From: Karthik Balaguru on
Hi,
How to determine the presence of Wireshark in a network?
Are there any specific packet types exchanged while it
is present in the network, so that they can be used to determine
its presence in the network? Any tool to identify its presence
in either Windows or Linux? Any ideas?

Thanks in advance,
Karthik Balaguru
From: Jeff Liebermann on
On Tue, 9 Mar 2010 08:27:21 -0800 (PST), Karthik Balaguru
<karthikbalaguru79(a)gmail.com> wrote:

>How to determine the presence of wireshark in a network ?

Look for NIC cards and wireless devices running in promiscuous mode.

>Are there any specific packet types exchanged while it
>is present in the network so that it can be used to determine
>its presence in the network .

No. A sniffer is totally passive.

>Any tool to identify its presence
>in either Windows or Linux ? Any ideas ?

AntiSniff:
<http://www.nmrc.org/pub/review/antisniff-b2.html>
You may have trouble finding this one.

PromqryUI in DOS and Windowfied versions:
<http://www.microsoft.com/downloads/details.aspx?FamilyID=4df8eb90-83be-45aa-bb7d-1327d06fe6f5&DisplayLang=en>
<http://www.microsoft.com/downloads/details.aspx?FamilyID=1a10d27a-4aa5-4e96-9645-aa121053e083&DisplayLang=en>
Only works for detecting sniffers running on a Windoze system. I
haven't been able to detect DOS, Linux, or Mac sniffers with these
tools.

I've also noticed that most casual users of sniffers running on
laptops like to boot their operating system before firing up their
sniffers. The laptop will usually belch a few DHCP broadcasts and ARP
requests before disappearing into promiscuous mode. These initial
packets can be detected with ArpWatch:
<http://24h.atspace.com/it/security/arpwatch.htm>

The problem is not identifying the presence of the sniffer, it's
identifying which machine is actually doing the sniffing. The MAC
address is a clue, but given the ease of MAC address spoofing, that
information is often useless. Even if I delivered the MAC address on
a silver platter, identifying which one of the potentially hundreds of
similar computers in the room or building might be difficult.

--
Jeff Liebermann jeffl(a)cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
From: Bob on
On 09/03/2010 17:40, Jeff Liebermann wrote:

>
> PromqryUI in DOS and Windowfied versions:
> <http://www.microsoft.com/downloads/details.aspx?FamilyID=4df8eb90-83be-45aa-bb7d-1327d06fe6f5&DisplayLang=en>
> <http://www.microsoft.com/downloads/details.aspx?FamilyID=1a10d27a-4aa5-4e96-9645-aa121053e083&DisplayLang=en>
> Only works for detecting sniffers running on a Windoze system. I
> haven't been able to detect DOS, Linux, or Mac sniffers with these
> tools.

Have you tried SNAT? I noticed it on YouTube last week.
<http://www.snat-project.com/documentation.html>


From: Lew Pitcher on
On March 9, 2010 12:40, in comp.os.linux.networking, jeffl(a)cruzio.com wrote:

> On Tue, 9 Mar 2010 08:27:21 -0800 (PST), Karthik Balaguru
> <karthikbalaguru79(a)gmail.com> wrote:
>
>>How to determine the presence of wireshark in a network ?
>
> Look for NIC cards and wireless devices running in promiscuous mode.

Note that this will present false positives if the NICs in question are
running with "user set" MAC addresses.

With "user set" MAC addresses, the NIC cannot use its built-in comparison
logic to find frames addressed to the NIC. The OS NIC driver logic has to
match the MAC address on /all/ "on the wire" packets to the "user set" MAC
address, and extract those that match. This requires that the NIC run in
promiscuous mode, to permit the driver access to all the network traffic.

--
Lew Pitcher
Master Codewright & JOAT-in-training | Registered Linux User #112576
Me: http://pitcher.digitalfreehold.ca/ | Just Linux: http://justlinux.ca/
---------- Slackware - Because I know what I'm doing. ------
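As an added illustration of the "look for NICs in promiscuous mode" check that Jeff and Lew discuss (this is not code from anyone in the thread), here is a small Linux-side audit that reads the interface flags the kernel exposes under /sys/class/net and reports interfaces with IFF_PROMISC set. The sysfs path and the IFF_PROMISC value are standard Linux; the sample flag map is constructed for the demonstration.

```python
from pathlib import Path

# From linux/if.h: IFF_PROMISC = 0x100. The kernel sets this bit in
# /sys/class/net/<iface>/flags whenever the device's promiscuity count
# goes above zero, which is what libpcap-based tools (Wireshark, tcpdump)
# trigger when they open an interface in promiscuous mode.
IFF_PROMISC = 0x100


def parse_flags(text: str) -> int:
    """Parse the hex string found in /sys/class/net/<iface>/flags (e.g. '0x1103')."""
    return int(text.strip(), 16)


def is_promiscuous(flags: int) -> bool:
    """True if the IFF_PROMISC bit is set in the interface flags."""
    return bool(flags & IFF_PROMISC)


def audit_flag_map(flag_map: dict) -> list:
    """Given {iface: flags_text}, return the interfaces in promiscuous mode, sorted.

    A positive result is only a lead, not proof of a sniffer: as Lew notes,
    a driver running with a user-set MAC address may also keep the NIC in
    promiscuous mode, and some bridging/virtualisation setups do the same.
    """
    return sorted(
        iface for iface, text in flag_map.items()
        if is_promiscuous(parse_flags(text))
    )


def promiscuous_interfaces(sysfs_root: str = "/sys/class/net") -> list:
    """Read every interface's flags file from sysfs and audit them."""
    root = Path(sysfs_root)
    if not root.is_dir():
        return []  # not Linux, or sysfs not mounted
    flag_map = {}
    for entry in root.iterdir():
        try:
            flag_map[entry.name] = (entry / "flags").read_text()
        except OSError:
            continue  # interface vanished or unreadable; skip it
    return audit_flag_map(flag_map)


if __name__ == "__main__":
    # Constructed sample: eth0 has PROMISC set (0x1103), lo and wlan0 do not.
    sample = {"eth0": "0x1103\n", "lo": "0x9\n", "wlan0": "0x1003\n"}
    print("sample audit:", audit_flag_map(sample))
    print("this host:", promiscuous_interfaces())
```

On a live host, `ip link show` prints the same information as a PROMISC keyword in each interface's flag list, so the script can be cross-checked against it.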


From: DanS on
Rick Jones <rick.jones2(a)hp.com> wrote in news:hn66ht$h7r$2@usenet01.boi.hp.com:

> In comp.os.linux.networking Bob <bob(a)invalid.invalid> wrote:
>> Have you tried SNAT? I noticed it on YouTube last week.
>> <http://www.snat-project.com/documentation.html>
>
> I'm not sure how robust this:
>
> This action is the one I really like. With the help of it you can
> check if a host on your network is running a sniffer (well,

<SNIP>

> host I want to check is 192.168.1.8 As usual go to the directory
> where you have snat.jar and execute the command (if you have any
> problems go here) :
>
> will be. First, I suppose that 99 times out of 10 a host responding
> to that MAC address will be in promiscuous mode, but since the group
> bit is set... And I would think all it takes is a small change to the
> ARP code to verify that the destination MAC was a full broadcast...

Is this supposedly for Windows, Linux, OSX, BSD, etc ?

I'm sure it's OS specific. For instance, a Windows box will not reply to a
broadcast ping, but a Linux box will.