sniffer/promisc detector

Chris Brenton cbrenton at chrisbrenton.org
Sat Jan 17 02:29:18 UTC 2004


On Fri, 2004-01-16 at 18:00, Gerald wrote:
>
> I should probably mention that I've already started looking at antisniff.
> I was hoping to find something that was currently maintained and still
> free while I investigate antisniff's capabilities.

Antisniff is still the best software-based tool for the job. It has far
more extensive testing than anything else I've looked at.

Of course the one blind spot with antisniff is that it can only detect
sniffers that have an IP address assigned to them. To detect these you
have to look at your switch statistics. Dead giveaway is a host
receiving traffic, but never transmitting. There is a false positive for
this condition, however, which is a hub plugged into the switch with no
hosts attached.

HTH,
C
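
The switch-statistics check described above, as an added example that is not part of the original post: it compares two polls of per-port packet counters and lists ports where the switch keeps sending frames but receives none back. The port names, counter values, 32-bit counter width and the `min_tx` threshold are constructed assumptions, and "never transmitting" is approximated as "no frames during the poll window".

```python
# Constructed sample data: two polls of per-port packet counters, seen from
# the switch ("rx" = frames received from the attached device, "tx" = frames
# sent to it). Names and values are made up for illustration.
COUNTER_MAX = 2**32  # assumption: 32-bit counters that wrap

POLL_1 = {
    "port1": {"link_up": True,  "rx": 10_500,        "tx": 98_000},
    "port2": {"link_up": True,  "rx": 0,             "tx": 4_000},
    "port3": {"link_up": False, "rx": 0,             "tx": 0},
    "port4": {"link_up": True,  "rx": 4_294_967_000, "tx": 51_000},
    "port5": {"link_up": True,  "rx": 0,             "tx": 30},
}
POLL_2 = {
    "port1": {"link_up": True,  "rx": 12_900, "tx": 104_000},
    "port2": {"link_up": True,  "rx": 0,      "tx": 9_000},
    "port3": {"link_up": False, "rx": 0,      "tx": 0},
    "port4": {"link_up": True,  "rx": 200,    "tx": 56_000},  # rx wrapped
    "port5": {"link_up": True,  "rx": 0,      "tx": 50},
}


def delta(old, new):
    """Counter difference that tolerates a single wrap."""
    return (new - old) % COUNTER_MAX


def silent_receivers(before, after, min_tx=100):
    """Return (port, frames_sent_to_port) for ports with link up that were
    sent at least min_tx frames but sent nothing back in the window.

    These are candidates only: a hub with no hosts attached produces the
    same counters, so each hit still needs a physical check.
    """
    suspects = []
    for port, new in sorted(after.items()):
        old = before.get(port)
        if old is None or not (old["link_up"] and new["link_up"]):
            continue  # new port or link down: nothing to compare
        rx = delta(old["rx"], new["rx"])
        tx = delta(old["tx"], new["tx"])
        if rx == 0 and tx >= min_tx:
            suspects.append((port, tx))
    return suspects


if __name__ == "__main__":
    for port, tx in silent_receivers(POLL_1, POLL_2):
        print(f"{port}: sent {tx} frames, received 0 (check for passive tap or empty hub)")
```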




