sniffer/promisc detector

Deepak Jain deepak at ai.net
Sat Jan 17 19:57:19 UTC 2004


>>It is also possible to sniff a network using only the RX pair so most of
>>the tools to detect cards in P mode will fail.  The new Cisco 6548's have
>>TDR functionality so you could detect unauthorized connections by their
>>physical characteristics.
>>
>>But there are also tools like ettercap which exploit weaknesses within
>>switched networks.  See http://ettercap.sourceforge.net/ for more details
>>(and gain some add'l grey hairs in the process).
>>
>>The question here is what are you trying to defend against?
> 
> Maybe this is just a stupid comment, but if the original poster is that 
> concerned with their LAN being sniffed, then maybe they should consider using 
> IPSec on their LAN.
> 

I read the ettercap service description, and still don't see how a rogue 
machine gets around this:

Switched network of multiple switches, servers on each port have a 
hardcoded MAC on the switch port. (Ports will not work if the MAC is 
different than the one described). This prevents MAC flood and MAC 
poisoning. If you use VLAN to your router and give each server a /30 or 
/29 that you route its IPs down towards it, your router will only talk 
to each server in the IP block that has been described by the subnet mask.

I know most people don't take the time to hard code their MACs onto 
their switch ports, but it really only takes a few seconds per switch 
with a little cutting & pasting -- as customer switches a network port, 
they just need to open a ticket to have the address changed.

Am I missing something?

Thanks,

DJ
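The port-security plus per-server VLAN design described above, written out as an added Cisco IOS configuration example (not part of the original post; the MAC address, VLAN numbers and interface names are constructed, and the 192.0.2.0/30 block is a documentation range):

```cisco
! --- Weak: plain access port, any MAC accepted, shared VLAN with other servers ---
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
!
! --- Hardened: one hardcoded MAC per port, port disabled on mismatch ---
interface GigabitEthernet0/1
 description server-A (ticket required to change MAC)
 switchport mode access
 switchport access vlan 101
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.4455
 switchport port-security violation shutdown
!
! --- Router: one VLAN and one /30 per server, so the router only
! --- exchanges traffic with that server inside its own subnet ---
interface GigabitEthernet0/0.101
 description server-A /30
 encapsulation dot1Q 101
 ip address 192.0.2.1 255.255.255.252
!
! Verify: "show port-security interface GigabitEthernet0/1" shows the
! configured MAC and a violation count of 0; "show errdisable recovery"
! lists ports shut down by a MAC mismatch.
```

With only one host per VLAN and subnet there is no neighbour on the same broadcast domain for a rogue machine to poison, which is what makes the /30-per-server part of the design do most of the work.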