This depends on how the packets are being diverted. The information revealed by traceroute is all relative to layer 3. If the diversion is strictly at layer 2, it won't be visible. If the diversion is done at layer 3 (routing), then traceroute is going to see answers from some devices that "shouldn't" lie on the path from A to B. But if this path goes for 20 hops across the Internet, it gets hard to know what should and should not be on the path. (A path this long is likely to be asymmetric, so unless the diversion is well done, the sniffer will only see one direction of the traffic -- not necessarily the one you've chosen to traceroute. On the other hand, diversion might be mistaken for normal asymmetry....)
David Gillett

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: June 26, 2003 10:08
> To: [EMAIL PROTECTED]
> Subject: Re: AW: AW: security-basics Digest 18 Jun 2003 22:09:15 -0000 Issue 6 18
>
> To ask a related, equally uninformed question: If packets are diverted
> through a sniffing host, will the sniffer address be enumerated on
> traceroutes from either the source or the destination host to its
> counterpart, or are there techniques to mask this? Thanks.
>
> -Scott
>
> Meidinger Christopher <christopher.meidinger@badenIT.de>
> To: "'David Wallraff'" <[EMAIL PROTECTED]>
> cc: "[EMAIL PROTECTED] Com (E-Mail)" <[EMAIL PROTECTED]>
> 06/26/2003 05:09 AM
> Subject: AW: AW: security-basics Digest 18 Jun 2003 22:09:15 -0000 Issue 6 18
>
> ...NOW, you ask yourself how can I sniff on a switched network if all I get
> is stuff for me?
>
> The answer is, you have to lie to the other machines telling them that you
> are either their gateway, or that you are the machines that they want to
> talk to. The technical details are out of the scope of this paper, but you
> essentially get messages destined for other IP addresses delivered to your
> MAC address and then send them yourself to the real MAC address that
> belongs to dst host after keeping a copy of the packet for yourself. This
> takes a certain amount of skill (though not that much with automated tools,
> see below) to do, but it is not beyond a novice.
> ...
> Chris Meidinger
> Tullastrasse 70
> 79108 Freiburg
>
> ---------------------------------------------------------------------------
> Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
> The Gartner Group just put Neoteris in the top of its Magic Quadrant,
> while InStat has confirmed Neoteris as the leader in marketshare.
>
> Find out why, and see how you can get plug-n-play secure remote access in
> about an hour, with no client, server changes, or ongoing maintenance.
>
> Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
> ---------------------------------------------------------------------------
