Some sniffer programs do DNS lookup on the captured IPs. If you do some arbitery connection to an IP and see DNS lookups for the same IP you connect to from some other hosts moments later you can deduce sniffing.
On Thu, 19 Dec 2002, Chris Berry wrote: > Date: Thu, 19 Dec 2002 15:36:08 -0800 > From: Chris Berry <[EMAIL PROTECTED]> > To: [EMAIL PROTECTED] > Subject: RE: A Solution for sniffing > > >From: <[EMAIL PROTECTED]> > >For a network card to "Sniff" it must be in promiscuous mode, reading > >all packets coming in and not dumping those not addressed to it. > >Google the web for tools that can find network interface cards in > >promiscuous mode. I can think of only two legit reasons to be in that > >mode: some firewall/IDS's need > >that mode to pull in all packets, and someone sniffing the network with > >permission. Therefore, after you look and find a netcard in promiscuous > >mode, you can check the system files for WHY it is in that mode. > > > >As far as hardware sniffers, Someone else will have to say it with > >authority. I think the technique that finds software driven promiscuous > >netcards works on hardware sniffers, but I may be wrong. > > Ok, I'm a bit confused. As I understand ethernet, all the signals go out on > the wire as changing voltage levels, every card listens to the signals and > internally decides whether or not to drop the frames based on whether or not > they are destined for its MAC address. With a passive listening setup like > this, how could you possibly detect a promiscuous interface? > > Chris Berry > [EMAIL PROTECTED] > Systems Administrator > JM Associates > > "Live dangerously, overclock your servers." > > _________________________________________________________________ > Add photos to your messages with MSN 8. Get 2 months FREE*. > http://join.msn.com/?page=features/featuredemail >
