Antisniff is a cool tool that exploits certain 'features' inherent in some
TCP/IP stack implementations to detect the supposedly passive activity of
sniffing. However, do keep in mind that if these features have been
corrected or a custom TCP/IP stack is used, you will not be able to detect
passive sniffing.

If an attacker is attempting to 'sniff' packets across a switched segment,
examining traffic data for suspicious looking ARP redirects will work.

Ultimately, your best bet is to simply architect countermeasures.
For instance, establish three-tiered 'security zones' in your environment
(not trusted, semi-'trusted', 'trusted') and implement proper segmentation
at the network AND application level, utilize MAC lock-in port features on
your switches, ensure trunking ports exist on their own VLAN, etc.
----------------------------------
John Daniele
Technical Security & Intelligence
Toronto, ON
Voice: (416) 605-2041
Email: [EMAIL PROTECTED]
http://www.tsintel.com
----------------------------------