Determining the presence of wireshark
in [Wireless Internet]
|
From: alexd on 19 Mar 2010 13:44 On 18/03/10 17:44, Karthik Balaguru wrote: > Thx for the RFC. The RFC 1122 does talk about handling broadcasts. > I found the section 3.3.6 very interesting. But, i wonder why do > implementations vary between windows and linux :( Well if implementations didn't vary, then there'd be no need for standards and committees, would there? -- <http://ale.cx/> (AIM:troffasky) (UnSoEsNpEaTm(a)ale.cx) 17:43:32 up 43 days, 17:47, 3 users, load average: 0.02, 0.11, 0.14 It is better to have been wasted and then sober than to never have been wasted at all
From: PaulusJrLz on 20 Mar 2010 02:49 On Mar 9, 11:27 pm, Karthik Balaguru <karthikbalagur...(a)gmail.com> wrote: > Hi, > How to determine the presence of wireshark in a network ? > Are there any specific packet types exchanged while it > is present in the network so that it can be used to determine > its presence in the network . Any tool to identify its presence > in either Windows or Linux ? Any ideas ? > > Thx in advans, > Karthik Balaguru One indicator of sniffer activity is a lot of DNS requests from the sniffer. This detection is not always effective, since sniffer's DNS resolution can be turned off. Junior Lazuardi
From: Karthik Balaguru on 20 Mar 2010 04:43 On Mar 19, 10:44 pm, alexd <troffa...(a)hotmail.com> wrote: > On 18/03/10 17:44, Karthik Balaguru wrote: > > > Thx for the RFC. The RFC 1122 does talk about handling broadcasts. > > I found the section 3.3.6 very interesting. But, i wonder why do > > implementations vary between windows and linux :( > > Well if implementations didn't vary, then there'd be no need for > standards and committees, would there? > :-) Karthik Balaguru
From: Karthik Balaguru on 20 Mar 2010 04:46 On Mar 17, 2:09 am, Stephen <stephen_h...(a)xyzworld.com> wrote: > On Tue, 16 Mar 2010 09:39:30 -0700 (PDT), Karthik Balaguru > > > > > > <karthikbalagur...(a)gmail.com> wrote: > >On Mar 15, 12:13 am, Stephen <stephen_h...(a)xyzworld.com> wrote: > >> On Sun, 14 Mar 2010 07:12:44 -0700 (PDT), Karthik Balaguru > > >> <karthikbalagur...(a)gmail.com> wrote: > >> >On Mar 10, 1:45 am, DanS <t.h.i.s.n.t.h....(a)r.o.a.d.r.u.n.n.e.r.c.o..m> > >> >wrote: > >> >> Rick Jones <rick.jon...(a)hp.com> wrote in news:hn66ht$h7r$2 > >> >> @usenet01.boi.hp.com: > > >> >> > In comp.os.linux.networking Bob <b...(a)invalid.invalid> wrote: > >> >> >> Have you tried SNAT? I noticed it on YouTube last week. > >> >> >> <http://www.snat-project.com/documentation.html> > > >> >> > I'm not sure how robust this: > > >> >> > This action is the one I really like. With the help of it you can > >> >> > check if a host on your network is running a sniffer (well, > > >> >> <SNIP> > > >> >> > host I want to check is 192.168.1.8 As usual go to the directory > >> >> > where you have snat.jar and execute the command (if you have any > >> >> > problems go here) : > > >> >> > will be. First, I suppose that 99 times out of 10 a host responding > >> >> > to that MAC address will be in promiscuous mode, but since the group > >> >> > bit is set... And I would think all it takes is a small change to the > >> >> > ARP code to verify that the destination MAC was a full broadcast.... > > >> >> Is this supposedly for Windows, Linux, OSX, BSD, etc ? > > >> >> I'm sure it's OS specific. For instance, a Windows box will not reply to a > >> >> broadcast ping, but a Linux box will. > > >> >But why Windows box does not reply to the broadcast ping :-( whereas > >> >the Linux box replies to the broadcast ping ? That is, > >> >any specific reasons for not being supported in Windows and for > >> >being supported in Linux ? > > >> i seem to remember using broadcast ping to populate ARP tables on a > >> router to hunt used IP addresses, so i am not sure this is right. > > >> i think that it may be more about the sender, not the reciever. > > >> if i ping the local LAN s/net on my w2000 PC - no response and nothing > >> changes in the arp table (arp -a) > > >> do the same on a win7 PC and i get a response, and the arp table gets > >> some added entries - some of the entries are w2k and xp boxes..... > > >> the win7 box has static ARP entries installed for the IP local > >> broadcast address and network broadcast (this seems to be part of the > >> default interface settings). > >> Adding the same statics on the w2k box doesnt change anything. > > >> i cannot run up wireshark to check any further right now - but it sure > >> looks like the apparent lack of response to broadcast ping might be at > >> the Windows sender, not the responder. > > >On similar lines, i came across an info that states that due to > >a weakness in Linux TCP/IP implementation , it will answer to > >TCP/IP packets sent to its IP address even if the MAC address > >on that packet is wrong while in promiscuous mode. > >But, it seems that the standard behavior is that it will not be > >answered because the network interface will drop them as it > >is containing wrong MAC address . > > >I am eager to know Why is the linux implementation different > >from that of the standard implementation ? Is it good or bad ? > > it probably comes down to implementation issues. > > FWIW responding to broadcasts is like many things - useful but can be > dangerous to network stability in some setups. > > there are standards that covers a lot of this stuff..... > > RFC 1122 is for host requirements - section 3.2 says a fair bit about > handling broadcasts. > It seems that the flaw in Linux TCP/IP stack has been fixed in kernel 2.2.10 as they drop the incoming packets that are not destined for this ethernet address. So, there is a tough job to detect the presence of in network if the sniffer is running on Linux Kernel 2.2.10. Karthik Balaguru
From: Karthik Balaguru on 20 Mar 2010 04:59
On Mar 20, 11:49 am, PaulusJrLz <paulusj...(a)gmail.com> wrote: > On Mar 9, 11:27 pm, Karthik Balaguru <karthikbalagur...(a)gmail.com> > wrote: > > > Hi, > > How to determine the presence of wireshark in a network ? > > Are there any specific packet types exchanged while it > > is present in the network so that it can be used to determine > > its presence in the network . Any tool to identify its presence > > in either Windows or Linux ? Any ideas ? > > > Thx in advans, > > Karthik Balaguru > > One indicator of sniffer activity is a lot of DNS requests from the > sniffer. > This detection is not always effective, since sniffer's DNS resolution > can be turned off. > I think that is how antisniff has been played down by some snifferes. I have been searching for these tools that help in finding the remote systems in promiscuous mode in a network. I did come across other tools that help in detection of a system in promiscuous mode such as the following- 1. Sentinel Supports 3 methods of remote promiscuous detection: The DNS test,Etherping test,ARP test. -a arp test, -d dns test,-e icmp etherping test. Need to check it out. Has anyone tried this out ? 2. neped.c http://www.artofhacking.com/tucops/hack/unix/live/aoh_neped.htm Network Promiscuous Ethernet Detector w.r.t Linux- Specifically designed to detect the sniffers that use the flaw in Linux TCP/IP Stack !!. I think this will not be useful for the kernels in which the flaw has been fixed such as kernel 2.2.10 as they drop the incoming packets that are not destined for this ethernet address. 3. promisc.c http://seclists.org/nmap-hackers/1999/att-271/promisc_c.bin Determines the machine on which it is run is in promisc mode. This is similar to "ifconfig -a|grep PROMISC" :-) But,this does not help remote machine(sniffer) detection :-( 4. ifstatus ftp://ftp.cerias.purdue.edu/pub/tools/unix/sysutils/ifstatus/ifstatus-4.0.tar.gz Checks and reports the network interfaces on the system reports any that are in debug or promiscuous mode - Not suitable for remote sniffer detection :-( 5. Antisniff So antisniff appears that it be tricked out if kernel 2.2.10 is used or if DNS lookup test is avoided or if the sniffing is not done above an average network traffic limit. And it seems there is an equally interesting 'Anti-Antisniff Sniffer' to play down the antisniff utility :-( But, I am not sure if Sentinel helps in detection of remote promiscous mode(Sniffer) even in the case of linux kernel 2.2.10 ! ? Thx in advans, Karthik Balaguru |