Determining the presence of wireshark
in [Linux Networking]
|
Prev: how to inform pppd Session-Timeout value using radius
Next: Network traffic monitor - tip from expert
From: Hal Murray on 21 Mar 2010 02:14 > But, i wonder what is the advantage/use of running > wireshark on an interface that hasn't got any IP address. > In what kind of scnearios we might need to run wireshark > on an interface without IP address ? Any thoughts ? How about running whireshark while hiding from people who are trying to find people running Wireshark? -- These are my opinions, not necessarily my employer's. I hate spam.
From: Karthik Balaguru on 21 Mar 2010 02:35 On Mar 21, 11:14 am, hal-use...(a)ip-64-139-1-69.sjc.megapath.net (Hal Murray) wrote: > > But, i wonder what is the advantage/use of running > > wireshark on an interface that hasn't got any IP address. > > In what kind of scnearios we might need to run wireshark > > on an interface without IP address ? Any thoughts ? > > How about running whireshark while hiding from people > who are trying to find people running Wireshark? > :-) :-) I had that in mind ! But, Is it only for that reason ? Are there no other scenarios ? Thx in advans, Karthik Balaguru
From: Karthik Balaguru on 21 Mar 2010 02:59 On Mar 9, 10:40 pm, Jeff Liebermann <je...(a)cruzio.com> wrote: > On Tue, 9 Mar 2010 08:27:21 -0800 (PST), Karthik Balaguru > > <karthikbalagur...(a)gmail.com> wrote: > >How to determine the presence of wireshark in a network ? > > Look for NIC cards and wireless devices running in promiscuous mode. > > >Are there any specific packet types exchanged while it > >is present in the network so that it can be used to determine > >its presence in the network . > > No. A sniffer is totally passive. > Agreed, sniffer is totally passive ! On analyzing various internet links and also discussions, i understand that that unless the sniffer does not take care of things like hiding IP address / there is a flaw in the operating system similar to that of TCP/IP in pre-2.2.10 linux kernel, it is not possible to determine the presence of sniffers performing passive sniffing in the network. The option of using IPSec for all intranet traffic appears to be the main solution against passive sniffing. Though some OS can restrict that only admins can install certain type of sniffers, i think that is not enough as sometimes it can be via admin too. I wonder, why don't the various OS support the detection of Sniffers so that if a user is running it in the network, the OS might intimate it to the admins ? Just eager to know , is it not possible for the OS to detect a sniffer running on it and intimate it ? I think, the various OS(TCP/IP) in network should be configurable such that if there is a sniffer running on it, it would be able to intimate to a set of users(admin) in the network. The OS here can be either Linux / Windows. Are there any such tools already available ? > >Any tool to identify its presence > >in either Windows or Linux ? Any ideas ? > > AntiSniff: > <http://www.nmrc.org/pub/review/antisniff-b2.html> > You may have trouble finding this one. > > PromqryUI in DOS and Windowfied versions: > <http://www.microsoft.com/downloads/details.aspx?FamilyID=4df8eb90-83b....> > <http://www.microsoft.com/downloads/details.aspx?FamilyID=1a10d27a-4aa....> > Only works for detecting sniffers running on a Windoze system. I > haven't been able to detect DOS, Linux, or Mac sniffers with these > tools. > > I've also noticed that most casual users of sniffers running on > laptops like to boot their operating system before firing up their > sniffers. The laptop will usually belch a few DHCP broadcasts and ARP > requests before disappearing into promiscuous mode. These initial > packets can be detected with ArpWatch: > <http://24h.atspace.com/it/security/arpwatch.htm> > > The problem is not identifying the presence of the sniffer, it's > identifying which machine is actually doing the sniffing. The MAC > address is a clue, but given the ease of MAC address spoofing, that > information is often useless. Even if I delivered the MAC address on > a silver platter, identifying which one of the potentially hundreds of > similar computers in the room or building might be difficult. > > -- Thx in advans, Karthik Balaguru
From: Lew Pitcher on 21 Mar 2010 03:46 Warning: Lew Pitcher, who posts to this newsgroup, is a domain thief. Read the full story at http://www.lewpitcher.ca
From: pk on 21 Mar 2010 06:45
Karthik Balaguru wrote: > But, i wonder what is the advantage/use of running > wireshark on an interface that hasn't got any IP address. > In what kind of scnearios we might need to run wireshark > on an interface without IP address ? Any thoughts ? If wireshark is receiving traffic from a mirrored switch port on a separate dedicated link. You don't need any IP address on that interface. |