From: bod43 on
On 22 Mar, 23:34, Jeff Liebermann <je...(a)cruzio.com> wrote:
> On Sat, 20 Mar 2010 23:59:41 -0700 (PDT), Karthik Balaguru
>
> <karthikbalagur...(a)gmail.com> wrote:
> >Agreed, sniffer is totally passive ! On analyzing various
> >internet links and also discussions, i understand that
> >that unless the sniffer does not take care of things like
> >hiding IP address / there is a flaw in the operating system
> >similar to that of TCP/IP in pre-2.2.10 linux kernel, it is not
> >possible to determine the presence of sniffers performing
> >passive sniffing in the network.

Lots of good Jeff Stuff (TM) snipped

> # Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060

Maybe the OP would like Token Ring where if I
recall correctly the protocol required that MACs in
promiscuous mode set the "Monitor Present"
bit in the token (or somewhere - can't be bothered to
check and it's been a while -- and no one cares).

As many people have said there is no way to
guarantee detecting a monitor on the network.

Of course at one time with fiber it was indeed believed
that intrusion was detectable.

The idea was this.

You constantly monitored all connections for service
interruptions. If there was an interruption you sent round
the boys in black to check for network taps just in case
the interruption was caused by someone inserting a tap.

Otherwise the only way of seeing the light was to bend the
fiber sharply which caused leakage. Some one I seem
to recall came up with something that detected that too.
A company I worked at was involved in bidding
such a proposal decades ago. We didn't get the job
(or maybe just no one told me:) and maybe the whole
thing fell through anyway.

Of course all this is only affordable for government level
or similar security.

Then there is quantum cryptography which guarantees
that message interception is detectable by principle.

From: Stefan Monnier on
> Then there is quantum cryptography which guarantees
> that message interception is detectable by principle.

Of course, the guarantee only applies to the actual quantum part of
the link. Not to either classical end-point.


Stefan
From: Aaron Leonard on

~ > > But, i wonder what is the advantage/use of running
~ > > wireshark on an interface that hasn't got any IP address.
~ > > In what kind of scnearios we might need to run wireshark
~ > > on an interface without IP address ? Any thoughts ?
~ >
~ > How about running whireshark while hiding from people
~ > who are trying to find people running Wireshark?
~ >
~
~ :-) :-)
~ I had that in mind !
~ But, Is it only for that reason ? Are there no other scenarios ?

When I'm getting a promiscuous capture, I want to obtain as accurate
a capture from the channel as is possible (/convenient). Having
my sniffer's IP stack enabled is not helpful in this regard. In
fact, since some operating systems will babble incessantly on any
interface with an IP address, it is downright harmful to accurate
capture.

For example, if I'm trying to measure the 802.11n performance
between one our our APs an a client device, it doesn't do me
any good for my sniffer to be spamming the channel with some
NBNS nonsense at the same time.

I.e. this is just basic test engineering 101: if you're going to
perform an observation, you want the process of observation to be
non intrusive as it can be.

Aaron
From: Jeff Liebermann on
On Wed, 24 Mar 2010 09:35:39 -0700 (PDT), bod43 <Bod43(a)hotmail.co.uk>
wrote:

>You constantly monitored all connections for service
>interruptions. If there was an interruption you sent round
>the boys in black to check for network taps just in case
>the interruption was caused by someone inserting a tap.

Yeah, sure. If there were only one interruption caused by a tap
insertion, that would probably be cause for an investigation. When
you have a few dozen minor interruptions daily, it's difficult to get
inspired to investigate one more. More likely, the fault will
magically heal itself, and the operator or log skimmer will assume
it's a transient error. If 10G, GFEC (Generic forward error
correction) might mask any errors.

Many of the fibers worth taping are miles and miles long. One big
long dark fiber. How about this run from Santa Cruz to Sunnyvale in
one piece? About 99% of the light never makes it to the other end,
but that's good enough for DWDM (dense wave division mux). A little
additional loss, and probably nobody would notice.

On the other foot, picking up leakage from a bent single mode fiber is
not my idea of fun. I could probably build a suitable pickup, but
trying to get all the different colors separated would be a mess.
Besides, the DWDM sniffer box would probably cost $10,000 and up. Even
so, sniffing fiber is like drinking from a fire hose. The horsepower
required to decode and capture everything is well beyond that of a
common PC.

>Of course all this is only affordable for government level
>or similar security.

If you throw an infinite amount of (public) money at a problem,
anything is solvable (except maybe federal health care).

>Then there is quantum cryptography which guarantees
>that message interception is detectable by principle.

Yep. That's the major benefit.
--
Jeff Liebermann jeffl(a)cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
From: Shadow on
On Tue, 9 Mar 2010 08:27:21 -0800 (PST), Karthik Balaguru
<karthikbalaguru79(a)gmail.com> wrote:

>Hi,
>How to determine the presence of wireshark in a network ?
>Are there any specific packet types exchanged while it
>is present in the network so that it can be used to determine
>its presence in the network . Any tool to identify its presence
>in either Windows or Linux ? Any ideas ?
>
>Thx in advans,
>Karthik Balaguru
Wireshark has DNS resolving on by default (or it used to, as
far as I can remember). If the sniffer is an amateur, and leaves it
on, you can try to ping an imaginary address. The sniffer's wireshark
will pick up the address and try to resolve it. So just filter with
"dns and "pinged IP"") and you can see which computer wireshark is on.
Duh.
[]'s
Kismet and aircrack of course are MUCH less detectable than
wireshark.......they are totally non intrusive.