t Linux-
> > Specifically designed to detect the sniffers that
> > use the flaw in Linux TCP/IP Stack !!. I think this
> > will not be useful for the kernels in which the
> > flaw has been fixed such as kernel 2.2.10 as they
> > drop the incoming packets that are not destined
> > for this ethernet address.
>
> 2.2.9 was released in May 1999. I don't expect there be a lot of
> pre-2.2.10 Linux boxes around nowadays.
>

True that there might not be many systems that use pre-2.2.10
unless upgraded. So, it is difficult to determine the presence
of a sniffer in networks in such a case.

So, in brief - NO METHOD to detect passive sniffing :-(
That is, it seems that unless there is a flaw in the operating
system similar to that of TCP/IP in pre-2.2.10 Linux kernels, it
is not possible to determine the presence of sniffers performing
passive sniffing in the network.

Karthik Balaguru