sniffer/promisc detector

Steven M. Bellovin smb at research.att.com
Sat Jan 17 01:35:16 UTC 2004


In message <40086A95.8D2DB487 at cox.net>, "Laurence F. Sheldon, Jr." writes:
>
>Gerald wrote:
>> 
>> Subject says it all. Someone asked the other day here for sniffers. Any
>> progress or suggestions for programs that detect cards in promisc mode or
>> sniffing traffic?
>
>I can't even imagine how one might do that.  Traditionally the only
>way to know that you have a mole is to encounter secrets that "had to"
>have been stolen.

There are a number of heuristics that *sometimes* work.  For example, 
some platforms (older Linux kernels, I think; not sure about current 
ones; definitely not BSD) will respond if a packet sent to their IP 
address but with a wrong Ethernet address is received.  That will only 
happen if they're in promiscuous mode.  (BSD checks that the packet is 
addressed to the proper MAC address or is broadcast/multicast.)  
Another is to emit a packet with a distinctive IP source address, 
under the assumption that the recipient might look up the host name via 
a boobytrapped DNS server.

In general, though, there's no way to tell.  My general advice is to 
assume that any network is tapped, and to use crypto even locally.  And 
no, switched networks won't protect you from certain kinds of sniffers, 
though you can detect anomalous ARP traffic.

		--Steve Bellovin, http://www.research.att.com/~smb
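As an added illustration (not part of Steve's message or any NANOG code), the following Python models the two defender-side checks his post touches on: the "wrong Ethernet address" probe, whose reply is conclusive only one way, and the ARP-anomaly watch he suggests for switched segments. It sends no traffic; the Host class, the destination-filter model, the bogus MAC 02:00:00:de:ad:01, and the sample ARP events (192.0.2.0/24 documentation addresses, locally administered MACs) are all constructed for this example.

```python
# Added example, not part of the original message: models of two detection
# heuristics discussed above. Hosts, MACs and ARP events are constructed.
from collections import defaultdict
from dataclasses import dataclass


def parse_mac(mac: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff' into 6 bytes; reject anything else."""
    octets = mac.lower().split(":")
    if len(octets) != 6:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return bytes(int(o, 16) for o in octets)


def is_group_address(mac: str) -> bool:
    """Ethernet marks multicast with the low bit of the first octet; the
    all-ones broadcast address is just the extreme case of that."""
    return bool(parse_mac(mac)[0] & 0x01)


def nic_accepts_frame(dst_mac: str, own_mac: str, promiscuous: bool) -> bool:
    """Destination filter of an interface: in normal mode only frames for its
    own unicast address or a group address go up the stack; in promiscuous
    mode every frame does."""
    if promiscuous:
        return True
    return parse_mac(dst_mac) == parse_mac(own_mac) or is_group_address(dst_mac)


@dataclass
class Host:
    mac: str
    promiscuous: bool
    # Does the IP stack re-check the frame's destination MAC before answering?
    # The post says BSD does; some older Linux kernels reportedly did not.
    stack_checks_dst_mac: bool


def replies_to_wrong_mac_probe(host: Host,
                               bogus_dst_mac: str = "02:00:00:de:ad:01") -> bool:
    """Model of the probe: a packet for the host's IP wrapped in a frame sent
    to a MAC nobody owns (constructed value). Only a promiscuous card passes
    it up, and only a stack that skips the MAC check answers it."""
    if not nic_accepts_frame(bogus_dst_mac, host.mac, host.promiscuous):
        return False
    return not host.stack_checks_dst_mac


def classify_probe_result(replied: bool) -> str:
    """A reply is conclusive; silence is not (BSD-style hosts stay quiet either way)."""
    return "promiscuous" if replied else "inconclusive"


def detect_arp_anomalies(events):
    """Run over (sender_ip, sender_mac, op) ARP observations and report what a
    sniffer on a switched segment tends to cause: an IP whose mapping changes,
    and an IP claimed by more than one MAC over the observation window."""
    table = {}
    claimants = defaultdict(set)
    alerts = []
    for sender_ip, sender_mac, op in events:
        mac = parse_mac(sender_mac).hex(":")
        claimants[sender_ip].add(mac)
        previous = table.get(sender_ip)
        if previous is not None and previous != mac:
            alerts.append(("mapping_changed", sender_ip, previous, mac, op))
        table[sender_ip] = mac
    for ip, macs in claimants.items():
        if len(macs) > 1:
            alerts.append(("multiple_claimants", ip, tuple(sorted(macs))))
    return alerts


# Constructed sample: the gateway 192.0.2.1 is suddenly claimed by a second MAC.
SAMPLE_ARP_EVENTS = [
    ("192.0.2.1", "02:00:00:00:00:01", "reply"),
    ("192.0.2.10", "02:00:00:00:00:10", "request"),
    ("192.0.2.1", "02:00:00:00:00:99", "reply"),
    ("192.0.2.10", "02:00:00:00:00:10", "reply"),
]

if __name__ == "__main__":
    for h in (Host("02:00:00:00:00:01", True, False),
              Host("02:00:00:00:00:01", True, True),
              Host("02:00:00:00:00:01", False, False)):
        print(h, "->", classify_probe_result(replies_to_wrong_mac_probe(h)))
    for alert in detect_arp_anomalies(SAMPLE_ARP_EVENTS):
        print(alert)
```

The probe model makes the asymmetry explicit: a reply to the bogus-MAC frame can only come from a card in promiscuous mode, but a silent host proves nothing, because a stack that re-checks the destination MAC stays quiet whether or not the card is promiscuous. The ARP watch keeps one mapping per IP and flags both a mapping change and any IP with more than one claimant, which is the "anomalous ARP traffic" signal a switched network still gives you.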