It is also possible to sniff a network using only the RX pair so most of
the tools to detect cards in P mode will fail.  The new Cisco 6548's have
TDR functionality so you could detect unauthorized connections by their
physical characteristics.

But there are also tools like ettercap which exploit weaknesses within
switched networks.  See http://ettercap.sourceforge.net/ for more details
(and gain some add'l grey hairs in the process).

The question here is what are you trying to defend against?.


                            Scott C. McGrath

On Sat, 17 Jan 2004, Sam Stickland wrote:

>
>
> ----- Original Message -----
> From: "Laurence F. Sheldon, Jr." <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, January 16, 2004 10:49 PM
> Subject: Re: sniffer/promisc detector
>
>
> >
> > Gerald wrote:
> > >
> > > Subject says it all. Someone asked the other day here for sniffers. Any
> > > progress or suggestions for programs that detect cards in promisc mode
> or
> > > sniffing traffic?
> >
> > I can't even imagine how one might do that.  Traditionally the only
> > way to know that you have a mole is to encounter secrets that "had to"
> > have been stolen.
>
> In an all switched network, sniffing can normally only be accomplished with
> MAC address spoofing (Man In The Middle). Watching for MAC address changes
> (from every machines perspective), along with scanning for seperate machines
> with the same ARP address, and using switches that can detect when a MAC
> address moves between ports will go a long way towards detecting sniffing.
>
> It can also be worthwhile setting up a machine on a switch to detect
> non-broadcast traffic that isn't for it - sometimes older switches get
> 'leaky' when they shouldn't be used.
>
> I'm not sure if it's still the case, but it used to be the case that when
> Linux is in promiscuous mode, it will answer to TCP/IP packets sent to its
> IP address even if the MAC address on that packet is wrong. Sending TCP/IP
> packets to all the IP addresses on the subnet, where the MAC address
> contains wrong information, will tell you which machines are Linux machines
> in promiscuous mode (the answer from those machines will be a RST packet).
>
> Some tools that google turned up (haven't tried them myself):
>
> http://www.securityfriday.com/ToolDownload/PromiScan/promiscan_doc.html
>
> http://www.packetstormsecurity.org/sniffers/antisniff/
>
> Apparently Man In The Middle attacks can also be detected by measuring the
> latency under different traffic loads, but I haven't looked to much into
> that.
>
> Sam
>
>

Reply via email to