From: bod43 on 24 Mar 2010 12:35

On 22 Mar, 23:34, Jeff Liebermann <je...(a)cruzio.com> wrote:
> On Sat, 20 Mar 2010 23:59:41 -0700 (PDT), Karthik Balaguru
> <karthikbalagur...(a)gmail.com> wrote:
>
> >Agreed, sniffer is totally passive ! On analyzing various
> >internet links and also discussions, I understand that
> >unless the sniffer does not take care of things like
> >hiding IP address / there is a flaw in the operating system
> >similar to that of TCP/IP in pre-2.2.10 Linux kernel, it is not
> >possible to determine the presence of sniffers performing
> >passive sniffing in the network.

Lots of good Jeff Stuff (TM) snipped

> # Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060

Maybe the OP would like Token Ring where if I recall correctly the protocol required that MACs in promiscuous mode set the "Monitor Present" bit in the token (or somewhere - can't be bothered to check and it's been a while -- and no one cares).

As many people have said there is no way to guarantee detecting a monitor on the network.

Of course at one time with fiber it was indeed believed that intrusion was detectable. The idea was this. You constantly monitored all connections for service interruptions. If there was an interruption you sent round the boys in black to check for network taps just in case the interruption was caused by someone inserting a tap. Otherwise the only way of seeing the light was to bend the fiber sharply which caused leakage. Someone I seem to recall came up with something that detected that too. A company I worked at was involved in bidding such a proposal decades ago. We didn't get the job (or maybe just no one told me:) and maybe the whole thing fell through anyway.

Of course all this is only affordable for government level or similar security.

Then there is quantum cryptography which guarantees that message interception is detectable by principle.
From: Stefan Monnier on 24 Mar 2010 14:21

> Then there is quantum cryptography which guarantees
> that message interception is detectable by principle.

Of course, the guarantee only applies to the actual quantum part of the link. Not to either classical end-point.

Stefan
From: Aaron Leonard on 25 Mar 2010 19:49

~ > > But, I wonder what is the advantage/use of running
~ > > Wireshark on an interface that hasn't got any IP address.
~ > > In what kind of scenarios might we need to run Wireshark
~ > > on an interface without IP address ? Any thoughts ?
~ >
~ > How about running Wireshark while hiding from people
~ > who are trying to find people running Wireshark?
~ >
~
~ :-) :-)
~ I had that in mind !
~ But, is it only for that reason ? Are there no other scenarios ?

When I'm getting a promiscuous capture, I want to obtain as accurate a capture from the channel as is possible (/convenient). Having my sniffer's IP stack enabled is not helpful in this regard. In fact, since some operating systems will babble incessantly on any interface with an IP address, it is downright harmful to accurate capture.

For example, if I'm trying to measure the 802.11n performance between one of our APs and a client device, it doesn't do me any good for my sniffer to be spamming the channel with some NBNS nonsense at the same time.

I.e. this is just basic test engineering 101: if you're going to perform an observation, you want the process of observation to be as non-intrusive as it can be.

Aaron
From: Jeff Liebermann on 26 Mar 2010 03:24

On Wed, 24 Mar 2010 09:35:39 -0700 (PDT), bod43 <Bod43(a)hotmail.co.uk> wrote:

>You constantly monitored all connections for service
>interruptions. If there was an interruption you sent round
>the boys in black to check for network taps just in case
>the interruption was caused by someone inserting a tap.

Yeah, sure. If there were only one interruption caused by a tap insertion, that would probably be cause for an investigation. When you have a few dozen minor interruptions daily, it's difficult to get inspired to investigate one more. More likely, the fault will magically heal itself, and the operator or log skimmer will assume it's a transient error. If 10G, GFEC (Generic forward error correction) might mask any errors.

Many of the fibers worth tapping are miles and miles long. One big long dark fiber. How about this run from Santa Cruz to Sunnyvale in one piece? About 99% of the light never makes it to the other end, but that's good enough for DWDM (dense wave division mux). A little additional loss, and probably nobody would notice.

On the other foot, picking up leakage from a bent single mode fiber is not my idea of fun. I could probably build a suitable pickup, but trying to get all the different colors separated would be a mess. Besides, the DWDM sniffer box would probably cost $10,000 and up. Even so, sniffing fiber is like drinking from a fire hose. The horsepower required to decode and capture everything is well beyond that of a common PC.

>Of course all this is only affordable for government level
>or similar security.

If you throw an infinite amount of (public) money at a problem, anything is solvable (except maybe federal health care).

>Then there is quantum cryptography which guarantees
>that message interception is detectable by principle.

Yep. That's the major benefit.

--
Jeff Liebermann     jeffl(a)cruzio.com
150 Felker St #D    http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann     AE6KS    831-336-2558
From: Shadow on 29 Mar 2010 17:25

On Tue, 9 Mar 2010 08:27:21 -0800 (PST), Karthik Balaguru <karthikbalaguru79(a)gmail.com> wrote:

>Hi,
>How to determine the presence of Wireshark in a network ?
>Are there any specific packet types exchanged while it
>is present in the network so that it can be used to determine
>its presence in the network . Any tool to identify its presence
>in either Windows or Linux ? Any ideas ?
>
>Thanks in advance,
>Karthik Balaguru

Wireshark has DNS resolving on by default (or it used to, as far as I can remember). If the sniffer is an amateur, and leaves it on, you can try to ping an imaginary address. The sniffer's Wireshark will pick up the address and try to resolve it. So just filter with "dns and <pinged IP>" and you can see which computer Wireshark is on. Duh.

[]'s

Kismet and aircrack of course are MUCH less detectable than Wireshark.......they are totally non-intrusive.
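The decoy-ping check Shadow describes, turned into detection logic a network defender can run over DNS server query logs rather than a live Wireshark filter. This is an added example, not code from the thread; the log line format, the decoy address 10.13.37.250 and the sample lines are all constructed for it.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, Optional

# Decoy address chosen for this example: nothing on the LAN has a reason to
# reverse-resolve it, so a PTR query for it is the tell the post describes.
DECOY_IP = "10.13.37.250"

# Constructed sample of DNS query log lines: "<time> <client-ip> <qtype> <qname>".
SAMPLE_DNS_LOG = """\
12:00:01 10.13.37.10 A fileserver.lan.example
12:00:02 10.13.37.42 PTR 250.37.13.10.in-addr.arpa
12:00:02 10.13.37.42 PTR 7.37.13.10.in-addr.arpa
12:00:03 10.13.37.7 PTR 250.37.13.10.in-addr.arpa
12:00:05 10.13.37.99 A www.example.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def reverse_name(ip: str) -> str:
    """Return the in-addr.arpa / ip6.arpa name a resolver queries for ip."""
    return ipaddress.ip_address(ip).reverse_pointer


def sniffer_candidates(log_text: str, decoy_ip: str,
                       prober_ip: Optional[str] = None) -> Dict[str, int]:
    """Map each client that reverse-resolved the decoy to its query count.

    prober_ip is the host that sent the decoy ping; its own stack may
    legitimately resolve the address, so it is excluded, not reported.
    """
    target = reverse_name(decoy_ip).lower()
    hits: Dict[str, int] = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        _ts, client, qtype, qname = m.groups()
        if qtype.upper() != "PTR" or qname.rstrip(".").lower() != target:
            continue
        if prober_ip and client == prober_ip:
            continue
        hits[client] += 1
    return dict(hits)


if __name__ == "__main__":
    print(sniffer_candidates(SAMPLE_DNS_LOG, DECOY_IP, prober_ip="10.13.37.7"))
```

As the thread itself notes, a capture tool with name resolution switched off never issues such lookups, so an empty result proves nothing; the check only catches the careless configuration.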