sniffer/promisc detector

Sam Stickland sam_ml at spacething.org
Sat Jan 17 15:53:42 UTC 2004



----- Original Message -----
From: "Laurence F. Sheldon, Jr." <larrysheldon at cox.net>
To: <nanog at merit.edu>
Sent: Friday, January 16, 2004 10:49 PM
Subject: Re: sniffer/promisc detector


>
> Gerald wrote:
> >
> > Subject says it all. Someone asked the other day here for sniffers. Any
> > progress or suggestions for programs that detect cards in promisc mode or
> > sniffing traffic?
>
> I can't even imagine how one might do that.  Traditionally the only
> way to know that you have a mole is to encounter secrets that "had to"
> have been stolen.

In an all-switched network, sniffing can normally only be accomplished with
MAC address spoofing (Man In The Middle). Watching for MAC address changes
(from every machine's perspective), along with scanning for separate machines
with the same ARP address, and using switches that can detect when a MAC
address moves between ports will go a long way towards detecting sniffing.

It can also be worthwhile setting up a machine on a switch to detect
non-broadcast traffic that isn't for it - sometimes older switches get
'leaky' when they shouldn't be used.

I'm not sure if it's still the case, but it used to be the case that when
Linux is in promiscuous mode, it will answer to TCP/IP packets sent to its
IP address even if the MAC address on that packet is wrong. Sending TCP/IP
packets to all the IP addresses on the subnet, where the MAC address
contains wrong information, will tell you which machines are Linux machines
in promiscuous mode (the answer from those machines will be a RST packet).

Some tools that google turned up (haven't tried them myself):

http://www.securityfriday.com/ToolDownload/PromiScan/promiscan_doc.html

http://www.packetstormsecurity.org/sniffers/antisniff/

Apparently Man In The Middle attacks can also be detected by measuring the
latency under different traffic loads, but I haven't looked too much into
that.

Sam
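The two ARP-level checks Sam suggests above (an IP whose MAC changes, and one MAC answering for several IPs) can be scripted from a host's neighbour table. The following is an added example, not code from the original post or from any NANOG participant. It assumes Linux `ip neigh show` output as the input format and uses two constructed snapshots, taken at different times on the same host, in which the gateway's IP starts resolving to the MAC of another host on the segment.

```python
"""Flag ARP-cache indicators of MAC spoofing on a switched segment.

Input is the text of `ip neigh show` on Linux (assumed format), polled
repeatedly.  Two indicators are reported:
  * an IP that was mapped to one MAC now maps to a different MAC
  * a single MAC that answers for more than one IP in the latest snapshot
"""
import re
from collections import defaultdict

# One neighbour entry per line, e.g.
#   192.168.1.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
# Entries without a resolved hardware address (FAILED/INCOMPLETE) carry no
# "lladdr" field and will not match.
_NEIGH_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) dev (?P<dev>\S+) "
    r"lladdr (?P<mac>[0-9a-fA-F:]{17}) (?P<state>\S+)$"
)

# Constructed sample data: two polls of the same host's neighbour table.
# At t1 the gateway (.1) suddenly resolves to the MAC that .10 has been using.
SNAPSHOT_T0 = """
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
192.168.1.10 dev eth0 lladdr 00:11:22:33:44:10 STALE
192.168.1.11 dev eth0 lladdr 00:11:22:33:44:11 REACHABLE
192.168.1.99 dev eth0  FAILED
"""
SNAPSHOT_T1 = """
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:10 REACHABLE
192.168.1.10 dev eth0 lladdr 00:11:22:33:44:10 REACHABLE
192.168.1.11 dev eth0 lladdr 00:11:22:33:44:11 STALE
"""


def parse_ip_neigh(text):
    """Return [(ip, mac)] for every resolved entry; MACs are lower-cased."""
    entries = []
    for line in text.strip().splitlines():
        m = _NEIGH_RE.match(line.strip())
        if not m:
            continue  # unresolved entry or unrelated line
        entries.append((m.group("ip"), m.group("mac").lower()))
    return entries


def detect_mac_changes(snapshots):
    """Alert when an IP seen earlier starts mapping to a different MAC.

    snapshots is a list of (label, entries) in chronological order.
    """
    known = {}
    alerts = []
    for label, entries in snapshots:
        for ip, mac in entries:
            prev = known.get(ip)
            if prev is not None and prev != mac:
                alerts.append(
                    {"when": label, "ip": ip, "old_mac": prev, "new_mac": mac}
                )
            known[ip] = mac
    return alerts


def find_shared_macs(entries):
    """Return {mac: [ip, ...]} for MACs claiming more than one IP."""
    ips_per_mac = defaultdict(set)
    for ip, mac in entries:
        ips_per_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in ips_per_mac.items() if len(ips) > 1}


def analyze(snapshot_texts):
    """Run both checks over a list of (label, ip-neigh-text) polls."""
    snaps = [(label, parse_ip_neigh(text)) for label, text in snapshot_texts]
    return {
        "mac_changes": detect_mac_changes(snaps),
        "shared_macs": find_shared_macs(snaps[-1][1]) if snaps else {},
    }


if __name__ == "__main__":
    report = analyze([("t0", SNAPSHOT_T0), ("t1", SNAPSHOT_T1)])
    for alert in report["mac_changes"]:
        print("MAC change:", alert)
    for mac, ips in report["shared_macs"].items():
        print("MAC", mac, "answers for", ips)
```

Both indicators have benign causes (DHCP handing a lease to a new host, a replaced NIC, a router doing VRRP/HSRP failover, or one host legitimately holding several addresses), so treat the output as something to correlate with the switch's own MAC-move logs rather than as proof of sniffing on its own.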